Installing Approver Policy using the CLI tool for CyberArk Certificate Manager
Approver Policy is a Kubernetes component of Certificate Manager - SaaS.
To download the latest versions of the Docker image and the Helm Chart for Approver Policy, see the download links specific to your region on the Approver Policy release page.
Prerequisites
- You must have access to a Certificate Manager - SaaS or Certificate Manager - Self-Hosted instance.
- You must have permission to install CRDs on your Kubernetes cluster.
- You must have cert-manager installed on your cluster. If you intend to use Enterprise Approver Policy for CyberArk Certificate Manager with cert-manager, the cert-manager default approver must be disabled. For more information, see the cert-manager install instructions.
- You must have kubectl on your local computer.
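The prerequisite that the cert-manager default approver be disabled can be checked from the arguments of the cert-manager controller container; if the default approver stays enabled, it approves CertificateRequests regardless of policy. The following is an added example, not part of the original page or of CyberArk's tooling. It assumes cert-manager's `--controllers` flag semantics (`*` selects the default controllers, a leading `-` excludes one) and the controller name `certificaterequests-approver`.

```shell
#!/bin/sh
# Added example (not vendor code): decide from the cert-manager controller
# container's arguments whether the default approver is disabled.

# default_approver_disabled ARG...
#   exit status 0: certificaterequests-approver will not run (prerequisite met)
#   exit status 1: it will run (prerequisite not met)
# The body is a subshell, so the IFS and globbing changes do not leak out.
default_approver_disabled() (
    list="" take_next=0
    for arg in "$@"; do
        if [ "$take_next" -eq 1 ]; then
            list="$list,$arg"; take_next=0; continue
        fi
        case $arg in
            --controllers=*) list="$list,${arg#--controllers=}" ;;
            --controllers)   take_next=1 ;;   # value is the next argument
        esac
    done
    # Assumption: repeated --controllers flags are combined into one list.
    # No --controllers flag at all means the default set ("*") is used.
    [ -n "$list" ] || list="*"

    selected=0 excluded=0
    IFS=,
    set -f                      # the list contains a literal "*"
    for entry in $list; do
        case $entry in
            "*"|certificaterequests-approver) selected=1 ;;
            -certificaterequests-approver)    excluded=1 ;;
        esac
    done
    # Disabled if explicitly excluded, or never selected in the first place.
    [ "$excluded" -eq 1 ] || [ "$selected" -eq 0 ]
)

# Constructed sample argument lists (not taken from a real cluster):
default_approver_disabled --v=2 '--controllers=*,-certificaterequests-approver' \
    && echo "sample 1: default approver disabled"
default_approver_disabled --v=2 --leader-elect=true \
    || echo "sample 2: default approver still enabled"

# On a live cluster, pass the real arguments. The Deployment and namespace
# names are assumptions (the cert-manager chart defaults):
#   default_approver_disabled $(kubectl -n cert-manager get deploy cert-manager \
#       -o jsonpath='{.spec.template.spec.containers[0].args[*]}')
```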
Step 1: Configure access to the CyberArk OCI registry
Follow the instructions in Configuring access to the CyberArk OCI registry to enable access to the artifacts required for this component (cert-manager Components is the default scope for Approver Policy). Use venafi as the namespace.
For the example below, we assume you created the following Kubernetes Secret:
- namespace: venafi
- name: venafi-image-pull-secret
Step 2: Deploy Approver Policy using the CLI tool for CyberArk Certificate Manager
- If not already installed, download and install the relevant version of the CLI tool for CyberArk Certificate Manager for your platform.
- Issue the following command to generate a CyberArk Kubernetes manifest file which, when applied, installs the Approver Policy:
A sample command for users of the US region OCI registry:
venctl components kubernetes manifest generate --region us --approver-policy > venafi-components.yaml
Regional registries
The example above uses the US-based OCI registry. Tenants in the following Certificate Manager - SaaS regions must use this registry: US, Canada, Australia, and Singapore. Tenants in the EU and UK must use the EU registry:
private-registry.venafi.eu
For more information on Venafi OCI registries, see Configuring access to a Venafi OCI Registry.
A sample command for users with their own organizational OCI registry. Be sure to update this command with the URI of your own company's registry:
venctl components kubernetes manifest generate \
  --region custom \
  --cert-manager-custom-chart-repository oci://myregistry.example.com/charts \
  --cert-manager-custom-image-registry myregistry.example.com \
  --approver-policy > venafi-components.yaml
- To apply the manifest, use the following command:
venctl components kubernetes manifest tool sync --file venafi-components.yaml
For more information and options on using the CLI tool for CyberArk Certificate Manager to install this component, see the CLI tool for CyberArk Certificate Manager reference page.
Uninstalling Approver Policy
You can uninstall Approver Policy using the following CLI tool for CyberArk Certificate Manager command:
venctl components kubernetes manifest tool destroy --file venafi-components.yaml
This command does not, by design, delete any CRDs. To delete the CRD, you must also run the following command:
kubectl delete crd certificaterequestpolicies.policy.cert-manager.io