Step 8: Install cert-manager

You are currently viewing version 1.11 of the Apigee hybrid documentation.This version is end of life. You should upgrade to a newer version. For more information, seeSupported versions.

This step explains how to download and installcert-manager, required for Apigee hybrid to operate.

Installations on Anthos

You do not need to install cert-manager if you are performing a fresh installation on one of the following Anthos platforms:

  • Anthos on-premises - (VMware)
  • Anthos on Bare Metal

Anthos comes with its own version of cert-manager. Apigee can use this Anthos version of cert-manager. If it is installed in a namespace other thancert-manager, you will need to include the namespace with thecertManager.namespace property in your overrides file. For more information about Anthos and cert-manager, seeConflicting cert-manager installation.

Installations on OpenShift

If you are installing Apigee hybrid on OpenShift, install cert-manager by following the instructions inInstallation in the cert-manager documentation.

See aKnown Issue about cert-manager version 1.10 on OpenShift.

Install cert-manager

  1. Use the following command to install cert-manager v1.11.1 from GitHub.
    kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.1/cert-manager.yaml

    You should see a response that the cert-manager namespace and several cert-manager resources have been created. For example:

    customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io configuredcustomresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io configured...mutatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook configuredvalidatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook configured
  2. Use the following command to verify the successful creation of cert-manager namespace and its corresponding components:
    kubectl get all -n cert-manager -o wide

    Your output should be similar to the following example. You should see pods forcert-manager,cert-manager-cainjector, andcert-manager-webhook.

      NAME                                         READY    STATUS   RESTARTS   AGE     IP           NODE                                    NOMINATED NODE   READINESS GATES  pod/cert-manager-abcd1234-7hkt9               1/1     Running   0          35s   10.20.x.x    gke-hybrid-on-apigee-data-abcd1234-3d54  pod/cert-manager-cainjector-abcd1234-6lb4k    1/1     Running   0          35s   10.20.x.x    gke-hybrid-apigee-runtime-abcd1234-5hmn  pod/cert-manager-webhook-abcd1234-c8bg9       1/1     Running   0          35s   10.20.x.x    gke-hybrid-apigee-runtime-abcd1234-fk39  NAME                           TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)    AGE   SELECTOR  service/cert-manager           ClusterIP   10.24.x.x        9402/TCP   35s   app.kubernetes.io/component=controller,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=cert-manager  service/cert-manager-webhook   ClusterIP   10.24.x.x        443/TCP    35s   app.kubernetes.io/component=webhook,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=webhook  NAME                                      READY   UP-TO-DATE   AVAILABLE   AGE   CONTAINERS                IMAGES                                             SELECTOR  deployment.apps/cert-manager              1/1     1            1           35s   cert-manager-controller   quay.io/jetstack/cert-manager-controller:v1.11.0   app.kubernetes.io/component=controller,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=cert-manager  deployment.apps/cert-manager-cainjector   1/1     1            1           35s   cert-manager-cainjector   quay.io/jetstack/cert-manager-cainjector:v1.11.0   app.kubernetes.io/component=cainjector,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=cainjector  deployment.apps/cert-manager-webhook      1/1     1            1           35s   cert-manager-webhook      quay.io/jetstack/cert-manager-webhook:v1.11.0      app.kubernetes.io/component=webhook,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=webhook  NAME                                                DESIRED   CURRENT   READY   AGE   CONTAINERS                IMAGES                                             SELECTOR  replicaset.apps/cert-manager-abcd1234                1         1         1       35s   cert-manager-controller   quay.io/jetstack/cert-manager-controller:v1.11.0   app.kubernetes.io/component=controller,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=cert-manager,pod-template-hash=abcd1234  replicaset.apps/cert-manager-cainjector-abcd1234     1         1         1       35s   cert-manager-cainjector   quay.io/jetstack/cert-manager-cainjector:v1.11.0   app.kubernetes.io/component=cainjector,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=cainjector,pod-template-hash=abcd1234  replicaset.apps/cert-manager-webhook-abcd1234        1         1         1       35s   cert-manager-webhook      quay.io/jetstack/cert-manager-webhook:v1.11.0      app.kubernetes.io/component=webhook,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=webhook,pod-template-hash=abcd1234

Summary

You now have cert-manager installed, and you are ready to install the Apigee hybrid custom resource definitions (CRDs).

12345678(NEXT) Step 9: Install the CRDs101112

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-18 UTC.