Installing Approver Policy
Approver Policy is a Kubernetes component of Venafi Control Plane.
To download the latest versions of the Docker image and the Helm Chart for Approver Policy, see the download links specific to your region on the Approver Policy release page.
Prerequisites
- You must have access to a Venafi Control Plane (TLS Protect Cloud or TLS Protect Datacenter) instance.
- You must have permission to install Helm charts and CRDs on your Kubernetes cluster.
- You must install cert-manager in your cluster.
- You must have kubectl and Helm 3.8.0 or later on your local computer.
Step 1: Configure access to the Venafi OCI registry
Follow the instructions in Configuring access to the Venafi OCI registry to enable access to the artifacts required for this component (cert-manager Components is the default scope for Approver Policy). Use venafi as the namespace.
For the example below, we assume you created the following Kubernetes Secret:
- namespace: venafi
- name: venafi-image-pull-secret
Step 2: Reconfigure cert-manager
Important
Make sure that you have configured Helm correctly as outlined in Configuring access to the Venafi OCI registry before attempting this step.
By default, cert-manager includes a built-in approver that attempts to mark all certificate requests as approved. To use Approver Policy you must disable this.
If you are using cert-manager v1.15.0 or later, you can disable the cert-manager approver by setting the following command line argument on the cert-manager controller:
--set disableAutoApproval=true
For example:
helm upgrade -i cert-manager oci://registry.venafi.cloud/charts/cert-manager \
--install \
--create-namespace \
--namespace venafi \
--version v1.16.2 \
--set crds.enabled=true \
--set disableAutoApproval=true
If you use a values file, you can also set the disableAutoApproval parameter there. For example:
disableAutoApproval: true
Tip
If you are running an earlier version of cert-manager, you can disable the cert-manager approver by setting the following command line argument on the cert-manager controller:
--controllers=*,-certificaterequests-approver
You can also do this by using the following values option:
helm upgrade -i cert-manager oci://registry.venafi.cloud/charts/cert-manager \
--install \
--create-namespace \
--namespace venafi \
--version v1.16.2 \
--set installCRDs=true \
--set extraArgs={--controllers='*\,-certificaterequests-approver'}
Be sure to customize the cert-manager controller extraArgs, which are at the top level of the values file. Do not change the webhook.extraArgs, startupAPICheck.extraArgs or cainjector.extraArgs settings.
If you are reconfiguring an already-installed cert-manager instance, you can check whether the original installation already customized the extraArgs value by running the helm get values cert-manager --namespace venafi command. If there are pre-configured extraArgs values, merge those with the extra --controllers value. Otherwise, your original extraArgs values will be overwritten.
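The merge described above, as an added example that is not part of the product documentation: a shell function that takes the existing controller extraArgs, one per line, and emits a values fragment that keeps them and disables certificaterequests-approver. The helper name merge_extra_args, the sample arguments and the use of jq to list the current values are assumptions.

```shell
#!/bin/sh
# Added example (not from the product documentation): keep the controller
# extraArgs already set on the release and add the flag that disables the
# built-in approver, so a later helm upgrade does not overwrite them.

APPROVER='certificaterequests-approver'

# merge_extra_args (hypothetical helper): reads existing extraArgs on stdin,
# one per line, and writes a Helm values fragment on stdout.
merge_extra_args() {
  awk -v approver="$APPROVER" -v q="'" '
    function emit(arg) {
      gsub(q, q q, arg)                  # escape for a YAML single-quoted scalar
      printf "  - %s%s%s\n", q, arg, q
    }
    BEGIN { print "extraArgs:" }
    /^[ \t]*$/ { next }                  # ignore blank lines
    /^--controllers=/ {
      seen = 1
      value = substr($0, length("--controllers=") + 1)
      n = split(value, parts, ",")
      disabled = 0
      for (i = 1; i <= n; i++) { if (parts[i] == ("-" approver)) disabled = 1 }
      if (!disabled) value = value ",-" approver
      emit("--controllers=" value)
      next
    }
    { emit($0) }
    END { if (!seen) emit("--controllers=*,-" approver) }
  '
}

# Constructed sample input. Against a real release the list could come from
# (assumes jq is installed):
#   helm get values cert-manager --namespace venafi -o json | jq -r '.extraArgs[]?'
printf '%s\n' '--v=2' '--enable-certificate-owner-ref=true' | merge_extra_args
```

Write the output to a values file and pass it to helm upgrade with --values instead of the --set extraArgs option.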
Info
Note also that, as of cert-manager v1.15.0, the installCRDs value is deprecated in favor of crds.enabled.
The --set crds.enabled=true setting is a convenient way to install the cert-manager CRDs, but it is optional and has some drawbacks. Learn more: Helm: Installing Custom Resource Definitions.
A message similar to the following appears in the cert-manager log when successful:
I0506 14:44:51.198463 1 controller.go:182] cert-manager/controller "msg"="not starting controller as it's disabled" "controller"="certificaterequests-approver"
Tip
A quick way to search in the logs, assuming cert-manager is deployed to the venafi namespace:
kubectl logs -n venafi -l app=cert-manager | grep "certificaterequests-approver"
Step 3: Deploy Approver Policy using Helm
This procedure installs Approver Policy in the venafi namespace and configures it to use the pull secret that you created earlier, in addition to specifying the CA bundles Approver Policy must trust.
- Create a file named approver-policy.values.yaml that contains the following content:

  A sample approver-policy.values.yaml file for users of the Venafi US OCI registry:

  # approver-policy.values.yaml
  cert-manager-approver-policy:
    image:
      repository: private-registry.venafi.cloud/cert-manager-approver-policy/cert-manager-approver-policy
    imagePullSecrets:
      - name: venafi-image-pull-secret

  A sample approver-policy.values.yaml file for users of the Venafi EU OCI registry:

  # approver-policy.values.yaml
  cert-manager-approver-policy:
    image:
      repository: private-registry.venafi.eu/cert-manager-approver-policy/cert-manager-approver-policy
    imagePullSecrets:
      - name: venafi-image-pull-secret

  A sample approver-policy.values.yaml file for users with their own OCI registry:

  # approver-policy.values.yaml
  cert-manager-approver-policy:
    image:
      repository: myregistry.example.com/cert-manager-approver-policy/cert-manager-approver-policy
    imagePullSecrets:
      - name: venafi-image-pull-secret

- Use Helm to install the software and wait for it to be ready:

  helm upgrade cert-manager-approver-policy oci://registry.venafi.cloud/charts/cert-manager-approver-policy \
    --install \
    --namespace venafi \
    --values approver-policy.values.yaml \
    --version v0.17.0 \
    --wait
Uninstalling Approver Policy using Helm
To uninstall the Approver Policy installed via Helm, run the following command:
helm uninstall cert-manager-approver-policy --namespace venafi
Output:
These resources were kept due to the resource policy:
[CustomResourceDefinition] certificaterequestpolicies.policy.cert-manager.io
release "cert-manager-approver-policy" uninstalled
As shown in the output, the CustomResourceDefinition for CertificateRequestPolicy is not removed by the Helm uninstall command. This is to prevent data loss, as removing the CustomResourceDefinition will also remove all CertificateRequestPolicy resources.
This command does not, by design, delete any CRDs. To do that you must also apply the following command:
kubectl delete crd certificaterequestpolicies.policy.cert-manager.io
Warning
Approver Policy versions prior to v0.13.0 do not keep the CustomResourceDefinition on uninstall and will remove all CertificateRequestPolicy resources from the cluster. Make sure to back up your CertificateRequestPolicy resources before uninstalling Approver Policy if you are using a version prior to v0.13.0. Alternatively, upgrade to v0.13.0 or later before uninstalling.