Installing Enterprise Approver Policy for CyberArk Certificate Manager using Helm
Enterprise Approver Policy for CyberArk Certificate Manager (Enterprise Approver Policy) is a Kubernetes component of Venafi Control Plane.
To download the latest version of Enterprise Approver Policy as a Docker image or Helm Chart, see the download links specific to your region on the Enterprise Approver Policy release page.
Prerequisites
- You must have access to a Venafi Control Plane (TLS Protect Cloud or TLS Protect Datacenter) instance.
- You must have permission to install Helm charts and CRDs on your Kubernetes cluster.
- You must install cert-manager in your cluster.
- You must have kubectl and Helm 3.8.0 or later on your local computer.
Important
If you use your own registry that mirrors the Venafi images, substitute its address for the Venafi registry address in the relevant commands on this page.
Step 1: Configure access to the Venafi OCI registry
Important
Follow the instructions in Configuring access to enterprise components to enable access to the artifacts required for this component (Approver Policy Enterprise Component for cert-manager is the default scope for Enterprise Approver Policy). Use venafi as the namespace.
For the example below, we assume you created the following Kubernetes Secret:
- namespace: venafi
- name: venafi-image-pull-secret
Step 2: Reconfigure cert-manager
By default, cert-manager includes a built-in approver that marks every CertificateRequest as approved as soon as it is created. While that approver is running, any policy you install is bypassed, so you must disable it before using Approver Policy.
If you are using cert-manager v1.15.0 or later, you can disable the built-in approver by setting the following Helm value on the cert-manager chart:
```
--set disableAutoApproval=true
```
For example:
```bash
helm upgrade cert-manager oci://registry.venafi.cloud/charts/cert-manager \
  --install \
  --create-namespace \
  --namespace venafi \
  --version v1.18.2 \
  --set crds.enabled=true \
  --set disableAutoApproval=true
```
If you use a values file, you can set the disableAutoApproval parameter there instead. For example:
```yaml
disableAutoApproval: true
```
Tip
If you are running an earlier version of cert-manager, you can disable the built-in approver by passing the following command line argument to the cert-manager controller:
```
--controllers=*,-certificaterequests-approver
```
You can do this through the chart's extraArgs value (the commas are escaped with a backslash so that Helm's --set list parsing does not split the value):
```bash
helm upgrade cert-manager oci://registry.venafi.cloud/charts/cert-manager \
  --install \
  --create-namespace \
  --namespace venafi \
  --version v1.18.2 \
  --set installCRDs=true \
  --set extraArgs={--controllers='*\,-certificaterequests-approver'}
```
Be sure to customize the cert-manager controller extraArgs value, which is at the top level of the values file. Do not change the webhook.extraArgs, startupAPICheck.extraArgs or cainjector.extraArgs settings.
If you are reconfiguring an already-installed cert-manager instance, first check whether extraArgs was customized in the original installation by running helm get values cert-manager --namespace venafi. If extraArgs already has entries, merge the --controllers flag into that list (and, if a --controllers flag is already present, append -certificaterequests-approver to its value). Helm replaces a list value rather than merging it, so passing --set extraArgs=... on its own overwrites your original extraArgs values.
Info
As of cert-manager v1.15.0, the installCRDs value is deprecated in favor of crds.enabled.
The --set crds.enabled=true setting is a convenient way to install the cert-manager CRDs, but it is optional and has some drawbacks. Learn more: Helm: Installing Custom Resource Definitions.
A message similar to the following appears in the cert-manager controller log once the built-in approver has been disabled:
```
I0506 14:44:51.198463 1 controller.go:182] cert-manager/controller "msg"="not starting controller as it's disabled" "controller"="certificaterequests-approver"
```
Tip
A quick way to search the logs, assuming cert-manager is deployed to the venafi namespace:
```bash
kubectl logs -n venafi -l app=cert-manager --tail=-1 | grep "certificaterequests-approver"
```
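The two checks this step calls for, merging an existing --controllers value without losing it and confirming from the controller log that the approver is actually off, as an added shell example (not code from the Venafi or cert-manager documentation). It runs on constructed sample text so it needs no cluster; the only layout it assumes is Helm's default YAML output, in which top-level list items start in column 0.

```sh
#!/bin/sh
# Added example; not part of the Venafi or cert-manager documentation.
# Helpers for the checks described above. They operate on text you pass in,
# so they run without a cluster; in practice you would feed them
#   helm get values cert-manager --namespace venafi       (for the values)
#   kubectl logs -n venafi -l app=cert-manager --tail=-1  (for the log)

# extraargs_controllers VALUES_TEXT
# Print the value of an existing --controllers= entry in the top-level
# extraArgs list of `helm get values` output, or nothing if there is none.
# Assumption: Helm's default YAML layout, where top-level list items start
# in column 0. Nested webhook/cainjector extraArgs items are indented and
# therefore ignored, which is what we want (they must not be touched).
extraargs_controllers() {
    printf '%s\n' "$1" | sed -n 's/^- *--controllers=//p' | head -n 1
}

# merge_controllers EXISTING
# Return a --controllers value that disables the built-in approver while
# keeping any controllers that were already disabled. Idempotent: if the
# approver is already disabled the value is returned unchanged.
merge_controllers() {
    existing="$1"
    if [ -z "$existing" ]; then
        printf '%s\n' '*,-certificaterequests-approver'
        return 0
    fi
    case ",$existing," in
        *,-certificaterequests-approver,*) printf '%s\n' "$existing" ;;
        *) printf '%s,-certificaterequests-approver\n' "$existing" ;;
    esac
}

# escape_for_set VALUE
# Backslash-escape commas so the value survives Helm's --set list parsing
# (this is why the command above writes '*\,-certificaterequests-approver').
escape_for_set() {
    printf '%s\n' "$1" | sed 's/,/\\,/g'
}

# approver_disabled LOG_TEXT
# Succeed only if the controller log records the approver being skipped.
approver_disabled() {
    printf '%s\n' "$1" \
        | grep -q 'not starting controller as it.s disabled.*"controller"="certificaterequests-approver"'
}

# Constructed sample inputs (not captured from a real cluster).
SAMPLE_VALUES='crds:
  enabled: true
extraArgs:
- --controllers=*,-certificatesigningrequests
webhook:
  extraArgs:
  - --logging-format=json'

SAMPLE_LOG='I0506 14:44:51.198463 1 controller.go:182] cert-manager/controller "msg"="not starting controller as it'"'"'s disabled" "controller"="certificaterequests-approver"'

current=$(extraargs_controllers "$SAMPLE_VALUES")
merged=$(merge_controllers "$current")
echo "existing --controllers: ${current:-<none>}"
echo "merged   --controllers: $merged"
echo "helm flag: --set extraArgs={--controllers='$(escape_for_set "$merged")'}"
if approver_disabled "$SAMPLE_LOG"; then
    echo "log confirms certificaterequests-approver is disabled"
else
    echo "approver still running: check extraArgs" >&2
fi
```

Against a real cluster, replace SAMPLE_VALUES with the output of helm get values and SAMPLE_LOG with the controller log. The --set form the script prints is what you pass to helm upgrade; keep the single quotes around the value so the shell does not expand the asterisk.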
Step 3: Deploy Enterprise Approver Policy using Helm
This procedure installs Enterprise Approver Policy in the venafi namespace and configures it to use the pull secret you created earlier. The CA bundles Enterprise Approver Policy must trust are configured separately, in Step 5.
1. Create a file called enterprise-approver-policy.values.yaml containing the following content.
A sample enterprise-approver-policy.values.yaml file for users of the Venafi US OCI registry:
```yaml
cert-manager-approver-policy:
  image:
    repository: private-registry.venafi.cloud/venafi-approver-policy/approver-policy-enterprise
  imagePullSecrets:
  - name: venafi-image-pull-secret
  venafiConnection:
    include: true # set to `false` if Venafi Connection CRDs & RBAC are already installed
```
Regional registries
The example above uses the US-based OCI registry. Tenants in the following Venafi Control Plane regions must use this registry: US, Canada, Australia, and Singapore. Tenants in the EU and UK must use the EU registry, private-registry.venafi.eu. For more information on Venafi OCI registries, see Configuring access to a Venafi OCI Registry.
A sample enterprise-approver-policy.values.yaml file for users with their own OCI registry:
```yaml
cert-manager-approver-policy:
  image:
    repository: myregistry.example.com/venafi-approver-policy/approver-policy-enterprise
  imagePullSecrets:
  - name: venafi-image-pull-secret
  venafiConnection:
    include: true # set to `false` if Venafi Connection CRDs & RBAC are already installed
```
Note
If you use Enterprise Approver Policy with external issuers (such as Enterprise Issuer for CyberArk Certificate Manager; see the example below), you must include their signer names so that Enterprise Approver Policy has RBAC permission to approve and deny CertificateRequests that reference them.
```yaml
cert-manager-approver-policy:
  app:
    approveSignerNames:
    - "issuers.cert-manager.io/*"
    - "clusterissuers.cert-manager.io/*"
    - "venaficlusterissuers.jetstack.io/*"
    - "venafiissuers.jetstack.io/*"
  ...
```
2. Use Helm to install the software and wait for it to be ready:
```bash
helm upgrade approver-policy-enterprise oci://registry.venafi.cloud/charts/approver-policy-enterprise \
  --install \
  --wait \
  --namespace venafi \
  --values enterprise-approver-policy.values.yaml \
  --version v0.21.0
```
Uninstalling Enterprise Approver Policy using Helm
To uninstall Enterprise Approver Policy installed via Helm, run the following command:
```bash
helm uninstall approver-policy-enterprise --namespace venafi
```
Output:
```
These resources were kept due to the resource policy:
[CustomResourceDefinition] certificaterequestpolicies.policy.cert-manager.io
release "approver-policy-enterprise" uninstalled
```
As shown in the output, the CustomResourceDefinition for CertificateRequestPolicy is not removed by the Helm uninstall command. This prevents data loss, because removing the CustomResourceDefinition would also remove every CertificateRequestPolicy resource in the cluster.
If you do want to remove the CRD, and with it all CertificateRequestPolicy resources, run the following command as well:
```bash
kubectl delete crd certificaterequestpolicies.policy.cert-manager.io
```
Warning
Enterprise Approver Policy versions prior to v0.14.0 do not keep the CustomResourceDefinition on uninstall, and will remove all CertificateRequestPolicy resources from the cluster. Back up your CertificateRequestPolicy resources before uninstalling a version prior to v0.14.0, or upgrade to v0.14.0 or later before uninstalling.
Step 4: Enabling the Rego features of Enterprise Approver Policy
To enable the Rego features of Enterprise Approver Policy, create a second values file, called enterprise-approver-policy.values-rego.yaml, containing the Rego configuration, and supply it as an extra --values argument when installing the component. In the example below, the --rego-replicate flags tell the controller which resources to replicate into the policy engine (Ingresses from all namespaces, Services from my-namespace only, and Namespaces, which are cluster-scoped), and the rego.rbac values grant the controller permission to watch exactly those resources. Keep the two lists in step: every replicated resource needs a matching RBAC entry, and the controller should not be granted access to anything it does not replicate.
Create the namespace the example replicates Services from, if it does not exist yet:
```bash
kubectl create namespace my-namespace
```
enterprise-approver-policy.values-rego.yaml
```yaml
cert-manager-approver-policy:
  app:
    extraArgs:
    - --rego-policy-directory=/var/run/rego
    - --rego-replicate=networking.k8s.io/v1/ingresses
    - --rego-replicate=/v1/services/my-namespace
    - --rego-replicate-cluster=/v1/namespaces
  rego:
    rbac:
      namespaced:
      - namespace: ""
        apiGroup: "networking.k8s.io"
        resource: "ingresses"
      - namespace: "my-namespace"
        apiGroup: ""
        resource: "services"
      cluster:
      - apiGroup: ""
        resource: "namespaces"
```
```bash
helm upgrade approver-policy-enterprise oci://registry.venafi.cloud/charts/approver-policy-enterprise \
  --install \
  --wait \
  --namespace venafi \
  --values enterprise-approver-policy.values.yaml \
  --values enterprise-approver-policy.values-rego.yaml \
  --version v0.21.0
```
Step 5: Configure Custom CA Certificates
You may need to configure custom CA bundles for Enterprise Approver Policy for CyberArk Certificate Manager in three cases:
- If you are loading policies from TLS Protect Datacenter, a custom CA bundle lets Enterprise Approver Policy trust the private CA that issued the TLS Protect Datacenter serving certificate.
- If you are loading policies from Venafi Control Plane and Kubernetes egress traffic has to go through an HTTP proxy or a transparent proxy, you need a custom CA bundle so that Enterprise Approver Policy can connect through your internal HTTP or transparent proxy.
- If your Venafi Connection relies on HashiCorp Vault, you need a custom CA bundle to trust the private CA that issued Vault's certificate.
If you are in one of these scenarios, configure Enterprise Approver Policy to trust the internal CA by putting the internal CA certificates into a ConfigMap and mounting the ConfigMap into the Enterprise Approver Policy Pod under the /etc/ssl/certs/ directory.
1. Create a ConfigMap in the venafi namespace. For example, a TPP CA certificate ConfigMap looks like this:
enterprise-approver-policy-ca-certificates.configmap.yaml
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: ca-cert-tpp
  namespace: venafi
data:
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    ## INSERT CA CERTIFICATE DATA HERE
    -----END CERTIFICATE-----
```
2. Use kubectl to apply the ConfigMap:
```bash
kubectl apply -f enterprise-approver-policy-ca-certificates.configmap.yaml
```
3. Use the volumeMounts and volumes values to mount the additional CA certificates into the /etc/ssl/certs/ directory.
enterprise-approver-policy-ca-certificates.values.yaml
```yaml
cert-manager-approver-policy:
  volumes:
  - name: ca-cert-tpp-volume
    configMap:
      name: ca-cert-tpp
      optional: false
  - name: rego # (1)
    configMap:
      name: cert-manager-approver-policy-rego
      optional: true
  volumeMounts:
  - name: ca-cert-tpp-volume
    mountPath: "/etc/ssl/certs/ca-cert-tpp-ca.crt"
    subPath: ca.crt # (2)
    readOnly: true
  - name: rego # (3)
    mountPath: /var/run/rego
```
(1) This volume is required by the Rego plugin.
(2) The subPath value here must match the data key to be loaded in the ConfigMap YAML file. A file mounted with subPath is not refreshed when the ConfigMap changes, so restart the Pod after rotating the CA certificate.
(3) This volumeMount is required by the Rego plugin.
4. Redeploy the Enterprise Approver Policy Helm chart, using the extra values file from the previous step:
```bash
helm upgrade approver-policy-enterprise oci://registry.venafi.cloud/charts/approver-policy-enterprise \
  --install \
  --wait \
  --namespace venafi \
  --values enterprise-approver-policy.values.yaml \
  --values enterprise-approver-policy-ca-certificates.values.yaml \
  --version v0.21.0
```
Important
The Rego volume and volumeMount must be included in your values file because the Rego plugin needs them. Helm replaces list values rather than merging them, so the volumes and volumeMounts you supply here replace the chart's defaults entirely.
Note
Mozilla's CA certificates are present in the image by default at /etc/ssl/certs/ca-certificates.crt and cannot be disabled.
Note
If you are using TLS Protect Cloud you don't need to configure custom CA certificates, because the serving certificate of the TLS Protect Cloud REST API is signed by one of Mozilla's trusted CAs.
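Building the ConfigMap from a PEM file and checking that the subPath in the values file refers to a key the ConfigMap actually has, as an added shell example (not code from the Venafi documentation). It uses the names on this page (ca-cert-tpp, venafi, ca.crt) and a constructed placeholder PEM rather than a real certificate; the manifest it prints has the same shape as the one in step 1.

```sh
#!/bin/sh
# Added example; not part of the Venafi documentation. Builds the CA
# ConfigMap from a PEM file instead of hand-indenting the certificate, and
# checks that the data key referenced by subPath actually exists. The names
# (ca-cert-tpp, venafi, ca.crt) are the ones used on this page.

# pem_cert_count FILE
# Number of PEM certificate blocks in FILE; 0 if the file is missing or empty.
pem_cert_count() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# make_ca_configmap NAME NAMESPACE KEY FILE
# Print a ConfigMap manifest whose data key KEY holds FILE as a YAML literal
# block. Every PEM line is indented four spaces under "KEY: |", which is the
# part that goes wrong when the manifest is written by hand. Fails if FILE
# contains no certificate block, so an empty bundle is never applied.
make_ca_configmap() {
    name="$1"; ns="$2"; key="$3"; file="$4"
    if [ "$(pem_cert_count "$file")" -eq 0 ]; then
        echo "error: $file contains no PEM certificate block" >&2
        return 1
    fi
    printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: %s\n  namespace: %s\ndata:\n  %s: |\n' \
        "$name" "$ns" "$key"
    sed 's/^/    /' "$file"
}

# configmap_has_key MANIFEST_TEXT KEY
# Succeed if the manifest defines data key KEY. Run it with the subPath from
# your volumeMounts before deploying, so a typo is caught here rather than as
# a TLS failure when the controller first connects.
configmap_has_key() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$1" | grep -q "^  $key_re: |"
}

# Constructed placeholder PEM (not a real certificate): the same placeholder
# text the ConfigMap above uses. Point this at your CA's PEM file in practice.
SAMPLE_PEM=$(mktemp)
trap 'rm -f "$SAMPLE_PEM"' EXIT
cat >"$SAMPLE_PEM" <<'EOF'
-----BEGIN CERTIFICATE-----
## INSERT CA CERTIFICATE DATA HERE
-----END CERTIFICATE-----
EOF

MANIFEST=$(make_ca_configmap ca-cert-tpp venafi ca.crt "$SAMPLE_PEM")
printf '%s\n' "$MANIFEST"
# The values file on this page mounts subPath ca.crt; confirm the key exists.
if configmap_has_key "$MANIFEST" ca.crt; then
    echo "ok: subPath ca.crt matches a data key in ConfigMap ca-cert-tpp"
else
    echo "error: subPath does not match any ConfigMap data key" >&2
fi
```

Pipe the printed manifest to kubectl apply -f - in place of the hand-written file. The marker count is only a presence check; to confirm the bundle actually parses, run openssl x509 -in FILE -noout on it before creating the ConfigMap.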
Upgrade
To upgrade from a pre-v0.7.0 installation to v0.7.0 or a later version, some migration steps are required. You can obtain an ad-hoc migration plan by contacting Venafi's support team.
Next steps
- Learn how to configure Enterprise Approver Policy using CertificateRequestPolicy resources
- See examples of some common policy configurations
- Learn about the Venafi features of Enterprise Approver Policy
- Learn about the Rego features of Enterprise Approver Policy
- Read about common administration tasks related to Enterprise Approver Policy controller
- Read about the command line flags of the Enterprise Approver Policy controller