Installing approver-policy-enterprise

Learn how to install the approver-policy-enterprise component of TLS Protect for Kubernetes Enterprise



Introduction

approver-policy-enterprise is a software component of TLS Protect for Kubernetes. It has a Docker image and a Helm chart which are hosted at the TLS Protect for Kubernetes enterprise OCI registry. In this section you will learn about the different ways to install approver-policy-enterprise in your cluster using Helm.

Docker Images

  • Private Docker image: eu.gcr.io/jetstack-secure-enterprise/approver-policy-enterprise.
  • Private Helm registry: oci://eu.gcr.io/jetstack-secure-enterprise/charts.

Prerequisites

  • You will need access to a Venafi Control Plane (VaaS or TPP) instance.
  • You will need permission to install Helm charts and CRDs on your Kubernetes cluster.
  • You should install cert-manager in your cluster.
  • You should install kubectl and helm >= 3.8.0 on your local computer.

Configure access to the enterprise registry

🔑 Follow the instructions in Access to enterprise components to enable access to the artifacts required for this component. Use jetstack-secure as the namespace.

For the example below, we assume you created the following Kubernetes Secret:

  • namespace: jetstack-secure
  • name: jse-gcr-creds

Reconfigure cert-manager

Remember that by default, cert-manager ships with an in-built approver that will attempt to mark all CertificateRequests as Approved. In order to use our own approver, we need to turn off this functionality; else the approvers will race and we would effectively have no policy at all!

To disable the in-built approver, pass the following command line argument to the cert-manager controller:

--controllers=*,-certificaterequests-approver

If using helm, this can also be achieved through the following values option:

helm upgrade -i cert-manager jetstack/cert-manager \
  --namespace jetstack-secure \
  --create-namespace \
  --version v1.12.1 \
  --set installCRDs=true \
  --set extraArgs={--controllers='*\,-certificaterequests-approver'}

Once this is done, you should find the following line in the cert-manager controller logs, confirming that the default approver controller has been disabled.

I0506 14:44:51.198463 1 controller.go:182] cert-manager/controller "msg"="not starting controller as it's disabled" "controller"="certificaterequests-approver"

A quick way to search in the logs, assuming cert-manager is deployed to the jetstack-secure namespace:

kubectl logs -n jetstack-secure -l app=cert-manager | grep "certificaterequests-approver"
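As an added check (example code written for this page, not part of the Venafi documentation or of cert-manager), the following POSIX shell functions decide from the controller's argument list whether the built-in approver is disabled, and look for the log line above in a constructed log sample. Parsing the flag rather than grepping the log also covers the case where the flag is absent entirely, which leaves every controller, approver included, running. The live-cluster variant in the comments assumes cert-manager's controller Deployment is named cert-manager in the jetstack-secure namespace.

```shell
# Added example, not part of the Venafi documentation: answers "is cert-manager's
# built-in CertificateRequest approver disabled?" from the controller's
# arguments, plus a log-line check matching the message shown above.

# approver_disabled ARG... : returns 0 when the --controllers flag contains the
# token -certificaterequests-approver, 1 otherwise (including when the flag is
# absent, because cert-manager then runs every controller, approver included).
approver_disabled() {
  controllers=""
  for arg in "$@"; do
    case "$arg" in
      --controllers=*) controllers="${arg#--controllers=}" ;;
    esac
  done
  [ -n "$controllers" ] || return 1
  # Walk the comma-separated list without word splitting, so a '*' entry
  # is never glob-expanded against the current directory.
  rest="$controllers,"
  while [ -n "$rest" ]; do
    token="${rest%%,*}"
    rest="${rest#*,}"
    [ "$token" = "-certificaterequests-approver" ] && return 0
  done
  return 1
}

# log_shows_approver_disabled : reads controller log lines on stdin and returns
# 0 if the "not starting controller" line for the approver is present.
log_shows_approver_disabled() {
  grep 'not starting controller' | grep -q '"controller"="certificaterequests-approver"'
}

# Constructed sample log: the first line is invented for illustration, the
# second is the message the docs say to look for.
sample_log() {
  cat <<'EOF'
I0506 14:44:51.198301 1 controller.go:182] cert-manager/controller "msg"="starting controller" "controller"="certificaterequests-issuing"
I0506 14:44:51.198463 1 controller.go:182] cert-manager/controller "msg"="not starting controller as it's disabled" "controller"="certificaterequests-approver"
EOF
}

# Stand-alone demonstration against constructed argument lists.
main() {
  if approver_disabled "--v=2" "--controllers=*,-certificaterequests-approver"; then
    echo "args with -certificaterequests-approver: built-in approver disabled"
  fi
  if ! approver_disabled "--v=2"; then
    echo "args without --controllers: built-in approver still active (approvers would race)"
  fi
  if sample_log | log_shows_approver_disabled; then
    echo "sample log confirms the approver controller was not started"
  fi
  # Live-cluster variant (needs kubectl; not run here). Deployment name is an
  # assumption (cert-manager's default). set -f stops the '*' from globbing
  # when the jsonpath output is word-split into arguments:
  #   set -f
  #   approver_disabled $(kubectl get deploy -n jetstack-secure cert-manager \
  #     -o jsonpath='{.spec.template.spec.containers[0].args[*]}') \
  #     && echo "built-in approver disabled" || echo "built-in approver still active"
}
main
```

The argument check is the more reliable of the two: the log line only appears at controller start-up and may have rotated out, whereas the Deployment's arguments reflect the current configuration.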

Upgrade

To upgrade from a pre-v0.7.0 installation to a version >= v0.7.0, some migration steps are required. An ad-hoc migration plan can be obtained by contacting the development team.

Deploying approver-policy-enterprise using Helm

Now that cert-manager's default approver has been disabled, we can install approver-policy-enterprise using Helm.

Here we install approver-policy-enterprise in the jetstack-secure namespace and configure it to use the pull secret that we created earlier. Additionally, we specify the CA bundles approver-policy-enterprise should trust.

Create a file called: approver-policy-enterprise.values.yaml containing the following content:

# approver-policy-enterprise.values.yaml
cert-manager-approver-policy:
  imagePullSecrets:
  - name: jse-gcr-creds
  venafiConnection:
    include: true # set to `false` if VenafiConnection CRDs & RBAC are already installed

Use Helm to install the software and wait for it to be ready:

helm upgrade approver-policy-enterprise oci://eu.gcr.io/jetstack-secure-enterprise/charts/approver-policy-enterprise \
  --registry-config <(jsctl registry auth output --format=dockerconfig) \
  --install \
  --wait \
  --namespace jetstack-secure \
  --values approver-policy-enterprise.values.yaml \
  --version v0.11.0

Deploying approver-policy-enterprise with jsctl and TLS Protect for Kubernetes operator

Make sure the TLS Protect for Kubernetes operator is already present in the cluster. Use jsctl to show the software components present in the cluster.

jsctl cluster status

The response lists the components installed in the cluster; make sure the jetstack-secure-operator field is present.

# cluster components example status
crds:
- name: cert-manager.io
  items: []
- name: jetstack.io
  items:
  - installations.operator.jetstack.io
namespaces:
- jetstack-secure
ingress-shim-ingresses: []
components:
  cert-manager:
    ...
  jetstack-secure-operator:
    namespace: jetstack-secure
    version: ...
issuers: []

If it is not present, follow the TLS Protect for Kubernetes operator installation guide to install the operator.

Install approver-policy-enterprise

Use jsctl to install approver-policy-enterprise, making sure the --tier flag is set to enterprise or enterprise-plus.

jsctl operator installations apply --auto-registry-credentials \
  --tier=enterprise-plus

Once installed, you can start managing the CertificateRequestPolicy resources using the TLS Protect for Kubernetes operator; more on that here.

ℹī¸ If you are using approver-policy-enterprise with external issuers, don't forget to include their signer names so that approver-policy-enterprise has permissions to approve and deny CertificateRequests that reference them.

ℹī¸ There are also FIPS compliant Docker images available at eu.gcr.io/jetstack-secure-enterprise/approver-policy-enterprise and these have the same version tags as the main Docker images.

Enabling the Rego features of approver-policy-enterprise

To enable the Rego features of approver-policy-enterprise, create another values file called approver-policy-enterprise.values-rego.yaml containing the Rego configuration, and supply it as an extra --values argument when installing the component. The example below replicates Ingresses from all namespaces, Services from my-namespace (created first), and Namespaces cluster-wide, and grants the matching RBAC:

kubectl create ns my-namespace

# approver-policy-enterprise.values-rego.yaml
cert-manager-approver-policy:
  app:
    extraArgs:
    - --rego-policy-directory=/var/run/rego
    - --rego-replicate=networking.k8s.io/v1/ingresses
    - --rego-replicate=/v1/services/my-namespace
    - --rego-replicate-cluster=/v1/namespaces
  rego:
    rbac:
      namespaced:
      - namespace: ""
        apiGroup: "networking.k8s.io"
        resource: "ingresses"
      - namespace: "my-namespace"
        apiGroup: ""
        resource: "services"
      cluster:
      - apiGroup: ""
        resource: "namespaces"
helm upgrade approver-policy-enterprise oci://eu.gcr.io/jetstack-secure-enterprise/charts/approver-policy-enterprise \
  --registry-config <(jsctl registry auth output --format=dockerconfig) \
  --install \
  --wait \
  --namespace jetstack-secure \
  --values approver-policy-enterprise.values.yaml \
  --values approver-policy-enterprise.values-rego.yaml \
  --version v0.11.0
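The rbac entries in the Rego values file must mirror the --rego-replicate and --rego-replicate-cluster arguments: a replicated resource without a matching RBAC entry cannot be watched, and an RBAC entry without a replicate target is permission nobody uses. The following shell functions are an added example (not from the Venafi documentation or the approver-policy-enterprise project) that derive the rego.rbac stanza from the arguments, so both lists are written from one source. They assume, from the examples on this page, that a replicate spec has the form apiGroup/version/resource with an optional trailing /namespace, and an empty apiGroup for core resources; the output is nested under cert-manager-approver-policy like the values file above.

```shell
# Added example, not from the Venafi docs: derive the rego.rbac stanza that the
# --rego-replicate / --rego-replicate-cluster arguments require.
# Assumption (taken from the examples on this page): a replicate spec is
# <apiGroup>/<version>/<resource>[/<namespace>], empty apiGroup for core types.

# parse_replicate SPEC : prints "apiGroup|resource|namespace" ('|' separated so
# that empty fields survive a later read).
parse_replicate() {
  spec=$1
  group=${spec%%/*}
  rest=${spec#*/}           # version/resource[/namespace]
  rest=${rest#*/}           # resource[/namespace]
  resource=${rest%%/*}
  namespace=""
  [ "$rest" != "$resource" ] && namespace=${rest#*/}
  printf '%s|%s|%s\n' "$group" "$resource" "$namespace"
}

# rego_rbac_from_args ARG... : prints the values-file fragment for the rbac
# section, ignoring unrelated arguments such as --rego-policy-directory.
rego_rbac_from_args() {
  n_count=0; c_count=0
  for arg in "$@"; do
    case "$arg" in
      --rego-replicate=*) n_count=$((n_count + 1)) ;;
      --rego-replicate-cluster=*) c_count=$((c_count + 1)) ;;
    esac
  done
  echo "cert-manager-approver-policy:"
  echo "  rego:"
  echo "    rbac:"
  if [ "$n_count" -gt 0 ]; then echo "      namespaced:"; else echo "      namespaced: []"; fi
  for arg in "$@"; do
    case "$arg" in
      --rego-replicate=*)
        parse_replicate "${arg#--rego-replicate=}" | {
          IFS='|' read -r g r n
          printf '      - namespace: "%s"\n        apiGroup: "%s"\n        resource: "%s"\n' "$n" "$g" "$r"
        }
        ;;
    esac
  done
  if [ "$c_count" -gt 0 ]; then echo "      cluster:"; else echo "      cluster: []"; fi
  for arg in "$@"; do
    case "$arg" in
      --rego-replicate-cluster=*)
        parse_replicate "${arg#--rego-replicate-cluster=}" | {
          IFS='|' read -r g r n
          printf '      - apiGroup: "%s"\n        resource: "%s"\n' "$g" "$r"
        }
        ;;
    esac
  done
}

# Stand-alone demonstration with the arguments used on this page.
main() {
  rego_rbac_from_args \
    --rego-policy-directory=/var/run/rego \
    --rego-replicate=networking.k8s.io/v1/ingresses \
    --rego-replicate=/v1/services/my-namespace \
    --rego-replicate-cluster=/v1/namespaces
}
main
```

Run it and paste the output into the Rego values file; if the arguments change later, regenerating the stanza keeps the granted permissions exactly as wide as the replicated set and no wider.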

Configure Custom CA Certificates

approver-policy-enterprise may need to connect to TLS servers, where the serving certificate is signed by an internal certificate authority (CA). For example: it may need to connect to the REST API of Trust Protection Platform, if you use TLS Protect Datacenter (TPP). Or it may need to connect to the REST API of an internal Vault server, if you use the HashiCorp Vault features of venafi-connection.

In these cases you will need to configure approver-policy-enterprise to trust the internal CA, by putting the internal CA certificates into a ConfigMap, and mounting the ConfigMap into the approver-policy-enterprise Pod, in the /etc/ssl/certs/ directory.

First create a ConfigMap in the jetstack-secure namespace. For example, a TPP CA certificate ConfigMap will look like this:

# approver-policy-enterprise-ca-certificates.configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: ca-cert-tpp
  namespace: jetstack-secure
data:
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    ## INSERT CA CERTIFICATE DATA HERE
    -----END CERTIFICATE-----

kubectl apply -f approver-policy-enterprise-ca-certificates.configmap.yaml
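Before applying the ConfigMap, it is worth checking that ca.crt holds real PEM data rather than the template above with its placeholder still in place: a stray comment inside the BEGIN/END block is not a valid PEM body, so the bundle contributes no trusted CA and connections to TPP or Vault fail verification. The following shell script is an added example (not from the Venafi documentation) that performs that shape check on a file and on constructed sample bundles; the base64 body in the "ok" sample is made up and is not a real certificate, and the kubectl command in the comments assumes the ConfigMap name and namespace used above.

```shell
# Added example, not from the Venafi docs: sanity-check the PEM data that goes
# into the ca.crt key before mounting it into /etc/ssl/certs/. It catches the
# "## INSERT CA CERTIFICATE DATA HERE" placeholder left inside the block and
# unbalanced BEGIN/END markers. It does not parse the certificate itself; with
# openssl installed, 'openssl x509 -in FILE -noout -subject' does that.

# check_ca_bundle FILE : returns 0 for a plausible PEM bundle, 1 otherwise.
check_ca_bundle() {
  file=$1
  [ -s "$file" ] || return 1
  begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$file" || true)
  ends=$(grep -c -- '-----END CERTIFICATE-----' "$file" || true)
  [ "$begins" -ge 1 ] && [ "$begins" -eq "$ends" ] || return 1
  # Every line between the markers must be base64; a comment or placeholder
  # (anything containing '#', spaces, etc.) is not.
  if sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$file" \
      | grep -v -- '-----' | grep -Evq '^[A-Za-z0-9+/=]+$'; then
    return 1
  fi
  return 0
}

# write_sample KIND : writes a constructed bundle to a temp file and prints the
# path. KIND is "ok" (well-formed but MADE-UP base64, not a real certificate),
# "placeholder" (the docs template as-is), "truncated" (no END marker) or "empty".
write_sample() {
  f=$(mktemp)
  case "$1" in
    ok)
      cat >"$f" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUQ29uc3RydWN0ZWQgc2FtcGxlIG9ubHkwCgYIKoZIzj0E
AwIwEjEQMA4GA1UEAwwHdGVzdC1jYTAeFw0yNDAxMDEwMDAwMDBaFw0zNDAxMDEw
-----END CERTIFICATE-----
EOF
      ;;
    placeholder)
      cat >"$f" <<'EOF'
-----BEGIN CERTIFICATE-----
## INSERT CA CERTIFICATE DATA HERE
-----END CERTIFICATE-----
EOF
      ;;
    truncated)
      cat >"$f" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUQ29uc3RydWN0ZWQgc2FtcGxlIG9ubHkwCgYIKoZIzj0E
EOF
      ;;
    empty) : >"$f" ;;
  esac
  printf '%s\n' "$f"
}

# Stand-alone demonstration over the constructed samples.
main() {
  for kind in ok placeholder truncated empty; do
    f=$(write_sample "$kind")
    if check_ca_bundle "$f"; then
      echo "$kind: looks like a usable PEM bundle"
    else
      echo "$kind: NOT usable, fix ca.crt before mounting it"
    fi
    rm -f "$f"
  done
  # Live check of the ConfigMap already in the cluster (needs kubectl; not run
  # here). Name and namespace are those used in the docs above:
  #   kubectl get configmap ca-cert-tpp -n jetstack-secure \
  #     -o jsonpath='{.data.ca\.crt}' > /tmp/ca.crt
  #   check_ca_bundle /tmp/ca.crt && echo usable || echo "fix ca.crt"
}
main
```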

Then use the volumeMounts and volumes values to mount the additional CA certificates into the /etc/ssl/certs/ directory.

# approver-policy-enterprise-ca-certificates.values.yaml
cert-manager-approver-policy:
  volumes:
  - name: ca-cert-tpp-volume
    configMap:
      name: ca-cert-tpp
      optional: false
  - name: rego # ❗ This volume is required by the Rego plugin.
    configMap:
      name: cert-manager-approver-policy-rego
      optional: true
  volumeMounts:
  - name: ca-cert-tpp-volume
    mountPath: "/etc/ssl/certs/ca-cert-tpp-ca.crt"
    subPath: ca.crt
    readOnly: true
  - name: rego # ❗ This volumeMount is required by the Rego plugin.
    mountPath: /var/run/rego

Redeploy the approver-policy-enterprise Helm chart, using the extra values (above):

helm upgrade approver-policy-enterprise oci://eu.gcr.io/jetstack-secure-enterprise/charts/approver-policy-enterprise \
  --install \
  --registry-config <(jsctl registry auth output --format=dockerconfig) \
  --wait \
  --namespace jetstack-secure \
  --values approver-policy-enterprise.values.yaml \
  --values approver-policy-enterprise-ca-certificates.values.yaml \
  --version v0.11.0

⚠ī¸ The Rego volumes and mounts must be included because they are needed by the Rego plugin, and would otherwise be overwritten by these volumes and volumeMounts values.


ℹī¸ Mozilla's CA certificates are present in the image by default at /etc/ssl/certs/ca-certificates.crt and these cannot be disabled.


ℹī¸ If you are using TLS Protect Cloud you do not need to configure custom CA certificates, because the serving certificate of the VaaS REST API is signed by one of Mozilla's trusted CAs.

Next steps
