Certificate generation through Cert-Manager Integration

  • Release version: Washingtondc
  • Updated February 1, 2024

    Request a certificate through Kubernetes cert-manager using the ServiceNow External Issuer (sn-external-issuer) and save the certificate and its related information securely within the Kubernetes cluster as a secret. In Kubernetes, a secret is an object that allows you to store and manage sensitive information, such as passwords, API keys, and certificates.

    Deployment Requirements

    • Deploy cert-manager in your Kubernetes environment. Update manager.yaml with Instance URL, Certificate Owner Group, Certificate Owner, Environment, and Renewal Tracking.
    • Deploy the ServiceNow External Issuer (sn-external-issuer) in your Kubernetes environment. Create a Kubernetes secret clusterissuer-servicenow-credentials with the instance username and password, ensuring the user has the necessary roles to request a certificate.

    ServiceNow External Issuer (sn-external-issuer)

    • External issuers expand cert-manager functionality to issue certificates through non-core APIs and services.
    • The ServiceNow External Issuer is a ServiceNow-specific implementation of an External Issuer.
    • When a new certificate task is created, its Certificate Request UID and Certificate Task Sys Id are stored in the local JSON cache and the Certificate Request UID to Task Map table on the instance.
    • The ServiceNow External Issuer polls the instance to monitor the status of the certificate task.
    • If the certificate task is in the Work in progress state, its Certificate Request UID and Certificate Task Sys Id are added to the External Issuer UID Map table on the instance and the local JSON cache. During this time, cert-manager automatically attempts to request the certificate.
    • Upon receiving a certificate request, cert-manager checks for a matching task in the local JSON cache. If found, it polls the same task; otherwise, it queries the instance for records from the External Issuer UID Map table and populates the local JSON cache.
    • Once the task is marked as complete and the certificate is generated, the ServiceNow External Issuer sends another request to the instance, downloads the certificate attachment, and updates the certificate resource and corresponding secret in Kubernetes.
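To make the polling and caching sequence in the list above concrete, here is an added Python simulation of one reconcile pass. It is illustrative code written for this page, not the issuer's own implementation: it collapses the two instance-side tables into a single in-memory map, and the `FakeInstance` client, the task state strings and the sample UIDs are all assumptions.

```python
import json
from dataclasses import dataclass, field


# Constructed stand-in for the ServiceNow instance. The real issuer talks to
# two tables (Certificate Request UID to Task Map, External Issuer UID Map);
# this simulation keeps one map, which is enough to show the cache logic.
@dataclass
class FakeInstance:
    uid_map: dict = field(default_factory=dict)      # Certificate Request UID -> Task Sys Id
    tasks: dict = field(default_factory=dict)        # Task Sys Id -> task state (assumed strings)
    attachments: dict = field(default_factory=dict)  # Task Sys Id -> certificate attachment (PEM bytes)

    def lookup_task(self, request_uid):
        return self.uid_map.get(request_uid)

    def task_state(self, sys_id):
        return self.tasks[sys_id]

    def download_attachment(self, sys_id):
        return self.attachments[sys_id]


class LocalJsonCache:
    """Local JSON cache: Certificate Request UID -> Certificate Task Sys Id."""

    def __init__(self, text="{}"):
        self.entries = json.loads(text)

    def dump(self):
        # Serialised form the issuer would write back to disk.
        return json.dumps(self.entries, sort_keys=True)


def reconcile(request_uid, cache, instance):
    """One polling pass for a certificate request.

    Returns ("pending", task_sys_id) while the task is still open,
    ("ready", pem_bytes) once the certificate attachment has been downloaded,
    or ("unknown", None) if neither the cache nor the instance knows the UID.
    """
    sys_id = cache.entries.get(request_uid)
    if sys_id is None:
        # Cache miss: ask the instance's UID map table, then populate the cache
        # so later passes poll the same task instead of querying again.
        sys_id = instance.lookup_task(request_uid)
        if sys_id is None:
            return ("unknown", None)
        cache.entries[request_uid] = sys_id
    state = instance.task_state(sys_id)
    if state == "Complete":
        pem = instance.download_attachment(sys_id)
        # The real issuer would now update the Certificate resource and its Secret.
        return ("ready", pem)
    # "Work in progress" (or any other open state): keep polling this task.
    return ("pending", sys_id)


# Constructed sample data: one task still open, one completed with an attachment.
SAMPLE_INSTANCE = FakeInstance(
    uid_map={"req-0001": "task-aaa", "req-0002": "task-bbb"},
    tasks={"task-aaa": "Work in progress", "task-bbb": "Complete"},
    attachments={"task-bbb": b"-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n"},
)


def run_demo():
    """Drive three passes against the sample instance and return what each produced."""
    cache = LocalJsonCache()
    first = reconcile("req-0002", cache, SAMPLE_INSTANCE)   # miss -> instance lookup -> Complete
    second = reconcile("req-0001", cache, SAMPLE_INSTANCE)  # miss -> instance lookup -> still open
    third = reconcile("req-0001", cache, SAMPLE_INSTANCE)   # hit -> same task polled again
    return first, second, third, cache.dump()


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

The third pass is the point of the cache: once a UID is known locally, the issuer keeps polling the same Task Sys Id rather than hitting the instance's map table on every reconcile.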

    Deploying the ServiceNow External Issuer in Kubernetes

    Deploying the ServiceNow External Issuer in Kubernetes involves the following steps:
    1. From the ServiceNow instance download page, obtain the Helm Chart or YAML zip package.
    2. Customize the manager.yaml or values.yaml files as needed for your specific use case. These files may include essential information such as the Instance URL and Certificate Owner Group.
    3. Create a Kubernetes secret named clusterissuer-servicenow-credentials with the instance username and password.
      Example command:
        kubectl create secret generic clusterissuer-servicenow-credentials \
          --from-literal=user=<user_name> --from-literal=password=<password> -n system
      • Ensure that the user has the necessary roles to request certificates.
    4. Execute the following commands for deployment.
      kubectl create ns system
      kubectl apply -f crd
      kubectl apply -f rbac
      kubectl apply -f issuers
      kubectl apply -f manager/manager.yaml
    5. (Optional) Customize any additional configurations in the files to suit your specific requirements.
    6. Ensure that the deployment is successful and the ServiceNow External Issuer is up and running.
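The `--from-literal` form in step 3 puts the instance password on the command line, where it can land in shell history and be read from the process list by other users on the host. The helper below is an added Python example written for this page, not part of the ServiceNow package: it renders the same Secret manifest from environment variables so it can be piped into `kubectl apply -f -`, and it checks the applied secret afterwards. The `SN_USER` and `SN_PASSWORD` variable names and the sample `kubectl get secret -o json` output are assumptions; note that the `system` namespace must exist before a secret can be applied there.

```python
import base64
import json
import os

SECRET_NAME = "clusterissuer-servicenow-credentials"
NAMESPACE = "system"  # namespace used by the deployment commands on this page


def b64(value: str) -> str:
    return base64.b64encode(value.encode()).decode()


def render_credentials_secret(user: str, password: str, namespace: str = NAMESPACE) -> str:
    """Return the Secret manifest as YAML text (plain formatting, no PyYAML needed)."""
    if not user or not password:
        raise ValueError("user and password must both be non-empty")
    return (
        "apiVersion: v1\n"
        "kind: Secret\n"
        "metadata:\n"
        f"  name: {SECRET_NAME}\n"
        f"  namespace: {namespace}\n"
        "type: Opaque\n"
        "data:\n"
        f"  user: {b64(user)}\n"
        f"  password: {b64(password)}\n"
    )


def render_from_env() -> str:
    """Read SN_USER / SN_PASSWORD (assumed variable names) and render the manifest.
    Usage: python3 this_file.py | kubectl apply -f -   (run kubectl create ns system first)"""
    return render_credentials_secret(os.environ["SN_USER"], os.environ["SN_PASSWORD"])


def check_applied_secret(kubectl_json: str) -> dict:
    """Validate the output of
    kubectl get secret clusterissuer-servicenow-credentials -n system -o json
    and return {"ok": bool, "user": decoded user or None, "problems": [...]}.
    The password is decoded only to confirm it is present; it is never returned."""
    obj = json.loads(kubectl_json)
    meta = obj.get("metadata", {})
    data = obj.get("data", {})
    problems = []
    if meta.get("name") != SECRET_NAME:
        problems.append(f"unexpected secret name {meta.get('name')!r}")
    if meta.get("namespace") != NAMESPACE:
        problems.append(f"secret is in namespace {meta.get('namespace')!r}, expected {NAMESPACE!r}")
    decoded = {}
    for key in ("user", "password"):
        try:
            # binascii.Error and UnicodeDecodeError are both ValueError subclasses.
            decoded[key] = base64.b64decode(data[key], validate=True).decode()
        except (KeyError, ValueError):
            problems.append(f"data.{key} missing or not valid base64")
            continue
        if not decoded[key]:
            problems.append(f"data.{key} is empty")
    return {"ok": not problems, "user": decoded.get("user"), "problems": problems}


# Constructed sample of what kubectl would return for a correctly created secret.
SAMPLE_KUBECTL_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": SECRET_NAME, "namespace": NAMESPACE},
    "type": "Opaque",
    "data": {"user": b64("svc_cert"), "password": b64("example-only")},
})

if __name__ == "__main__":
    print(render_from_env())
```

The check deliberately reports only the user name; a deployment health check can log that safely, while the password stays inside the cluster.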

    Request new certificate flow

    After deployment, submit a certificate resource with the following information in a file named certificate_clusterissuer.yaml.

    • issuerRef.name : clusterissuer-servicenow
    • issuer : issuer-servicenow
    • issuerRef.kind : ClusterIssuer
    • issuerRef.group : servicenow-issuer.servicenow.com

    Here's a sample Certificate Resource:

    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: certificate-by-clusterissuer
    spec:
      commonName: certificate-by-clusterissuer.servicenow.com
      secretName: certificate-by-clusterissuer
      dnsNames:
        - servicenow.com
        - foo.servicenow.com
      issuerRef:
        name: clusterissuer-servicenow
        group: servicenow-issuer.servicenow.com
        kind: ClusterIssuer

    Apply the certificate resource using kubectl apply -f certificate_clusterissuer.yaml.
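Before applying the resource, it is worth checking it against the issuerRef values this page prescribes and against the name rule TLS clients actually enforce: they match the server name against dnsNames (the Subject Alternative Names) and do not accept commonName on its own. The following is an added Python check written for this page, not cert-manager or issuer code; it takes the manifest as a dict so no YAML library is needed, and `SAMPLE_CERTIFICATE` reproduces the Certificate resource above. Run against that sample it reports that the commonName is not listed in dnsNames, and `with_common_name_in_sans` shows the corrected form.

```python
import copy

# issuerRef values prescribed on this page for the ServiceNow ClusterIssuer.
EXPECTED_ISSUER_REF = {
    "name": "clusterissuer-servicenow",
    "group": "servicenow-issuer.servicenow.com",
    "kind": "ClusterIssuer",
}

# The page's sample Certificate resource, as a dict.
SAMPLE_CERTIFICATE = {
    "apiVersion": "cert-manager.io/v1",
    "kind": "Certificate",
    "metadata": {"name": "certificate-by-clusterissuer"},
    "spec": {
        "commonName": "certificate-by-clusterissuer.servicenow.com",
        "secretName": "certificate-by-clusterissuer",
        "dnsNames": ["servicenow.com", "foo.servicenow.com"],
        "issuerRef": dict(EXPECTED_ISSUER_REF),
    },
}


def lint_certificate(manifest: dict) -> list:
    """Return a list of findings; an empty list means the resource passed every check."""
    findings = []
    if manifest.get("apiVersion") != "cert-manager.io/v1" or manifest.get("kind") != "Certificate":
        findings.append("expected apiVersion cert-manager.io/v1 and kind Certificate")
    spec = manifest.get("spec") or {}
    ref = spec.get("issuerRef") or {}
    for key, expected in EXPECTED_ISSUER_REF.items():
        if ref.get(key) != expected:
            findings.append(f"issuerRef.{key} should be {expected!r}, got {ref.get(key)!r}")
    if not spec.get("secretName"):
        findings.append("spec.secretName is required: it names the Secret that receives the key and certificate")
    dns_names = spec.get("dnsNames") or []
    common_name = spec.get("commonName")
    if not dns_names and not common_name:
        findings.append("set at least one of dnsNames or commonName")
    if common_name and common_name not in dns_names:
        findings.append(
            f"commonName {common_name!r} is not in dnsNames; clients match against the SAN list, so add it there"
        )
    return findings


def with_common_name_in_sans(manifest: dict) -> dict:
    """Return a copy of the manifest with commonName appended to dnsNames when it is missing."""
    fixed = copy.deepcopy(manifest)
    spec = fixed.setdefault("spec", {})
    dns_names = spec.setdefault("dnsNames", [])
    if spec.get("commonName") and spec["commonName"] not in dns_names:
        dns_names.append(spec["commonName"])
    return fixed


if __name__ == "__main__":
    for finding in lint_certificate(SAMPLE_CERTIFICATE):
        print("finding:", finding)
    print("after fix:", lint_certificate(with_common_name_in_sans(SAMPLE_CERTIFICATE)))
```

The issuerRef checks catch the most common cause of a request that never leaves the Pending state: a `kind: Issuer` or a mistyped group means cert-manager hands the request to a different issuer, or to none at all, rather than to the ServiceNow ClusterIssuer.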