Installing approver-policy
Installation Steps
1. Install cert-manager
cert-manager must be installed, and the the default approver in cert-manager must be disabled.
⚠️ If the default approver is not disabled in cert-manager, approver-policy will race with cert-manager and policy will be ineffective.
If you install cert-manager using helm install or helm upgrade,
you can disable the default approver by Customizing the Chart Before Installing using the --set or --values command line flags:
# Example --set value--set extraArgs={--controllers='*\,-certificaterequests-approver'} # ⚠ Disable cert-manager's built-in approver
# Example --values file contentextraArgs:- "--controllers=*,-certificaterequests-approver" # ⚠ Disable cert-manager's built-in approver
Here's a full example which will install cert-manager or reconfigure it if it is already installed:
helm upgrade cert-manager jetstack/cert-manager \--install \--create-namespace \--namespace cert-manager \--version v1.14.4 \--set installCRDs=true \--set extraArgs={--controllers='*\,-certificaterequests-approver'} # ⚠ Disable cert-manager's built-in approver
ℹ️ The
--set installCRDs=truesetting is a convenient way to install the cert-manager CRDS, but it is optional and has some drawbacks. Read Helm: Installing Custom Resource Definitions to learn more.ℹ️ Be sure to customize the cert-manager controller
extraArgs, which are at the top level of the values file. Do not change thewebhook.extraArgs,startupAPICheck.extraArgsorcainjector.extraArgssettings.⚠️ If you are reconfiguring an already installed cert-manager, check whether the original installation already customized the
extraArgsvalue by runninghelm get values cert-manager --namespace cert-manager. If there are alreadyextraArgsvalues, merge those with the extra--controllersvalue. Otherwise your originalextraArgsvalues will be overwritten.
2. Install approver-policy
To install approver-policy:
helm repo add jetstack https://charts.jetstack.io --force-updatehelm upgrade cert-manager-approver-policy jetstack/cert-manager-approver-policy \--install \--namespace cert-manager \--version v0.13.0 \--wait
If you are using approver-policy with external issuers, you must include their signer names so that approver-policy has permissions to approve and deny CertificateRequests that reference them. For example, if using approver-policy for the internal issuer types, along with google-cas-issuer, and aws-privateca-issuer, set the following values when installing:
helm upgrade cert-manager-approver-policy jetstack/cert-manager-approver-policy \--install \--namespace cert-manager \--version v0.13.0 \--wait \--set app.approveSignerNames="{\issuers.cert-manager.io/*,clusterissuers.cert-manager.io/*,\googlecasclusterissuers.cas-issuer.jetstack.io/*,googlecasissuers.cas-issuer.jetstack.io/*,\awspcaclusterissuers.awspca.cert-manager.io/*,awspcaissuers.awspca.cert-manager.io/*\}"
Uninstalling
To uninstall approver-policy installed via Helm, run:
$ helm uninstall cert-manager-approver-policy --namespace cert-managerThese resources were kept due to the resource policy:[CustomResourceDefinition] certificaterequestpolicies.policy.cert-manager.iorelease "cert-manager-approver-policy" uninstalled
As shown in the output, the CustomResourceDefinition for CertificateRequestPolicy
is not removed by the Helm uninstall command. This to prevent data loss, as removing
the CustomResourceDefinition will also remove all CertificateRequestPolicy resources.
☢️ This will remove all
CertificateRequestPolicyresources from the cluster:$ kubectl delete crd certificaterequestpolicies.policy.cert-manager.io
⚠️ approver-policy versions prior to
v0.13.0do not keep theCustomResourceDefinitionon uninstall and will remove allCertificateRequestPolicyresources from the cluster. Make sure to back up yourCertificateRequestPolicyresources before uninstalling approver-policy if you are using a version prior tov0.13.0. Or upgrade tov0.13.0before uninstalling.
Usage
📖 Read the approver-policy docs.