
Installing cert-manager using Helm

In this tutorial, you'll use Helm to install cert-manager on Kubernetes. See the cert-manager open-source documentation for alternate install options.

Prerequisites

To complete these steps, you must have:

  • On your local machine, kubectl and Helm 3.8.0+.
  • Permission to install Helm charts and custom resource definitions (CRDs) in your Kubernetes cluster.
  • Private registry access through a Built-in Account with the OCI Registry Use Case and cert-manager Components Scope, and a pull secret created with kubectl, as described in Configuring Next-Gen Trust Security registry access.
  • Access to a Next-Gen Trust Security tenant.

Custom CA bundles

To configure custom CA bundles, see Installing Enterprise Issuer.

Step 1: Install cert-manager using Helm

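Choose the method that matches your cert-manager version. The first procedure is for cert-manager v1.20 and later; the second is for versions prior to v1.20.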

  1. To install cert-manager and configure it to use a pull secret, create cert-manager.values.yaml.

    # cert-manager.values.yaml
    global:
      imagePullSecrets:
        - name: ngts-image-pull-secret
    
    crds:
      enabled: true
    
    # Add if using your own registry
    # imageRegistry: myregistry.example.com
    # imageNamespace: cert-manager
    
  2. Install cert-manager and wait for it to be ready:

    helm upgrade cert-manager oci://registry.ngts.paloaltonetworks.com/charts/cert-manager \
      --install \
      --wait \
      --create-namespace \
      --namespace venafi \
      --values cert-manager.values.yaml \
      --version v1.20.0
    

Prior to cert-manager v1.20, you specify the full image path for each component in the values file.

  1. To install cert-manager in the venafi namespace and configure it to use a pull secret, create cert-manager.values.yaml.

    If using your own registry, replace registry.ngts.paloaltonetworks.com with your registry URL.

    # cert-manager.values.yaml
    global:
      imagePullSecrets:
        - name: ngts-image-pull-secret
    
    crds:
      enabled: true
    
    image:
      repository: registry.ngts.paloaltonetworks.com/cert-manager/cert-manager-controller
    
    acmesolver:
      image:
        repository: registry.ngts.paloaltonetworks.com/cert-manager/cert-manager-acmesolver
    
    webhook:
      image:
        repository: registry.ngts.paloaltonetworks.com/cert-manager/cert-manager-webhook
    
    cainjector:
      image:
        repository: registry.ngts.paloaltonetworks.com/cert-manager/cert-manager-cainjector
    
    startupapicheck:
      image:
        repository: registry.ngts.paloaltonetworks.com/cert-manager/cert-manager-startupapicheck
    
  2. Install cert-manager and wait for it to be ready:

    helm upgrade cert-manager oci://registry.ngts.paloaltonetworks.com/charts/cert-manager \
      --install \
      --wait \
      --create-namespace \
      --namespace venafi \
      --values cert-manager.values.yaml \
      --version vX.X.X
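
After either install, it is worth confirming that every pod in the venafi namespace pulls from the private registry and references the pull secret, because in the pre-v1.20 values file a component whose image override is left out will come from a different registry. The following check is an added example, not part of the original documentation; the function names, pod names and sample lines are constructed, and the kubectl query in the comment is one way to produce the input.

```shell
#!/bin/sh
# Registry host and pull secret name, taken from the values files on this page.
REGISTRY="registry.ngts.paloaltonetworks.com"
PULL_SECRET="ngts-image-pull-secret"

# Live input, one tab-separated line per pod (name, images, pull secrets):
#   kubectl get pods -n venafi -o \
#     jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[*].image}{"\t"}{.spec.imagePullSecrets[*].name}{"\n"}{end}'

# check_pod_images: reads those lines on stdin, prints one finding per problem,
# returns 1 if any image is outside REGISTRY or a pod lacks PULL_SECRET.
check_pod_images() {
  awk -F '\t' -v reg="$REGISTRY" -v secret="$PULL_SECRET" '
    NF == 0 { next }
    {
      n = split($2, images, " ")
      for (i = 1; i <= n; i++)
        if (index(images[i], reg "/") != 1) {
          printf "%s: image %s is not from %s\n", $1, images[i], reg
          bad = 1
        }
      found = 0
      m = split($3, secrets, " ")
      for (j = 1; j <= m; j++)
        if (secrets[j] == secret) found = 1
      if (!found) {
        printf "%s: pull secret %s not referenced\n", $1, secret
        bad = 1
      }
    }
    END { exit bad + 0 }
  '
}

# Constructed sample: cainjector simulates a missing image override,
# webhook simulates a pod without the pull secret.
sample_pods() {
  printf '%s\t%s\t%s\n' \
    "cert-manager-aaa" "$REGISTRY/cert-manager/cert-manager-controller:vX.X.X" "$PULL_SECRET" \
    "cert-manager-cainjector-bbb" "quay.io/jetstack/cert-manager-cainjector:vX.X.X" "$PULL_SECRET" \
    "cert-manager-webhook-ccc" "$REGISTRY/cert-manager/cert-manager-webhook:vX.X.X" ""
}

sample_pods | check_pod_images || echo "Fix the findings above, then re-run helm upgrade."
```
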
    

What's next?

With cert-manager installed, you can now add components that extend it. Enterprise Issuer lets your clusters request certificates from Next-Gen Trust Security.