Approver Policy Helm values

Approver Policy is a cert-manager approver that approves or denies CertificateRequests based on policies defined in the CertificateRequestPolicy custom resource.

The following Approver Policy Helm values are supported by the Venafi Kubernetes Manifest tool.

nameOverride

Property nameOverride
Type string
Default

nameOverride replaces the name of the chart in the Chart.yaml file, when this is used to construct Kubernetes object names.

http_proxy

Property http_proxy
Type string
Default

Configures the HTTP_PROXY environment variable where an HTTP proxy is required.

https_proxy

Property https_proxy
Type string
Default

Configures the HTTPS_PROXY environment variable where an HTTP proxy is required.

no_proxy

Property no_proxy
Type string
Default

Configures the NO_PROXY environment variable where an HTTP proxy is required but certain domains should be excluded from it.

crds.enabled

Property crds.enabled
Type bool
Default
true

This option decides if the CRDs should be installed as part of the Helm installation.

crds.keep

Property crds.keep
Type bool
Default
true

This option adds the helm.sh/resource-policy: keep annotation to the CRD, which prevents Helm from uninstalling the CRD when the Helm release is uninstalled.

Warning

When the CRDs are removed, all cert-manager-approver-policy custom resources (CertificateRequestPolicy) will be removed too by the garbage collector.

replicaCount

Property replicaCount
Type number,string,null
Default
1

Number of replicas of approver-policy to run.

For example, use an integer to set a fixed number of replicas:

replicaCount: 2

Use null if you want to omit the replicas field and use the Kubernetes default value:

replicaCount: null

Use a string if you want to insert a variable for post-processing of the rendered template:

replicaCount: ${REPLICAS_OVERRIDE:=3}

image.registry

Property image.registry
Type string
Default

Target image registry. This value is prepended to the target image repository, if set.
For example:

registry: quay.io
repository: jetstack/cert-manager-approver-policy

image.repository

Property image.repository
Type string
Default
quay.io/jetstack/cert-manager-approver-policy

Target image repository.

image.tag

Property image.tag
Type string
Default

Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion is used.

image.digest

Property image.digest
Type string
Default

Target image digest. If set, it overrides any tag.
For example:

digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20

image.pullPolicy

Property image.pullPolicy
Type string
Default
IfNotPresent

Kubernetes imagePullPolicy on Deployment.

imagePullSecrets

Property imagePullSecrets
Type array
Default
[]

Optional secrets used for pulling the approver-policy container image.

app.logLevel

Property app.logLevel
Type number
Default
1

Verbosity of approver-policy logging. This is a value from 1 to 5.

app.extraArgs

Property app.extraArgs
Type array
Default
[]

Extra CLI arguments that will be passed to the approver-policy process.

app.approveSignerNames

Property app.approveSignerNames
Type array
Default
- issuers.cert-manager.io/*
- clusterissuers.cert-manager.io/*

List of signer names that approver-policy will be given permission to approve and deny. CertificateRequests referencing these signer names can be processed by approver-policy. For more information, see the cert-manager documentation.

app.metrics.port

Property app.metrics.port
Type number
Default
9402

Port on which Prometheus metrics are exposed, on 0.0.0.0 at path /metrics.

app.metrics.service.servicemonitor

Property app.metrics.service.servicemonitor
Type bool
Default
true

Create a Service resource to expose the metrics endpoint.

app.metrics.service.servicemonitor

Property app.metrics.service.servicemonitor
Type string
Default
ClusterIP

The Service type used to expose metrics.

app.metrics.service.servicemonitor.enabled

Property app.metrics.service.servicemonitor.enabled
Type bool
Default
false

Create Prometheus ServiceMonitor resource for approver-policy.

app.metrics.service.servicemonitor.prometheusInstance

Property app.metrics.service.servicemonitor.prometheusInstance
Type string
Default
default

The value for the "prometheus" label on the ServiceMonitor. This allows multiple Prometheus instances to select different ServiceMonitors using label selectors.

app.metrics.service.servicemonitor.interval

Property app.metrics.service.servicemonitor.interval
Type string
Default
10s

The interval at which Prometheus scrapes for metrics.

app.metrics.service.servicemonitor.scrapeTimeout

Property app.metrics.service.servicemonitor.scrapeTimeout
Type string
Default
5s

The timeout on each metric probe request.

app.metrics.service.servicemonitor.labels

Property app.metrics.service.servicemonitor.labels
Type object
Default
{}

Additional labels to give the ServiceMonitor resource.

app.readinessProbe.port

Property app.readinessProbe.port
Type number
Default
6060

The container port on which the Approver Policy HTTP readiness probe is exposed on the default network interface.

app.webhook.host

Property app.webhook.host
Type string
Default
0.0.0.0

The host that the webhook listens on.

app.webhook.port

Property app.webhook.port
Type number
Default
10250

The port that the webhook listens on.

app.webhook.timeoutSeconds

Property app.webhook.timeoutSeconds
Type number
Default
5

The timeout of the webhook HTTP request.

app.webhook.hostNetwork

Property app.webhook.hostNetwork
Type bool
Default

Deprecated. Use .hostNetwork instead.

app.webhook.dnsPolicy

Property app.webhook.dnsPolicy
Type string
Default

Deprecated. Use .dnsPolicy instead.

app.webhook.affinity

Property app.webhook.affinity
Type object
Default

Deprecated. Use .affinity instead.

app.webhook.nodeSelector

Property app.webhook.nodeSelector
Type object
Default

Deprecated. Use .nodeSelector instead.

app.webhook.tolerations

Property app.webhook.tolerations
Type array
Default

Deprecated. Use .tolerations instead.

app.webhook.service.type

Property app.webhook.service.type
Type string
Default
ClusterIP

The type of Kubernetes Service used by the webhook.

app.webhook.service.nodePort

Property app.webhook.service.nodePort
Type number
Default

The nodePort set on the Service used by the webhook.

hostNetwork

Property hostNetwork
Type bool
Default
false

Boolean value; set to true to run the pod on the host network.
Required when running a custom CNI in managed providers such as AWS EKS.

For more information, see AWS EKS.

dnsPolicy

Property dnsPolicy
Type string
Default
ClusterFirst

This value may need to be changed if hostNetwork: true is set.

priorityClassName

Property priorityClassName
Type string
Default
""

Configure the priority class of the Pod.

For more information, see:
- Guaranteed Scheduling For Critical Add-On Pods
- Protect Your Mission-Critical Pods From Eviction With PriorityClass

For example:

priorityClassName: system-cluster-critical

affinity

Property affinity
Type object
Default
{}

A Kubernetes Affinity, if required. For more information, see Affinity v1 core.

For example:

affinity:
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:
      - matchExpressions:
        - key: foo.bar.com/role
          operator: In
          values:
          - master

nodeSelector

Property nodeSelector
Type object
Default
{}

The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. For more information, see Assigning Pods to Nodes.

tolerations

Property tolerations
Type array
Default
[]

A list of Kubernetes Tolerations, if required. For more information, see Toleration v1 core.

For example:

tolerations:
- key: foo.bar.com/role
  operator: Equal
  value: master
  effect: NoSchedule

topologySpreadConstraints

Property topologySpreadConstraints
Type array
Default
[]

List of Kubernetes TopologySpreadConstraints. For more information, see Pod Topology Spread Constraints.

For example:

topologySpreadConstraints:
- maxSkew: 2
  topologyKey: topology.kubernetes.io/zone
  whenUnsatisfiable: ScheduleAnyway
  labelSelector:
    matchLabels:
      app.kubernetes.io/name: cert-manager-approver-policy
      app.kubernetes.io/instance: cert-manager-approver-policy

podDisruptionBudget.enabled

Property podDisruptionBudget.enabled
Type bool
Default
false

Enable or disable the PodDisruptionBudget resource.

This prevents downtime during voluntary disruptions such as a Node upgrade. For example, the PodDisruptionBudget blocks kubectl drain if it is used on the Node where the only remaining approver-policy Pod is currently running.

podDisruptionBudget.minAvailable

Property podDisruptionBudget.minAvailable
Type number
Default

Configures the minimum available pods for disruptions.
Cannot be used if maxUnavailable is set.

podDisruptionBudget.maxUnavailable

Property podDisruptionBudget.maxUnavailable
Type number
Default

Configures the maximum unavailable pods for disruptions.
Cannot be used if minAvailable is set.
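
The constraints stated above for replicaCount (number, string or null), image.digest (overrides the tag when set), app.logLevel (1 to 5) and podDisruptionBudget (minAvailable and maxUnavailable are mutually exclusive) can be checked before a deployment. The following script is an added example, not code from the Venafi Kubernetes Manifest tool or the approver-policy chart; it works on a plain dict (a real pipeline would load values.yaml with a YAML parser), the sha256 digest format check is an assumption, and the minAvailable-versus-replicaCount warning goes beyond the reference text to flag a budget that blocks every voluntary disruption.

```python
"""Pre-deployment check of approver-policy Helm values against the
constraints stated in this reference (added example, not part of the
Venafi Kubernetes Manifest tool). Standard library only, so it runs offline."""
import re

# The reference states that image.digest overrides the tag when set; the
# sha256 format check is an assumption about what a usable digest looks like.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def lookup(values, dotted, default=None):
    """Fetch a nested key such as 'app.logLevel' from a values dict."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def check_values(values):
    """Return the list of problems found; an empty list means the values pass."""
    problems = []

    # replicaCount: number, string (variable for post-processing) or null.
    replicas = lookup(values, "replicaCount", 1)
    if isinstance(replicas, bool) or not (replicas is None or isinstance(replicas, (int, str))):
        problems.append("replicaCount must be a number, a string or null")

    # image.digest: overrides any tag when set, so it has to be a complete digest.
    digest = lookup(values, "image.digest", "")
    if digest and not DIGEST_RE.match(str(digest)):
        problems.append("image.digest must look like sha256:<64 hex chars>")

    # app.logLevel: a value from 1 to 5.
    level = lookup(values, "app.logLevel", 1)
    if isinstance(level, bool) or not isinstance(level, int) or not 1 <= level <= 5:
        problems.append("app.logLevel must be an integer from 1 to 5")

    # podDisruptionBudget: minAvailable and maxUnavailable are mutually exclusive.
    if lookup(values, "podDisruptionBudget.enabled", False):
        min_avail = lookup(values, "podDisruptionBudget.minAvailable")
        max_unavail = lookup(values, "podDisruptionBudget.maxUnavailable")
        if min_avail is not None and max_unavail is not None:
            problems.append("podDisruptionBudget: set only one of minAvailable and maxUnavailable")
        elif isinstance(replicas, int) and isinstance(min_avail, int) and min_avail >= replicas:
            # Beyond the reference text: a budget that must keep every replica
            # available blocks every voluntary disruption, including node drains.
            problems.append("podDisruptionBudget.minAvailable >= replicaCount blocks all voluntary disruptions")

    return problems


# Constructed sample values (not from the reference): the digest is a placeholder
# and both PDB fields are deliberately set to trigger the exclusivity check.
SAMPLE_VALUES = {
    "replicaCount": 2,
    "image": {"digest": "sha256:" + "0" * 64},
    "app": {"logLevel": 3},
    "podDisruptionBudget": {"enabled": True, "minAvailable": 1, "maxUnavailable": 1},
}

if __name__ == "__main__":
    for problem in check_values(SAMPLE_VALUES):
        print("values check:", problem)
```

Run it against the rendered values before helm upgrade; an empty result from check_values means none of the documented constraints is violated.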

volumeMounts

Property volumeMounts
Type array
Default
[]

Optional extra volume mounts. Useful for mounting custom root CAs.

For example:

volumeMounts:
- name: my-volume-mount
  mountPath: /etc/approver-policy/secrets

volumes

Property volumes
Type array
Default
[]

Optional extra volumes.

For example:

volumes:
- name: my-volume
  secret:
    secretName: my-secret

resources

Property resources
Type object
Default
{}

Kubernetes pod resources.
For more information, see Resource Management for Pods and Containers.

For example:

resources:
  limits:
    cpu: 100m
    memory: 128Mi
  requests:
    cpu: 100m
    memory: 128Mi

commonLabels

Property commonLabels
Type object
Default
{}

Optional custom labels to place on resources.

podAnnotations

Property podAnnotations
Type object
Default
{}

Optional custom annotations to place on the cert-manager-approver pod.

strategy

Property strategy
Type object
Default
{}

Deployment update strategy for the Approver Policy Deployment.

This may be needed when deploying Approver Policy on each control-plane node with anti-affinities that forbid two pods on the same node. In that situation, the default values of maxSurge (25%, rounded up to the next integer = 1) and maxUnavailable (25%, rounded down to the next integer = 0) block the rolling update, because the new surge pod cannot be scheduled on a control-plane node due to the anti-affinities. Setting maxSurge to 0 and maxUnavailable to 1 solves the problem.

For example:

strategy:
  type: RollingUpdate
  rollingUpdate:
    maxSurge: 0
    maxUnavailable: 1

For more information, see the Kubernetes documentation.
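
The rounding described above decides whether a rollout can make progress at all. The following script is an added example, not code from the reference or from Kubernetes itself; it reproduces the Deployment controller's resolution of maxSurge and maxUnavailable (percentages of maxSurge round up, percentages of maxUnavailable round down, integers are taken as is, and if both resolve to zero maxUnavailable becomes 1) and reports whether the one-pod-per-node anti-affinity case from the text deadlocks. The function names and the sample replica counts are this example's own.

```python
"""Rolling-update arithmetic behind the strategy example (added example, not
part of the reference). Mirrors how the Kubernetes Deployment controller
resolves maxSurge / maxUnavailable to pod counts."""
import math


def _resolve(value, replicas, round_up):
    """Turn an int or a 'NN%' string into an absolute pod count."""
    if isinstance(value, str) and value.endswith("%"):
        scaled = replicas * int(value[:-1]) / 100
        return math.ceil(scaled) if round_up else math.floor(scaled)
    return int(value)


def rolling_update_budget(replicas, max_surge="25%", max_unavailable="25%"):
    """Return (surge, unavailable) pod counts for a Deployment of `replicas` pods."""
    surge = _resolve(max_surge, replicas, round_up=True)
    unavailable = _resolve(max_unavailable, replicas, round_up=False)
    if surge == 0 and unavailable == 0:
        unavailable = 1  # the controller's fencepost rule: rounding may not leave both at zero
    return surge, unavailable


def rollout_blocked_by_anti_affinity(replicas, max_surge="25%", max_unavailable="25%"):
    """True when every eligible node already runs one pod (the one-pod-per-node
    anti-affinity case from the text) and the budget allows no old pod to be
    removed before a new one is scheduled, so the surge pod can never land."""
    _, unavailable = rolling_update_budget(replicas, max_surge, max_unavailable)
    return unavailable == 0


if __name__ == "__main__":
    for replicas in (1, 3):  # sample replica counts chosen for this example
        print(replicas, "replicas, chart defaults:", rolling_update_budget(replicas),
              "blocked:", rollout_blocked_by_anti_affinity(replicas))
        print(replicas, "replicas, maxSurge 0 / maxUnavailable 1:",
              rolling_update_budget(replicas, 0, 1),
              "blocked:", rollout_blocked_by_anti_affinity(replicas, 0, 1))
```

With one or three replicas the defaults resolve to a surge of 1 and zero unavailable pods, which is exactly the blocked case; the strategy from the example above resolves to (0, 1) and lets the old pod be replaced in place.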