How to Install and Configure cert-manager on Kubernetes with Helm
Learn step‑by‑step how to install Jetstack’s open‑source cert-manager on a Kubernetes cluster using Helm, from prerequisites and chart download to configuring TLS settings and deploying the service, ensuring secure inter‑service communication in cloud‑native environments.
With the rise of cloud computing and micro‑service architectures, Kubernetes has become the de‑facto container orchestration platform. Ensuring secure communication between services is critical, and TLS certificates are essential. Jetstack’s open‑source cert-manager simplifies certificate lifecycle management.
Prerequisites
Install Helm v3+ and a supported Kubernetes cluster.
Supported cert-manager versions and Kubernetes compatibility:
v1.15 – supports Kubernetes 1.25 to 1.31 (end‑of‑life at 1.17)
v1.14 – supports Kubernetes 1.24 to 1.31 (end‑of‑life at 1.16)
v1.12 LTS – supports Kubernetes 1.22 to 1.31 (EOL May 19 2025)
Install cert-manager
1. Add the Jetstack Helm repository:
<code>$ helm repo add jetstack https://charts.jetstack.io --force-update
"jetstack" has been added to your repositories</code>2. Download version 1.12 chart and push it to a Harbor registry:
<code># Download chart
$ helm pull jetstack/cert-manager --version v1.12.13
# Push to Harbor
$ helm push cert-manager-v1.12.13.tgz oci://core.jiaxzeng.com/plugins
Pushed: core.jiaxzeng.com/plugins/cert-manager:v1.12.13
Digest: sha256:b4c7cc94bfa93d28c3461d7dbb9a8112c61e5c78bc4b09edc5499b5a5b22e634</code>Tip: This step requires a node with internet access; typical internal clusters may not have it.
3. Pull the chart on the Kubernetes node:
<code>$ sudo helm pull oci://core.jiaxzeng.com/plugins/cert-manager --version v1.12.13 --untar --untardir /etc/kubernetes/addons/
Pulled: core.jiaxzeng.com/plugins/cert-manager:v1.12.13
Digest: sha256:b4c7cc94bfa93d28c3461d7dbb9a8112c61e5c78bc4b09edc5499b5a5b22e634</code>4. Create the cert‑manager values file:
<code>global:
leaderElection:
namespace: "kube-system"
installCRDs: true
image:
repository: core.jiaxzeng.com/library/cert-manager/cert-manager-controller
tag: v1.12.13
http_proxy: "http://172.139.20.170:3888"
https_proxy: "https://172.139.20.170:3888"
no_proxy: "127.0.0.1,localhost,172.139.20.0/24,10.96.0.0/16,10.244.0.0/16"
startupapicheck:
image:
repository: core.jiaxzeng.com/library/cert-manager/cert-manager-ctl
tag: v1.12.13
webhook:
image:
repository: core.jiaxzeng.com/library/cert-manager/cert-manager-webhook
tag: v1.12.13
cainjector:
image:
repository: core.jiaxzeng.com/library/cert-manager/cert-manager-cainjector
tag: v1.12.13</code>5. Deploy cert‑manager using Helm:
<code>$ helm -n kube-system install cert-manager -f /etc/kubernetes/addons/cert-manager-value.yml /etc/kubernetes/addons/cert-manager
NAME: cert-manager
LAST DEPLOYED: Thu Sep 26 23:23:09 2024
NAMESPACE: kube-system
STATUS: deployed
REVISION: 1
NOTES:
cert-manager v1.12.13 has been deployed successfully!
In order to begin issuing certificates, you will need to set up a ClusterIssuer or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).
More information on issuers and configuration can be found at https://cert-manager.io/docs/configuration/
Documentation for the ingress-shim is at https://cert-manager.io/docs/usage/ingress/</code>Reference Documentation
cert-manager releases: https://cert-manager.io/docs/releases/
cert-manager Helm installation guide: https://cert-manager.io/docs/installation/helm/
Conclusion
By following these steps you have installed and configured cert-manager on your Kubernetes cluster, enabling efficient TLS certificate management and improving overall system security.
Linux Ops Smart Journey
The operations journey never stops—pursuing excellence endlessly.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.