
Approver Policy Enterprise administration

Custom Command Line Flags

You can change some settings of the Approver Policy Enterprise component using command line flags. You must modify these in the approver-policy-enterprise Deployment resource. If you deployed approver-policy-enterprise using Helm, you can customize the Deployment command line flags as follows.

  1. Add the desired command line flags to a new or existing Helm values file:

        # approver-policy-enterprise-flags.values.yaml
        cert-manager-approver-policy:
            app:
                extraArgs:
                - --rego-policy-directory=/var/run/rego # This flag is required by the Rego plugin
                - --venafi-policy-cache-duration=0 # Disable Venafi policy caching, for example

  2. Run helm upgrade to apply the new values:

        helm upgrade approver-policy-enterprise oci://private-registry.venafi.cloud/charts/approver-policy-enterprise \
            --wait \
            --namespace venafi \
            --values approver-policy-enterprise.values.yaml \
            --values approver-policy-enterprise-flags.values.yaml \
            --version v0.11.0

For more information about the Approver Policy Enterprise CLI commands, see Approver Policy Enterprise image flags.

Venafi Plugin

This section is for platform administrators who are using the Venafi features of Approver Policy Enterprise.

Configuring policy caching

By default, Approver Policy Enterprise begins enforcing new Venafi policies within one minute of you making changes in Venafi Control Plane.

Set --venafi-policy-cache-duration=0, if you want Approver Policy Enterprise to enforce the latest policy as soon as possible. This forces Approver Policy Enterprise to try to download the latest policy from Venafi for every pending CertificateRequest.

If you need to reduce the frequency of Venafi API requests, you can increase the --venafi-policy-cache-duration, causing Approver Policy Enterprise to cache the downloaded policy for longer.

For more information about the Approver Policy Enterprise CLI commands, see Approver Policy Enterprise image flags.

High availability

If you are using Approver Policy Enterprise with TLS Protect Datacenter, there may be times when the REST API of TLS Protect Datacenter is unavailable; for example, when performing an Offline upgrade of the Venafi platform. You may need Approver Policy Enterprise to continue to approve certificate request resources during this time.

By default, Approver Policy Enterprise caches downloaded Venafi policies in memory for 1 minute. It then attempts to download the latest policy from the Venafi API server. If that fails, it does not approve new certificate requests until it has re-established a connection to the Venafi API and downloaded the latest policy.

If you need Approver Policy Enterprise to tolerate outages longer than 1 minute, increase the --venafi-policy-cache-duration. Approver Policy Enterprise then uses the last downloaded policy for longer in the absence of a connection to Venafi.

It is also a good idea to disable the periodic health checks by setting --venafi-ready-check-interval=0. Approver Policy Enterprise marks the CertificateRequestPolicy as "not ready" in the event of a health check failure, and the policy is not evaluated while in that state.

Important

Don't restart Approver Policy Enterprise during a Venafi API outage, or you will lose the in-memory cache. You can't download the Venafi policy until the connection to the Venafi API is restored.
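The two flags above together decide whether approvals survive a planned outage. The following added example (not part of the Approver Policy Enterprise documentation or product) reads an extraArgs list like the one in the Helm values file above and reports whether the configuration keeps approving CertificateRequests through an outage of a given length. It assumes the flags accept Go-style duration values such as 0, 30s, 1m or 1h30m, and that a repeated flag's last value wins.

```python
"""Check approver-policy-enterprise extraArgs for Venafi outage tolerance (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: these flags accept Go-style durations ("0", "30s", "1m", "1h30m").
_UNITS = {"h": 3600.0, "m": 60.0, "s": 1.0, "ms": 0.001}
_PART = re.compile(r"(\d+(?:\.\d+)?)(ms|h|m|s)")


def parse_duration(value: str) -> float:
    """Seconds for a Go-style duration string; a bare "0" means zero."""
    value = value.strip()
    if value == "0":
        return 0.0
    if not re.fullmatch(r"(?:\d+(?:\.\d+)?(?:ms|h|m|s))+", value):
        raise ValueError(f"not a duration: {value!r}")
    return sum(float(n) * _UNITS[u] for n, u in _PART.findall(value))


def flag_value(extra_args: List[str], name: str, default=None):
    """Value of name=value in extraArgs; assumption: the last occurrence wins."""
    found = default
    for arg in extra_args:
        if arg.startswith(name + "="):
            found = arg[len(name) + 1:]
    return found


@dataclass
class OutageAssessment:
    cache_seconds: float
    ready_check_seconds: Optional[float]  # None: flag absent, periodic checks stay enabled
    tolerated: bool
    notes: List[str] = field(default_factory=list)


def assess_outage_tolerance(extra_args: List[str], outage_minutes: float) -> OutageAssessment:
    # Documented default: downloaded policies are cached in memory for 1 minute.
    cache = parse_duration(flag_value(extra_args, "--venafi-policy-cache-duration", "1m"))
    raw = flag_value(extra_args, "--venafi-ready-check-interval")
    ready = None if raw is None else parse_duration(raw)
    notes, ok = [], cache >= outage_minutes * 60
    if cache == 0:
        notes.append("caching disabled: every pending CertificateRequest needs a fresh policy download")
    elif not ok:
        notes.append(f"cache of {cache / 60:g}m expires before the {outage_minutes:g}m outage ends")
    if ready is None or ready > 0:  # a failed health check marks the CertificateRequestPolicy not ready
        notes.append("set --venafi-ready-check-interval=0 so a failed health check cannot disable the policy")
        ok = False
    return OutageAssessment(cache, ready, ok, notes)


# Constructed extraArgs lists: the values-file example from this page and an HA-oriented variant.
PAGE_FLAGS = ["--rego-policy-directory=/var/run/rego", "--venafi-policy-cache-duration=0"]
HA_FLAGS = ["--venafi-policy-cache-duration=4h", "--venafi-ready-check-interval=0"]

if __name__ == "__main__":
    for flags in (PAGE_FLAGS, HA_FLAGS):
        print(assess_outage_tolerance(flags, outage_minutes=120))
```

Run it against the extraArgs you intend to deploy before the upgrade window; the notes list names the flag that still needs changing.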