Important Announcement!

This deprecated version of TLS Protect for Kubernetes, originally known as Jetstack Secure, will be PERMANENTLY SHUTDOWN on May 19, 2025. If you're still using this version, please work with your CyberArk/Venafi account team to transition to the current version of TLS Protect for Kubernetes.

Administration of approver-policy-enterprise

Learn about some common administration tasks related to the approver-policy-enterprise component of TLS Protect for Kubernetes Enterprise



Custom Command Line Flags

Some of the settings of approver-policy-enterprise can be changed using command line flags. These must be modified in the approver-policy-enterprise Deployment resource. If you deployed approver-policy-enterprise using Helm, you can customize the Deployment command line flags as follows.

Add the desired command line flags to a new or existing Helm values file:

# approver-policy-enterprise-flags.values.yaml
cert-manager-approver-policy:
  app:
    extraArgs:
      - --rego-policy-directory=/var/run/rego # ❗ This flag is required by the Rego plugin
      - --venafi-policy-cache-duration=0 # ℹ️ Disable Venafi policy caching, for example.

Run helm upgrade to apply the new values:

helm upgrade approver-policy-enterprise oci://eu.gcr.io/jetstack-secure-enterprise/charts/approver-policy-enterprise \
  --registry-config <(jsctl registry auth output --format=dockerconfig) \
  --wait \
  --namespace jetstack-secure \
  --values approver-policy-enterprise.values.yaml \
  --values approver-policy-enterprise-flags.values.yaml \
  --version v0.11.0

📖 Read more about the approver-policy image flags

Venafi Plugin

This section contains information for platform administrators who are using the Venafi features of approver-policy-enterprise.

Configuring policy caching

By default, approver-policy-enterprise will begin enforcing new Venafi policy within 1 minute of it being changed in TLS Protect.

Set --venafi-policy-cache-duration=0 if you want approver-policy-enterprise to enforce the latest policy as soon as possible. This forces approver-policy-enterprise to attempt to download the latest policy from Venafi for every pending CertificateRequest.

If you need to reduce the frequency of Venafi API requests, you can increase the --venafi-policy-cache-duration, which will cause approver-policy-enterprise to cache the downloaded policy for longer.

📖 Read more about the approver-policy image flags

High availability

If you are using approver-policy-enterprise with TLS Protect Datacenter (TPP), there may be times when the REST API of Trust Protection Platform is unavailable, for example when performing an offline upgrade of the Venafi platform. You may need approver-policy-enterprise to continue to approve CertificateRequest resources during this time.

By default, approver-policy-enterprise caches downloaded Venafi policies in memory for 1 minute. After that time it will attempt to download the latest policy from the Venafi API server, and if that fails it will not approve new CertificateRequests until it has re-established a connection to the Venafi API and downloaded the latest policy.

If you need approver-policy-enterprise to tolerate outages longer than 1 minute, you should increase the --venafi-policy-cache-duration, which will allow the last downloaded policy to be used for longer in the absence of a connection to Venafi.

You should also disable the periodic health checks by setting --venafi-ready-check-interval=0, because any failure of the health check will cause the CertificateRequestPolicy to be marked as "not ready", and while it is in that state it will not be evaluated.

⚠ī¸ Do not restart the approver-policy-enterprise software during a Venafi API outage, because the in-memory cache will be lost and it will not be possible to download the Venafi policy until the connection to the Venafi API is restored.


📖 Read more about the approver-policy image flags
