Installing approver-policy
Installation Steps
1. Install cert-manager
cert-manager must be installed, and the the default approver in cert-manager must be disabled.
⚠️ If the default approver is not disabled in cert-manager, approver-policy will race with cert-manager and policy will be ineffective.
If you install cert-manager using helm install
or helm upgrade
,
you can disable the default approver by Customizing the Chart Before Installing using the --set
or --values
command line flags:
# ⚠️ This Helm option is only available in cert-manager v1.15.0 and later.# Example --set value--set disableAutoApproval=true
# ⚠️ This Helm option is only available in cert-manager v1.15.0 and later.# Example --values file contentdisableAutoApproval: true
If you already have cert-manager installed, you can reconfigure it to disable the default approver as in the example below. Note that doing this in a running cluster with no other approval configured will stop all issuance (as no certificate requests will be approved)!
# ⚠️ The disableAutoApproval Helm option is only available in cert-manager v1.15.0 and later.# ⚠️ DANGER: Only do this in a cluster if you're sure it's safe!existing_cert_manager_version=$(helm get metadata -n cert-manager cert-manager | grep '^VERSION' | awk '{ print $2 }')helm upgrade cert-manager jetstack/cert-manager \--reuse-values \--namespace cert-manager \--version $existing_cert_manager_version \--set disableAutoApproval=true
2. Install approver-policy
To install approver-policy:
helm repo add jetstack https://charts.jetstack.io --force-updatehelm upgrade cert-manager-approver-policy jetstack/cert-manager-approver-policy \--install \--namespace cert-manager \--wait
If you are using approver-policy with external issuers, you must include their signer names so that approver-policy has permissions to approve and deny CertificateRequests that reference them. For example, if using approver-policy for the internal issuer types, along with google-cas-issuer, and aws-privateca-issuer, set the following values when installing:
helm upgrade cert-manager-approver-policy jetstack/cert-manager-approver-policy \--install \--namespace cert-manager \--wait \--set app.approveSignerNames="{\issuers.cert-manager.io/*,clusterissuers.cert-manager.io/*,\googlecasclusterissuers.cas-issuer.jetstack.io/*,googlecasissuers.cas-issuer.jetstack.io/*,\awspcaclusterissuers.awspca.cert-manager.io/*,awspcaissuers.awspca.cert-manager.io/*\}"
Uninstalling
To uninstall approver-policy installed via Helm, run:
$ helm uninstall cert-manager-approver-policy --namespace cert-managerThese resources were kept due to the resource policy:[CustomResourceDefinition] certificaterequestpolicies.policy.cert-manager.iorelease "cert-manager-approver-policy" uninstalled
As shown in the output, the CustomResourceDefinition
for CertificateRequestPolicy
is not removed by the Helm uninstall command. This to prevent data loss, as removing
the CustomResourceDefinition
will also remove all CertificateRequestPolicy
resources.
☢️ This will remove all
CertificateRequestPolicy
resources from the cluster:$ kubectl delete crd certificaterequestpolicies.policy.cert-manager.io
⚠️ approver-policy versions prior to
v0.13.0
do not keep theCustomResourceDefinition
on uninstall and will remove allCertificateRequestPolicy
resources from the cluster. Make sure to back up yourCertificateRequestPolicy
resources before uninstalling approver-policy if you are using a version prior tov0.13.0
. Or upgrade tov0.13.0
before uninstalling.
Usage
📖 Read the approver-policy docs.