Step 8: Install cert-manager
This step explains how to download and install cert-manager, which is required for Apigee hybrid to operate.
Installations on Google Distributed Cloud
You do not need to install cert-manager if you are performing a fresh installation on one of the following on-premises platforms:
- Google Distributed Cloud (software only) on VMware
- Google Distributed Cloud (software only) on bare metal
Google Distributed Cloud comes with its own version of cert-manager. Apigee can use this Distributed Cloud version of cert-manager. If it is installed in a namespace other than cert-manager, you will need to include the namespace with the certManager.namespace property in your overrides file. For more information about Google Distributed Cloud and cert-manager, see Conflicting cert-manager installation.
Installations on OpenShift
If you are installing Apigee hybrid on OpenShift, install cert-manager by following the instructions in Installation in the cert-manager documentation.
See a Known Issue about cert-manager version 1.10 on OpenShift.
Issues with Older Versions
Some versions of cert-manager have an issue where the webhook TLS server may fail to automatically renew its CA certificate. To avoid this, Apigee recommends using cert-manager versions 1.15.5+ or 1.16.3+.
Install cert-manager
- Use the following command to install cert-manager v1.16.3 from GitHub.
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.3/cert-manager.yaml
You should see a response that the cert-manager namespace and several cert-manager resources have been created. For example:
customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io configured
customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io configured
...
mutatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook configured
validatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook configured
- Use the following command to verify the successful creation of cert-manager namespace and its corresponding components:
kubectl get all -n cert-manager -o wide
Your output should be similar to the following example. You should see pods for cert-manager, cert-manager-cainjector, and cert-manager-webhook.

NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
pod/cert-manager-675d667c9-8rrdf 1/1 Running 0 13s x.x.x.x gke-test-apigee-apigee-runtime-fbff3412-fsz9 none none
pod/cert-manager-cainjector-6674494d8-lfr5r 1/1 Running 0 13s x.x.x.x gke-test-apigee-hy-apigee-data-efb302e2-1gqg none none
pod/cert-manager-webhook-8566bcbc98-5krnh 1/1 Running 0 12s x.x.x.x gke-test-apigee-hy-apigee-data-0081cb07-2t5v none none

NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
service/cert-manager ClusterIP x.x.x.x none 9402/TCP 13s app.kubernetes.io/component=controller,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=cert-manager
service/cert-manager-webhook ClusterIP x.x.x.x none 443/TCP 13s app.kubernetes.io/component=webhook,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=webhook

NAME READY UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR
deployment.apps/cert-manager 1/1 1 1 13s cert-manager-controller quay.io/jetstack/cert-manager-controller:v1.16.3 app.kubernetes.io/component=controller,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=cert-manager
deployment.apps/cert-manager-cainjector 1/1 1 1 13s cert-manager-cainjector quay.io/jetstack/cert-manager-cainjector:v1.16.3 app.kubernetes.io/component=cainjector,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=cainjector
deployment.apps/cert-manager-webhook 1/1 1 1 13s cert-manager-webhook quay.io/jetstack/cert-manager-webhook:v1.16.3 app.kubernetes.io/component=webhook,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=webhook

NAME DESIRED CURRENT READY AGE CONTAINERS IMAGES SELECTOR
replicaset.apps/cert-manager-675d667c9 1 1 1 13s cert-manager-controller quay.io/jetstack/cert-manager-controller:v1.16.3 app.kubernetes.io/component=controller,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=cert-manager,pod-template-hash=675d667c9
replicaset.apps/cert-manager-cainjector-6674494d8 1 1 1 13s cert-manager-cainjector quay.io/jetstack/cert-manager-cainjector:v1.16.3 app.kubernetes.io/component=cainjector,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=cainjector,pod-template-hash=6674494d8
replicaset.apps/cert-manager-webhook-8566bcbc98 1 1 1 12s cert-manager-webhook quay.io/jetstack/cert-manager-webhook:v1.16.3 app.kubernetes.io/component=webhook,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=webhook,pod-template-hash=8566bcbc98
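
On a cluster where cert-manager was already present, such as Google Distributed Cloud or OpenShift, the running image tags can be checked against the recommended versions (1.15.5+ or 1.16.3+). The script below is an added example, not part of the Apigee documentation. The function names cm_version_ok and cm_audit_images are hypothetical, the sample image list is constructed, and the script assumes that minor release lines after 1.16 also meet the recommendation.

```shell
#!/bin/sh
# Added example: compare cert-manager image tags with the versions this page
# recommends (1.15.5+ or 1.16.3+). Assumption: minor lines after 1.16 pass.

# cm_version_ok TAG: 0 = meets recommendation, 1 = too old, 2 = not [v]X.Y.Z
cm_version_ok() {
  v=${1#v}
  case "$v" in [0-9]*.[0-9]*.[0-9]*) ;; *) return 2 ;; esac
  major=${v%%.*}; rest=${v#*.}
  minor=${rest%%.*}; patch=${rest#*.}
  # Pre-release suffixes, extra dots or letters are reported as unparseable.
  case "$major$minor$patch" in *[!0-9]*) return 2 ;; esac
  if [ "$major" -lt 1 ]; then return 1; fi
  if [ "$major" -gt 1 ] || [ "$minor" -gt 16 ]; then return 0; fi
  if [ "$minor" -eq 16 ] && [ "$patch" -ge 3 ]; then return 0; fi
  if [ "$minor" -eq 15 ] && [ "$patch" -ge 5 ]; then return 0; fi
  return 1
}

# cm_audit_images: read image refs on stdin, one per line; return 1 if any
# image is too old or has no parseable version tag.
cm_audit_images() {
  bad=0
  while IFS= read -r image; do
    [ -n "$image" ] || continue
    ref=${image%%@*}            # drop an @sha256:... digest if present
    name=${ref##*/}             # last path part, so a registry port is not a tag
    case "$name" in *:*) tag=${name##*:} ;; *) tag= ;; esac
    rc=0
    cm_version_ok "$tag" || rc=$?
    case $rc in
      0) echo "OK $image" ;;
      1) echo "UPGRADE $image"; bad=1 ;;
      *) echo "UNKNOWN $image"; bad=1 ;;
    esac
  done
  return "$bad"
}

# Constructed sample (not real cluster output). On a cluster, feed it from:
#   kubectl get deploy -n cert-manager \
#     -o jsonpath='{range .items[*]}{.spec.template.spec.containers[*].image}{"\n"}{end}'
printf '%s\n' \
  quay.io/jetstack/cert-manager-controller:v1.16.3 \
  quay.io/jetstack/cert-manager-webhook:v1.15.4 |
  cm_audit_images || echo "at least one image is below the recommended versions"
```

If cert-manager runs in a namespace other than cert-manager, use that namespace in the kubectl command, the same one set in certManager.namespace.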
Summary
You now have cert-manager installed, and you are ready to install the Apigee hybrid custom resource definitions (CRDs).
Next step
Step 9: Install the CRDs
Last updated 2026-02-18 UTC.