Install cert-manager

Install cert-manager to use with AWS Certificate Manager (ACM) in your Kubernetes and OpenShift environments.

To use ACM, you must also install the aws-privateca-issuer plug-in for the AWS Certificate Manager Private Certificate Authority (AWS ACM PCA). This plug-in lets cert-manager use ACM to create and manage the root and intermediate CA certificates for Gloo Mesh Enterprise.

Install cert-manager

  1. In your management cluster, install cert-manager. For more information about installation options and versions, see the cert-manager documentation.

    • kubectl installation:
      kubectl apply --context $MGMT_CONTEXT -f https://github.com/jetstack/cert-manager/releases/download/v1.5.4/cert-manager.yaml
      
    • Helm installation:
      helm repo add jetstack https://charts.jetstack.io
      helm repo update
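      # Target the management cluster explicitly, matching the kubectl commands
      helm install \
        cert-manager jetstack/cert-manager \
        --kube-context $MGMT_CONTEXT \
        --namespace cert-manager \
        --create-namespace \
        --version v1.5.4 \
        --set installCRDs=true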
      
  2. Verify that cert-manager was successfully installed.

    kubectl get po -n cert-manager --context $MGMT_CONTEXT
    

    Example output:

    NAME                                       READY   STATUS    RESTARTS   AGE
    cert-manager-7c6f78c46d-247br              1/1     Running   0          17s
    cert-manager-cainjector-668d9c86df-7cqb8   1/1     Running   0          17s
    cert-manager-webhook-764b556954-2m4zf      1/1     Running   0          17s
    

Install the AWS ACM PCA plug-in

  1. Install the AWS ACM PCA plug-in. For more information, see the aws-privateca-issuer plug-in documentation.

    helm repo add awspca https://cert-manager.github.io/aws-privateca-issuer
    helm repo update
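    # Target the management cluster explicitly, matching the kubectl commands
    helm upgrade --install pca-issuer awspca/aws-privateca-issuer \
      --kube-context $MGMT_CONTEXT \
      --namespace cert-manager \
      --set image.tag=v1.2.1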
    
  2. Verify that the plug-in was successfully installed.

    kubectl get po -n cert-manager --context $MGMT_CONTEXT
    

    Example output:

    NAME                                               READY   STATUS    RESTARTS   AGE
    ...
    pca-issuer-aws-privateca-issuer-6768d7454b-w8d4l   1/1     Running   0          15s
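
Both verification steps above can be scripted instead of read by eye. The following is an added example, not part of the original page or of the cert-manager or Gloo Mesh projects: the function name check_pods and the sample tables are assumptions, and the workload names are derived from the example output on this page.

```shell
#!/usr/bin/env bash
# Added example. Usage against a live cluster:
#   kubectl get po -n cert-manager --context "$MGMT_CONTEXT" | check_pods
# Workload names are taken from the example output on this page.
EXPECTED="cert-manager cert-manager-cainjector cert-manager-webhook pca-issuer-aws-privateca-issuer"

# check_pods: reads a `kubectl get po` table on stdin. Returns 0 only if every
# expected workload has at least one pod Running with all containers ready.
check_pods() {
  awk -v expected="$EXPECTED" '
    $1 == "NAME" || $1 == "..." || NF < 3 { next }   # header, elision, blanks
    {
      name = $1
      # Pod names look like <deployment>-<replicaset-hash>-<pod-id>;
      # drop the last two segments to recover the deployment name.
      sub(/-[a-z0-9]+-[a-z0-9]+$/, "", name)
      split($2, r, "/")                              # READY column, e.g. 1/1
      if ($3 == "Running" && r[1] == r[2] && r[2] > 0) ok[name] = 1
    }
    END {
      n = split(expected, want, " ")
      rc = 0
      for (i = 1; i <= n; i++)
        if (!(want[i] in ok)) {
          print "missing or not ready: " want[i] > "/dev/stderr"
          rc = 1
        }
      exit rc
    }'
}

# Sample input: the example output shown on this page.
SAMPLE_OK='NAME                                               READY   STATUS    RESTARTS   AGE
cert-manager-7c6f78c46d-247br                      1/1     Running   0          17s
cert-manager-cainjector-668d9c86df-7cqb8           1/1     Running   0          17s
cert-manager-webhook-764b556954-2m4zf              1/1     Running   0          17s
pca-issuer-aws-privateca-issuer-6768d7454b-w8d4l   1/1     Running   0          15s'

# Constructed failure case: webhook not ready, plug-in pod absent.
SAMPLE_BAD='NAME                                       READY   STATUS              RESTARTS   AGE
cert-manager-7c6f78c46d-247br              1/1     Running             0          17s
cert-manager-cainjector-668d9c86df-7cqb8   1/1     Running             0          17s
cert-manager-webhook-764b556954-2m4zf      0/1     ContainerCreating   0          17s'
```

A non-zero exit status makes the check usable as a gate in a provisioning script before any issuer resources are created.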