This topic tells you how to install cert-manager from the Tanzu Application Platform (commonly known as TAP) package repository.
Note Follow the steps in this topic if you do not want to use a profile to install cert-manager. For more information about profiles, see Components and installation profiles.
The cert-manager package installs cert-manager and, optionally, a number of ClusterIssuer.
To install cert-manager with a self-signed ClusterIssuer from the Tanzu Application Platform package repository:
-
List version information for the package by running:
tanzu package available list cert-manager.tanzu.vmware.com -n tap-installFor example:
$ tanzu package available list cert-manager.tanzu.vmware.com -n tap-install / Retrieving package versions for cert-manager.tanzu.vmware.com... NAME VERSION RELEASED-AT cert-manager.tanzu.vmware.com 2.0.0 ...
-
Discover available configuration for the package by running:
tanzu package available get cert-manager.tanzu.vmware.com/2.0.0 --namespace tap-install --values-schemaFor example:
$ tanzu package available get cert-manager.tanzu.vmware.com/2.0.0 --namespace tap-install --values-schema KEY DEFAULT TYPE DESCRIPTION certManager.pspNames [] array PodSecurityPolicy names which cert-manager is allowed to use issuers [] array The ClusterIssuers to install - default: [] namespace string Cert-manager's namespace - also used as its cluster resource namespace https://cert-manager.io/v1.9-docs/faq/cluster-resource/
-
Create a file named
cert-manager-rbac.yamlby using the following sample:apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cert-manager-tap-install-cluster-admin-role rules: - apiGroups: - '*' resources: - '*' verbs: - '*' --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: cert-manager-tap-install-cluster-admin-role-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cert-manager-tap-install-cluster-admin-role subjects: - kind: ServiceAccount name: cert-manager-tap-install-sa namespace: tap-install --- apiVersion: v1 kind: ServiceAccount metadata: name: cert-manager-tap-install-sa namespace: tap-install
Apply the configuration:
kubectl apply -f cert-manager-rbac.yaml -
Create a file named
cert-manager-install.yamlby using the following sample:--- apiVersion: packaging.carvel.dev/v1alpha1 kind: PackageInstall metadata: name: cert-manager namespace: tap-install spec: serviceAccountName: cert-manager-tap-install-sa packageRef: refName: cert-manager.tanzu.vmware.com versionSelection: constraints: "VERSION-NUMBER" prereleases: {} values: - secretRef: name: cert-manager-values --- apiVersion: v1 kind: Secret metadata: name: cert-manager-values namespace: tap-install stringData: values.yaml: | issuers: - name: tap-ingress-selfsigned self_signed: {}
Where:
VERSION-NUMBERis the version of the package listed earlier.- Secret
cert-manager-valuescontains your configuration of the cert-manager package.
Apply the configuration:
kubectl apply -f cert-manager-install.yaml -
Verify the package installation:
tanzu package installed get cert-manager -n tap-installFor example:
$ tanzu package installed get cert-manager -n tap-install / Retrieving installation details for cert-manager... NAME: cert-manager PACKAGE-NAME: cert-manager.tanzu.vmware.com PACKAGE-VERSION: 2.0.0 STATUS: Reconcile succeeded CONDITIONS: [{ReconcileSucceeded True}] USEFUL-ERROR-MESSAGE:
Verify that
STATUSisReconcile succeeded -
Verify that cert-manager is up and running:
kubectl get deployment -n cert-managerFor example:
$ kubectl get deployment -n cert-manager NAME READY UP-TO-DATE AVAILABLE AGE cert-manager 1/1 1 1 5m cert-manager-cainjector 1/1 1 1 5m cert-manager-webhook 1/1 1 1 5m
-
Verify that the self-signed
ClusterIssueris present:kubectl get clusterissuerFor example:
$ kubectl get clusterissuer NAME READY AGE tap-ingress-selfsigned True 5m tap-ingress-selfsigned-bootstrap True 5m ...