Installing cert-manager as an EKS add-on via AWS Marketplace

For your convenience, cert-manager is available on the AWS Marketplace as CyberArk Long Term Support (LTS) for cert-manager. You can obtain the cert-manager artifacts and deploy them to any Red Hat OpenShift or Kubernetes cluster using Helm, or install cert-manager directly as an Amazon EKS add-on in your EKS clusters.

Access to CyberArk Long Term Support (LTS) for cert-manager requires an active subscription.

The following instructions outline how to deploy a standard cert-manager, as well as a FIPS-compliant version, as an Amazon EKS add-on to your EKS clusters.

Installation

There are two options you can use to install the CyberArk LTS for cert-manager EKS add-on:

  • Using the AWS Management Console
  • Using the AWS command line tool

Using the AWS Management Console

  1. Open the AWS Management Console and go to the EKS cluster where you want to deploy the add-on.
  2. Select the Add-ons tab, and click Get more add-ons.
  3. To find the CyberArk add-on for cert-manager, scroll down to the AWS Marketplace add-ons section. In the filter, type CyberArk, then select CyberArk Long Term Support (LTS) for cert-manager (EKS Add-On and Helm). Click Next.
  4. If the add-on status shows Requires subscription, follow the on-screen prompts to complete the subscription process.
  5. From the Version drop-down, select the add-on release to install. Choose the latest Long-Term Support (LTS) or Standard Term Support (STS) version of cert-manager.
  6. Expand the Optional configuration section. Although the AWS Management Console may display this step as optional, you must configure some additional options. Without these, cert-manager will not initialize or function correctly. To simplify setup, use the relevant example (standard or FIPS) from the Sample values file for cert-manager section below.

  7. Follow the remaining prompts to finalize the installation.

Using the AWS command line tool

  1. Use the following command to list all available versions of the CyberArk cert-manager EKS add-on:

    aws eks describe-addon-versions \
      --addon-name cyberark_cert-manager-eks \
      --query 'addons[].addonVersions[].addonVersion'
    

    Tip

    To filter versions for a specific Kubernetes release, add the --kubernetes-version flag. For example, --kubernetes-version 1.33.

  2. Run the command below to install the CyberArk EKS add-on for cert-manager:

    aws eks create-addon \
      --addon-name cyberark_cert-manager-eks \
      --addon-version <LTS_or_STS_VERSION> \
      --resolve-conflicts <None | Overwrite | Preserve> \
      --region <AWS_REGION> \
      --cluster-name <CLUSTER_NAME> \
      --configuration-values file://<VALUES FILE>
    
    • --addon-name: The name of the add-on. This must be set to: cyberark_cert-manager-eks.
    • --addon-version: The version of the add-on you want to install. Choose the most recent Long-Term Support (LTS) or Standard Term Support (STS) version. For example, v1.17.4-eksbuild.1.
    • --resolve-conflicts: How to resolve field value conflicts for an Amazon EKS add-on. Conflicts are handled based on the value you choose. Possible values: None, Overwrite, or Preserve.
    • --region: The AWS region where your EKS cluster is deployed.
    • --cluster-name: The name of the EKS cluster where the add-on will be installed.
    • --configuration-values: The path to your cert-manager.values.yaml file, prefixed with file://. This file supplies additional configuration values. For a quick start, use the appropriate sample (standard or FIPS) from the Sample values file for cert-manager section below.

    Usage example:

    aws eks create-addon \
      --addon-name cyberark_cert-manager-eks \
      --addon-version v1.17.4-eksbuild.1 \
      --resolve-conflicts None \
      --region us-east-1 \
      --cluster-name my-cluster \
      --configuration-values file://cert-manager.values.yaml
    
  3. The add-on installation process is asynchronous. To verify its status, run:

    aws eks describe-addon \
      --addon-name cyberark_cert-manager-eks \
      --region <AWS_REGION> \
      --cluster-name <CLUSTER_NAME>
    

    Usage example:

    aws eks describe-addon \
      --addon-name cyberark_cert-manager-eks \
      --region us-east-1 \
      --cluster-name my-cluster 
    

Sample values file for cert-manager

Use the sample configuration below. Either paste it into the AWS Management Console when deploying the add-on, or save it as cert-manager.values.yaml to pass to the AWS CLI. This file defines the customization parameters used during installation of the CyberArk cert-manager EKS add-on.

Choose the sample that matches your environment (standard or FIPS images) below.

cert-manager.values.yaml (standard images)

crds:
  enabled: true

global:
  leaderElection:
    namespace: cyberark

cert-manager.values.yaml (FIPS images)

crds:
  enabled: true

global:
  leaderElection:
    namespace: cyberark
image:
  repository: cyberark/cert-manager/cert-manager-controller-fips
affinity:
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:
      - matchExpressions:
        - key: kubernetes.io/arch
          operator: In
          values:
          - amd64
        - key: kubernetes.io/os
          operator: In
          values:
          - linux
acmesolver:
  image:
    repository: cyberark/cert-manager/cert-manager-acmesolver-fips
webhook:
  image:
    repository: cyberark/cert-manager/cert-manager-webhook-fips
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: kubernetes.io/arch
            operator: In
            values:
            - amd64
          - key: kubernetes.io/os
            operator: In
            values:
            - linux
cainjector:
  image:
    repository: cyberark/cert-manager/cert-manager-cainjector-fips
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: kubernetes.io/arch
            operator: In
            values:
            - amd64
          - key: kubernetes.io/os
            operator: In
            values:
            - linux
startupapicheck:
  image:
    repository: cyberark/cert-manager/cert-manager-startupapicheck-fips
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: kubernetes.io/arch
            operator: In
            values:
            - amd64
          - key: kubernetes.io/os
            operator: In
            values:
            - linux

Add any additional values required for your environment. For the complete list of configurable parameters, see the Helm chart configuration specification.
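The check below is an added example, not part of the CyberArk or AWS documentation: a POSIX shell lint to run on cert-manager.values.yaml before passing it to aws eks create-addon. It assumes the keys in the samples above are the required baseline and that a FIPS deployment needs every component image on a -fips repository; the function names and the non-FIPS repository in the sample input are constructed.

```bash
# Flatten simple nested YAML mappings into dotted key=value lines; list items are skipped.
flatten_values() {
  awk '
    /^ *(#.*)?$/ { next }
    {
      ind = 0; while (substr($0, ind + 1, 1) == " ") ind++
      line = substr($0, ind + 1); n = index(line, ":")
      if (line ~ /^- / || n == 0) next
      k = substr(line, 1, n - 1); v = substr(line, n + 1)
      gsub(/^ +| +$/, "", v)
      while (depth > 0 && lvl[depth] >= ind) depth--
      lvl[++depth] = ind; key[depth] = k
      path = key[1]; for (i = 2; i <= depth; i++) path = path "." key[i]
      if (v != "") print path "=" v
    }' "$1"
}
# lint_values FILE standard|fips: prints each problem, returns the count (baseline keys are an assumption).
lint_values() {
  flat=$(flatten_values "$1"); problems=0
  printf '%s\n' "$flat" | grep -qx 'crds\.enabled=true' ||
    { echo "crds.enabled is not true"; problems=$((problems + 1)); }
  printf '%s\n' "$flat" | grep -q '^global\.leaderElection\.namespace=.' ||
    { echo "global.leaderElection.namespace is not set"; problems=$((problems + 1)); }
  if [ "$2" = fips ]; then
    for p in image acmesolver.image webhook.image cainjector.image startupapicheck.image; do
      repo=$(printf '%s\n' "$flat" | sed -n "s/^$p\.repository=//p")
      case $repo in
        *-fips) ;;
        *) echo "$p.repository='$repo' is not a -fips image"; problems=$((problems + 1)) ;;
      esac
    done
  fi
  return "$problems"
}
# Constructed sample: a FIPS values file with one wrong image and three missing overrides.
sample=$(mktemp)
cat > "$sample" <<'EOF'
crds:
  enabled: true
global:
  leaderElection:
    namespace: cyberark
image:
  repository: cyberark/cert-manager/cert-manager-controller-fips
webhook:
  image:
    repository: example.invalid/cert-manager-webhook
EOF
lint_values "$sample" fips || echo "problems found: $?"
```

A component with no image override is reported too, on the assumption that the chart would otherwise fall back to its standard image.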

Uninstalling the EKS add-on

  1. Open the AWS Management Console and go to the EKS cluster where the add-on is installed.
  2. Select the CyberArk add-on for cert-manager, and choose Delete.
  3. Confirm the deletion and wait for the status to show Deleted.

  1. Use the AWS CLI to remove the add-on from your cluster:

    aws eks delete-addon \
      --addon-name cyberark_cert-manager-eks \
      --region <AWS_REGION> \
      --cluster-name <CLUSTER_NAME>
    
    • --region: The AWS region where your EKS cluster is deployed.
    • --cluster-name: The name of the EKS cluster from which the add-on will be removed.
  2. Since removal is asynchronous, check the status with:

    aws eks describe-addon \
      --addon-name cyberark_cert-manager-eks \
      --region <AWS_REGION> \
      --cluster-name <CLUSTER_NAME>
    

    If the add-on is successfully removed, it will no longer appear in the output. During deletion, you might briefly see statuses like DELETING.