Installing Approver Policy using the Venafi CLI tool

Approver Policy is a Kubernetes component of Venafi Control Plane.

To download the latest versions of the Docker image and the Helm Chart for Approver Policy, see the download links specific to your region on the Approver Policy release page.

Prerequisites

  • You must have access to a Venafi Control Plane (TLS Protect Cloud or TLS Protect Datacenter) instance.
  • You must have permission to install CRDs on your Kubernetes cluster.
  • You must have cert-manager installed on your cluster. If you intend to use Approver Policy Enterprise with cert-manager, the cert-manager default approver must be disabled. For more information, see the cert-manager install instructions.
  • You must have kubectl on your local computer.

Step 1: Configure access to the Venafi OCI registry

Follow the instructions in Configuring access to the Venafi OCI registry to enable access to the artifacts required for this component (cert-manager Components is the default scope for Approver Policy). Use venafi as the namespace.

For the example below, we assume you created the following Kubernetes Secret:

  • namespace: venafi
  • name: venafi-image-pull-secret
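
A pre-flight check for the prerequisites and the Secret above, as an added example (not part of the Venafi documentation or tooling). It assumes cert-manager runs as Deployment `cert-manager` in namespace `cert-manager` with the controller as the first container, and that the default approver was disabled with cert-manager's `--controllers=...,-certificaterequests-approver` exclusion; `CM_NS` and `CM_DEPLOY` are hypothetical override variables.

```shell
#!/bin/sh
# Added example: verify prerequisites before generating the manifest.

# Reads controller args (one per line) on stdin. Returns 0 only when the
# last --controllers flag explicitly excludes the built-in approver.
# Conservative: an allow-list that merely omits the approver is reported
# as "not disabled" so that a human reviews it.
default_approver_disabled() {
  dad_found=1
  while IFS= read -r dad_line || [ -n "$dad_line" ]; do
    case "$dad_line" in
      --controllers=*)
        dad_found=1   # a later flag overrides an earlier one
        case ",${dad_line#--controllers=}," in
          *,-certificaterequests-approver,*) dad_found=0 ;;
        esac ;;
    esac
  done
  return "$dad_found"
}

# Live check against the current kubectl context.
preflight() {
  kubectl -n venafi get secret venafi-image-pull-secret >/dev/null ||
    { echo "missing Secret venafi/venafi-image-pull-secret" >&2; return 1; }
  # Assumed Deployment name and namespace; override with CM_NS / CM_DEPLOY.
  pf_args=$(kubectl -n "${CM_NS:-cert-manager}" get deployment \
    "${CM_DEPLOY:-cert-manager}" \
    -o jsonpath='{range .spec.template.spec.containers[0].args[*]}{@}{"\n"}{end}') ||
    { echo "cannot read the cert-manager Deployment" >&2; return 1; }
  printf '%s\n' "$pf_args" | default_approver_disabled ||
    { echo "cert-manager default approver is still enabled" >&2; return 1; }
  echo "pre-flight OK"
}

# Run against the cluster only when asked: sh preflight.sh --live
if [ "${1:-}" = "--live" ]; then
  preflight
fi
```

If the default approver is left enabled, cert-manager approves every CertificateRequest itself and Approver Policy never gets to evaluate them.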

Step 2: Deploy Approver Policy using the Venafi CLI tool

  1. If not already installed, download and install the relevant version of the Venafi CLI tool for your platform.
  2. Initialize the Venafi Kubernetes Manifest tool:

    venctl components kubernetes manifest tool init
    

    For more information on this command and its associated flags, see the venctl reference page.

  3. Issue the following command to generate a Venafi Kubernetes manifest file which, when applied, installs Approver Policy:

    A sample command for users of the US region OCI registry:

    venctl components kubernetes manifest generate --region us --approver-policy > venafi-components.yaml
    

    A sample command for users of the EU region OCI registry:

    venctl components kubernetes manifest generate --region eu --approver-policy > venafi-components.yaml
    

    A sample command for users with their own organizational OCI registry. Be sure to update this command with the URI of your own company's registry:

    venctl components kubernetes manifest generate \
        --region custom \
        --cert-manager-custom-chart-repository oci://myregistry.example.com/charts \
        --cert-manager-custom-image-registry myregistry.example.com \
        --approver-policy > venafi-components.yaml
    
  4. To apply the manifest, use the following command:

    venctl components kubernetes manifest tool sync --file venafi-components.yaml
    

    For more information and options on using the Venafi CLI tool to install this component, see the Venafi CLI tool reference page.

Uninstalling Approver Policy

You can uninstall Approver Policy using the Venafi CLI command:

venctl components kubernetes manifest tool destroy --file venafi-components.yaml

This command does not, by design, delete any CRDs. To do that, you must also run the following command:

kubectl delete crd certificaterequestpolicies.policy.cert-manager.io