Skip to content

Approver Policy Enterprise image flags

A cert-manager certificate request approver that bases decisions on certificate request policies.

Usage

approver-policy [flags]

Application flags

Flags Type Description
--leader-election-namespace String Namespace to lease leader election for controller replica set.
-v, --log-level String Log level (1-5 - default 1).
--metrics-bind-address String TCP address for exposing HTTP Prometheus metrics served on the HTTP path /metrics. The value 0 disables exposing metrics (default :9402).
--readiness-probe-bind-address String TCP address for exposing the HTTP readiness probe served on the HTTP path /readyz (default :6060)

Webhooks flags

Flags Type Description
--webhook-ca-secret-namespace String Namespace that the cert-manager-approver-policy-tls Secret is stored (default cert-manager).
--webhook-certificate-dir String Directory where the Webhook certificate and private key are located. Certificate and private key must be named tls.crt and tls.key respectively (default /tmp).
--webhook-host String Host to serve webhook (default 0.0.0.0).
--webhook-port Integer Port to serve webhook (default 6443).
--webhook-service-name String Name of the Kubernetes Service that exposes the Webhook's server (default cert-manager-approver-policy).

Kubernetes flags

Flags Type Description
--as String Username to impersonate for the operation. User could be a regular user or a service account in a namespace.
--as-group stringArray Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
--as-uid String UID to impersonate for the operation.
--cache-dir String Default cache directory (default /.kube/cache).
--certificate-authority String Path to a cert file for the certificate authority.
--client-certificate String Path to a client certificate file for TLS.
--client-key String Path to a client key file for TLS.
--cluster String The name of the kubeconfig cluster to use.
--context String The name of the kubeconfig context to use.
--disable-compression If true, opt-out of response compression for all requests to the server.
--insecure-skip-tls-verify If true, the server`s certificate are not checked for validity. This makes your HTTPS connections insecure.
--kubeconfig String Path to the kubeconfig file to use for CLI requests.
-n, --namespace String If present, the namespace scope for this CLI request.
--request-timeout String The length of time to wait before giving up on a single server request. Non-zero values must contain a corresponding time unit (for example, 1s, 2m, 3h). A value of zero means don't timeout requests (default 0).
-s, --server String The address and port of the Kubernetes API server.
--tls-server-name String Server name to use for server certificate validation. If it's not provided, the hostname used to contact the server is used.
--token String Bearer token for authentication to the API server.
--user String The name of the kubeconfig user to use.

Rego flags

Flags Type Description
--rego-policy-directory String Directory containing the rego policies to be be used for evaluation.
--rego-replicate strings Strings List of namespaced Kubernetes resource types to replicate. Accepts scoping to namespace. Can be defined multiple times .
--rego-replicate-cluster Strings List of Cluster Scoped Kubernetes resource types to replicate.Can be defined multiple times .

Venafi flags

Flags Type Description
--installation-namespace String The namespace in which the venafi-connection service account lives. This is the service account that is used to create JWT tokens for SAs or read credential secrets. (defaults to the namespace in which the controller is running)
--venafi-connection-namespace String The namespace where all referenced VenafiConnections live.(defaults to the namespace in which the controller is running)
--venafi-policy-cache-duration Duration The duration for which downloaded (cached) Venafi policies may be used (default 1m0s).
--venafi-ready-check-interval Duration The interval between periodic Ready checks (default 1h0m0s).