Enterprise Approver Policy administration¶
Custom Command Line Flags¶
You can change some settings of the Enterprise Approver Policy component of CyberArk Certificate Manager using command line flags. You set these flags on the approver-policy-enterprise Deployment resource. If you deployed Enterprise Approver Policy using Helm, customize the Deployment command line flags as follows.
1. Add the desired command line flags to a new or existing Helm values file, for example `enterprise-approver-policy-flags.values.yaml`:

```yaml
cert-manager-approver-policy:
  app:
    extraArgs:
      - --rego-policy-directory=/var/run/rego  # This flag is required by the Rego plugin
      - --venafi-policy-cache-duration=0       # Disable Venafi policy caching, for example
```

2. Run `helm upgrade` to apply the new values:

```bash
helm upgrade approver-policy-enterprise oci://private-registry.venafi.cloud/charts/approver-policy-enterprise \
  --wait \
  --namespace venafi \
  --values enterprise-approver-policy.values.yaml \
  --values enterprise-approver-policy-flags.values.yaml \
  --version v0.11.0
```
For more information about the Enterprise Approver Policy CLI commands, see Enterprise Approver Policy image flags.
Venafi Plugin¶
This section is for platform administrators who are using the Venafi features of Enterprise Approver Policy.
Configuring policy caching¶
By default, Enterprise Approver Policy begins enforcing new policies within one minute of you making changes in Venafi Control Plane.
Set `--venafi-policy-cache-duration=0` if you want Enterprise Approver Policy to enforce the latest policy as soon as possible. This forces Enterprise Approver Policy to try to download the latest policy from Venafi for every pending `CertificateRequest`, so each pending request costs a Venafi API call.
If you need to reduce the frequency of Venafi API requests, increase `--venafi-policy-cache-duration`, causing Enterprise Approver Policy to cache the downloaded policy for longer. A policy change made in Venafi is then not enforced until the cached copy expires.
For more information about the Enterprise Approver Policy CLI commands, see Enterprise Approver Policy image flags.
High availability¶
If you are using Enterprise Approver Policy with TLS Protect Datacenter, there may be times when the TLS Protect Datacenter REST API is unavailable, for example during an offline upgrade of TLS Protect Datacenter. You may need Enterprise Approver Policy to continue approving certificate request resources during this time.
By default, Enterprise Approver Policy caches downloaded Venafi policies in memory for 1 minute, then attempts to download the latest policy from the Venafi API server. If that download fails, it does not approve new certificate requests until it has re-established a connection to the Venafi API and downloaded the latest policy.
If you need Enterprise Approver Policy to tolerate outages longer than 1 minute, increase `--venafi-policy-cache-duration`. Enterprise Approver Policy then keeps using the last downloaded policy for that long in the absence of a connection to Venafi. Choose the value deliberately: it is also the maximum time a policy change made in Venafi can go unenforced.
It is also a good idea to disable the periodic health checks by setting `--venafi-ready-check-interval=0`. Enterprise Approver Policy marks the `CertificateRequestPolicy` as "not ready" if a health check fails, and a policy in that state is not evaluated, so a failed health check during the outage would stop approvals even though a cached policy is available.
Important
Don't restart Enterprise Approver Policy during a Venafi API outage, or you will lose the in-memory cache. You can't download the Venafi policy again until the connection to the Venafi API is restored.