Skip to Content

Creating a service account to use a key encryption key

You can encrypt data and retain control and management of the encryption by using a key encryption key (KEK)

The deployment pipelines creates a new service account to enable the key encryption key in your BMC Helix Service Management environment.

If you want to run the deployment pipelines by using a non administrator Kubernetes user, the service account is not created by default. In this case, you must create a new service account, role, and role binding before you install BMC Helix Service Management.

Related topic

Example of using the kek endpoint to bring in your own key encryption key (KEK) in BMC Helix Innovation Suite documentation

Before you begin

Download the following files:

To create a service account, role, and role binding

  1. In the kek_serviceaccount.yaml file, update the following parameters:
    1. Replace the <<ITSM NAMESPACE>> parameter with your BMC Helix Innovation Suite namespace name.
    2. Make sure that you do not modify the service account name in the file.
      The service account name must be sa-cm-secrets-reader-writer.
  2. In the kek_role.yaml file, update the following parameters:
    1. Replace the <<ITSM NAMESPACE>> parameter with your BMC Helix Innovation Suite namespace name.
    2. Make sure that you do not modify the role name in the file.
      The role name must be role-cm-secrets-reader-writer.
  3. In the kek_rolebinding.yaml file, update the following parameters:
    1. Replace the <<ITSM NAMESPACE>> parameter with your BMC Helix Innovation Suite namespace name.
    2. Make sure that you do not modify the role binding name in the file.
      The role binding name must be role rb-cm-secrets-reader-writer.
  4. In the sts-utility-sa.yml file, update the following parameters:
    1. Replace the <<ITSM NAMESPACE>> parameter with your BMC Helix Innovation Suite namespace name.
    2. Make sure that you do not modify the service account name in the file.
      The service account name must be sts-utility.
  5. In the sts-utility-role.yml file, update the following parameters:
    1. Replace the <<ITSM NAMESPACE>> parameter with your BMC Helix Innovation Suite namespace name.
    2. Make sure that you do not modify the role name in the file.
      The role name must be sts-utility-role.
  6. In the sts-utility-rolebinding.yml file, update the following parameters:
    1. Replace the <<ITSM NAMESPACE>> parameter with your BMC Helix Innovation Suite namespace name.
    2. Make sure that you do not modify the role binding name in the file.
      The role binding name must be role sts-utility-role-binding.
  7. On the Deployment Engine that is your Jenkins server, run the following commands:
    1. To create the service account, run the following command:  kubectl create -f kek_serviceaccount.yaml
    2. To create the role, run the following command:  kubectl create -f kek_role.yaml

    3. To create role binding, run the following command:

      kubectl create -f kek_rolebinding.yaml

    4. To associate the service account with your StatefulSet, run the following command:

      kubectl create -f sts-utility-sa.yml

    5. To associate the role with your StatefulSet, run the following command:

      kubectl create -f sts-utility-role.yml 

    6. To associate the role binding with your StatefulSet, run the following command:

      kubectl create -f sts-utility-rolebinding.yml 

  8. Confirm that the service account, role, and role binding are created by using the following commands:

    kubectl get serviceaccount -n <BMC Helix Innovation Suite namespace>
    kubectl get role -n <BMC Helix Innovation Suite namespace>
    kubectl get rolebinding -n <BMC Helix Innovation Suite namespace>
Warning
Important

After you complete the BMC Helix Service Management installation, use the REST API endpoint to review and change the existing KEK with your key and make sure that you back up the KEK. 

See Example of using the kek endpoint to bring in your own key encryption key (KEK) in BMC Helix Innovation Suite documentation.

To create a service account for multiple domain support

To configure BMC Helix Single Sign-On multiple domain configuration to host Service Management applications and the BMC Helix Platform on separate domains, create the service account, role, and role binding. Create the service account, role, and role binding only if the user installing BMC Helix Service Management lacks permission to create them. Use the sa-is-common.yml, role-is-common.yml, and rolebinding-is-common.yml files for this setup.

  1. In the sa-is-common.yml, role-is-common.yml, and rolebinding-is-common.yml files, replace the <<ITSM NAMESPACE>> parameter with your BMC Helix Innovation Suite namespace name.
    Make sure that you do not modify the service account, role, and role binding names in the files.
  2. On the Deployment Engine that is your Jenkins server, run the following commands to create the service account, role, and role binding:
    kubectl create -f sa-is-common.yml
    kubectl create -f role-is-common.yml
    kubectl create -f rolebinding-is-common.yml

  3. Confirm that the service account, role, and role binding are created by using the following commands:

    kubectl get serviceaccount -n <BMC Helix Innovation Suite namespace>
    kubectl get role -n <BMC Helix Innovation Suite namespace>
    kubectl get rolebinding -n <BMC Helix Innovation Suite namespace>

Where to go from here

Performing the BMC Helix Service Management installation

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*

BMC Helix Service Management Deployment 25.4.01