
Installing Approver Policy

Approver Policy is a Kubernetes component of Venafi Control Plane.

Alternatively, to download the latest version of Approver Policy as a Docker image or Helm Chart, see the download links specific to your region on the Approver Policy release page.

Prerequisites

  • You must have access to a Venafi Control Plane (TLS Protect Cloud or TLS Protect Datacenter) instance.
  • You must have permission to install Helm charts and CRDs on your Kubernetes cluster.
  • You must install cert-manager in your cluster.
  • You must have kubectl and Helm 3.8.0 or later on your local computer.

Important

If you use your own registry that mirrors the Venafi images, substitute its address for the Venafi registry address in the relevant commands on this page.

Step 1: Configure access to the Venafi OCI registry

Important

Follow the instructions in Configuring access to the Venafi OCI registry to enable access to the artifacts required for this component (Approver Policy Component for cert-manager is the default scope for Approver Policy). Use venafi as the namespace.

For the example below, we assume you created the following Kubernetes Secret:

  • namespace: venafi
  • name: venafi-image-pull-secret

Step 2: Reconfigure cert-manager

Important

Make sure that you have configured Helm correctly as outlined in Configuring access to the Venafi OCI registry before attempting this step.

By default, cert-manager includes a built-in approver that attempts to mark all certificate requests as approved. To use Approver Policy you must disable this.

To disable the cert-manager approver, set the following command line argument on the cert-manager controller:

--controllers=*,-certificaterequests-approver

If using Helm, you can also do this by using the following values option:

helm upgrade -i cert-manager oci://registry.venafi.cloud/charts/cert-manager \
  --install \
  --create-namespace \
  --namespace venafi \
  --version v1.14.5 \
  --set installCRDs=true \
  --set extraArgs={--controllers='*\,-certificaterequests-approver'}

Info

The --set installCRDs=true setting is a convenient way to install the cert-manager CRDs, but it is optional and has some drawbacks. Learn more: Helm: Installing Custom Resource Definitions.

Note

Be sure to customize the cert-manager controller extraArgs, which are at the top level of the values file. Do not change the webhook.extraArgs, startupAPICheck.extraArgs or cainjector.extraArgs settings.

Warning

If you are reconfiguring an already-installed cert-manager instance, first check whether the extraArgs value of the original installation has already been customized by running the helm get values cert-manager --namespace venafi command. If extraArgs values are already configured, merge them with the additional --controllers value. Otherwise, your original extraArgs values will be overwritten.

A message similar to the following appears in the cert-manager log when successful:

I0506 14:44:51.198463       1 controller.go:182] cert-manager/controller "msg"="not starting controller as it's disabled" "controller"="certificaterequests-approver"

Tip

A quick way to search in the logs, assuming cert-manager is deployed to the venafi namespace:

kubectl logs -n venafi -l app=cert-manager | grep "certificaterequests-approver"
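The Warning and Tip above boil down to two checks a practitioner wants before trusting Approver Policy: that the cert-manager controller really runs with the built-in approver disabled (otherwise every CertificateRequest is still auto-approved), and that any pre-existing extraArgs are merged rather than overwritten. The following added example, which is not part of the Venafi documentation, implements both as shell functions over the argument strings; the kubectl one-liner in the comment and the cert-manager Deployment name are assumptions about your cluster.

```shell
#!/usr/bin/env bash
# Added example, not from the Venafi docs: pre-flight checks for Step 2.

# Return 0 if a controller argument list (space- or newline-separated) disables
# the built-in approver, i.e. its last --controllers value contains the exact
# entry "-certificaterequests-approver". With no --controllers flag at all,
# cert-manager runs every controller, including the approver, so return 1.
approver_disabled() {
  local args="$1" value
  value=$(printf '%s\n' "$args" | tr ' ' '\n' | grep '^--controllers=' | tail -n 1 | cut -d= -f2-)
  [ -n "$value" ] || return 1
  printf '%s\n' "$value" | tr ',' '\n' | grep -qxF -- '-certificaterequests-approver'
}

# Return 0 if a cert-manager log excerpt contains the confirmation line
# quoted on this page for the disabled approver controller.
log_confirms_disabled() {
  printf '%s\n' "$1" | grep -q 'not starting controller as it.s disabled.*"controller"="certificaterequests-approver"'
}

# Given existing extraArgs, one per line (as reported by
# `helm get values cert-manager --namespace venafi`), print the same list with
# "-certificaterequests-approver" merged into the --controllers entry, or with
# "--controllers=*,-certificaterequests-approver" appended if there was none.
# Every other pre-existing argument is preserved unchanged.
merge_extra_args() {
  local existing="$1" line value seen=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    case "$line" in
      --controllers=*)
        seen=1
        value="${line#--controllers=}"
        if ! printf '%s\n' "$value" | tr ',' '\n' | grep -qxF -- '-certificaterequests-approver'; then
          line="--controllers=${value},-certificaterequests-approver"
        fi ;;
    esac
    printf '%s\n' "$line"
  done <<EOF
$existing
EOF
  [ "$seen" -eq 1 ] || printf '%s\n' '--controllers=*,-certificaterequests-approver'
}

# Live usage against a cluster (assumed Deployment name and namespace; not run here):
#   args=$(kubectl get deploy cert-manager -n venafi \
#     -o jsonpath='{.spec.template.spec.containers[0].args[*]}')
#   approver_disabled "$args" && echo "built-in approver disabled" \
#     || echo "WARNING: built-in approver still active; Approver Policy is bypassed"
```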

Step 3: Deploy Approver Policy

There are two ways you can deploy Approver Policy:

  • Using the Venafi CLI utility and Venafi Kubernetes Manifest tool
  • Using Helm

Deploying Approver Policy using the Venafi CLI tool

  1. If not already installed, download and install the relevant version of the Venafi CLI tool for your platform.
  2. Initialize the Venafi Kubernetes Manifest tool:

    venctl components kubernetes manifest tool init
    
  3. Issue the following command to generate a Venafi Kubernetes manifest file which, when applied, installs the Approver Policy:

    venctl components kubernetes manifest generate --approver-policy > helmfile.yaml
    
  4. To apply the manifest, use the following command:

    venctl components kubernetes manifest tool sync --file helmfile.yaml
    

    For more information and options on using the Venafi CLI tool to install Approver Policy, see the documentation for the venctl components kubernetes manifest generate and venctl components kubernetes manifest tool sync commands.

Important

You can uninstall Approver Policy using the Venafi CLI command:

venctl components kubernetes manifest tool destroy --file helmfile.yaml

This command does not, by design, delete any CRDs. To do that you must also run the following command:

$ kubectl delete crd certificaterequestpolicies.policy.cert-manager.io

Deploying Approver Policy using Helm

This procedure installs Approver Policy in the venafi namespace and configures it to use the pull secret that you created earlier, in addition to specifying the CA bundles Approver Policy must trust.

  1. Create a file named approver-policy.values.yaml that contains the following content (the two variants differ only in the image repository host; use the one for your region):

    For private-registry.venafi.cloud:

    # approver-policy.values.yaml
    cert-manager-approver-policy:
      image:
        repository: private-registry.venafi.cloud/cert-manager-approver-policy/cert-manager-approver-policy
      imagePullSecrets:
        - name: venafi-image-pull-secret
    
    venafiConnection:
      include: true # set to `false` if Venafi Connection CRDs & RBAC are already installed
    
    For private-registry.venafi.eu:

    # approver-policy.values.yaml
    cert-manager-approver-policy:
      image:
        repository: private-registry.venafi.eu/cert-manager-approver-policy/cert-manager-approver-policy
      imagePullSecrets:
        - name: venafi-image-pull-secret
    
    venafiConnection:
      include: true # set to `false` if Venafi Connection CRDs & RBAC are already installed
    

    Note

    If you are using Approver Policy Enterprise with external issuers (such as Venafi Enhanced Issuer, see example below), you must include their signer names so that Approver Policy Enterprise has permissions to approve and deny CertificateRequests that reference them.

    # approver-policy-enterprise.values.yaml
    cert-manager-approver-policy:
      app:
        approveSignerNames:
          - "issuers.cert-manager.io/*"
          - "clusterissuers.cert-manager.io/*"
          - "venaficlusterissuers.jetstack.io/*"
          - "venafiissuers.jetstack.io/*"
      ...
    
  2. Use Helm to install the software and wait for it to be ready:

    helm upgrade cert-manager-approver-policy oci://registry.venafi.cloud/charts/cert-manager-approver-policy \
        --install \
        --namespace venafi \
        --values approver-policy.values.yaml \
        --version v0.14.1 \
        --wait
    

Uninstalling Approver Policy using Helm

To uninstall the Approver Policy installed via Helm, run the following command:

$ helm uninstall cert-manager-approver-policy --namespace venafi
These resources were kept due to the resource policy:
[CustomResourceDefinition] certificaterequestpolicies.policy.cert-manager.io

release "cert-manager-approver-policy" uninstalled

As shown in the output, the CustomResourceDefinition for CertificateRequestPolicy is not removed by the Helm uninstall command. This is to prevent data loss, as removing the CustomResourceDefinition also removes all CertificateRequestPolicy resources.

The uninstall command does not, by design, delete any CRDs. If you do want to remove them, you must also run the following command:

kubectl delete crd certificaterequestpolicies.policy.cert-manager.io

Warning

Approver Policy versions prior to v0.13.0 do not keep the CustomResourceDefinition on uninstall and will remove all CertificateRequestPolicy resources from the cluster. Make sure to back up your CertificateRequestPolicy resources before uninstalling Approver Policy if you are using a version prior to v0.13.0. Alternatively, upgrade to v0.13.0 or later before uninstalling.