Installing cert-manager and certificates

API Connect includes a cert-manager you can use to manage certificates.

Before you begin

Before you install a cert-manager, you should know your strategy for using certificates with API Connect.

Review the certificate requirements in Deployment requirements.
Review the certificates overview: Certificates in a Kubernetes environment
Determine if you want to use custom certificates:
Do not use the procedure in this topic if you want to use custom certificates, or if you are deploying with IBM Kubernetes Service.
- If you are deploying onto IBM Kubernetes Service, you must use custom certificates. Use these instructions instead: Using custom certificates with IBM Kubernetes Service.
- If you are not deploying onto IBM Kubernetes Service, but want to use custom certificates, do not use these instructions. Instead, go to Custom certificates on Kubernetes.
For additional instructions explaining how to install cert-manager and certificates in a two data center high availability (HA) deployment on Kubernetes, see Installing cert-manager and certificates in a two data center high availability deployment.

About this task

Use these instructions to install the supplied cert-manager and ingress-issuer-v1-alpha1.yaml.

The file ingress-issuer-v1-alpha1.yaml is supplied by cert-manager. The alpha designation in the filename ingress-issuer-v1-alpha1.yaml refers only to the status of the stability of the Kubernetes CRD definition that is used by cert-manager.

Procedure

Verify that you completed Obtaining product files and can access helper_files.zip.

Set KUBECONFIG for the target cluster:

export KUBECONFIG=<path_to_cluster_config_YAML_file>

Example path:

/Users/user/.kube/clusters/<cluster_name>/kube-config-<cluster_name>.yaml

Install a cert-manager.
Use of a certificate manager adds convenience to the generation and management of certificate, but is not required. Whenever a custom resource (CR) takes a certificate secret name as input, you can point to any secret name, as long as the secret exists before deploying the CR, and the secret contains relevant certificate data. Typically, this is tls.crt, tls.key, and ca.crt files. See Certificates in a Kubernetes environment.
1. Obtain the certificate manager.
  API Connect v10 uses cert-manager v0.10.1 of cert-manager, which is a native Kubernetes certificate management controller.
  
  You can obtain cert-manager v0.10.1 from the API Connect v10 distribution helper_files.zip archive. .
  
  Note: cert-manager is bundled as a common service in IBM CloudPack for Integration.
2. Apply the CR:
```
kubectl apply -f cert-manager-0.10.1.yaml
```
  Do not specify a custom namespace.
  
  See https://docs.cert-manager.io/en/release-0.10/getting-started/install/kubernetes.html.
3. Wait for cert-manager pods to enter Running 1/1 status before proceeding. To check the status:
```
kubectl get po -n cert-manager 
```
  There are 3 cert-manager pods in total.
Continue with Installing Kubernetes operators.