Approver Policy Enterprise Helm values¶

Approver Policy Enterprise is the enterprise version of the Approver Policy tool. It enables you to apply certificate policies by connecting your Kubernetes cluster to Venafi Control Plane.

The following Approver Policy Enterprise Helm values are supported by the Venafi Kubernetes Manifest tool.

CRDs¶

The CRDs installed by this chart are annotated with "helm.sh/resource-policy: keep", this prevents them from being accidentally removed by Helm when this chart is deleted. After deleting the installed chart, the user still has to manually remove the remaining CRDs.

crds.forceRemoveValidationAnnotations¶

false

The 'x-kubernetes-validations' annotation is not supported in Kubernetes 1.22 and below. This annotation is used by CEL, which is a feature introduced in Kubernetes 1.25 that improves how validation is performed. This option allows to force the 'x-kubernetes-validations' annotation to be excluded, even on Kubernetes 1.25+ clusters.

Approver Policy¶

cert-manager Approver Policy dependency options.

Copied from https://github.com/cert-manager/approver-policy/blob/v0.13.0/deploy/charts/approver-policy/values.yaml

The following modifications are made by Venafi for compatibility with the Approver Policy Enterprise plugin:
nameOverride: cert-manager-approver-policy: to ensure that the webhook
service name matches the hostname in the webhook configuration.
image.registry: uses the enterprise registry where the Approver Policy Enterprise plugin image is hosted.
extraArgs: additional Approver Policy Enterprise plugin specific arguments are supplied.
volumes and volumeMounts: a volume is configured for the rego configuration of the Approver Policy Enterprise plugin.

cert-manager-approver-policy.nameOverride¶

cert-manager-approver-policy

nameOverride replaces the name of the chart in the Chart.yaml file, when this is used to construct Kubernetes object names.

cert-manager-approver-policy.crds.enabled¶

true

This option decides if the CRDs should be installed as part of the Helm installation.

cert-manager-approver-policy.crds.keep¶

true

This option makes it so that the "helm.sh/resource-policy": keep annotation is added to the CRD. This will prevent Helm from uninstalling the CRD when the Helm release is uninstalled.

cert-manager-approver-policy.replicaCount¶

1

Number of replicas of Approver Policy to run.

For example:
Use integer to set a fixed number of replicas

replicaCount: 2

Use null, if you want to omit the replicas field and use the Kubernetes default value.

replicaCount: null

Use a string if you want to insert a variable for post-processing of the rendered template.

replicaCount: ${REPLICAS_OVERRIDE:=3}

cert-manager-approver-policy.image.registry¶

Target image registry. This value is prepended to the target image repository, if set.
For example:

registry: eu.gcr.io
repository: jetstack-secure-enterprise/approver-policy-enterprise

cert-manager-approver-policy.image.repository¶

eu.gcr.io/jetstack-secure-enterprise/approver-policy-enterprise

Target image repository.

cert-manager-approver-policy.image.tag¶

Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion is used.

cert-manager-approver-policy.image.digest¶

Target image digest. Override any tag, if set.
For example:

digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20

cert-manager-approver-policy.image.pullPolicy¶

IfNotPresent

Kubernetes imagePullPolicy on Deployment.

cert-manager-approver-policy.imagePullSecrets¶

[]

Optional secrets used for pulling the Approver Policy container image.

cert-manager-approver-policy.app.logLevel¶

1

Verbosity of Approver Policy logging. This is a value from 1 to 5.

cert-manager-approver-policy.app.extraArgs[2]¶

--rego-policy-directory=/var/run/rego

cert-manager-approver-policy.app.extraArgs[2]¶

--rego-replicate=

cert-manager-approver-policy.app.extraArgs[2]¶

--rego-replicate-cluster=

cert-manager-approver-policy.app.approveSignerNames¶

[]

List of signer names that Approver Policy will be given permission to approve and deny. CertificateRequests referencing these signer names can be processed by Approver Policy.

For more information, see the [cert-manager documentation] (https://cert-manager.io/docs/concepts/certificaterequest/#approval).

cert-manager-approver-policy.app.metrics.service¶

9402

Port for exposing Prometheus metrics on 0.0.0.0 on path '/metrics'.

cert-manager-approver-policy.app.metrics.service.enabled¶

true

Create a Service resource to expose metrics endpoint.

cert-manager-approver-policy.app.metrics.service.type¶

ClusterIP

The service type to expose metrics.

cert-manager-approver-policy.app.metrics.service.servicemonitor.labels¶

false

Create Prometheus ServiceMonitor resource for Approver Policy.

cert-manager-approver-policy.app.metrics.service.servicemonitor.labels¶

default

The value for the "prometheus" label on the ServiceMonitor. This allows for multiple Prometheus instances selecting difference ServiceMonitors using label selectors.

cert-manager-approver-policy.app.metrics.service.servicemonitor.labels¶

10s

The interval that the Prometheus will scrape for metrics.

cert-manager-approver-policy.app.metrics.service.servicemonitor.labels¶

5s

The timeout on each metric probe request.

cert-manager-approver-policy.app.metrics.service.servicemonitor.labels¶

{}

Additional labels to give the ServiceMonitor resource.

cert-manager-approver-policy.app.readinessProbe.port¶

6060

The container port to expose Approver Policy HTTP readiness probe on default network interface.

cert-manager-approver-policy.app.webhook.service¶

0.0.0.0

The host that the webhook listens on.

cert-manager-approver-policy.app.webhook.service¶

10250

The port that the webhook listens on.

cert-manager-approver-policy.app.webhook.service¶

5

The timeout of webhook HTTP request.

cert-manager-approver-policy.app.webhook.hostNetwork¶

Deprecated. Use .hostNetwork instead.

cert-manager-approver-policy.app.webhook.dnsPolicy¶

Deprecated. Use .dnsPolicy instead.

cert-manager-approver-policy.app.webhook.affinity¶

Deprecated. Use .affinity instead.

cert-manager-approver-policy.app.webhook.nodeSelector¶

Deprecated. Use .nodeSelector instead.

cert-manager-approver-policy.app.webhook.tolerations¶

Deprecated. Use .tolerations instead.

cert-manager-approver-policy.app.webhook.service.type¶

ClusterIP

The type of Kubernetes Service used by the webhook.

cert-manager-approver-policy.app.webhook.service.nodePort¶

The nodePort set on the Service used by the webhook.

cert-manager-approver-policy.hostNetwork¶

false

Boolean value, expose pod on hostNetwork.
Required when running a custom CNI in managed providers such as AWS EKS.

For more information, see AWS EKS.

cert-manager-approver-policy.dnsPolicy¶

ClusterFirst

This value may need to be changed if hostNetwork: true

cert-manager-approver-policy.priorityClassName¶

""

Configure the priority class of the Pod.

For more information, see:
Guaranteed Scheduling For Critical Add-On Pods
Protect Your Mission-Critical Pods From Eviction With PriorityClass

For example:

priorityClassName: system-cluster-critical

cert-manager-approver-policy.affinity¶

{}

A Kubernetes Affinity, if required. For more information, see Affinity v1 core.

For example:

affinity:
  nodeAffinity:
   requiredDuringSchedulingIgnoredDuringExecution:
     nodeSelectorTerms:
     - matchExpressions:
       - key: foo.bar.com/role
         operator: In
         values:
         - master

cert-manager-approver-policy.nodeSelector¶

kubernetes.io/os: linux

The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. For more information, see Assigning Pods to Nodes.

cert-manager-approver-policy.tolerations¶

[]

A list of Kubernetes Tolerations, if required. For more information, see Toleration v1 core.

For example:

tolerations:
- key: foo.bar.com/role
  operator: Equal
  value: master
  effect: NoSchedule

cert-manager-approver-policy.topologySpreadConstraints¶

[]

List of Kubernetes TopologySpreadConstraints. For more information, see: Pod Topology Spread Constraints.

For example:

topologySpreadConstraints:
- maxSkew: 2
  topologyKey: topology.kubernetes.io/zone
  whenUnsatisfiable: ScheduleAnyway
  labelSelector:
    matchLabels:
      app.kubernetes.io/name: cert-manager-approver-policy
      app.kubernetes.io/instance: cert-manager-approver-policy

cert-manager-approver-policy.podDisruptionBudget.enabled¶

false

Enable or disable the PodDisruptionBudget resource.

This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget blocks kubectl drain if it is used on the Node where the only remaining Approver Policy Pod is currently running.

cert-manager-approver-policy.podDisruptionBudget.minAvailable¶

Configures the minimum available pods for disruptions. Cannot be used if maxUnavailable is set.

cert-manager-approver-policy.podDisruptionBudget.maxUnavailable¶

Configures the maximum unavailable pods for disruptions. Cannot be used if minAvailable is set.

cert-manager-approver-policy.volumeMounts[0].mountPath¶

rego

cert-manager-approver-policy.volumeMounts[0].mountPath¶

/var/run/rego

cert-manager-approver-policy.volumes[0].configMap¶

rego

cert-manager-approver-policy.volumes[0].configMap.name¶

cert-manager-approver-policy-rego

cert-manager-approver-policy.volumes[0].configMap.optional¶

true

cert-manager-approver-policy.resources¶

{}

Kubernetes pod resources.
For more information, see Resource Management for Pods and Containers.

For example:

resources:
  limits:
    cpu: 100m
    memory: 128Mi
  requests:
    cpu: 100m
    memory: 128Mi

cert-manager-approver-policy.commonLabels¶

{}

Allow custom labels to be placed on resources - optional.

cert-manager-approver-policy.podAnnotations¶

{}

Allow custom annotations to be placed on cert-manager-approver pod - optional.

cert-manager-approver-policy.strategy¶

{}

Deployment update strategy for the Approver Policy Deployment.

This could be needed when deploying Approver Policy on each control-plane node and setting anti-affinities to forbid two pods on the same node. In this situation, default values of maxSurge (25% round up to next integer = 1) and maxUnavailable (25% round down to next integer = 0) block the rolling update as the new surge pod can't be scheduled on a control-plane node due to anti-affinities. Setting maxSurge to 0 and maxUnavailable to 1 would solve the problem.

For example:

strategy:
  type: RollingUpdate
  rollingUpdate:
    maxSurge: 0
    maxUnavailable: 1

For more information, see the Kubernetes documentation.

cert-manager-approver-policy.http_proxy¶

Configures the HTTP_PROXY environment variable where a HTTP proxy is required.

cert-manager-approver-policy.https_proxy¶

Configures the HTTPS_PROXY environment variable where a HTTP proxy is required.

cert-manager-approver-policy.no_proxy¶

Configures the NO_PROXY environment variable where a HTTP proxy is required, but certain domains should be excluded.

Venafi Connection¶

venafiConnection.include¶

true

When set to false, the rendered output does not contain the. VenafiConnection CRDs and RBAC. This is useful for when the. Venafi Connection resources are already installed separately.

Rego¶

rego.rbac.namespaced¶

[]

Namespace scoped resources to create RBAC for

rego.rbac.cluster¶

[]

Cluster scoped resources to create RBAC for