Install cert-manager for Certificate Management
This topic explains how to install cert-manager into a workload cluster in Tanzu Kubernetes Grid. cert-manager installs automatically in a standalone management cluster.
This topic applies to workload clusters running on vSphere, Amazon Web Services (AWS), and Azure.
Prepare the Workload Cluster for cert-manager Installation
To prepare the cluster:
-
Get the admin credentials of the workload cluster into which you want to deploy cert-manager. For example:
tanzu cluster kubeconfig get my-cluster --admin -
Set the context of kubectl to the cluster. For example:
kubectl config use-context my-cluster-admin@my-cluster
Install cert-manager
To install cert-manager:
-
If you are installing cert-manager to a single-node cluster as described in Single-Node Clusters on vSphere, patch the
cert-managerpackage annotations to prevent a conflict between thecert-managerinstalled as a core package on single-node clusters and thecert-managerin the Tanzustandardrepo:kubectl annotate --overwrite package cert-manager.tanzu.vmware.com.1.10.1+vmware.1-tkg.1 tkg.tanzu.vmware.com/package-repo='standard' -
If the cluster does not have a package repository with the cert-manager package installed, such as the
tanzu-standardrepository, install one:tanzu package repository add PACKAGE-REPO-NAME --url PACKAGE-REPO-ENDPOINT --namespace tkg-systemWhere:
PACKAGE-REPO-NAMEis the name of the package repository, such astanzu-standardor the name of a private image registry configured withADDITIONAL_IMAGE_REGISTRYvariables.-
PACKAGE-REPO-ENDPOINTis the URL of the package repository.- For this release, the
tanzu-standardURL isprojects.registry.vmware.com/tkg/packages/standard/repo:v2023.10.16. See List Package Repositories to obtain this value from the Tanzu CLI, or in Tanzu Mission Control see the Addons > Repositories list in the Cluster pane.
- For this release, the
-
Confirm that the
cert-managerpackage is available in your workload cluster:tanzu package available list -A -
Retrieve the version of the available package:
tanzu package available list cert-manager.tanzu.vmware.com -A -
Install the cert-manager package:
tanzu package install cert-manager --package cert-manager.tanzu.vmware.com --namespace TARGET-NAMESPACE --version AVAILABLE-PACKAGE-VERSIONWhere:
-
TARGET-NAMESPACEis the namespace in which you want to install the cert-manager package. For example, themy-packagesortanzu-cli-managed-packagesnamespace.- If the
--namespaceflag is not specified, the Tanzu CLI installs the package in thedefaultnamespace. - The specified namespace must already exist, for example from running
kubectl create namespace my-packages.
- If the
AVAILABLE-PACKAGE-VERSIONis the version that you retrieved above.
For example:
tanzu package install cert-manager --package cert-manager.tanzu.vmware.com --namespace my-packages --version 1.10.1+vmware.1-tkg.1 -
-
Confirm that the
cert-managerpackage has been installed:tanzu package installed list -AThe
cert-managerpackage andcert-managerapp are installed in the namespace that you specify when running thetanzu package installcommand. -
Confirm that the
cert-managerapp has been successfully reconciled in yourTARGET-NAMESPACE. For example:kubectl get apps -A NAMESPACE NAME DESCRIPTION SINCE-DEPLOY AGE my-packages cert-manager Reconcile succeeded 3m2s 3m12s ...If the status is not
Reconcile Succeeded, view the full status details of thecert-managerapp. Viewing the full status can help you to troubleshoot the problem.kubectl get app cert-manager --namespace TARGET-NAMESPACE -o yamlWhere
TARGET-NAMESPACEis the namespace in which you installed the package. If troubleshooting does not help you solve the problem, you must uninstall the package before installing it again:tanzu package installed delete cert-manager --namespace TARGET-NAMESPACE -
Confirm that the
cert-manager-pods are running:kubectl get pods -AThe cert-manager pods and any other resources associated with the cert-manager component are created in the
cert-managernamespace.
