This topic explains how to deploy Cert Manager to Tanzu Kubernetes Grid (TKG) workload clusters deployed to vSphere by a vSphere with Tanzu Supervisor.
The Cert Manager package provides certificate management for the TKG cluster. Cert Manager is a prerequisite for all other Tanzu packages and therefore must be the first package you install.
You can install Cert Manager on a workload cluster in two ways:
Adhere to the following prerequisite.
Complete these steps to install the Cert Manager package on a TKG cluster on Supervisor.
Create the Cert Manager namespace.
kubectl create ns cert-manager
Use kubectl to list the packages and their versions available in the repository.
kubectl -n tkg-system get packages
Install the Cert Manager package.
We will install the latest version available in the package repository. Adjust the version as needed to meet your requirements.
tanzu package install cert-manager -p cert-manager.tanzu.vmware.com -n cert-manager -v 1.7.2+vmware.3-tkg.3
Use kubectl to verify the installation of Cert Manager.
kubectl -n cert-manager get packageinstalls
NAME           PACKAGE NAME                    PACKAGE VERSION        DESCRIPTION           AGE
cert-manager   cert-manager.tanzu.vmware.com   1.7.2+vmware.3-tkg.3   Reconcile succeeded   106s
Use the Tanzu CLI to verify the installation of Cert Manager.
tanzu package installed list -n cert-manager
NAME           PACKAGE-NAME                    PACKAGE-VERSION        STATUS
cert-manager   cert-manager.tanzu.vmware.com   1.7.2+vmware.3-tkg.3   Reconcile succeeded
tanzu package installed get -n cert-manager cert-manager
NAME: cert-manager
PACKAGE-NAME: cert-manager.tanzu.vmware.com
PACKAGE-VERSION: 1.7.2+vmware.3-tkg.3
STATUS: Reconcile succeeded
CONDITIONS: [{ReconcileSucceeded True }]
Use kubectl to check the Cert Manager namespace for resources created by the installation of the package.
kubectl -n cert-manager get all
NAME                                          READY   STATUS    RESTARTS   AGE
pod/cert-manager-b5675b75f-flkjp              1/1     Running   0          6m14s
pod/cert-manager-cainjector-f8dc756cf-f7xsv   1/1     Running   0          6m14s
pod/cert-manager-webhook-6c888c8ddd-5xlnb     1/1     Running   0          6m14s

NAME                           TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
service/cert-manager           ClusterIP   10.97.254.59     <none>        9402/TCP   6m14s
service/cert-manager-webhook   ClusterIP   10.105.225.156   <none>        443/TCP    6m14s

NAME                                      READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/cert-manager              1/1     1            1           6m14s
deployment.apps/cert-manager-cainjector   1/1     1            1           6m14s
deployment.apps/cert-manager-webhook      1/1     1            1           6m14s

NAME                                                DESIRED   CURRENT   READY   AGE
replicaset.apps/cert-manager-b5675b75f              1         1         1       6m14s
replicaset.apps/cert-manager-cainjector-f8dc756cf   1         1         1       6m14s
replicaset.apps/cert-manager-webhook-6c888c8ddd     1         1         1       6m14s
Cert Manager is a prerequisite for installing the other Tanzu packages.
Adhere to the following prerequisite before you install Cert Manager.
Cert Manager includes several components, as well as service accounts and RBAC objects. It is a prerequisite for the Tanzu packages.
Create the Cert Manager namespace.
kubectl create ns cert-manager
List the available Cert Manager versions in the repository.
imgpkg tag list -i projects.registry.vmware.com/tkg/packages/standard/cert-manager
The command lists all available Cert Manager packages.
Tags
Name
v1.1.0_vmware.1-tkg.2
...
v1.7.2_vmware.3-tkg.1
v1.7.2_vmware.3-tkg.2
v1.7.2_vmware.3-tkg.3
17 tags
Succeeded
The latest Cert Manager package for TKG 2.2 is v1.7.2_vmware.3-tkg.3. This is the version we will install. If necessary, adjust the version to meet your requirements.
Create the cert-manager.yaml specification with the most recent version of Cert Manager.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-manager-sa
  namespace: cert-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: cert-manager-sa
    namespace: cert-manager
---
apiVersion: packaging.carvel.dev/v1alpha1
kind: PackageInstall
metadata:
  name: cert-manager
  namespace: cert-manager
spec:
  serviceAccountName: cert-manager-sa
  packageRef:
    refName: cert-manager.tanzu.vmware.com
    versionSelection:
      constraints: 1.7.2+vmware.3-tkg.3
  values:
    - secretRef:
        name: cert-manager-data-values
---
apiVersion: v1
kind: Secret
metadata:
  name: cert-manager-data-values
  namespace: cert-manager
stringData:
  values.yml: |
    ---
    namespace: cert-manager
Install Cert Manager on the TKG cluster.
kubectl apply -f cert-manager.yaml
serviceaccount/cert-manager-sa created
clusterrolebinding.rbac.authorization.k8s.io/admin created
packageinstall.packaging.carvel.dev/cert-manager created
secret/cert-manager-data-values created
Verify the installation of Cert Manager.
kubectl get pods -A
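The cert-manager.yaml specification above binds cert-manager-sa to the cluster-admin ClusterRole, and the PackageInstall names that service account in serviceAccountName. As an added example (not part of the original documentation), the following Python script lists every service account bound to cluster-admin together with the PackageInstall objects that reference it. The sample JSON, the legacy-sa account and the old-installer and viewer bindings are constructed for illustration.

```python
"""List service accounts bound to cluster-admin and the PackageInstalls using them.
Live data: kubectl get clusterrolebindings -o json > crb.json
           kubectl get packageinstalls -A -o json > pkgi.json  (then pass both files)"""
import json
import sys
from pathlib import Path

# Constructed samples shaped like the kubectl JSON output above; the first
# binding and the PackageInstall mirror cert-manager.yaml from this page.
SAMPLE_CRB = json.dumps({"items": [
    {"metadata": {"name": "admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "cert-manager-sa",
                   "namespace": "cert-manager"}]},
    {"metadata": {"name": "old-installer"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "legacy-sa",
                   "namespace": "default"}]},
    {"metadata": {"name": "viewer"},
     "roleRef": {"kind": "ClusterRole", "name": "view"}, "subjects": None},
]})
SAMPLE_PKGI = json.dumps({"items": [
    {"metadata": {"name": "cert-manager", "namespace": "cert-manager"},
     "spec": {"serviceAccountName": "cert-manager-sa"}},
]})

def audit(crb_json, pkgi_json, role="cluster-admin"):
    """Return sorted (binding, namespace, sa, [packageinstalls]) for SAs bound to role."""
    users = {}  # (namespace, sa) -> names of PackageInstalls that run as it
    for p in json.loads(pkgi_json).get("items", []):
        key = (p["metadata"]["namespace"], p["spec"].get("serviceAccountName"))
        users.setdefault(key, []).append(p["metadata"]["name"])
    found = []
    for b in json.loads(crb_json).get("items", []):
        ref = b.get("roleRef", {})
        if (ref.get("kind"), ref.get("name")) != ("ClusterRole", role):
            continue
        for s in b.get("subjects") or []:  # subjects may be absent or null
            if s.get("kind") == "ServiceAccount":
                key = (s.get("namespace", ""), s["name"])
                found.append((b["metadata"]["name"], *key, sorted(users.get(key, []))))
    return sorted(found)

if __name__ == "__main__":
    crb, pkgi = SAMPLE_CRB, SAMPLE_PKGI  # fall back to the constructed samples
    if len(sys.argv) == 3:
        crb, pkgi = (Path(p).read_text() for p in sys.argv[1:3])
    for binding, ns, sa, used_by in audit(crb, pkgi):
        print(f"{binding}: {ns}/{sa} has cluster-admin; used by {', '.join(used_by) or 'no PackageInstall'}")
```

A service account that holds cluster-admin but is referenced by no PackageInstall is a candidate for review.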