Installing Approver Policy Enterprise using the Venafi Control Plane Operator¶
Venafi Control Plane Operator for Red Hat OpenShift is designed to assist customers in installing, maintaining, and upgrading Venafi cluster components.
Follow the steps below to deploy the default version of cert-manager and Approver Policy Enterprise using the Venafi Control Plane Operator.
Prerequisites¶
To install Approver Policy Enterprise using the Venafi Control Plane Operator, you'll need to ensure you have the following:
- Access to the Venafi OCI registry (or your own mirror)
- Venafi Control Plane Operator already installed on your system
- Red Hat OpenShift CLI tool
ocinstalled on your system. - If you are enabling Rego feature or using Custom CAs you have Helm 3.8.0 or later installed on your system.
Step 1: Configure access to the Venafi OCI registry¶
Important
Follow the instructions in Configuring access to the Venafi OCI registry to enable access to the artifacts required for this component (cert-manager Components is the default scope for cert-manager). Use venafi as the namespace.
For the example below, it's assumed that you created the following Kubernetes Secret:
- namespace:
venafi - name:
venafi-image-pull-secret
Step 2: Create and apply the manifest¶
-
Create a manifest
venafi-components.yaml. You can use one of the samples below as a base:venafi-components.yamlapiVersion: installer.venafi.com/v1alpha1 kind: VenafiInstall metadata: name: venafi-components spec: globals: enableDefaultApprover: false imagePullSecretNames: [venafi-image-pull-secret] namespace: venafi useFIPSImages: false vcpRegion: US region: US certManager: install: true approverPolicyEnterprise: install: true values: cert-manager-approver-policy: tolerations: - key: node-role.kubernetes.io/infra operator: Exists effect: NoSchedule - key: node-role.kubernetes.io/private operator: Exists effect: NoSchedule version: v0.19.0 venafiConnection: install: truevenafi-components.yamlapiVersion: installer.venafi.com/v1alpha1 kind: VenafiInstall metadata: name: venafi-components spec: globals: enableDefaultApprover: false imagePullSecretNames: [venafi-image-pull-secret] namespace: venafi useFIPSImages: false vcpRegion: EU region: EU certManager: install: true approverPolicyEnterprise: install: true values: cert-manager-approver-policy: tolerations: - key: node-role.kubernetes.io/infra operator: Exists effect: NoSchedule - key: node-role.kubernetes.io/private operator: Exists effect: NoSchedule version: v0.19.0 venafiConnection: install: truevenafi-components.yamlapiVersion: installer.venafi.com/v1alpha1 kind: VenafiInstall metadata: name: venafi-components spec: globals: customChartRepository: oci://myregistry.example.com/charts customImageRegistry: myregistry.example.com enableDefaultApprover: false imagePullSecretNames: [venafi-image-pull-secret] namespace: venafi useFIPSImages: false certManager: install: true approverPolicyEnterprise: install: true values: cert-manager-approver-policy: tolerations: - key: node-role.kubernetes.io/infra operator: Exists effect: NoSchedule - key: node-role.kubernetes.io/private operator: Exists effect: NoSchedule version: v0.19.0 venafiConnection: install: trueNote
Set the
spec.certManager.skipparameter totrueand thespec.certManager.installparameter tofalseif you have already installed and configured cert-manager.Tip
For a complete list of Venafi Control Plane Operator configuration parameters, refer to the Venafi Control Plane Operator API reference.
Step 3: Enabling the Rego features of Approver Policy Enterprise¶
To enable the Rego features of Approver Policy Enterprise, add the Rego configuration in the values field in your venafi-components.yaml file. See the example below:
...
approverPolicyEnterprise:
install: true
values:
cert-manager-approver-policy:
app:
extraArgs:
- --rego-policy-directory=/var/run/rego
- --rego-replicate=networking.k8s.io/v1/ingresses
- --rego-replicate=/v1/services/my-namespace
- --rego-replicate-cluster=/v1/namespaces
rego:
rbac:
namespaced:
- namespace: ""
apiGroup: "networking.k8s.io"
resource: "ingresses"
- namespace: "my-namespace"
apiGroup: ""
resource: "services"
cluster:
- apiGroup: ""
resource: "namespaces"
Step 4: Configuring Custom CA Certificates¶
Approver Policy Enterprise needs to connect to TLS endpoints, where the serving certificate is signed by an internal certificate authority (CA).
For example, it may need to connect to the REST API of TLS Protect Datacenter.
In both cases, you need to configure Approver Policy Enterprise to trust the internal CA by putting the internal CA certificates into a ConfigMap, and mounting the ConfigMap into the Approver Policy Enterprise Pod in the /etc/ssl/certs/ directory.
-
Create a
ConfigMapin thevenafinamespace. For example, a TPP CA certificateConfigMapwill look like this:# approver-policy-enterprise-ca-certificates.configmap.yaml apiVersion: v1 kind: ConfigMap metadata: name: ca-cert-tpp namespace: venafi data: ca.crt: | -----BEGIN CERTIFICATE----- ## INSERT CA CERTIFICATE DATA HERE -----END CERTIFICATE-----oc apply -f approver-policy-enterprise-ca-certificates.configmap.yaml -
Use the
volumeMountsandvolumesvalues to mount the additional CA certificates into the/etc/ssl/certs/directory. Add these to yourvenafi-components.yamlfile. For example:... approverPolicyEnterprise: install: true values: cert-manager-approver-policy: volumes: - name: ca-cert-tpp-volume configMap: name: ca-cert-tpp optional: false - name: rego # (1)! configMap: name: cert-manager-approver-policy-rego optional: true volumeMounts: - name: ca-cert-tpp-volume mountPath: "/etc/ssl/certs/ca-cert-tpp-ca.crt" subPath: ca.crt readOnly: true - name: rego # (2)! mountPath: /var/run/rego- The Rego volume must be included because it is needed by the Rego plugin, and would otherwise be overwritten by these
volumesvalues. - The Rego volume mount must be included because it is needed by the Rego plugin, and would otherwise be overwritten by these
volumeMountsvalues.
Note
Mozilla's CA certificates are present in the image by default at
/etc/ssl/certs/ca-certificates.crt, and cannot be disabled.Note
If you are using TLS Protect Cloud, you don't need to configure custom CA certificates, because the serving certificate of the TLS Protect Cloud REST API is signed by one of Mozilla's trusted CAs.
- The Rego volume must be included because it is needed by the Rego plugin, and would otherwise be overwritten by these
Step 5: Apply the manifest and verify the installation¶
-
Apply the manifest by running the following command:
oc apply -f venafi-components.yaml -
Verify whether Approver Policy Enterprise is successfully installed by running the following command:
oc get venafiinstall,podsSample output:
NAME STATUS LAST SYNC venafiinstall.installer.venafi.com/venafi-components Synced 66s NAME READY STATUS RESTARTS AGE pod/cert-manager-7b67bb8b56-qtvbj 1/1 Running 0 7m26s pod/cert-manager-approver-policy-6c5968c4d6-ct824 1/1 Running 0 87s pod/cert-manager-cainjector-6f55988c8f-4vhjf 1/1 Running 0 7m26s pod/cert-manager-webhook-75ddc44d97-hndc6 1/1 Running 0 7m26s pod/vcp-operator-6f76c5fb67-z2cm2 1/1 Running 0 5d8h