Install Cert Manager in Workload Clusters Deployed by a Standalone Management Cluster
This topic explains how to install cert-manager into a workload cluster in Tanzu Kubernetes Grid (TKG). cert-manager installs automatically in a standalone management cluster.
This topic applies to workload clusters running on vSphere, Amazon Web Services (AWS), and Azure.
NoteAs of v2.5, TKG does not support clusters on AWS or Azure. See the End of Support for TKG Management and Workload Clusters on AWS and Azure in the Tanzu Kubernetes Grid v2.5 Release Notes.
Prepare the Workload Cluster for cert-manager Installation
To prepare the cluster:
-
Get the admin credentials of the workload cluster into which you want to deploy cert-manager. For example:
tanzu cluster kubeconfig get my-cluster --admin -
Set the context of kubectl to the cluster. For example:
kubectl config use-context my-cluster-admin@my-cluster
Install Cert Manager
To install cert-manager:
-
If you are installing cert-manager to a single-node cluster as described in Single-Node Clusters on vSphere, patch the
cert-managerpackage annotations to prevent a conflict between thecert-managerinstalled as a core package on single-node clusters and thecert-managerin the Tanzustandardrepo:kubectl annotate --overwrite package cert-manager.tanzu.vmware.com.1.12.2+vmware.1-tkg.1 tkg.tanzu.vmware.com/package-repo='standard' -
If the cluster does not have a package repository with the cert-manager package installed, such as the
tanzu-standardrepository, install one:tanzu package repository add PACKAGE-REPO-NAME --url PACKAGE-REPO-ENDPOINT --namespace tkg-systemWhere:
PACKAGE-REPO-NAMEis the name of the package repository, such astanzu-standardor the name of a private image registry configured withADDITIONAL_IMAGE_REGISTRYvariables.-
PACKAGE-REPO-ENDPOINTis the URL of the package repository.- For the TKG v2.5.1 release, the
tanzu-standardURL isprojects.registry.vmware.com/tkg/packages/standard/repo:v2024.4.12. See List Package Repositories to obtain this value from the Tanzu CLI, or in Tanzu Mission Control see the Addons > Repositories list in the Cluster pane.
- For the TKG v2.5.1 release, the
-
Confirm that the
cert-managerpackage is available in your workload cluster:tanzu package available list -A -
Retrieve the version of the available package:
tanzu package available list cert-manager.tanzu.vmware.com -A -
Install the cert-manager package:
tanzu package install cert-manager --package cert-manager.tanzu.vmware.com --namespace TARGET-NAMESPACE --version AVAILABLE-PACKAGE-VERSIONWhere:
-
TARGET-NAMESPACEis the namespace in which you want to install the cert-manager package. For example, themy-packagesortanzu-cli-managed-packagesnamespace.- If the
--namespaceflag is not specified, the Tanzu CLI installs the package in thedefaultnamespace. - The specified namespace must already exist, for example from running
kubectl create namespace my-packages.
- If the
AVAILABLE-PACKAGE-VERSIONis the version that you retrieved above.
For example:
tanzu package install cert-manager --package cert-manager.tanzu.vmware.com --namespace my-packages --version 1.12.2+vmware.1-tkg.1 -
-
Confirm that the
cert-managerpackage has been installed:tanzu package installed list -AThe
cert-managerpackage andcert-managerapp are installed in the namespace that you specify when running thetanzu package installcommand. -
Confirm that the
cert-managerapp has been successfully reconciled in yourTARGET-NAMESPACE. For example:kubectl get apps -A NAMESPACE NAME DESCRIPTION SINCE-DEPLOY AGE my-packages cert-manager Reconcile succeeded 3m2s 3m12s ...If the status is not
Reconcile Succeeded, view the full status details of thecert-managerapp. Viewing the full status can help you to troubleshoot the problem.kubectl get app cert-manager --namespace TARGET-NAMESPACE -o yamlWhere
TARGET-NAMESPACEis the namespace in which you installed the package. If troubleshooting does not help you solve the problem, you must uninstall the package before installing it again:tanzu package installed delete cert-manager --namespace TARGET-NAMESPACE -
Confirm that the
cert-manager-pods are running:kubectl get pods -AThe cert-manager pods and any other resources associated with the cert-manager component are created in the
cert-managernamespace.
