Storing credentials in Google Cloud Secret Manager - Support and Troubleshooting

Storing credentials in Google Cloud Secret Manager Storing Credentials in Google Cloud Secret Manager The informer program running in the Kubernetes cluster connects to the ServiceNow instance using credentials provided by the user. By default, those credentials are stored as a Kubernetes secret. However, when the Kubernetes cluster is hosted on Google Kubernetes Engine (GKE) , it is possible to pull the credentials from Google Secret Manager .

Adding Credentials to Google Cloud Secret Manager At minimum you need to add a secret that holds the ServiceNow instance username and a secret that holds the password. Other optional secrets are:

If OAuth2.0 is used, create secrets that hold the “client ID” and the “Client Secret” If proxy authentication is used create secrets that hold the proxy user and the proxy password.

Example:

Connecting your GKE Cluster to the Secrets For detailed information on how to configure your cluster see Google’s documentation .

Once your cluster is configured and ready to connect to the secrets run this command per each secret:

gcloud secrets add-iam-policy-binding SECRET_NAME \

--role=roles/secretmanager.secretAccessor \

--member=principal://iam.googleapis.com/projects/ PROJECT_NUMBER /locations/global/workloadIdentityPools/ PROJECT_ID .svc.id.goog/subject/ns/ NAMESPACE /sa/ SERVICE_ACCOUNT_NAME

Important note: If the namespace and service account are created by "Kubernetes Visibility Agent" and do not exist yet, run first the "Kubernetes Visibility Agent" installation (though the pod will not be able to run initially)

The PROJECT_NUMBER is the project numerical value (e.g. 617327982084). The PROJECT_ID is the textual ID (e.g. deductive-reach-207607).

You can find the PROJECT_ID and PROJECT_NUMBER if you will select the “Cloud Overview/Dashboard” in your GCP console:

If you are using the Helm chart, the SERVICE_ACCOUNT_NAME is by default servicenow- . If you access your instance using https://my_instance.service-now.com then the service account would be servicenow-my_instance.

If you are using k8s_informer.yaml, the SERVICE_ACCOUNT_NAME Is by default servicenow .

Customers who choose to install the "Kubernetes Visibility Agent" deployment (a.k.a. informer) using another service account should use here that service account name.

You need to repeat this command per each of the secrets.

Installing the Informer Using Helm Chart When installing the informer using Helm install command, you need to provide the additional parameters using the --set option.

Parameter Name

Value

Mandatory?

secretProvider

google

Yes

googleSecrets.projectId

The project ID. Example: deductive-reach-207607

Yes

googleSecrets.userSecret

The name of the secret holding the instance username

Yes

googleSecrets.userSecretVersion

The version of the secret

No. Default is “1”

googleSecrets.passwordSecret

The name of secret holding the instance password

Yes

googleSecrets.passwordSecretVersion

The version of the secret

No. Default is “1”

googleSecrets.gkeSecretProvider

The name of the secret provider

No. The default is secrets-store-gke.csi.k8s.io

OAuth Parameters

googleSecrets.oauthClientIdSecret

The name of secret holding the OAuth client ID

No. Only when OAuth is used

googleSecrets.oauthClientIdVersion

The version of the secret

No. Default is “1”

googleSecrets.oauthClientSecret

The name if secret holding the OAuth client secret

No. Only when OAuth is used

googleSecrets.oauthClientSecretVersion

The version of the secret

No. Default is “1”

Proxy Authentication Parameters

googleSecrets.proxyUserSecret

The name of the secret holding the proxy user secret

No. Only when proxy authentication is used

googleSecrets.proxyUserSecretVersion

The version of the secret

No. Default is “1”

googleSecrets.proxyPasswordSecret

The name of the secret holding the proxy password

No. Only when proxy authentication is used

googleSecrets.proxyPasswordSecretVersion

The version of the secret

No. Default is “1”

Installing the Informer Using k8s_informer.yaml Create a text file using the following content. Replace NAMESPACE, INSTANCE_NAME, USER_SECRET, USER_SECRET_VERSION, PASSWORD_SECRET, PASSWORD_SECRET_VERSION

If OAuth is used, replace OAUTH_CLIENT_ID_SECRET, OAUTH_CLIENT_ID_VERSION, OAUTH_CLIENT_SECRET, OAUTH_CLIENT_SECRET_VERSION. Otherwise, remove the lines containing these place holders.

If proxy authentication is used, replace PROXY_USER_SECRET, PROXY_USER_SECRET_VERSION, PROXY_PASSWORD_SECRET, PROXY_PASSWORD_SECRET_VERSION. Otherwise, remove the lines containing these place holders.

apiVersion : secrets-store.csi.x-k8s.io/v1

kind : SecretProviderClass

metadata :

name : k8s-informer-google-INSTANCE_NAME

name : NAMESPACE

spec :

provider : gke

parameters :

secrets : |

- resourceName: "projects/PROJECT_ID/secrets/USER_SECRET/versions/USER_SECRET_VERSION"

path: ".user"

- resourceName: "projects/PROJECT_ID/secrets/PASSWORD_SECRET/versions/PASSWORD_SECRET_VERSION"

path: ".password"

- resourceName: "projects/PROJECT_ID/secrets/OAUTH_CLIENT_ID_SECRET/versions/OAUTH_CLIENT_ID_VERSION"

path: ".client_id"

- resourceName: "projects/PROJECT_ID/secrets/OAUTH_CLIENT_SECRET/versions/OAUTH_CLIENT_SECRET"

path: ".client_secret"

- resourceName: "projects/PROJECT_ID/secrets/PROXY_USER_SECRET/versions/PROXY_USER_SECRET_VERSION"

path: ".proxyUser"

- resourceName: "projects/PROJECT_ID/secrets/PROXY_PASSWORD_SECRET/versions/PROXY_PASSWORD_SECRET_VERSION"

path: ".proxyPassword"

Run kubectl apply -f to deploy the file.

In the deployment section in k8s_informer.yaml replace this part:

secret :

secretName : k8s-informer-cred-INSTANCE_NAME

By this part:

csi :

driver : secrets-store-gke.csi.k8s.io

readOnly : true

volumeAttributes :

secretProviderClass : k8s-informer-google-INSTANCE_NAME

In the deployment section of k8s_informer.yaml set the environment variable SECRET_PROVIDER to google.

- name : SECRET_PROVIDER

value : "google"

Then continue to replace the place holders as described in the documentation and apply the file.