# Step 2: Install cert-manager

- This documentation covers the installation of cert-manager version 1.10.1, which is essential for the operation of Apigee hybrid.
- If using Anthos on-premises or Anthos on Bare Metal, cert-manager installation is not required, as Anthos provides its own version.
- For installations on OpenShift, cert-manager must be installed manually by following the instructions in the cert-manager documentation.
- To install cert-manager, use the provided `kubectl apply` command, and verify the installation using the given `kubectl get all` command.
- Successful installation of cert-manager is a prerequisite for installing the Apigee hybrid command-line tool.

| You are currently viewing version 1.9 of the Apigee hybrid documentation. **This version is end of life.** You should upgrade to a newer version. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).

This step explains how to download and install [cert-manager](https://cert-manager.io/docs/), which Apigee hybrid requires to operate.

| **Installations on Anthos**
|
| You do not need to install cert-manager if you are
| performing a fresh installation on one of the following Anthos platforms:
|
| - Anthos on-premises - (VMware)
| - Anthos on Bare Metal
|
| Anthos comes with its own version of cert-manager. Apigee can use this Anthos version of cert-manager.
| If it is installed in a namespace other than `cert-manager`, you will need to include
| the namespace with the [`certManager.namespace`](/apigee/docs/hybrid/v1.9/config-prop-ref#certmanager)
| property in your overrides file.
| For more information about Anthos and cert-manager, see
| [Conflicting cert-manager installation](/anthos/clusters/docs/on-prem/1.12/known-issues#conflicting-cert-manager-installation).
|
| **Installations on OpenShift**
|
| If you are installing Apigee hybrid on OpenShift, install cert-manager by following the
| instructions in [Installation](https://cert-manager.io/docs/installation/)
| in the cert-manager documentation.
|
| See a
| [Known Issue about cert-manager version 1.10 on OpenShift](https://cloud.google.com/apigee/docs/release/known-issues#271689008).

Install cert-manager
--------------------

1. Use the following command to install cert-manager v1.10.1 from GitHub.

   ```
   kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.10.1/cert-manager.yaml
   ```

   You should see a response that the cert-manager namespace and several cert-manager resources
   have been created. For example:

   ```
   customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io configured
   customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io configured
   ...
   mutatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook configured
   validatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook configured
   ```
2. Use the following command to verify the successful creation of the cert-manager namespace and its corresponding components:

   ```
   kubectl get all -n cert-manager -o wide
   ```

   Your output should be similar to the following example.
   You should see pods for `cert-manager`, `cert-manager-cainjector`, and `cert-manager-webhook`.

   ```
   NAME                                         READY   STATUS    RESTARTS   AGE   IP          NODE                                      NOMINATED NODE   READINESS GATES
   pod/cert-manager-abcd1234-7hkt9              1/1     Running   0          35s   10.20.x.x   gke-hybrid-on-apigee-data-abcd1234-3d54   <none>           <none>
   pod/cert-manager-cainjector-abcd1234-6lb4k   1/1     Running   0          35s   10.20.x.x   gke-hybrid-apigee-runtime-abcd1234-5hmn   <none>           <none>
   pod/cert-manager-webhook-abcd1234-c8bg9      1/1     Running   0          35s   10.20.x.x   gke-hybrid-apigee-runtime-abcd1234-fk39   <none>           <none>

   NAME                           TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)    AGE   SELECTOR
   service/cert-manager           ClusterIP   10.24.x.x    <none>        9402/TCP   35s   app.kubernetes.io/component=controller,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=cert-manager
   service/cert-manager-webhook   ClusterIP   10.24.x.x    <none>        443/TCP    35s   app.kubernetes.io/component=webhook,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=webhook

   NAME                                      READY   UP-TO-DATE   AVAILABLE   AGE   CONTAINERS                IMAGES                                             SELECTOR
   deployment.apps/cert-manager              1/1     1            1           35s   cert-manager-controller   quay.io/jetstack/cert-manager-controller:v1.10.1   app.kubernetes.io/component=controller,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=cert-manager
   deployment.apps/cert-manager-cainjector   1/1     1            1           35s   cert-manager-cainjector   quay.io/jetstack/cert-manager-cainjector:v1.10.1   app.kubernetes.io/component=cainjector,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=cainjector
   deployment.apps/cert-manager-webhook      1/1     1            1           35s   cert-manager-webhook      quay.io/jetstack/cert-manager-webhook:v1.10.1      app.kubernetes.io/component=webhook,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=webhook

   NAME                                               DESIRED   CURRENT   READY   AGE   CONTAINERS                IMAGES                                             SELECTOR
   replicaset.apps/cert-manager-abcd1234              1         1         1       35s   cert-manager-controller   quay.io/jetstack/cert-manager-controller:v1.10.1   app.kubernetes.io/component=controller,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=cert-manager,pod-template-hash=abcd1234
   replicaset.apps/cert-manager-cainjector-abcd1234   1         1         1       35s   cert-manager-cainjector   quay.io/jetstack/cert-manager-cainjector:v1.10.1   app.kubernetes.io/component=cainjector,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=cainjector,pod-template-hash=abcd1234
   replicaset.apps/cert-manager-webhook-abcd1234      1         1         1       35s   cert-manager-webhook      quay.io/jetstack/cert-manager-webhook:v1.10.1      app.kubernetes.io/component=webhook,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=webhook,pod-template-hash=abcd1234
   ```

Summary
-------

You now have cert-manager installed, and you are ready to install the Apigee hybrid
command-line tool on your local machine.

Next: [Step 3: Install apigeectl](/apigee/docs/hybrid/v1.9/install-apigeectl)

Last updated 2025-08-26 UTC.