[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-26 UTC."],[],[],null,["# Step 8: Install cert-manager\n\nThis step explains how to download and install [cert-manager](https://cert-manager.io/docs/), required for Apigee hybrid to operate.\n| **Installations on Google Distributed Cloud**\n|\n| You do not need to install cert-manager if you are\n| performing a fresh installation on one of the following on-premises platforms:\n|\n| - Google Distributed Cloud (software only) on VMware\n| - Google Distributed Cloud (software only) on bare metal\n|\n|\n| Google Distributed Cloud comes with its own version of cert-manager. Apigee can use this Distributed Cloud version of cert-manager.\n| If it is installed in a namespace other than `cert-manager`, you will need to include\n| the namespace with the [`certManager.namespace`](/apigee/docs/hybrid/v1.15/config-prop-ref#certmanager)\n| property in your overrides file.\n| For more information about Google Distributed Cloud and cert-manager, see\n| [Conflicting\n| cert-manager installation](/kubernetes-engine/distributed-cloud/vmware/docs/troubleshooting/known-issues#conflicting-cert-manager-installation).\n|\n|\n| **Installations on OpenShift**\n|\n| If you are installing Apigee hybrid on OpenShift, install cert-manager by following the\n| instructions in [Installation](https://cert-manager.io/docs/installation/)\n| in the cert-manager documentation.\n|\n| See a\n| [Known Issue about cert-manager version 1.10 on OpenShift](https://cloud.google.com/apigee/docs/release/known-issues#271689008).\n|\n|\n| **Issues with Older Versions**\n|\n|\n| Some versions of cert-manager have an issue where the webhook TLS server may fail to automatically renew its CA certificate. To avoid this, Apigee recommends using cert-manager versions [1.16.3](https://cert-manager.io/docs/releases/release-notes/release-notes-1.16/#v1163)+ or [1.17.2](https://cert-manager.io/docs/releases/release-notes/release-notes-1.17/#v1172)+.\n\nInstall cert-manager\n--------------------\n\n1. Use the following command to install cert-manager v1.17.2 from GitHub. \n\n ```\n kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.2/cert-manager.yaml\n ```\n\n\n You should see a response that the cert-manager namespace and several cert-manager resources\n have been created. For example: \n\n ```\n customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io configured\n customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io configured\n ...\n mutatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook configured\n validatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook configured\n ```\n2. Use the following command to verify the successful creation of cert-manager namespace and its corresponding components: \n\n ```\n kubectl get all -n cert-manager -o wide\n ```\n\n Your output should be similar to the following example.\n You should see pods for `cert-manager`, `cert-manager-cainjector`, and `cert-manager-webhook`. \n\n ```\n NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES\n pod/cert-manager-675d667c9-8rrdf 1/1 Running 0 13s x.x.x.x gke-test-apigee-apigee-runtime-fbff3412-fsz9 none none\n pod/cert-manager-cainjector-6674494d8-lfr5r 1/1 Running 0 13s x.x.x.x gke-test-apigee-hy-apigee-data-efb302e2-1gqg none none\n pod/cert-manager-webhook-8566bcbc98-5krnh 1/1 Running 0 12s x.x.x.x gke-test-apigee-hy-apigee-data-0081cb07-2t5v none none\n\n NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR\n service/cert-manager ClusterIP x.x.x.x none 9402/TCP 13s app.kubernetes.io/component=controller,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=cert-manager\n service/cert-manager-webhook ClusterIP x.x.x.x none 443/TCP 13s app.kubernetes.io/component=webhook,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=webhook\n\n NAME READY UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR\n deployment.apps/cert-manager 1/1 1 1 13s cert-manager-controller quay.io/jetstack/cert-manager-controller:v1.15.1 app.kubernetes.io/component=controller,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=cert-manager\n deployment.apps/cert-manager-cainjector 1/1 1 1 13s cert-manager-cainjector quay.io/jetstack/cert-manager-cainjector:v1.15.1 app.kubernetes.io/component=cainjector,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=cainjector\n deployment.apps/cert-manager-webhook 1/1 1 1 13s cert-manager-webhook quay.io/jetstack/cert-manager-webhook:v1.15.1 app.kubernetes.io/component=webhook,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=webhook\n\n NAME DESIRED CURRENT READY AGE CONTAINERS IMAGES SELECTOR\n replicaset.apps/cert-manager-675d667c9 1 1 1 13s cert-manager-controller quay.io/jetstack/cert-manager-controller:v1.15.1 app.kubernetes.io/component=controller,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=cert-manager,pod-template-hash=675d667c9\n replicaset.apps/cert-manager-cainjector-6674494d8 1 1 1 13s cert-manager-cainjector quay.io/jetstack/cert-manager-cainjector:v1.15.1 app.kubernetes.io/component=cainjector,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=cainjector,pod-template-hash=6674494d8\n replicaset.apps/cert-manager-webhook-8566bcbc98 1 1 1 12s cert-manager-webhook quay.io/jetstack/cert-manager-webhook:v1.15.1 app.kubernetes.io/component=webhook,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=webhook,pod-template-hash=8566bcbc98\n ```\n\nSummary\n-------\n\n\nYou now have cert-manager installed, and you are ready to install the Apigee hybrid\ncustom resource definitions (CRDs).\n\nNext step\n---------\n\n\u003cbr /\u003e\n\n[1](/apigee/docs/hybrid/v1.15/install-create-cluster) [2](/apigee/docs/hybrid/v1.15/install-download-charts) [3](/apigee/docs/hybrid/v1.15/install-create-namespace) [4](/apigee/docs/hybrid/v1.15/install-service-accounts) [5](/apigee/docs/hybrid/v1.15/install-create-tls-certificates) [6](/apigee/docs/hybrid/v1.15/install-create-overrides) [7](/apigee/docs/hybrid/v1.15/install-enable-control-plane-access) [8](/apigee/docs/hybrid/v1.15/install-cert-manager) [(NEXT) Step 9: Install the CRDs](/apigee/docs/hybrid/v1.15/install-crds) [10](/apigee/docs/hybrid/v1.15/install-helm-charts) [11](/apigee/docs/hybrid/v1.15/install-workload-identity)\n\n\u003cbr /\u003e"]]