Installing Approver Policy using Helm

In this tutorial, you'll use Helm to install Approver Policy, which replaces the built-in cert-manager approver with policy-driven certificate request approval.

Prerequisites

To complete these steps, you must have:

  • On your local machine, kubectl and Helm 3.8.0+.
  • Permission to install Helm charts and custom resource definitions (CRDs) in your Kubernetes cluster.
  • cert-manager installed in your cluster.
  • Private registry access, as described in Configuring Next-Gen Trust Security registry access: a Built-in Account with the OCI Registry Use Case and the cert-manager Components Scope, with the pull secret created using kubectl.
  • Access to a Next-Gen Trust Security tenant.

Step 1: Reconfigure cert-manager

To use Approver Policy for certificate requests, disable the built-in cert-manager approver. Use one of these methods, depending on your cert-manager version.

Disable the approver by setting disableAutoApproval to true on the cert-manager controller:

helm upgrade cert-manager oci://registry.ngts.paloaltonetworks.com/charts/cert-manager \
  --install \
  --create-namespace \
  --namespace venafi \
  --version vX.X.X \
  --set crds.enabled=true \
  --set disableAutoApproval=true

Using a values file

If using a values file, add the following instead:

disableAutoApproval: true

Disable the approver by excluding its controller with the extraArgs flag:

helm upgrade cert-manager oci://registry.venafi.cloud/charts/cert-manager \
  --install \
  --create-namespace \
  --namespace venafi \
  --version v1.20.0 \
  --set installCRDs=true \
  --set extraArgs={--controllers='*\,-certificaterequests-approver'}

Avoiding conflicts with existing settings
  • Only change extraArgs at the top level of the values file. Do not change webhook.extraArgs, startupAPICheck.extraArgs, or cainjector.extraArgs.
  • If reconfiguring an existing install, run helm get values cert-manager --namespace venafi to check whether extraArgs has already been customized. If so, merge the existing values with the --controllers flag to avoid overwriting them.

Confirm that the approver is disabled in the cert-manager controller log:

kubectl logs -n venafi -l app=cert-manager | grep "certificaterequests-approver"

A successful reconfiguration produces output similar to the following:

I0506 14:44:51.198463       1 controller.go:182] cert-manager/controller "msg"="not starting controller as it's disabled" "controller"="certificaterequests-approver"
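
The extraArgs merge from the note above and the log check from this step, as an added example in Python (not part of this page or of cert-manager). It assumes the existing extraArgs have already been read out of the helm get values output as a list of strings; the sample arguments and log text are constructed.

```python
import re

APPROVER = "certificaterequests-approver"
CONTROLLERS_PREFIX = "--controllers="

def merge_controllers_flag(existing_args):
    """Return extraArgs with the built-in approver excluded.

    Every other argument is kept. If a --controllers flag already exists,
    its selector list is extended (and a bare positive entry for the
    approver dropped) rather than replaced, so a previously customised
    controller selection is not overwritten.
    """
    merged = []
    found = False
    for arg in existing_args:
        if arg.startswith(CONTROLLERS_PREFIX):
            found = True
            selectors = [s for s in arg[len(CONTROLLERS_PREFIX):].split(",")
                         if s and s != APPROVER]
            if f"-{APPROVER}" not in selectors:
                selectors.append(f"-{APPROVER}")
            arg = CONTROLLERS_PREFIX + ",".join(selectors)
        merged.append(arg)
    if not found:
        merged.append(f"{CONTROLLERS_PREFIX}*,-{APPROVER}")
    return merged

# Matches the "not starting controller" message shown in the page's example output.
DISABLED_RE = re.compile(
    r'''"msg"="not starting controller as it's disabled" "controller"="([^"]+)"''')

def approver_disabled_in_log(log_text):
    """True when the controller log reports the approver controller as disabled."""
    return APPROVER in DISABLED_RE.findall(log_text)

# Constructed sample input: one custom flag plus an existing --controllers
# selection that must survive the merge.
EXISTING_ARGS = ["--enable-certificate-owner-ref=true", "--controllers=*,-orders"]

# Constructed sample log: the page's example line plus an unrelated line.
SAMPLE_LOG = """\
I0506 14:44:51.198463       1 controller.go:182] cert-manager/controller "msg"="not starting controller as it's disabled" "controller"="certificaterequests-approver"
I0506 14:44:51.200001       1 controller.go:190] cert-manager/controller "msg"="starting controller" "controller"="certificates-issuing"
"""

if __name__ == "__main__":
    print(merge_controllers_flag(EXISTING_ARGS))
    print(approver_disabled_in_log(SAMPLE_LOG))
```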

Step 2: Deploy Approver Policy using Helm

Install Approver Policy, configure it to use the pull secret from the prerequisites, and specify the CA bundles that Approver Policy will trust.

  1. Create a file named approver-policy.values.yaml.

    If using your own registry, replace registry.ngts.paloaltonetworks.com with your registry base URL.

    approver-policy.values.yaml
    cert-manager-approver-policy:
      imagePullSecrets:
      - name: ngts-image-pull-secret

      # Add if using your own registry
      # imageRegistry: myregistry.example.com
      # imageNamespace: cert-manager

  2. Install Approver Policy and wait for it to be ready:

    helm upgrade cert-manager-approver-policy oci://registry.ngts.paloaltonetworks.com/charts/cert-manager-approver-policy \
        --install \
        --namespace venafi \
        --values approver-policy.values.yaml \
        --version v0.24.0 \
        --wait