This topic gives an overview of the Cert Manager package, which you can install in Tanzu Kubernetes Grid (TKG) workload clusters to provide certificate management services for the cluster.
Cert Manager provides certificate management for the TKG cluster.
Cert Manager is a prerequisite for many other Tanzu packages and is usually the first package you install. See Install Cert Manager in Workload Clusters Deployed by a Standalone Management Cluster.
Cert Manager Components
The cert-manager package installs the containers listed in the table below on the cluster. For more information, see https://cert-manager.io/. The containers are pulled from the VMware public registry specified in the Package Repository.
Container | Resource Type | Replicas | Description
---|---|---|---
cert-manager | Deployment | 1 | Controller for Certificate and Issuer resources
cert-manager-cainjector | Deployment | 1 | Controller that injects CA certificates into webhooks, API services and CRDs
cert-manager-webhook | Deployment | 1 | Webhook for validating, mutating, defaulting and converting cert-manager API resources
cert-manager-acmesolver | Pod | 1 per ACME challenge, short-lived | Solver for an ACME challenge, deployed dynamically per challenge
Cert Manager Package Configuration Parameters
You can customize your cert-manager installation by editing the default values in the cert-manager package configuration file. The table below describes the values you can set in the cert-manager-data-values.yaml file and how they modify the default installation of cert-manager when it is deployed into a workload cluster.
Parameter | Description | Type | Default
---|---|---|---
issuers * | An array of bootstrapped, self-signed ClusterIssuer resources to be created by the package installation | array of objects | []
kubernetes_distribution * | The distribution of Kubernetes, used to determine whether distribution-specific configuration needs to be applied. Options are an empty string "" and openshift. If running on an OpenShift cluster, this must be set to openshift. When set to openshift, a Role and RoleBinding are created to associate cert-manager's components with the appropriate OpenShift Security Context Constraint resource. | string | none
kubernetes_version * | The version of Kubernetes being used, for enabling version-specific behaviors. Accepts any valid major.minor.patch version of Kubernetes. This field is optional and currently only has an effect when kubernetes_distribution is set to openshift. | semantic version string | none
namespace | The namespace where the cert-manager pods run, distinct from the namespace where the packages are deployed. This is also known as the cert-manager cluster resource namespace. ACME solver pods run in the namespace of their Certificate. | string | cert-manager
\* New parameter in cert-manager.tanzu.vmware.com/v1.12.10+vmware.2-tkg.2.
Examples for issuers:

- Include a single, self-signed ClusterIssuer:

```yaml
issuers:
- name: my-self-signed
  self_signed: {}
```

- Include a single, self-signed ClusterIssuer with a specific private key configuration:

```yaml
issuers:
- name: my-self-signed
  self_signed:
    private_key:
      algorithm: RSA
      size: 8192
      encoding: PKCS8
```
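The following is an added example, not part of the original page or of the VMware package itself. It shows a complete cert-manager-data-values.yaml that sets the documented parameters, followed by a Certificate manifest that consumes the bootstrapped ClusterIssuer once the package is installed. The namespace demo, the names demo-tls and demo.example.internal, and the durations are constructed values; the Certificate fields (secretName, duration, renewBefore, dnsNames, privateKey, issuerRef) are the standard cert-manager.io/v1 API, which the page does not describe.

```yaml
# File 1: cert-manager-data-values.yaml (constructed example, passed to the package install)
# The namespace the cert-manager pods run in; "cert-manager" is the package default.
namespace: cert-manager
# Leave empty unless the workload cluster is OpenShift, in which case set "openshift".
kubernetes_distribution: ""
# kubernetes_version is optional and only consulted when kubernetes_distribution is
# "openshift", so it is omitted here.
# Bootstrapped self-signed ClusterIssuer created by the package. A self-signed issuer
# is suitable for bootstrapping and in-cluster testing; its certificates are not trusted
# by clients unless the issuing key material is distributed to them.
issuers:
- name: my-self-signed
  self_signed:
    private_key:
      algorithm: RSA
      size: 4096
      encoding: PKCS8

---
# File 2: example-cert.yaml (constructed example, applied with kubectl after install)
# Requests a certificate from the ClusterIssuer bootstrapped above. Because the
# issuer is cluster-scoped, the Certificate can live in any namespace.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: demo-tls
  namespace: demo
spec:
  # Secret that cert-manager creates in the demo namespace with tls.crt and tls.key.
  secretName: demo-tls
  # 90-day lifetime, renewed 15 days before expiry.
  duration: 2160h
  renewBefore: 360h
  dnsNames:
  - demo.example.internal
  privateKey:
    algorithm: RSA
    size: 2048
    encoding: PKCS8
  issuerRef:
    name: my-self-signed
    kind: ClusterIssuer
    group: cert-manager.io
```

After the package reconciles, `kubectl get clusterissuer my-self-signed` should report Ready as True, and `kubectl get deployments -n cert-manager` should list the three Deployments from the components table. Only ACME issuers create cert-manager-acmesolver pods, so none appear for a self-signed issuer. Once example-cert.yaml is applied, `kubectl get certificate -n demo demo-tls` reports Ready once the demo-tls Secret has been populated.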