
Installing Approver Policy Enterprise using the Venafi CLI tool

Approver Policy Enterprise is a Kubernetes component of Venafi Control Plane.

To download the latest versions of the Docker image and the Helm Chart for Approver Policy Enterprise, see the download links specific to your region on the Approver Policy Enterprise release page.

Prerequisites

  • You must have access to a Venafi Control Plane (TLS Protect Cloud or TLS Protect Datacenter) instance.
  • You must have permission to install CRDs on your Kubernetes cluster.
  • You must have cert-manager installed on your cluster. If you intend to use Approver Policy Enterprise with cert-manager, the cert-manager default approver must be disabled; otherwise cert-manager's built-in approver approves CertificateRequests itself and the policies enforced by Approver Policy Enterprise are bypassed. For more information, see the cert-manager install instructions.
  • You must have kubectl installed on your local computer.
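The prerequisite that matters most for security is the last one about cert-manager: as long as its built-in approver is running, every CertificateRequest is approved regardless of policy. The following script is an added example (not part of the Venafi documentation) that checks a cluster for the cert-manager controller flag that disables the built-in approver, `--controller=*,-certificaterequests-approver`. It assumes cert-manager runs as the Deployment `cert-manager` in the namespace `cert-manager` (the chart defaults); the sample argument lists at the bottom are constructed for offline use.

```shell
#!/bin/sh
# Added example, not part of the Venafi documentation: confirm that cert-manager's
# built-in CertificateRequest approver is disabled before Approver Policy
# Enterprise is installed. While the built-in approver is active it approves
# every CertificateRequest on its own, so Approver Policy Enterprise never gets
# to be the deciding factor.
#
# cert-manager turns its approver off with the controller flag
#     --controller=*,-certificaterequests-approver
# Assumptions: cert-manager runs as Deployment "cert-manager" in namespace
# "cert-manager" (the Helm chart defaults); override CM_NS / CM_DEPLOY otherwise.

CM_NS="${CM_NS:-cert-manager}"
CM_DEPLOY="${CM_DEPLOY:-cert-manager}"

# default_approver_disabled ARGS
#   ARGS holds the controller container's args, one per line.
#   Succeeds only when a --controller= flag explicitly excludes
#   certificaterequests-approver (e.g. "*,-certificaterequests-approver").
default_approver_disabled() {
  printf '%s\n' "$1" \
    | grep -E '^--controller=' \
    | grep -Eq '(=|,)-certificaterequests-approver(,|$)'
}

# check_live_cluster
#   Reads the args from the running Deployment with kubectl and reports.
check_live_cluster() {
  args=$(kubectl -n "$CM_NS" get deploy "$CM_DEPLOY" \
    -o jsonpath='{range .spec.template.spec.containers[0].args[*]}{@}{"\n"}{end}') || return 1
  if default_approver_disabled "$args"; then
    echo "OK: cert-manager default approver is disabled in $CM_NS/$CM_DEPLOY"
  else
    echo "FAIL: cert-manager default approver is still enabled in $CM_NS/$CM_DEPLOY." >&2
    echo "      Add --controller=*,-certificaterequests-approver to its args before installing." >&2
    return 1
  fi
}

# Constructed sample args for offline use: a stock installation (approver on)
# and one with the approver disabled.
ENABLED_ARGS='--v=2
--cluster-resource-namespace=$(POD_NAMESPACE)
--leader-election-namespace=kube-system'
DISABLED_ARGS='--v=2
--cluster-resource-namespace=$(POD_NAMESPACE)
--leader-election-namespace=kube-system
--controller=*,-certificaterequests-approver'

# Query the live cluster only when asked, so the file can also be sourced for
# its functions:  CHECK_LIVE=1 sh check-approver.sh
if [ "${CHECK_LIVE:-0}" = "1" ]; then
  check_live_cluster
fi
```

Run it with `CHECK_LIVE=1` against the cluster before Step 2; a FAIL means the cert-manager installation still needs the flag (or the equivalent setting in however you deploy cert-manager) before Approver Policy Enterprise can enforce anything.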

Step 1: Configure access to the Venafi OCI registry

Follow the instructions in Configuring access to enterprise components to enable access to the artifacts required for this component (Approver Policy Enterprise Component for cert-manager is the default scope for Approver Policy Enterprise). Use venafi as the namespace.

Step 2: Deploy Approver Policy Enterprise using the Venafi CLI tool

  1. If not already installed, download and install the relevant version of the Venafi CLI tool for your platform.
  2. Initialize the Venafi Kubernetes Manifest tool:

    venctl components kubernetes manifest tool init
    

    For more information on this command and its associated flags, see the venctl reference page.

  3. Issue the following command to generate a Venafi Kubernetes manifest:

    A sample command for users of the US region OCI registry:

    venctl components kubernetes manifest generate --region us --approver-policy-enterprise > venafi-components.yaml
    

    A sample command for users of the EU region OCI registry:

    venctl components kubernetes manifest generate --region eu --approver-policy-enterprise > venafi-components.yaml
    

    A sample command for users with their own organizational OCI registry. Be sure to update this command with the URI of your own company's registry:

    venctl components kubernetes manifest generate \
        --region custom \
        --cert-manager-custom-chart-repository oci://myregistry.example.com/charts \
        --cert-manager-custom-image-registry myregistry.example.com \
        --approver-policy-enterprise > venafi-components.yaml
    
  4. To apply the manifest, use the following command:

    venctl components kubernetes manifest tool sync --file venafi-components.yaml
    

    For more information and options on using the Venafi CLI tool to install this component, see the Venafi CLI tool reference page.

Note

There are also FIPS compliant Docker images available at oci://<oci-registry-regional-url>/venafi-approver-policy/approver-policy-enterprise-fips and these have the same version tags as the main Docker images.

Tip

You can also use the venctl components kubernetes apply command to install this component on a Kubernetes cluster quickly and easily for test purposes. Note that this command is not recommended for use in production environments.

See venctl components kubernetes apply for more information on how to use the command with this component.

Step 3: Enable the Rego features of Approver Policy Enterprise

To enable the Rego features of Approver Policy Enterprise, create another values file called approver-policy-enterprise.values-rego.yaml containing the Rego configuration, and pass it with the --approver-policy-enterprise-values-files flag when generating the manifest. In the example below, Ingresses are replicated from all namespaces, Services from my-namespace only, and Namespaces cluster-wide. Each --rego-replicate flag has a matching entry under rego.rbac.namespaced (namespace "" for a flag without a namespace restriction), and the --rego-replicate-cluster flag has a matching entry under rego.rbac.cluster, so that the controller is granted RBAC for every resource it replicates; keep the two lists in step when you change either.

Because the example restricts Service replication to my-namespace, create that namespace first if it does not already exist:

kubectl create namespace my-namespace

approver-policy-enterprise.values-rego.yaml
cert-manager-approver-policy:
  app:
    extraArgs:
      - --rego-policy-directory=/var/run/rego
      - --rego-replicate=networking.k8s.io/v1/ingresses
      - --rego-replicate=/v1/services/my-namespace
      - --rego-replicate-cluster=/v1/namespaces
rego:
  rbac:
    namespaced:
      - namespace: ""
        apiGroup: "networking.k8s.io"
        resource: "ingresses"
      - namespace: "my-namespace"
        apiGroup: ""
        resource: "services"
    cluster:
      - apiGroup: ""
        resource: "namespaces"
  1. Redeploy Approver Policy Enterprise with the new values file:

    A sample command for users of the US region OCI registry:

    venctl components kubernetes manifest generate \
        --region us \
        --approver-policy-enterprise-values-files approver-policy-enterprise.values-rego.yaml \
        --approver-policy-enterprise > venafi-components.yaml
    

    A sample command for users of the EU region OCI registry:

    venctl components kubernetes manifest generate \
        --region eu \
        --approver-policy-enterprise-values-files approver-policy-enterprise.values-rego.yaml \
        --approver-policy-enterprise > venafi-components.yaml
    

    A sample command for users with their own organizational OCI registry. Be sure to update this command with the URI of your own company's registry:

    venctl components kubernetes manifest generate \
        --region custom \
        --cert-manager-custom-chart-repository oci://myregistry.example.com/charts \
        --cert-manager-custom-image-registry myregistry.example.com \
        --approver-policy-enterprise-values-files approver-policy-enterprise.values-rego.yaml \
        --approver-policy-enterprise > venafi-components.yaml
    
  2. To apply the manifest, use the following command:

    venctl components kubernetes manifest tool sync --file venafi-components.yaml
    

    For more information and options on using the Venafi CLI tool to install this component, see the Venafi CLI tool reference page.

Step 4: Configure Custom CA Certificates

You may need to configure custom CA bundles for Approver Policy Enterprise in three cases:

  • If you are loading policies from TLS Protect Datacenter, custom CA bundles will allow Approver Policy Enterprise to trust your private CA.

  • If you are loading policies from Venafi Control Plane and Kubernetes egress traffic has to go through an HTTP proxy or a transparent proxy, you will need to configure a custom CA bundle to let Approver Policy Enterprise connect to your internal HTTP or transparent proxy.

  • If your Venafi Connection relies on HashiCorp Vault, you will need to configure a custom CA bundle to trust your private CA.

If you are in one of the above scenarios, you can configure Approver Policy Enterprise to trust the internal CA by putting the internal CA certificates into a ConfigMap, and mounting the ConfigMap into the Approver Policy Enterprise Pod in the /etc/ssl/certs/ directory.

  1. Create a ConfigMap in the venafi namespace. For example, a ConfigMap holding the CA certificate of a TLS Protect Datacenter (TPP) instance will look like this:

    approver-policy-enterprise-ca-certificates.configmap.yaml
    apiVersion: v1
    kind: ConfigMap
    metadata:
        name: ca-cert-tpp
        namespace: venafi
    data:
        ca.crt: |
          -----BEGIN CERTIFICATE-----
          ## INSERT CA CERTIFICATE DATA HERE
          -----END CERTIFICATE-----
    
  2. Use kubectl to apply the ConfigMap:

    kubectl apply -f approver-policy-enterprise-ca-certificates.configmap.yaml
    
  3. Use the volumeMounts and volumes values to mount the additional CA certificates into the /etc/ssl/certs/ directory.

    approver-policy-enterprise-ca-certificates.values.yaml
    cert-manager-approver-policy:
      volumes:
        - name: ca-cert-tpp-volume
          configMap:
            name: ca-cert-tpp
            optional: false
        - name: rego # (1)!
          configMap:
            name: cert-manager-approver-policy-rego
            optional: true
    
      volumeMounts:
        - name: ca-cert-tpp-volume
          mountPath: "/etc/ssl/certs/ca-cert-tpp-ca.crt"
          subPath: ca.crt # (2)!
          readOnly: true
        - name: rego  # (3)!
          mountPath: /var/run/rego
    
    1. This volume is required by the Rego plugin.
    2. The subPath value here must match the value of the data key to be loaded in the ConfigMap YAML file.
    3. This volumeMount is required by the Rego plugin.
  4. Redeploy Approver Policy Enterprise with the new values file:

    A sample command for users of the US region OCI registry:

    venctl components kubernetes manifest generate \
        --region us \
        --approver-policy-enterprise-values-files approver-policy-enterprise-ca-certificates.values.yaml \
        --approver-policy-enterprise > venafi-components.yaml
    

    A sample command for users of the EU region OCI registry:

    venctl components kubernetes manifest generate \
        --region eu \
        --approver-policy-enterprise-values-files approver-policy-enterprise-ca-certificates.values.yaml \
        --approver-policy-enterprise > venafi-components.yaml
    

    A sample command for users with their own organizational OCI registry. Be sure to update this command with the URI of your own company's registry:

    venctl components kubernetes manifest generate \
        --region custom \
        --cert-manager-custom-chart-repository oci://myregistry.example.com/charts \
        --cert-manager-custom-image-registry myregistry.example.com \
        --approver-policy-enterprise-values-files approver-policy-enterprise-ca-certificates.values.yaml \
        --approver-policy-enterprise > venafi-components.yaml
    

    Important

    The Rego volume and volumeMount must stay in this file. Setting volumes and volumeMounts in a values file replaces the chart's defaults rather than adding to them, so omitting the rego entries would leave the Rego plugin without its /var/run/rego mount.

    Note

    Mozilla's CA certificates are present in the image by default at /etc/ssl/certs/ca-certificates.crt and these cannot be disabled.

    Note

    If you are using TLS Protect Cloud you don't need to configure custom CA certificates, because the serving certificate of the TLS Protect Cloud REST API is signed by one of Mozilla's trusted CAs.

  5. To apply the manifest, use the following command:

    venctl components kubernetes manifest tool sync --file venafi-components.yaml
    

    For more information and options on using the Venafi CLI tool to install this component, see the Venafi CLI tool reference page.
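Two mistakes are easy to make in the procedure above: pasting a truncated or malformed PEM file into the ConfigMap (the trust store then silently fails to load), and mounting a bundle that contains a leaf or intermediate certificate where only CA roots were intended, which widens what the component trusts. The following script is an added example (not part of the Venafi documentation) that counts and balance-checks the PEM blocks in a bundle, verifies CA:TRUE and expiry with openssl when it is available, and renders the ConfigMap so that the data key matches the subPath used in Step 4. It assumes the ConfigMap name ca-cert-tpp, the namespace venafi and the data key ca.crt from the steps above; the placeholder PEM content in the usage notes is constructed and is not a real certificate.

```shell
#!/bin/sh
# Added example, not part of the Venafi documentation: sanity-check a private CA
# bundle and render it as the ConfigMap that Step 4 mounts into the Approver
# Policy Enterprise Pod at /etc/ssl/certs/.
# Assumptions: ConfigMap name ca-cert-tpp, namespace venafi and data key ca.crt,
# matching the volume and subPath used above; pass other values as arguments.

# count_pem_certs FILE
#   Prints the number of complete PEM certificate blocks; fails when the
#   BEGIN/END markers are unbalanced or no certificate is present.
count_pem_certs() {
  begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
  ends=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
  if [ "$begins" -ne "$ends" ]; then
    echo "error: unbalanced PEM markers in $1 ($begins BEGIN, $ends END)" >&2
    return 1
  fi
  if [ "$begins" -eq 0 ]; then
    echo "error: no certificates found in $1" >&2
    return 1
  fi
  echo "$begins"
}

# check_ca_flags FILE
#   With openssl available, verify that every certificate in the bundle is a
#   CA (basicConstraints CA:TRUE) and has not expired. Skipped with a warning
#   when openssl is not installed.
check_ca_flags() {
  file=$1
  command -v openssl >/dev/null 2>&1 || {
    echo "warning: openssl not found, skipping CA:TRUE and expiry checks" >&2
    return 0
  }
  n=$(count_pem_certs "$file") || return 1
  i=0
  while [ "$i" -lt "$n" ]; do
    # Extract the i-th certificate block (0-based) from the bundle.
    cert=$(awk -v want="$i" '/^-----BEGIN CERTIFICATE-----$/ { c++ } c - 1 == want { print }' "$file")
    if ! printf '%s\n' "$cert" | openssl x509 -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:TRUE'; then
      echo "error: certificate #$((i + 1)) in $file is not a CA certificate" >&2
      return 1
    fi
    if ! printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then
      echo "error: certificate #$((i + 1)) in $file has expired" >&2
      return 1
    fi
    i=$((i + 1))
  done
  echo "OK: $n CA certificate(s) in $file"
}

# render_configmap FILE [NAME] [NAMESPACE]
#   Emits the ConfigMap YAML with the bundle under the ca.crt key, which must
#   equal the subPath in the volumeMount so the file lands as ca-cert-tpp-ca.crt.
render_configmap() {
  file=$1
  name=${2:-ca-cert-tpp}
  ns=${3:-venafi}
  count_pem_certs "$file" >/dev/null || return 1
  printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: %s\n  namespace: %s\ndata:\n  ca.crt: |\n' "$name" "$ns"
  sed 's/^/    /' "$file"
}

# Usage:
#   sh ca-bundle-configmap.sh tpp-ca.pem > approver-policy-enterprise-ca-certificates.configmap.yaml
# Checks are reported on stderr so stdout stays pure YAML for kubectl apply -f.
if [ "$#" -gt 0 ]; then
  check_ca_flags "$1" >&2 && render_configmap "$1"
fi
```

Only the PEM bookkeeping runs without openssl; with openssl present the script also refuses a bundle in which any certificate lacks CA:TRUE or has expired, which is the check to run before the ConfigMap is applied and the Pod redeployed.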

Upgrade

To upgrade from a pre-v0.7.0 installation to v0.7.0 or a later version, some migration steps are required. You can obtain an ad-hoc migration plan by contacting Venafi's support team.

Next steps