Tanzu Packages latest

PDF

Install Cert Manager in Workload Clusters Deployed by a Standalone Management Cluster

Last Updated February 10, 2025

This topic explains how to install cert-manager into a workload cluster in Tanzu Kubernetes Grid (TKG). cert-manager installs automatically in a standalone management cluster.

This documentation is applicable only to Tanzu Kubernetes Grid with management clusters. If you are using TKGS with vSphere Supervisor, see Installing Standard Packages on TKG Service Clusters.

This topic applies to workload clusters running on vSphere, Amazon Web Services (AWS), and Azure.

As of v2.5, TKG does not support clusters on AWS or Azure. See the End of Support for TKG Management and Workload Clusters on AWS and Azure in the Tanzu Kubernetes Grid v2.5 Release Notes.

Prepare the Workload Cluster for cert-manager Installation

To prepare the cluster:

  1. Get the admin credentials of the workload cluster into which you want to deploy cert-manager. For example:

    tanzu cluster kubeconfig get my-cluster --admin

  2. Set the context of kubectl to the cluster. For example:

    kubectl config use-context my-cluster-admin@my-cluster

Install Cert Manager

To install cert-manager:

  1. If you are installing cert-manager to a single-node cluster as described in Single-Node Clusters on vSphere, patch the cert-manager package annotations to prevent a conflict between the cert-manager installed as a core package on single-node clusters and the cert-manager in the Tanzu standard repo:

    kubectl annotate --overwrite package cert-manager.tanzu.vmware.com.v1.12.10+vmware.2-tkg.2 tkg.tanzu.vmware.com/package-repo='standard'

  2. If the cluster does not have a package repository with the cert-manager package installed, such as the tanzu-standard repository, install one:

    tanzu package repository add PACKAGE-REPO-NAME --url PACKAGE-REPO-ENDPOINT --namespace tkg-system

    Where:

    • PACKAGE-REPO-NAME is the name of the package repository, such as tanzu-standard or the name of a private image registry configured with ADDITIONAL_IMAGE_REGISTRY variables.

    • PACKAGE-REPO-ENDPOINT is the URL of the package repository.

      • For the TKG v2.5.2 release, the tanzu-standard URL is projects.packages.broadcom.com/tkg/packages/standard/repo:v2025.1.27. See List Package Repositories to obtain this value from the Tanzu CLI, or in Tanzu Mission Control see the Addons > Repositories list in the Cluster pane.

  3. Confirm that the cert-manager package is available in your workload cluster:

    tanzu package available list -A

  4. Retrieve the version of the available package:

    tanzu package available list cert-manager.tanzu.vmware.com -A

  5. Install the cert-manager package:

    tanzu package install cert-manager --package cert-manager.tanzu.vmware.com --namespace TARGET-NAMESPACE --version AVAILABLE-PACKAGE-VERSION

    Where:

    • TARGET-NAMESPACE is the namespace in which you want to install the cert-manager package. For example, the my-packages or tanzu-cli-managed-packages namespace.

      • If the --namespace flag is not specified, the Tanzu CLI installs the package in the default namespace.
      • The specified namespace must already exist, for example from running kubectl create namespace my-packages.
    • AVAILABLE-PACKAGE-VERSION is the version that you retrieved above.

    For example:

    tanzu package install cert-manager --package cert-manager.tanzu.vmware.com --namespace my-packages --version v1.12.10+vmware.2-tkg.2

  6. Confirm that the cert-manager package has been installed:

    tanzu package installed list -A

    The cert-manager package and cert-manager app are installed in the namespace that you specify when running the tanzu package install command.

  7. Confirm that the cert-manager app has been successfully reconciled in your TARGET-NAMESPACE. For example:

    kubectl get apps -A
NAMESPACE     NAME             DESCRIPTION           SINCE-DEPLOY   AGE
my-packages   cert-manager     Reconcile succeeded   3m2s           3m12s
...

    If the status is not Reconcile Succeeded, view the full status details of the cert-manager app. Viewing the full status can help you to troubleshoot the problem.

    kubectl get app cert-manager --namespace TARGET-NAMESPACE -o yaml

    Where TARGET-NAMESPACE is the namespace in which you installed the package. If troubleshooting does not help you solve the problem, you must uninstall the package before installing it again:

    tanzu package installed delete cert-manager --namespace TARGET-NAMESPACE

  8. Confirm that the cert-manager- pods are running:

    kubectl get pods -A

    The cert-manager pods and any other resources associated with the cert-manager component are created in the cert-manager namespace.