Install cert-manager for Certificate Management

This topic explains how to install cert-manager into a workload cluster.

Prepare the Workload Cluster for cert-manager Installation

To prepare the cluster:

  1. Get the admin credentials of the workload cluster into which you want to deploy cert-manager. For example:

    tanzu cluster kubeconfig get my-cluster --admin
    
  2. Set the context of kubectl to the cluster. For example:

    kubectl config use-context my-cluster-admin@my-cluster
    

Install cert-manager

To install cert-manager:

  1. If you have not already done so, add the standard package repository to the cluster:

    tanzu package repository add tanzu-standard --url PACKAGE-REGISTRY-ENDPOINT --namespace tkg-system
    

    Where PACKAGE-REGISTRY-ENDPOINT is the URL of your Tanzu Standard registry, for example projects.registry.vmware.com/tkg/packages/standard/repo:v1.6.1.

    See List Package Repositories to obtain this value from the Tanzu CLI, or in Tanzu Mission Control see the Addons > Repositories list in the Cluster pane.

  2. Confirm that the cert-manager package is available in your workload cluster:

    tanzu package available list -A
    
  3. Retrieve the version of the available package:

    tanzu package available list cert-manager.tanzu.vmware.com -A
    
  4. Install the cert-manager package:

    • If the target namespace exists in the cluster, run:

      tanzu package install cert-manager --package-name cert-manager.tanzu.vmware.com --namespace TARGET-NAMESPACE --version AVAILABLE-PACKAGE-VERSION
      

      Where:

      • TARGET-NAMESPACE is the namespace in which you want to install the cert-manager package, cert-manager package app, and any other Kubernetes resources that describe the package. For example, the my-packages or tanzu-cli-managed-packages namespace. If the --namespace flag is not specified, the Tanzu CLI installs the package in the default namespace.
      • AVAILABLE-PACKAGE-VERSION is the version that you retrieved above.

      For example:

      tanzu package install cert-manager --package-name cert-manager.tanzu.vmware.com --namespace my-packages --version 1.7.2+vmware.1-tkg.1
      
    • If the target namespace does not exist in the cluster, run:

      tanzu package install cert-manager --package-name cert-manager.tanzu.vmware.com --namespace TARGET-NAMESPACE --version AVAILABLE-PACKAGE-VERSION --create-namespace
      

      Where:

      • TARGET-NAMESPACE is the namespace in which you want to install the cert-manager package, cert-manager package app, and any other Kubernetes resources that describe the package. For example, the my-packages or tanzu-cli-managed-packages namespace.
      • AVAILABLE-PACKAGE-VERSION is the version that you retrieved above.

      For example:

      tanzu package install cert-manager --package-name cert-manager.tanzu.vmware.com --namespace my-packages --version 1.7.2+vmware.1-tkg.1 --create-namespace
      

    Alternatively, you can create the namespace before installing the package by running the kubectl create namespace TARGET-NAMESPACE command.

  5. Confirm that the cert-manager package has been installed:

    tanzu package installed list -A
    

    The cert-manager package and cert-manager app are installed in the namespace that you specify when running the tanzu package install command.

  6. Confirm that the cert-manager app has been successfully reconciled in your TARGET-NAMESPACE. For example:

    kubectl get apps -A
    NAMESPACE     NAME             DESCRIPTION           SINCE-DEPLOY   AGE
    my-packages   cert-manager     Reconcile succeeded   3m2s           3m12s
    ...
    

    If the status is not Reconcile succeeded, view the full status details of the cert-manager app. Viewing the full status can help you to troubleshoot the problem.

    kubectl get app cert-manager --namespace TARGET-NAMESPACE -o yaml
    

    Where TARGET-NAMESPACE is the namespace in which you installed the package. If troubleshooting does not help you solve the problem, you must uninstall the package before installing it again:

    tanzu package installed delete cert-manager --namespace TARGET-NAMESPACE
    
  7. Confirm that the cert-manager pods are running:

    kubectl get pods -A
    

    The cert-manager pods and any other resources associated with the cert-manager component are created in the cert-manager namespace.
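
Steps 6 and 7 can be scripted as a gate that runs before any workload requests certificates. The following is an added example, not part of the original documentation or of the Tanzu CLI: it parses the tabular output of `kubectl get apps -A` and `kubectl get pods -A`. The function names, the sample tables, and the pod names in them are constructed for illustration.

```shell
#!/bin/sh
# Added example: scripted form of steps 6 and 7. All sample data is constructed.

# Constructed `kubectl get apps -A` output (columns as shown in step 6).
SAMPLE_APPS='NAMESPACE     NAME           DESCRIPTION           SINCE-DEPLOY   AGE
my-packages   cert-manager   Reconcile succeeded   3m2s           3m12s
my-packages   other-app      Reconciling           10s            40s'

# Constructed `kubectl get pods -A` output; pod names are illustrative.
SAMPLE_PODS='NAMESPACE      NAME                READY   STATUS             RESTARTS   AGE
cert-manager   cert-manager-aaaa   1/1     Running            0          3m
cert-manager   cert-manager-bbbb   0/1     CrashLoopBackOff   4          3m
kube-system    coredns-cccc        1/1     Running            0          1d'

# app_reconciled NAMESPACE NAME: reads an apps table on stdin and succeeds
# only if that row's DESCRIPTION is exactly "Reconcile succeeded".
app_reconciled() {
  awk -v ns="$1" -v app="$2" '
    $1 == ns && $2 == app {
      # DESCRIPTION may contain spaces: it spans field 3 up to field NF-2.
      desc = $3
      for (i = 4; i <= NF - 2; i++) desc = desc " " $i
      ok = (desc == "Reconcile succeeded")
    }
    END { exit (ok ? 0 : 1) }'
}

# unready_pods NAMESPACE: reads a pods table on stdin and prints every pod in
# NAMESPACE that is not Running or whose READY count is incomplete.
unready_pods() {
  awk -v ns="$1" 'NR > 1 && $1 == ns {
      split($3, r, "/")
      if ($4 != "Running" || r[1] != r[2]) print $2
    }'
}

# check_cert_manager APPS PODS TARGET-NAMESPACE: combined gate for a pipeline.
# Fails if the app is not reconciled, no pods exist, or any pod is unready.
check_cert_manager() {
  printf '%s\n' "$1" | app_reconciled "$3" cert-manager ||
    { echo "app not reconciled"; return 1; }
  [ -n "$(printf '%s\n' "$2" | awk '$1 == "cert-manager"')" ] ||
    { echo "no cert-manager pods"; return 1; }
  bad=$(printf '%s\n' "$2" | unready_pods cert-manager)
  [ -z "$bad" ] || { echo "unready: $bad"; return 1; }
}

# Live use against the current kubectl context:
#   check_cert_manager "$(kubectl get apps -A)" "$(kubectl get pods -A)" my-packages
```

A non-zero exit from `check_cert_manager` means the install should be treated as failed, even if `tanzu package installed list -A` shows the package.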
