Skip to content

Installing Approver Policy Enterprise

Approver Policy Enterprise is a Kubernetes component of Venafi Control Plane.

To download the latest version of Approver Policy Enterprise as a Docker image or Helm Chart, see the download links specific to your region on the Approver Policy Enterprise release page.

Prerequisites

  • You must have access to a Venafi Control Plane (TLS Protect Cloud or TLS Protect Datacenter) instance.
  • You must have permission to install Helm charts and CRDs on your Kubernetes cluster.
  • You must install cert-manager in your cluster.
  • You must have kubectl and Helm 3.8.0 or later on your local computer.

Important

If you use your own registry, which replicates the Venafi images, replace the address of your own registry in any of the relevant commands given on this page.

Step 1: Configure access to the Venafi OCI registry

Important

Follow the instructions in Configuring access to the Venafi OCI registry to enable access to the artifacts required for this component (Approver Policy Enterprise Component for cert-manager is the default scope for Approver Policy Enterprise). Use venafi as the namespace.

For the example below, we assume you created the following Kubernetes Secret:

  • namespace: venafi
  • name: venafi-image-pull-secret 
    ## Step 2: Reconfigure cert-manager

By default, cert-manager includes an in-built approver that attempts to mark all certificate requests as approved. To use Approver Policy Enterprise you must disable this.

To disable cert-manager's approver, set the following command line argument on
the cert-manager controller:

```bash
--controllers=*,-certificaterequests-approver

If using helm, you can also do this by using the following values option:

helm upgrade -i cert-manager oci://registry.venafi.cloud/charts/cert-manager \
  --namespace venafi \
  --create-namespace \
  --version v1.14.4  \
  --set installCRDs=true \
  --set extraArgs={--controllers='*\,-certificaterequests-approver'}

A message similar to the following appears in the cert-manager log when successful:

I0506 14:44:51.198463       1 controller.go:182] cert-manager/controller "msg"="not starting controller as it's disabled" "controller"="certificaterequests-approver"

Tip

A quick way to search in the logs, assuming cert-manager is deployed to the venafi namespace:

kubectl logs -n venafi -l app=cert-manager | grep "certificaterequests-approver"

Step 3: Deploy Approver Policy Enterprise

Deploying Approver Policy Enterprise using Helm

This procedure installs approver-policy-enterprise in the venafi namespace and configures it to use the pull-secret that you created earlier, in addition to specifying the CA bundles Approver Policy Enterprise must trust.

  1. Create a file called: approver-policy-enterprise.values.yaml containing the following content:

    # approver-policy-enterprise.values.yaml
cert-manager-approver-policy:
  image:
    repository: private-registry.venafi.cloud/venafi-approver-policy/approver-policy-enterprise
  imagePullSecrets:
    - name: venafi-image-pull-secret

venafiConnection:
  include: true # set to `false` if Venafi Connection CRDs & RBAC are already installed

    # approver-policy-enterprise.values.yaml
cert-manager-approver-policy:
  image:
    repository: private-registry.venafi.eu/venafi-approver-policy/approver-policy-enterprise
  imagePullSecrets:
    - name: venafi-image-pull-secret

venafiConnection:
  include: true # set to `false` if Venafi Connection CRDs & RBAC are already installed

    Note

    If you are using Approver Policy Enterprise with external issuers (such as Venafi Enhanced Issuer, see example below), you must include their signer names so that Approver Policy Enterprise has permissions to approve and deny CertificateRequests that reference them.

    # approver-policy-enterprise.values.yaml
cert-manager-approver-policy:
  app:
    approveSignerNames:
      - "issuers.cert-manager.io/*"
      - "clusterissuers.cert-manager.io/*"
      - "venaficlusterissuers.jetstack.io/*"
      - "venafiissuers.jetstack.io/*"
  ...

  2. Use Helm to install the software and wait for it to be ready:

    helm upgrade approver-policy-enterprise oci://registry.venafi.cloud/charts/approver-policy-enterprise \
    --install \
    --wait \
    --namespace venafi \
    --values approver-policy-enterprise.values.yaml \
    --version v0.15.0

Deploying Approver Policy Enterprise using the Venafi CLI tool

  1. If not already installed, download and install the relevant version of the Venafi CLI tool for your platform.

  2. Initialize the Venafi Kubernetes Manifest tool.

    venctl components kubernetes manifest tool init

  3. Issue the following command to generate a Venafi Kubernetes manifest which, when applied, will install Approver Policy Enterprise:

    venctl components kubernetes manifest generate --approver-policy-enterprise

    For more information and options on using the Venafi CLI tool to install Approver Policy Enterprise, see the Venafi CLI tool reference page.

Note

There are also FIPS compliant Docker images available at oci://<oci-registry-regional-url>/venafi-approver-policy/approver-policy-enterprise-fips and these have the same version tags as the main Docker images.

Tip

You can also use the venctl components kubernetes apply command to install this component on a Kubernetes cluster quickly and easily for test purposes. Note that this command is not recommended for use in production environments.

See venctl components kubernetes apply for more information on how to use the command with this component.

Step 4: Enabling the Rego features of Approver Policy Enterprise

To enable the Rego features of Approver Policy Enterprise, create another values file called values-rego.yaml containing the Rego configuration, and supply that as an extra --values argument when installing the component. See the examples below:

kubectl create namespace my-namespace

# approver-policy-enterprise.values-rego.yaml
cert-manager-approver-policy:
  app:
    extraArgs:
      - --rego-policy-directory=/var/run/rego
      - --rego-replicate=networking.k8s.io/v1/ingresses
      - --rego-replicate=/v1/services/my-namespace
      - --rego-replicate-cluster=/v1/namespaces
rego:
  rbac:
    namespaced:
      - namespace: ""
        apiGroup: "networking.k8s.io"
        resource: "ingresses"
      - namespace: "my-namespace"
        apiGroup: ""
        resource: "services"
    cluster:
      - apiGroup: ""
        resource: "namespaces"

helm upgrade approver-policy-enterprise oci://registry.venafi.cloud/charts/approver-policy-enterprise \
    --install \
    --wait \
    --namespace venafi \
    --values approver-policy-enterprise.values.yaml \
    --values approver-policy-enterprise.values-rego.yaml \
    --version v0.15.0

Step 5: Configure Custom CA Certificates

Approver Policy Enterprise need to connect to TLS endpoints, where the serving certificate is signed by an internal certificate authority (CA). For example, it may need to connect to the REST API of TLS Protect Datacenter.

In both cases you need to configure Approver Policy Enterprise to trust the internal CA by putting the internal CA certificates into a ConfigMap, and mounting the ConfigMap into the Approver Policy Enterprise Pod in the /etc/ssl/certs/ directory.

  1. Create a ConfigMap in the venafi namespace. For example, a TPP CA certificate ConfigMap will look like this:

    # approver-policy-enterprise-ca-certificates.configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
    name: ca-cert-tpp
    namespace: venafi
data:
    ca.crt: |
      -----BEGIN CERTIFICATE-----
      ## INSERT CA CERTIFICATE DATA HERE
      -----END CERTIFICATE-----

    kubectl apply -f approver-policy-enterprise-ca-certificates.configmap.yaml

  2. Use the volumeMounts and volumes values to mount the additional CA certificates into the /etc/ssl/certs/ directory.

    # approver-policy-enterprise-ca-certificates.values.yaml
cert-manager-approver-policy:
  volumes:
    - name: ca-cert-tpp-volume
      configMap:
        name: ca-cert-tpp
        optional: false
    - name: rego # ❗ This volume is required by the Rego plugin.
      configMap:
        name: cert-manager-approver-policy-rego
        optional: true

  volumeMounts:
    - name: ca-cert-tpp-volume
      mountPath: "/etc/ssl/certs/ca-cert-tpp-ca.crt"
      subPath: ca.crt
      readOnly: true
    - name: rego # ❗ This volumeMount is required by the Rego plugin.
      mountPath: /var/run/rego

  3. Redeploy the Approver Policy Enterprise Helm chart, using the extra values (above):

    helm upgrade approver-policy-enterprise oci://registry.venafi.cloud/charts/approver-policy-enterprise \
    --install \
    --wait \
    --namespace venafi \
    --values approver-policy-enterprise.values.yaml \
    --values approver-policy-enterprise-ca-certificates.values.yaml \
    --version v0.15.0

    Important

    The Rego volumes and mounts must be included because they are needed by the Rego plugin, and would otherwise be overwritten by these volumes and volumeMounts values.

    Note

    Mozilla's CA certificates are present in the image by default at /etc/ssl/certs/ca-certificates.crt and these cannot be disabled.

    Note

    If you are using TLS Protect Cloud you don't need to configure custom CA certificates, because the serving certificate of the TLS Protect Cloud REST API is signed by one of Mozilla's trusted CAs.

Upgrade

To upgrade from a pre-v0.7.0 installation to v0.7.0 or a later version, some migration steps are required. You can obtain an ad-hoc migration plan by contacting Venafi's support team.

Next steps