Administration of approver-policy-enterprise
Learn about some common administration tasks related to the approver-policy-enterprise component of TLS Protect for Kubernetes Enterprise
Custom Command Line Flags
Some of the settings of approver-policy-enterprise can be changed using command line flags. These must be modified in the approver-policy-enterprise Deployment resource. If you deployed approver-policy-enterprise using Helm, you can customize the Deployment command line flags as follows.
Add the desired command line flags to a new or existing Helm values file:
# approver-policy-enterprise-flags.values.yaml
cert-manager-approver-policy:
  app:
    extraArgs:
      - --rego-policy-directory=/var/run/rego   # This flag is required by the Rego plugin
      - --venafi-policy-cache-duration=0        # Disable Venafi policy caching, for example.
Run helm upgrade to apply the new values:
helm upgrade approver-policy-enterprise oci://eu.gcr.io/jetstack-secure-enterprise/charts/approver-policy-enterprise \
  --registry-config <(jsctl registry auth output --format=dockerconfig) \
  --wait \
  --namespace jetstack-secure \
  --values approver-policy-enterprise.values.yaml \
  --values approver-policy-enterprise-flags.values.yaml \
  --version v0.11.0
Read more about the approver-policy image flags
Venafi Plugin
This section contains information for platform administrators who are using the Venafi features of approver-policy-enterprise.
Configuring policy caching
By default, approver-policy-enterprise will begin enforcing new Venafi policy within 1 minute of it being changed in TLS Protect.
Set --venafi-policy-cache-duration=0 if you want approver-policy-enterprise to enforce the latest policy as soon as possible. This forces approver-policy-enterprise to attempt to download the latest policy from Venafi for every pending CertificateRequest.
If you need to reduce the frequency of Venafi API requests, you can increase the --venafi-policy-cache-duration, which will cause approver-policy-enterprise to cache the downloaded policy for longer.
Read more about the approver-policy image flags
High availability
If you are using approver-policy-enterprise with TLS Protect Datacenter (TPP), there may be times when the REST API of Trust Protection Platform is unavailable, for example when performing an offline upgrade of the Venafi platform. You may need approver-policy-enterprise to continue to approve CertificateRequest resources during this time.
By default, approver-policy-enterprise caches downloaded Venafi policies in memory for 1 minute. After that time it will attempt to download the latest policy from the Venafi API server, and if that fails it will not approve new CertificateRequests until it has re-established a connection to the Venafi API and downloaded the latest policy.
If you need approver-policy-enterprise to tolerate outages longer than 1 minute, you should increase the --venafi-policy-cache-duration, which will allow the last downloaded policy to be used for longer in the absence of a connection to Venafi.
You should also disable the periodic health checks by setting --venafi-ready-check-interval=0, because any failure of the health check will cause the CertificateRequestPolicy to be marked as "not ready", and while it is in that state it will not be evaluated.
Warning: Do not restart the approver-policy-enterprise software during a Venafi API outage, because the in-memory cache will be lost and it will not be possible to download the Venafi policy until the connection to the Venafi API is restored.
Read more about the approver-policy image flags
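The two sections above describe how --venafi-policy-cache-duration and --venafi-ready-check-interval together decide how long approvals keep working while the Venafi API is unreachable. The following is an added example, not code from this page or from the approver-policy-enterprise project: a small audit script that reads the container args of the approver-policy-enterprise Deployment (for instance the output of kubectl get deployment -o jsonpath on .spec.template.spec.containers[0].args, here replaced by constructed sample lists) and reports the longest Venafi outage the configuration tolerates. It assumes, as an assumption not stated on the page, that the two duration flags accept Go duration syntax such as 30s, 1m or 2h30m; the rule it applies (tolerance is the cache duration, cut short by the ready-check interval when periodic checks are enabled, and zero when caching is disabled) is derived from the page's own description of the behaviour.

```python
import re
from datetime import timedelta

# Stated on the page: the Venafi policy is cached in memory for 1 minute by default.
DEFAULT_CACHE = "1m"

# Assumption: the flags accept Go duration syntax ("0", "30s", "1m", "2h30m").
_GO_UNIT = {"ns": 1e-9, "us": 1e-6, "µs": 1e-6, "ms": 1e-3, "s": 1, "m": 60, "h": 3600}
_GO_RE = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")


def parse_go_duration(text):
    """Parse a Go-style duration string into a timedelta; "0" is allowed without a unit."""
    text = text.strip()
    if text == "0":
        return timedelta(0)
    seconds, pos = 0.0, 0
    for m in _GO_RE.finditer(text):
        if m.start() != pos:  # garbage between components
            raise ValueError(f"bad duration: {text!r}")
        seconds += float(m.group(1)) * _GO_UNIT[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"bad duration: {text!r}")
    return timedelta(seconds=seconds)


def flag_values(args):
    """Map --flag=value and --flag value pairs from a container args list; bare flags map to "true"."""
    out, i = {}, 0
    while i < len(args):
        a = args[i]
        if a.startswith("--"):
            if "=" in a:
                key, val = a[2:].split("=", 1)
            elif i + 1 < len(args) and not args[i + 1].startswith("--"):
                key, val = a[2:], args[i + 1]
                i += 1
            else:
                key, val = a[2:], "true"
            out[key] = val
        i += 1
    return out


def outage_tolerance(args):
    """Return (tolerated outage as timedelta, list of explanatory notes) for a Deployment's args."""
    flags = flag_values(args)
    notes = []
    cache = parse_go_duration(flags.get("venafi-policy-cache-duration", DEFAULT_CACHE))
    if cache == timedelta(0):
        notes.append("caching disabled: every pending CertificateRequest triggers a policy "
                     "download, so no Venafi outage is tolerated")
        return timedelta(0), notes
    tolerance = cache
    if "venafi-ready-check-interval" in flags:
        interval = parse_go_duration(flags["venafi-ready-check-interval"])
        if interval > timedelta(0):
            notes.append(f"periodic ready check every {interval} marks the CertificateRequestPolicy "
                         "not ready on its first failure, so approvals stop before the cache expires")
            tolerance = min(tolerance, interval)
        else:
            notes.append("periodic ready checks disabled; the cached policy is used until it expires")
    else:
        notes.append("venafi-ready-check-interval not set: the default periodic check may mark the "
                     "policy not ready during an outage (default interval not given on the page)")
    return tolerance, notes


def check_ha(args, required_outage):
    """True when the args tolerate an outage of at least required_outage (a Go duration string)."""
    tolerance, notes = outage_tolerance(args)
    return tolerance >= parse_go_duration(required_outage), tolerance, notes


# Constructed sample args for three Deployments (not taken from a real cluster).
CACHE_DISABLED = ["--rego-policy-directory=/var/run/rego", "--venafi-policy-cache-duration=0"]
OUTAGE_TOLERANT = ["--venafi-policy-cache-duration=4h", "--venafi-ready-check-interval=0"]
HALF_CONFIGURED = ["--venafi-policy-cache-duration=4h", "--venafi-ready-check-interval=30s"]

if __name__ == "__main__":
    for name, args in [("cache disabled", CACHE_DISABLED),
                       ("outage tolerant", OUTAGE_TOLERANT),
                       ("cache raised, checks still on", HALF_CONFIGURED)]:
        ok, tolerance, notes = check_ha(args, "2h")
        print(f"{name}: survives a 2h outage: {ok} (tolerates {tolerance})")
        for n in notes:
            print(f"  - {n}")
```

Run it against the real Deployment by replacing the sample lists with the args kubectl returns; the "cache raised, checks still on" case is the one to watch for, since increasing the cache duration without also setting --venafi-ready-check-interval=0 leaves the ready check as the effective limit.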