This topic gives an overview of the Cert Manager package, which you can install in Tanzu Kubernetes Grid (TKG) workload clusters to provide certificate management services for the cluster.
Cert Manager provides certificate management for the TKG cluster.
Cert Manager is a prerequisite for many other Tanzu packages and is usually the first package you install.
Installation: Install Cert Manager on a workload cluster in one of the following ways, based on its deployment option:

- TKG on Supervisor:
- Standalone management cluster: Install Cert Manager in Workload Clusters Deployed by a Standalone Management Cluster
The cert-manager package installs the containers listed in the table below on the cluster. For more information, see https://cert-manager.io/. The containers are pulled from the VMware public registry specified in the Package Repository.
Container | Resource Type | Replicas | Description |
---|---|---|---|
cert-manager | Deployment | 1 | Controller for certificate and issuer resources |
cert-manager-cainjector | Deployment | 1 | Controller to inject CA certificates into webhooks, API services and CRDs |
cert-manager-webhook | Deployment | 1 | Webhook for validating, mutating, defaulting and converting cert-manager API resources |
cert-manager-acmesolver | Pod | 1 per ACME challenge, short-lived | Solver for an ACME challenge which gets deployed dynamically per challenge |
You can customize your cert-manager installation by editing the default values in the cert-manager package configuration file.

The table below describes the values that you can customize in the cert-manager-data-values.yaml file and how they modify the default installation of cert-manager when it is deployed into a workload cluster.

Parameter | Description | Type | Default |
---|---|---|---|
issuers * | An array of bootstrapped, self-signed ClusterIssuer resources to be created by the package installation | array of objects | [] |
kubernetes_distribution * | The distribution of Kubernetes, used to determine whether distribution-specific configuration needs to be applied. Options are an empty string "" and openshift. If running on an OpenShift cluster, this must be set to openshift. When set to openshift, a Role and RoleBinding are created to associate cert-manager's components with the appropriate OpenShift Security Context Constraint resource. | string | none |
kubernetes_version * | The version of Kubernetes being used, for enabling version-specific behaviors. Accepts any valid major.minor.patch version of Kubernetes. This field is optional. Currently it only has an effect when kubernetes_distribution is set to openshift. | semantic version string | none |
namespace | The namespace where the cert-manager pods run, distinct from the namespace where the packages are deployed. This is also known as the cert-manager cluster resource namespace. ACME solver pods run in the namespace of their Certificate. | string | cert-manager |

* New parameter in cert-manager.tanzu.vmware.com/1.12.2+vmware.1-tkg.1.
Examples for issuers:

Include a single, self-signed ClusterIssuer:

```yaml
issuers:
- name: my-self-signed
  self_signed: {}
```

Include a single, self-signed ClusterIssuer with a specific private key configuration:

```yaml
issuers:
- name: my-self-signed
  self_signed:
    private_key:
      algorithm: RSA
      size: 8192
      encoding: PKCS8
```
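The following added example (not part of the TKG package or the cert-manager project) is a pre-deployment sanity check that encodes the constraints documented in the table above, so a malformed or weak cert-manager-data-values.yaml is caught before the package is reconciled. It takes the values as a Python dict (in practice, load the file with yaml.safe_load() first); the RSA default size of 2048 and the duplicate-name check are assumptions based on cert-manager and ClusterIssuer semantics, not on the TKG package documentation.

```python
import re

SEMVER_RE = re.compile(r"^\d+\.\d+\.\d+$")
ALLOWED_DISTRIBUTIONS = {"", "openshift"}

# Constructed sample: the page's second issuers example, with the other
# documented parameters left at their defaults.
EXAMPLE_VALUES = {
    "issuers": [
        {"name": "my-self-signed",
         "self_signed": {"private_key": {"algorithm": "RSA", "size": 8192, "encoding": "PKCS8"}}},
    ],
}


def validate_values(values):
    """Return a list of 'error:'/'warn:' strings; an empty list means the values look sane."""
    problems = []
    issuers = values.get("issuers", [])
    if not isinstance(issuers, list):
        problems.append("error: issuers must be an array of objects")
        issuers = []
    seen = set()
    for i, issuer in enumerate(issuers):
        if not isinstance(issuer, dict) or not isinstance(issuer.get("name"), str):
            problems.append(f"error: issuers[{i}] needs a string name")
            continue
        # ClusterIssuers are cluster-scoped, so two entries with one name would collide (assumption).
        if issuer["name"] in seen:
            problems.append(f"error: issuers[{i}] duplicates the name {issuer['name']!r}")
        seen.add(issuer["name"])
        if "self_signed" not in issuer:
            problems.append(f"error: issuers[{i}] has no self_signed block; only self-signed issuers are bootstrapped")
            continue
        key = (issuer["self_signed"] or {}).get("private_key") or {}
        size = key.get("size", 2048)  # assumed cert-manager default when size is omitted
        if key.get("algorithm") == "RSA" and (not isinstance(size, int) or size < 2048):
            problems.append(f"warn: issuers[{i}] uses an RSA key shorter than 2048 bits")
    dist = values.get("kubernetes_distribution", "")
    if dist not in ALLOWED_DISTRIBUTIONS:
        problems.append(f'error: kubernetes_distribution must be "" or "openshift", got {dist!r}')
    version = values.get("kubernetes_version")
    if version is not None and not SEMVER_RE.match(str(version)):
        problems.append(f"error: kubernetes_version must be major.minor.patch, got {version!r}")
    if version is not None and dist != "openshift":
        problems.append("warn: kubernetes_version has no effect unless kubernetes_distribution is openshift")
    namespace = values.get("namespace", "cert-manager")
    if not isinstance(namespace, str) or not namespace:
        problems.append("error: namespace must be a non-empty string")
    return problems
```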