Installing cert-manager as an EKS add-on via AWS Marketplace
For your convenience, cert-manager is available on the AWS Marketplace as CyberArk Long Term Support (LTS) for cert-manager. You can obtain the cert-manager artifacts and deploy them to any Red Hat OpenShift or Kubernetes cluster using Helm, or install cert-manager directly as an Amazon EKS add-on in your EKS clusters.
Access to CyberArk Long Term Support (LTS) for cert-manager requires an active subscription.
The following instructions outline how to deploy a standard cert-manager, as well as a FIPS-compliant version, as an Amazon EKS add-on to your EKS clusters.
Installation
There are two options you can use to install the CyberArk LTS for cert-manager EKS add-on:
- Using the AWS Management Console
- Using the AWS command line tool
Using the AWS Management Console:
- Open the AWS Management Console and go to the EKS cluster where you want to deploy the add-on.
- Select the Add-ons tab, and click Get more add-ons.
- To find the CyberArk add-on for cert-manager, scroll down to the AWS Marketplace add-ons section. In the filter, type CyberArk, then select CyberArk Long Term Support (LTS) for cert-manager (EKS Add-On and Helm). Click Next.
- If the add-on status shows Requires subscription, follow the on-screen prompts to complete the subscription process.
- From the Version drop-down, select the add-on release to install. Choose the latest Long-Term Support (LTS) or Standard Term Support (STS) version of cert-manager.
- Expand the Optional configuration section. Although the AWS Management Console may display this step as optional, you must configure some additional options. Without these, cert-manager will not initialize or function correctly. To simplify setup, use the relevant example (standard or FIPS) from the Sample values file for cert-manager section below.
- Follow the remaining prompts to finalize the installation.
Using the AWS command line tool:
- Use the following command to list all available versions of the CyberArk cert-manager EKS add-on:

      aws eks describe-addon-versions \
        --addon-name cyberark_cert-manager-eks \
        --query 'addons[].addonVersions[].addonVersion'

  Tip: To filter versions for a specific Kubernetes release, add the --kubernetes-version flag. For example, --kubernetes-version 1.33.
- Run the command below to install the CyberArk EKS add-on for cert-manager:

      aws eks create-addon \
        --addon-name cyberark_cert-manager-eks \
        --addon-version <LTS_or_STS_VERSION> \
        --resolve-conflicts <None | Overwrite | Preserve> \
        --region <AWS_REGION> \
        --cluster-name <CLUSTER_NAME> \
        --configuration-values file://<VALUES FILE>

  | Flag | Description |
  | --- | --- |
  | --addon-name | The name of the add-on. This must be set to: cyberark_cert-manager-eks. |
  | --addon-version | The version of the add-on you want to install. Choose the most recent Long-Term Support (LTS) or Standard Term Support (STS) version. For example, v1.17.4-eksbuild.1. |
  | --resolve-conflicts | How to resolve field value conflicts for an Amazon EKS add-on. Conflicts are handled based on the value you choose. Possible values: None, Overwrite, or Preserve. |
  | --region | The AWS region where your EKS cluster is deployed. |
  | --cluster-name | The name of the EKS cluster where the add-on will be installed. |
  | --configuration-values | The path to your cert-manager.values.yaml file, prefixed with file://. This file supplies additional configuration values. For a quick start, use the appropriate sample (standard or FIPS) from the Sample values file for cert-manager section below. |

  Usage example:

      aws eks create-addon \
        --addon-name cyberark_cert-manager-eks \
        --addon-version v1.17.4-eksbuild.1 \
        --resolve-conflicts None \
        --region us-east-1 \
        --cluster-name my-cluster \
        --configuration-values file://cert-manager.values.yaml

- The add-on installation process is asynchronous. To verify its status, run:

      aws eks describe-addon \
        --addon-name cyberark_cert-manager-eks \
        --region <AWS_REGION> \
        --cluster-name <CLUSTER_NAME>

  Usage example:

      aws eks describe-addon \
        --addon-name cyberark_cert-manager-eks \
        --region us-east-1 \
        --cluster-name my-cluster

Sample values file for cert-manager
Use the sample configuration below. Either paste it into the AWS Management Console when deploying the add-on, or save it as cert-manager.values.yaml to pass to the AWS CLI. This file defines the customization parameters used during installation of the CyberArk cert-manager EKS add-on.
Choose the sample that matches your environment (standard or FIPS images) below.
Standard images:

    crds:
      enabled: true
    global:
      leaderElection:
        namespace: cyberark

FIPS images:

    crds:
      enabled: true
    global:
      leaderElection:
        namespace: cyberark
    image:
      repository: cyberark/cert-manager/cert-manager-controller-fips
    affinity:
      nodeAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          nodeSelectorTerms:
            - matchExpressions:
                - key: kubernetes.io/arch
                  operator: In
                  values:
                    - amd64
                - key: kubernetes.io/os
                  operator: In
                  values:
                    - linux
    acmesolver:
      image:
        repository: cyberark/cert-manager/cert-manager-acmesolver-fips
    webhook:
      image:
        repository: cyberark/cert-manager/cert-manager-webhook-fips
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values:
                      - amd64
                  - key: kubernetes.io/os
                    operator: In
                    values:
                      - linux
    cainjector:
      image:
        repository: cyberark/cert-manager/cert-manager-cainjector-fips
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values:
                      - amd64
                  - key: kubernetes.io/os
                    operator: In
                    values:
                      - linux
    startupapicheck:
      image:
        repository: cyberark/cert-manager/cert-manager-startupapicheck-fips
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values:
                      - amd64
                  - key: kubernetes.io/os
                    operator: In
                    values:
                      - linux

Add any additional values required for your environment. For the complete list of configurable parameters, see the Helm chart configuration specification.
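The shell helpers below are an added example, not part of the original page or of CyberArk's tooling. They check that a values file carries all five -fips image overrides from the FIPS sample before it is passed to aws eks create-addon, and that the images running after deployment are FIPS builds. The cyberark pod namespace in the kubectl comment and the registry.example image references are assumptions, and the sample input is constructed.

```shell
#!/bin/sh
# Added example (not CyberArk code): FIPS consistency checks for the add-on.

# Components whose image repository the FIPS sample values file overrides.
FIPS_COMPONENTS="controller acmesolver webhook cainjector startupapicheck"

# missing_fips_overrides FILE
# Prints every component that has no unquoted
# "repository: .../cert-manager-<component>-fips" line in FILE.
# No output means all five overrides are present.
missing_fips_overrides() {
    for c in $FIPS_COMPONENTS; do
        grep -Eq "^[[:space:]]*repository:[[:space:]]*[^[:space:]]*cert-manager-$c-fips[[:space:]]*\$" "$1" \
            || echo "$c"
    done
}

# non_fips_images
# Reads image references on stdin, one per line, and prints those whose
# image name does not end in -fips. Tags, digests and registry ports are
# ignored; a final line without a trailing newline is still processed.
non_fips_images() {
    while IFS= read -r img || [ -n "$img" ]; do
        [ -n "$img" ] || continue
        name=${img%%@*}    # drop an @sha256:... digest
        name=${name##*/}   # keep the last path component (skips host:port)
        name=${name%%:*}   # drop a :tag
        case "$name" in
            *-fips) ;;
            *) echo "$img" ;;
        esac
    done
}

# Pre-flight, before aws eks create-addon:
#   missing_fips_overrides cert-manager.values.yaml
# Live cluster (assumption: the add-on's pods run in the cyberark namespace):
#   kubectl get pods -n cyberark \
#     -o jsonpath='{.items[*].spec.containers[*].image}' \
#     | tr -s '[:space:]' '\n' | non_fips_images

# Constructed sample: the webhook image is the standard (non-FIPS) build.
printf '%s\n' \
    'registry.example/cyberark/cert-manager/cert-manager-controller-fips:v1.17.4' \
    'registry.example/cyberark/cert-manager/cert-manager-webhook:v1.17.4' \
    | non_fips_images
```

Both functions print only the offending entries, so empty output is the passing result in a deployment pipeline.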
Uninstalling the EKS add-on
Using the AWS Management Console:
- Open the AWS Management Console and go to the EKS cluster where the add-on is installed.
- Select the CyberArk add-on for cert-manager, and choose Delete.
- Confirm the deletion and wait for the status to show Deleted.

Using the AWS command line tool:
- Use the AWS CLI to remove the add-on from your cluster:

      aws eks delete-addon \
        --addon-name cyberark_cert-manager-eks \
        --region <AWS_REGION> \
        --cluster-name <CLUSTER_NAME>

  --region: The AWS region where your EKS cluster is deployed.
  --cluster-name: The name of the EKS cluster where the add-on is installed.
- Since removal is asynchronous, check the status with:

      aws eks describe-addon \
        --addon-name cyberark_cert-manager-eks \
        --region <AWS_REGION> \
        --cluster-name <CLUSTER_NAME>

  If the add-on is successfully removed, it will no longer appear in the output. During deletion, you might briefly see statuses like DELETING.