Install Cert Manager for Certificate Management

This topic gives an overview of the Cert Manager package, which you can install in Tanzu Kubernetes Grid (TKG) workload clusters to provide certificate management services for the cluster.

Cert Manager provides certificate management for the TKG cluster.

Cert Manager is a prerequisite for many other Tanzu packages and is usually the first package you install.

Installation: Install Cert Manager on a workload cluster in one of the following ways, based on its deployment option:

Cert Manager Components

The cert-manager package installs on the cluster the containers listed in the table. For more information, see https://cert-manager.io/. The containers are pulled from the VMware public registry specified in the Package Repository.

Container Resource Type Replicas Description
cert-manager Deployment 1 Controller for certificate and issuer resources
cert-manager-cainjector Deployment 1 Controller to inject CA certificates into webhooks, API services and CRDs
cert-manager-webhook Deployment 1 Webhook for validating, mutating, defaulting and converting cert-manager API resources
cert-manager-acmesolver Pod 1 per ACME challenge, short-lived Solver for an ACME challenge which gets deployed dynamically per challenge

Cert Manager Package Configuration Parameters

You can customize your cert-manager installation by editing the default values in the cert-manager package configuration file.

The table below contains information about the values that you can customize in the cert-manager-data-values.yaml file and how they can be used to modify the default installation of cert-manager when deployed into a workload cluster.

Parameter Description Type Default
issuers * An array of bootstrapped, self-signed ClusterIssuer to be created by the package installation array of objects []
kubernetes_distribution * The distribution of Kubernetes, used to determine if distribution-specific configurations need to be applied. Options are an empty string "" and openshift. If running on an Openshift cluster, this must be set to openshift. When set to openshift, a Role and RoleBinding are created to associate cert-manager’s components with the appropriate Openshift Security Context Constraint resource. string none
kubernetes_version * The version of Kubernetes being used, for enabling version-specific behaviors. Accept any valid major.minor.patch version of Kubernetes. This field is optional. Currently only has effect when kubernetes_distribution is set to openshift. semantic version string none
namespace The namespace where cert-manager pods run, distinct from where the packages are deployed. This is also known as cert-manager cluster resource namespace. ACME solver pods will run in the namespace of its certificate. string cert-manager

* new parameter in cert-manager.tanzu.vmware.com/1.12.2+vmware.1-tkg.1.

Examples for issuers:

  • Include a single, self-signed ClusterIssuer

    issuers:
    - name: my-self-signed
      self_signed: {}
    
  • Include a single, self-signed ClusterIssuer with specific private key configuration

    issuers:
    - name: my-self-signed
      self_signed:
        private_key:
          algorithm: RSA
          size: 8192
          encoding: PKCS8
    
check-circle-line exclamation-circle-line close-line
Scroll to top icon