Installing approver-policy-enterprise
Learn how to install the approver-policy-enterprise component of TLS Protect for Kubernetes Enterprise
Introduction
approver-policy-enterprise is a software component of TLS Protect for Kubernetes. It is distributed as a Docker image and a Helm chart, both hosted in the TLS Protect for Kubernetes enterprise OCI registry. In this section you will learn about the different ways to install approver-policy-enterprise in your cluster using Helm.
Docker Images
- Private Docker image: eu.gcr.io/jetstack-secure-enterprise/approver-policy-enterprise.
- Private Helm registry: oci://eu.gcr.io/jetstack-secure-enterprise/charts.
Prerequisites
- You will need access to a Venafi Control Plane (VaaS or TPP) instance.
- You will need permission to install Helm charts and CRDs on your Kubernetes cluster.
- cert-manager must be installed in your cluster.
- kubectl and helm >= 3.8.0 must be installed on your local computer (3.8.0 is the first Helm release with OCI registry support enabled by default).
Configure access to the enterprise registry
Follow the instructions in Access to enterprise components to enable access to the artifacts required for this component. Use jetstack-secure as the namespace.
For the examples below, we assume you created a Kubernetes Secret with namespace jetstack-secure and name jse-gcr-creds.
Reconfigure cert-manager
Remember that by default, cert-manager ships with a built-in approver that marks every CertificateRequest as Approved. To use our own approver we must turn that controller off; otherwise the two approvers race for each new CertificateRequest, the built-in one approves everything it reaches first, and the policy is effectively bypassed.
To disable the built-in approver, pass the following command line argument to the cert-manager controller:
```shell
--controllers=*,-certificaterequests-approver
```
If using Helm, this can also be achieved through the following values option:
```shell
helm upgrade -i cert-manager jetstack/cert-manager \
  --namespace jetstack-secure \
  --create-namespace \
  --version v1.12.1 \
  --set installCRDs=true \
  --set extraArgs={--controllers='*\,-certificaterequests-approver'}
```
Once this is done, you should find the following log line in the cert-manager controller output, confirming that the default approver controller has been disabled:
```
I0506 14:44:51.198463 1 controller.go:182] cert-manager/controller "msg"="not starting controller as it's disabled" "controller"="certificaterequests-approver"
```
A quick way to search the logs, assuming cert-manager is deployed to the jetstack-secure namespace:
```shell
kubectl logs -n jetstack-secure -l app=cert-manager | grep "certificaterequests-approver"
```
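Two quick checks, added here as an example rather than taken from the approver-policy-enterprise documentation, that confirm the built-in approver is really out of the picture. The first inspects the --controllers value the cert-manager Deployment was actually started with (the log line above only appears at startup and may have rotated away). The second looks for CertificateRequests whose Approved condition was set by cert-manager's built-in approver, which records the condition reason cert-manager.io, whereas approver-policy records policy.cert-manager.io; any such request after the reconfiguration means the race described above is still happening. The kubectl commands in the comments are the live source of each input; the sample rows embedded in the script are constructed.

```shell
#!/bin/sh
# Added example, not part of the approver-policy-enterprise docs. Two checks that the
# built-in cert-manager approver is out of the way. Both read text on stdin so they can
# be run against saved output as well as a live cluster.

# controllers_flag_value: given cert-manager's container args one per line, print the
# value of --controllers=... (nothing if the flag is absent). Live input:
#   kubectl -n jetstack-secure get deployment cert-manager \
#     -o jsonpath='{.spec.template.spec.containers[0].args[*]}' | tr ' ' '\n'
controllers_flag_value() {
  sed -n 's/^--controllers=//p'
}

# controllers_flag_disables_approver VALUE: succeed only if the comma-separated
# controller list explicitly contains "-certificaterequests-approver".
controllers_flag_disables_approver() {
  printf '%s\n' "$1" | tr ',' '\n' | grep -qx -- '-certificaterequests-approver'
}

# builtin_approvals: read rows of "NAMESPACE NAME APPROVED_REASON" and print every
# CertificateRequest approved by the built-in approver (reason "cert-manager.io");
# approver-policy writes "policy.cert-manager.io" instead. Returns 1 if any are found.
# Live input:
#   kubectl get certificaterequests -A --no-headers -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,REASON:.status.conditions[?(@.type=="Approved")].reason'
builtin_approvals() {
  awk '$3 == "cert-manager.io" { print $1 "/" $2; found = 1 }
       END { exit (found ? 1 : 0) }'
}

# Constructed sample rows (not from a real cluster) in the custom-columns format above.
SAMPLE_CRS='default   web-tls-1   policy.cert-manager.io
default   web-tls-2   cert-manager.io
istio     gateway-1   <none>'

# Usage against the samples:
#   printf '%s\n' '--v=2' '--controllers=*,-certificaterequests-approver' \
#     | controllers_flag_value                        # prints: *,-certificaterequests-approver
#   printf '%s\n' "$SAMPLE_CRS" | builtin_approvals   # prints: default/web-tls-2 and exits 1
```

If builtin_approvals reports anything created after the reconfiguration, the Deployment was not actually restarted with the new argument; re-run the first check against the live args rather than the Helm values.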
Upgrade
To upgrade from a pre-v0.7.0 installation to a version >= v0.7.0, some migration steps are required. An ad-hoc migration plan can be obtained by contacting the development team.
Deploying approver-policy-enterprise using Helm
Now that cert-manager's default approver has been disabled, we can install approver-policy-enterprise using Helm.
Here we install approver-policy-enterprise in the jetstack-secure namespace and configure it to use the pull-secret that we created earlier. Additionally, we specify the CA bundles approver-policy-enterprise should trust.
Create a file called approver-policy-enterprise.values.yaml containing the following content:
```yaml
# approver-policy-enterprise.values.yaml
cert-manager-approver-policy:
  imagePullSecrets:
  - name: jse-gcr-creds
  venafiConnection:
    include: true # set to `false` if VenafiConnection CRDs & RBAC are already installed
```
Use Helm to install the software and wait for it to be ready:
```shell
helm upgrade approver-policy-enterprise oci://eu.gcr.io/jetstack-secure-enterprise/charts/approver-policy-enterprise \
  --registry-config <(jsctl registry auth output --format=dockerconfig) \
  --install \
  --wait \
  --namespace jetstack-secure \
  --values approver-policy-enterprise.values.yaml \
  --version v0.11.0
```
Deploying approver-policy-enterprise with jsctl and TLS Protect for Kubernetes operator
Make sure the TLS Protect for Kubernetes operator is already present in the cluster. Use jsctl to show the software components present in the cluster:
```shell
jsctl cluster status
```
The response lists the components installed in the cluster; make sure the jetstack-secure-operator field is present.
```yaml
# cluster components example status
crds:
- name: cert-manager.io
  items: []
- name: jetstack.io
  items:
  - installations.operator.jetstack.io
namespaces:
- jetstack-secure
ingress-shim-ingresses: []
components:
  cert-manager:
    ...
  jetstack-secure-operator:
    namespace: jetstack-secure
    version: ...
issuers: []
```
If it is not present, follow the TLS Protect for Kubernetes operator installation guide to install the operator.
Install approver-policy-enterprise
Use jsctl to install approver-policy-enterprise, making sure the --tier flag is set to either enterprise or enterprise-plus:
```shell
jsctl operator installations apply --auto-registry-credentials \
  --tier=enterprise-plus
```
Once installed you can start managing the CertificateRequestPolicy resources using the TLS Protect for Kubernetes operator, more on that here.
Read about Helm 3 support for OCI package distribution.
ℹ️ If you are using approver-policy-enterprise with external issuers, don't forget to include their signer names so that approver-policy-enterprise has permissions to approve and deny CertificateRequests that reference them.
ℹ️ There are also FIPS compliant Docker images available at eu.gcr.io/jetstack-secure-enterprise/approver-policy-enterprise and these have the same version tags as the main Docker images.
Enabling the Rego features of approver-policy-enterprise
To enable the Rego features of approver-policy-enterprise, create another values file called approver-policy-enterprise.values-rego.yaml containing the Rego configuration, and supply it as an extra --values argument when installing the component. The example below replicates Services from a namespace called my-namespace, so create that namespace first:
```shell
kubectl create ns my-namespace
```
```yaml
# approver-policy-enterprise.values-rego.yaml
cert-manager-approver-policy:
  app:
    extraArgs:
    - --rego-policy-directory=/var/run/rego
    - --rego-replicate=networking.k8s.io/v1/ingresses
    - --rego-replicate=/v1/services/my-namespace
    - --rego-replicate-cluster=/v1/namespaces
  rego:
    rbac:
      namespaced:
      - namespace: ""
        apiGroup: "networking.k8s.io"
        resource: "ingresses"
      - namespace: "my-namespace"
        apiGroup: ""
        resource: "services"
      cluster:
      - apiGroup: ""
        resource: "namespaces"
```
```shell
helm upgrade approver-policy-enterprise oci://eu.gcr.io/jetstack-secure-enterprise/charts/approver-policy-enterprise \
  --registry-config <(jsctl registry auth output --format=dockerconfig) \
  --install \
  --wait \
  --namespace jetstack-secure \
  --values approver-policy-enterprise.values.yaml \
  --values approver-policy-enterprise.values-rego.yaml \
  --version v0.11.0
```
Configure Custom CA Certificates
approver-policy-enterprise may need to connect to TLS servers whose serving certificate is signed by an internal certificate authority (CA). For example, it may need to connect to the REST API of Trust Protection Platform if you use TLS Protect Datacenter (TPP), or to the REST API of an internal Vault server if you use the HashiCorp Vault features of venafi-connection.
In these cases you will need to configure approver-policy-enterprise to trust the internal CA, by putting the internal CA certificates into a ConfigMap and mounting the ConfigMap into the approver-policy-enterprise Pod as a file in the /etc/ssl/certs/ directory.
First create a ConfigMap in the jetstack-secure namespace. For example, a TPP CA certificate ConfigMap will look like this:
```yaml
# approver-policy-enterprise-ca-certificates.configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: ca-cert-tpp
  namespace: jetstack-secure
data:
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    ## INSERT CA CERTIFICATE DATA HERE
    -----END CERTIFICATE-----
```
```shell
kubectl apply -f approver-policy-enterprise-ca-certificates.configmap.yaml
```
Then use the volumeMounts and volumes values to mount the additional CA certificate into the /etc/ssl/certs/ directory. Note the subPath: it mounts the ConfigMap key as a single file next to the image's existing bundle, rather than mounting the ConfigMap over the whole directory.
```yaml
# approver-policy-enterprise-ca-certificates.values.yaml
cert-manager-approver-policy:
  volumes:
  - name: ca-cert-tpp-volume
    configMap:
      name: ca-cert-tpp
      optional: false
  - name: rego # ← This volume is required by the Rego plugin.
    configMap:
      name: cert-manager-approver-policy-rego
      optional: true
  volumeMounts:
  - name: ca-cert-tpp-volume
    mountPath: "/etc/ssl/certs/ca-cert-tpp-ca.crt"
    subPath: ca.crt
    readOnly: true
  - name: rego # ← This volumeMount is required by the Rego plugin.
    mountPath: /var/run/rego
```
Redeploy the approver-policy-enterprise Helm chart, using the extra values file (above):
```shell
helm upgrade approver-policy-enterprise oci://eu.gcr.io/jetstack-secure-enterprise/charts/approver-policy-enterprise \
  --install \
  --registry-config <(jsctl registry auth output --format=dockerconfig) \
  --wait \
  --namespace jetstack-secure \
  --values approver-policy-enterprise.values.yaml \
  --values approver-policy-enterprise-ca-certificates.values.yaml \
  --version v0.11.0
```
⚠️ The Rego volume and volumeMount must be repeated in this values file. Setting volumes and volumeMounts replaces the chart's defaults instead of merging with them, so leaving the Rego entries out silently removes the mount the Rego plugin depends on.
ℹ️ Mozilla's CA certificates are present in the image by default at /etc/ssl/certs/ca-certificates.crt and cannot be disabled.
ℹ️ If you are using TLS Protect Cloud you do not need to configure custom CA certificates, because the serving certificate of the VaaS REST API is signed by a publicly trusted CA that is included in Mozilla's bundle.
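A sanity check for the values file above, added here as an example and not part of the approver-policy-enterprise documentation. It reads the volumeMounts of the deployed container and flags the two mistakes this values file invites: the rego mount being dropped (the warning above), and a CA ConfigMap mounted over /etc/ssl/certs itself, which hides the image's ca-certificates.crt bundle instead of adding to it. The Deployment name in the comment is a placeholder you must fill in; the sample mount lists in the script are constructed.

```shell
#!/bin/sh
# Added example, not part of the approver-policy-enterprise docs. Checks the volumeMounts
# of the deployed approver-policy-enterprise container for the two mistakes the custom-CA
# values file invites: dropping the rego mount (the chart defaults are replaced by the
# values, not merged) and mounting a CA ConfigMap over /etc/ssl/certs itself, which
# hides the image's /etc/ssl/certs/ca-certificates.crt bundle instead of adding to it.
#
# Input on stdin: one "<volume name><TAB><mountPath>" line per volumeMount. Live source
# (replace <deployment> with the name shown by `kubectl -n jetstack-secure get deployments`):
#   kubectl -n jetstack-secure get deployment <deployment> \
#     -o jsonpath='{range .spec.template.spec.containers[0].volumeMounts[*]}{.name}{"\t"}{.mountPath}{"\n"}{end}'

check_volume_mounts() {
  awk -F '\t' '
    $1 == "rego" && $2 == "/var/run/rego" { rego = 1 }
    $2 == "/etc/ssl/certs" || $2 == "/etc/ssl/certs/" {
      print "volume " $1 " is mounted over /etc/ssl/certs and hides the Mozilla bundle; mount one file with subPath instead"
      bad = 1
    }
    END {
      if (!rego) {
        print "no volumeMount named rego at /var/run/rego; the Rego plugin will not find its policies"
        bad = 1
      }
      exit (bad ? 1 : 0)
    }'
}

# Constructed samples (not from a real cluster). GOOD_MOUNTS matches the values file
# above; BAD_MOUNTS mounts the ConfigMap on the directory and omits the rego mount.
GOOD_MOUNTS=$(printf 'ca-cert-tpp-volume\t/etc/ssl/certs/ca-cert-tpp-ca.crt\nrego\t/var/run/rego')
BAD_MOUNTS=$(printf 'ca-cert-tpp-volume\t/etc/ssl/certs')

# Usage:
#   printf '%s\n' "$GOOD_MOUNTS" | check_volume_mounts   # silent, exits 0
#   printf '%s\n' "$BAD_MOUNTS"  | check_volume_mounts   # two findings, exits 1
```

Run it after every helm upgrade that touches volumes or volumeMounts; a non-zero exit means the Pod is either missing its policy directory or has lost the public CA bundle it needs for TLS Protect Cloud.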
Next steps
- Learn how to configure approver-policy-enterprise using CertificateRequestPolicy resources
- See examples of some common policy configurations
- Learn about the Venafi features of approver-policy-enterprise
- Learn about the Rego features of approver-policy-enterprise
- Read about common administration tasks related to approver-policy-enterprise controller
- Read about the command line flags of the approver-policy-enterprise controller