# Storing the instance credentials in Microsoft Azure Key Vault

The informer program running in the Kubernetes cluster connects to the ServiceNow instance using credentials provided by the user. By default, those credentials are stored as a Kubernetes secret. However, when the Kubernetes cluster is hosted on Azure Kubernetes Service (AKS), the credentials can instead be pulled from Azure Key Vault.

Azure Key Vault provides two types of vaults:

- Azure role-based access control (RBAC)
- Vault access policy

Users may select either option. Within the vault they should create two secrets, one named `user` and the other named `password`. More details on the vault setup process can be found in the Azure documentation:

- https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-driver
- https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-identity-access

[Figure: Example of a Key Vault using Vault Access Policy]

[Figure: Example of a Key Vault using Azure Role-Based Access Control (RBAC)]

## The Secrets

The vault should contain a secret named `user` and a secret named `password`. The values should correspond to a ServiceNow user with at least the `discovery_admin` role.

## Install the Informer using the Helm Chart

When installing the informer using the Helm chart, you need to provide the additional parameters using the `--set` option.

| Parameter Name | Value | Mandatory? |
| --- | --- | --- |
| `secretProvider` | `azure` | Yes |
| `azureVault.vaultName` | The vault name | Yes |
| `azureVault.vaultType` | `policy` or `rbac` | No. Default is `rbac` |
| `azureVault.tenantId` | The tenant ID in Azure | Yes |
| `azureVault.userAssignedIdentityId` | The client ID of the user-assigned identity | Yes |
| `cloudName` | The Azure environment | No. If empty, it defaults to `AzurePublicCloud` |

Example of installation using Vault Access Policy:

```
helm install -n service-now --set acceptEula=Y --set instance.name=myinstance \
  --set clusterName="my cluster" --set secretProvider=azure \
  --set azureVault.vaultName=talvault-policy \
  --set azureVault.tenantId=8bcff170-9979-491e-8683-01234567890a \
  --set azureVault.userAssignedIdentityId=77ef0203-94e6-4343-9b40-01234567890a \
  --set azureVault.vaultType=policy \
  k8s-informer https://install.service-now.com/glide/distribution/builds/package/informer/2.2.0/informer-helm-2.2.0.tgz
```

Example of installation using Azure RBAC:

```
helm install -n service-now --set acceptEula=Y --set instance.name=myinstance \
  --set clusterName="my cluster" --set secretProvider=azure \
  --set azureVault.vaultName=talvault-rbac1 \
  --set azureVault.tenantId=8bcff170-9979-491e-8683-01234567890a \
  --set azureVault.userAssignedIdentityId=77ef0203-94e6-4343-9b40-01234567890a \
  --set azureVault.vaultType=rbac \
  k8s-informer https://install.service-now.com/glide/distribution/builds/package/informer/2.2.0/informer-helm-2.2.0.tgz
```

## Install the Informer using the k8s_informer.yaml

### Azure RBAC Vault

1. Create a text file using the following content. Replace `INSTANCE_NAME`, `USER_ASSIGNED_IDENTITY_ID`, `VAULT_NAME` and `TENANT_ID`. If using the public cloud, remove the `cloudName` row.

```
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: k8s-informer-azure-INSTANCE_NAME
spec:
  provider: azure
  parameters:
    clientID: USER_ASSIGNED_IDENTITY_ID
    cloudName: CLOUD_NAME
    usePodIdentity: "false"
    keyvaultName: VAULT_NAME
    objects: |
      array:
        - |
          objectName: user
          objectType: secret
        - |
          objectName: password
          objectType: secret
    tenantId: TENANT_ID
```

   Run `kubectl apply -f <file name>` to deploy the file.

2. Add the annotation to the service account section in `k8s_informer.yaml`. Replace `USER_ASSIGNED_IDENTITY_ID`.

```
annotations:
  azure.workload.identity/client-id: USER_ASSIGNED_IDENTITY_ID
```

3. Add the label to the deployment section in `k8s_informer.yaml`.

```
labels:
  azure.workload.identity/use: "true"
```

4. In the deployment section in `k8s_informer.yaml`, replace this part:

```
secret:
  secretName: k8s-informer-cred-INSTANCE_NAME
```

   by this part:

```
csi:
  driver: secrets-store.csi.k8s.io
  readOnly: true
  volumeAttributes:
    secretProviderClass: k8s-informer-azure-INSTANCE_NAME
```

5. In the deployment section of `k8s_informer.yaml`, set the environment variable `SECRET_PROVIDER` to `azure`.

```
- name: SECRET_PROVIDER
  value: "azure"
```

### Policy-based Vault (Vault Access Policy)

1. Create a text file using the following content. Replace `INSTANCE_NAME`, `USER_ASSIGNED_IDENTITY_ID`, `VAULT_NAME` and `TENANT_ID`. If using the public cloud, remove the `cloudName` row.

```
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: k8s-informer-azure-INSTANCE_NAME
spec:
  provider: azure
  parameters:
    useVMManagedIdentity: "true"
    userAssignedIdentityID: USER_ASSIGNED_IDENTITY_ID
    cloudName: CLOUD_NAME
    usePodIdentity: "false"
    keyvaultName: VAULT_NAME
    objects: |
      array:
        - |
          objectName: user
          objectType: secret
        - |
          objectName: password
          objectType: secret
    tenantId: TENANT_ID
```

   Run `kubectl apply -f <file name>` to deploy the file.

2. In the deployment section in `k8s_informer.yaml`, replace this part:

```
secret:
  secretName: k8s-informer-cred-INSTANCE_NAME
```

   by this part:

```
csi:
  driver: secrets-store.csi.k8s.io
  readOnly: true
  volumeAttributes:
    secretProviderClass: k8s-informer-azure-INSTANCE_NAME
```

3. In the deployment section of `k8s_informer.yaml`, set the environment variable `SECRET_PROVIDER` to `azure`.

```
- name: SECRET_PROVIDER
  value: "azure"
```
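The two `k8s_informer.yaml` procedures above differ only in how the SecretProviderClass authenticates to the vault and in the volume swap on the Deployment. The following added example (not ServiceNow's code; the function names and placeholder values are assumptions) builds the correct SecretProviderClass for either vault type and rewrites the credential volume, so the edit can be scripted and checked instead of done by hand; `kubectl apply -f` accepts the JSON it prints.

```python
"""Added example (not ServiceNow's code): builds the SecretProviderClass from
the steps above for either vault type and converts the informer Deployment's
credential volume from the Kubernetes secret to the CSI secrets-store mount."""
import json

OBJECTS = ("array:\n"            # YAML document the Azure provider expects
           "  - |\n    objectName: user\n    objectType: secret\n"
           "  - |\n    objectName: password\n    objectType: secret\n")

def secret_provider_class(instance, vault_type, identity_id, vault_name,
                          tenant_id, cloud_name=None):
    """Return the SecretProviderClass manifest as a dict (dump as JSON/YAML)."""
    if vault_type not in ("rbac", "policy"):
        raise ValueError("vaultType must be 'rbac' or 'policy'")
    params = {}
    if vault_type == "rbac":
        # RBAC vault: workload identity; the pod also needs the
        # azure.workload.identity annotation and label from the steps above
        params["clientID"] = identity_id
    else:
        # Access-policy vault: the node's user-assigned managed identity
        params["useVMManagedIdentity"] = "true"
        params["userAssignedIdentityID"] = identity_id
    if cloud_name:  # leave the row out for AzurePublicCloud
        params["cloudName"] = cloud_name
    params.update({"usePodIdentity": "false", "keyvaultName": vault_name,
                   "objects": OBJECTS, "tenantId": tenant_id})
    return {"apiVersion": "secrets-store.csi.x-k8s.io/v1",
            "kind": "SecretProviderClass",
            "metadata": {"name": f"k8s-informer-azure-{instance}"},
            "spec": {"provider": "azure", "parameters": params}}

def to_csi_volume(volume, instance):
    """Swap the 'secret:' credential volume for the read-only CSI mount."""
    expected = f"k8s-informer-cred-{instance}"
    if volume.get("secret", {}).get("secretName") != expected:
        raise ValueError("not the informer credential volume")
    out = {k: v for k, v in volume.items() if k != "secret"}
    out["csi"] = {"driver": "secrets-store.csi.k8s.io", "readOnly": True,
                  "volumeAttributes": {
                      "secretProviderClass": f"k8s-informer-azure-{instance}"}}
    return out

if __name__ == "__main__":
    # Placeholder values as on the page; substitute your own before applying
    print(json.dumps(secret_provider_class("INSTANCE_NAME", "policy",
          "USER_ASSIGNED_IDENTITY_ID", "VAULT_NAME", "TENANT_ID"), indent=2))
```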