Tanzu Mission Control Self-Managed – Part 4: Install Cert-Manager and Cluster Issuer for TLS certificates

Welcome to Tanzu Mission Control Self-Managed Part 4 of the series. I’ll show you how to use cluster issuer and cert-manager for automatic certificate issuing in this post.

If you have landed on this post directly by mistake, I encourage you to read the previous blog posts of this series using the below links:

1: TMC Self-Managed – Introduction & Architecture

2: Configure DNS for TMC Self-Managed

3: Configure OIDC Complaint Identity Provider (Okta)

For its certificates, TMC Self-Managed uses cert-manager. You can use the cert-manager and cluster issuer to create a self-signed certificate for the installation in a lab or POC environment. On the workload cluster where TMC Self-Managed will be installed in my lab, I have installed cert-manager as a Tanzu package.

In an airgap environment, you can follow the instructions outlined in the Add a Package Repository and Install cert-manager in the TKG product documentation to install cert-manager.

Deploy Cluster Issuer

When you install Tanzu Mission Control Self-Managed, the cert-manager requests TLS certificates for the external endpoints that you created previously in your DNS zone. So you must set up a cluster issuer in your cluster. 

Cert-Manager supports a wide variety of issuers to enable the creation of a ClusterIssuer, including the following:

This blog makes use of CA as a cluster issuer type, which allows bringing your own self-signed certificates to be used in the deployment. The steps for configuring CA for cert-manager are provided below:

Note: The commands provided below need to be executed on the bootstrap machine from where you are managing the TKG clusters.

Step 1: Generate a self-signed CA certificate for TMC Self-Managed

Step 2: Copy the ca certificate to the /etc/ssl/certs directory

Step 3: Create a secret for the cert-manager

Step 4: Create cluster issuer yaml

Note: Key secretName in the yaml should match with the secret that you created in the previous step. 

Step 5: Create cluster issuer

Step 6: Verify that cluster issuer status is ready

And that’s it for this post. In the next post of this series, I will demonstrate configuring the harbor registry for hosting TMC Self-managed artifacts.

I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing.

One thought on “Tanzu Mission Control Self-Managed – Part 4: Install Cert-Manager and Cluster Issuer for TLS certificates

  1. Pingback: Install Tanzu Mission Control Self-Managed on vSphere with Tanzu on vSphere 7

Leave a ReplyCancel reply