Creating a service account to use a key encryption key

You can encrypt data and retain control and management of the encryption by using a key encryption key (KEK).

The deployment pipelines creates a new service account to enable the key encryption key in your BMC Helix Service Management environment.

If you want to run the deployment pipelines by using a non administrator Kubernetes user, the service account is not created by default. In this case, you must create a new service account, role, and role binding before you install BMC Helix Service Management.

Before you begin

Download the following files:

To create a service account, role, and role binding

In the kek_serviceaccount.yaml file, update the following parameters:
1. Replace the <<ITSM NAMESPACE>> parameter with your BMC Helix Innovation Suite namespace name.
2. Make sure that you do not modify the service account name in the file.
  The service account name must be sa-cm-secrets-reader-writer.
In the kek_role.yaml file, update the following parameters:
1. Replace the <<ITSM NAMESPACE>> parameter with your BMC Helix Innovation Suite namespace name.
2. Make sure that you do not modify the role name in the file.
  The role name must be role-cm-secrets-reader-writer.
In the kek_rolebinding.yaml file, update the following parameters:
1. Replace the <<ITSM NAMESPACE>> parameter with your BMC Helix Innovation Suite namespace name.
2. Make sure that you do not modify the role binding name in the file.
  The role binding name must be role rb-cm-secrets-reader-writer.
In the sts-utility-sa.yml file, update the following parameters:
1. Replace the <<ITSM NAMESPACE>> parameter with your BMC Helix Innovation Suite namespace name.
2. Make sure that you do not modify the service account name in the file.
  The service account name must be sts-utility.
In the sts-utility-role.yml file, update the following parameters:
1. Replace the <<ITSM NAMESPACE>> parameter with your BMC Helix Innovation Suite namespace name.
2. Make sure that you do not modify the role name in the file.
  The role name must be sts-utility-role.
In the sts-utility-rolebinding.yml file, update the following parameters:
1. Replace the <<ITSM NAMESPACE>> parameter with your BMC Helix Innovation Suite namespace name.
2. Make sure that you do not modify the role binding name in the file.
  The role binding name must be role sts-utility-role-binding.
On the Deployment Engine that is your Jenkins server, run the following commands:
1. To create the service account, run the following command: kubectl create -f kek_serviceaccount.yaml
2. To create the role, run the following command: kubectl create -f kek_role.yaml
3. To create role binding, run the following command:
  kubectl create -f kek_rolebinding.yaml
4. To associate the service account with your StatefulSet, run the following command:
  kubectl create -f sts-utility-sa.yml
5. To associate the role with your StatefulSet, run the following command:
  kubectl create -f sts-utility-role.yml
6. To associate the role binding with your StatefulSet, run the following command:
  kubectl create -f sts-utility-rolebinding.yml
Confirm that the service account, role, and role binding are created by using the following commands:
kubectl get serviceaccount -n <BMC Helix Innovation Suite namespace>
kubectl get role -n <BMC Helix Innovation Suite namespace>
kubectl get rolebinding -n <BMC Helix Innovation Suite namespace>

Important

After you complete the BMC Helix Service Management installation, use the REST API endpoint to review and change the existing KEK with your key and make sure that you back up the KEK.

See Example of using the kek endpoint to bring in your own key encryption key (KEK) in BMC Helix Innovation Suite documentation.

Where to go from here

Performing-the-BMC-Helix-Service-Management-installation

Creating a service account to use a key encryption key

Before you begin

To create a service account, role, and role binding

Where to go from here

On this page