Install cert-manager for Certificate Management

This topic explains how to install cert-manager into a workload cluster in Tanzu Kubernetes Grid. cert-manager installs automatically in a standalone management cluster.

This topic applies to workload clusters running on vSphere, Amazon Web Services (AWS), and Azure.

Prepare the Workload Cluster for cert-manager Installation

To prepare the cluster:

  1. Get the admin credentials of the workload cluster into which you want to deploy cert-manager. For example:

    tanzu cluster kubeconfig get my-cluster --admin
    
  2. Set the context of kubectl to the cluster. For example:

    kubectl config use-context my-cluster-admin@my-cluster
    

Install cert-manager

To install cert-manager:

  1. If you are installing cert-manager to a single-node cluster as described in Single-Node Clusters on vSphere, patch the cert-manager package annotations to prevent a conflict between the cert-manager installed as a core package on single-node clusters and the cert-manager in the Tanzu standard repo:

    kubectl annotate --overwrite package cert-manager.tanzu.vmware.com.1.10.1+vmware.1-tkg.1 tkg.tanzu.vmware.com/package-repo='standard'
    
  2. If the cluster does not have a package repository with the cert-manager package installed, such as the tanzu-standard repository, install one:

    tanzu package repository add PACKAGE-REPO-NAME --url PACKAGE-REPO-ENDPOINT --namespace tkg-system
    

    Where:

    • PACKAGE-REPO-NAME is the name of the package repository, such as tanzu-standard or the name of a private image registry configured with ADDITIONAL_IMAGE_REGISTRY variables.
    • PACKAGE-REPO-ENDPOINT is the URL of the package repository.

      • For this release, the tanzu-standard URL is projects.registry.vmware.com/tkg/packages/standard/repo:v2023.10.16. See List Package Repositories to obtain this value from the Tanzu CLI, or in Tanzu Mission Control see the Addons > Repositories list in the Cluster pane.
  3. Confirm that the cert-manager package is available in your workload cluster:

    tanzu package available list -A
    
  4. Retrieve the version of the available package:

    tanzu package available list cert-manager.tanzu.vmware.com -A
    
  5. Install the cert-manager package:

    tanzu package install cert-manager --package cert-manager.tanzu.vmware.com --namespace TARGET-NAMESPACE --version AVAILABLE-PACKAGE-VERSION
    

    Where:

    • TARGET-NAMESPACE is the namespace in which you want to install the cert-manager package. For example, the my-packages or tanzu-cli-managed-packages namespace.

      • If the --namespace flag is not specified, the Tanzu CLI installs the package in the default namespace.
      • The specified namespace must already exist, for example from running kubectl create namespace my-packages.
    • AVAILABLE-PACKAGE-VERSION is the version that you retrieved above.

    For example:

    tanzu package install cert-manager --package cert-manager.tanzu.vmware.com --namespace my-packages --version 1.10.1+vmware.1-tkg.1
    
  6. Confirm that the cert-manager package has been installed:

    tanzu package installed list -A
    

    The cert-manager package and cert-manager app are installed in the namespace that you specify when running the tanzu package install command.

  7. Confirm that the cert-manager app has been successfully reconciled in your TARGET-NAMESPACE. For example:

    kubectl get apps -A
    NAMESPACE     NAME             DESCRIPTION           SINCE-DEPLOY   AGE
    my-packages   cert-manager     Reconcile succeeded   3m2s           3m12s
    ...
    

    If the status is not Reconcile Succeeded, view the full status details of the cert-manager app. Viewing the full status can help you to troubleshoot the problem.

    kubectl get app cert-manager --namespace TARGET-NAMESPACE -o yaml
    

    Where TARGET-NAMESPACE is the namespace in which you installed the package. If troubleshooting does not help you solve the problem, you must uninstall the package before installing it again:

    tanzu package installed delete cert-manager --namespace TARGET-NAMESPACE
    
  8. Confirm that the cert-manager- pods are running:

    kubectl get pods -A
    

    The cert-manager pods and any other resources associated with the cert-manager component are created in the cert-manager namespace.

check-circle-line exclamation-circle-line close-line
Scroll to top icon