This brief shows how to jumpstart a kyma environment from a default SAP BTP trial subaccount (see SAP Help), and what to do in the aftermath of it.
Good to know:
- with a default SAP BTP trial subaccount all the required services and subscriptions are already entitled
```
btp target
Current target:
ec7cc50etrial (global account, subdomain: ec7cc50etrial-ga)
Choose subaccount or directory:
[..] Switch Global Accounts
[.] ec7cc50etrial (global account)
[1] ├─ quovadis-ap (subaccount)
[2] ├─ quovadis-us (subaccount)
[3] └─ trial (subaccount)
Choose, or hit ENTER to stay in 'ec7cc50etrial' [.]> 3
Now targeting:
ec7cc50etrial (global account, subdomain: ec7cc50etrial-ga)
```
The blog post Configure Custom SAP IAS tenant with SAP BTP Kyma runtime environment (SAP Blogs) nicely details all the kymaruntime provisioning steps.
This time, however, let's focus on the "aftermath":
- How do I get access to a kyma dashboard?
- How do I generate an sa-based (service account based) kubeconfig for pipeline automation?
- How do I deploy my applications to a cluster with CI/CD tools, for instance with ArgoCD?
- How do I dispose of the environment when it is no longer required?
Let's start with configuring an SAP Custom Identity Provider for use with a kyma cluster.
An OIDC provider is required to grant named kyma users access to the kyma cluster API server.
This step is optional: otherwise the kyma environment provisioner assigns all nominated kyma cluster-admin users to an SAP-managed OIDC provider (see SAP Help).
Customers may, however, prefer to use their own custom identity provider (see SAP Help).
This option gives customers and partners full control over the kyma cluster OIDC users.
Moreover, it supports federation with corporate IdPs (see SAP Help).
Each custom SAP Cloud Identity tenant subscription has a global account scope. Thus, a given Custom SAP Cloud Identity tenant can be used across multiple subaccounts.
Good to know:
- This step is optional if the list of available IdPs is not empty.
- The SAP Cloud Identity tenant onboarding email is sent to the email address of the SAP BTP trial global account.
```
btp subscribe accounts/subaccount --to-app sap-identity-services-onboarding --plan default
{
"jobId": "<jobId>"
}
```
The IdP tenant subscription is asynchronous.
Next step is to retrieve the list of the custom SAP Cloud Identity tenants available for a given customer id in the context of a global account.
The btp CLI offers the security/available-idp set of commands to deal with the account IdPs.
The below idp list should have at least one entry, for instance:
```
btp list security/available-idp
[
{
"tenantType": "enterprise",
"costCenterId": null,
"displayName": null,
"commonHost": "<tenantId>.trial-accounts.cloud.sap",
"dataCenterId": "TRIAL1",
"host": "<tenantId>.trial-accounts.ondemand.com",
"customerId": null,
"tenantId": "<tenantId>",
"description": "Cloud Foundry Trial subscription",
"customHost": null,
"customerName": null,
"status": "ACTIVE"
}
]
```
That's the equivalent of using the Establish Trust button from the subaccount UI, for instance:
Let's list the existing IdP trusts, just to double-check that the IdP has not been trusted yet.
The security/trust list is never empty, as each subaccount always has at a minimum the default SAP ID OIDC trust, for instance:
```
btp list security/trust
[
{
"name": "sap.default",
"originKey": "sap.default",
"typeOfTrust": "Application",
"status": "active",
"description": null,
"identityProvider": null,
"domain": null,
"linkTextForUserLogon": "Default Identity Provider",
"availableForUserLogon": "true",
"createShadowUsersDuringLogon": "false",
"sapBtpCli": null,
"protocol": "OpenID Connect",
"readOnly": false
}
]
```
After this verification (which may be optional with a trial subaccount), let's establish a new trust, using the [0].host field of the available-idp list as follows:
```
btp create security/trust --idp <tenantId>.trial-accounts.ondemand.com --name <custom name>
```
The good news is that both creation and configuration of custom oidc service provider applications can be fully automated.
Let's see how.
The SAP Cloud Identity subscription has a sibling BTP service plan to help automate the creation and configuration of OIDC service providers applications.
Let's create the ias-local service instance and the ias-local-binding service binding, as follows:
```
btp create services/instance --offering-name identity --plan-name application --name ias-local --parameters quovadis-ias-master.json
{
"id": "<id>",
"command": "btp get services/instance <instance> --subaccount <subaccount>",
"description": "Use the command above with the provided values (instance ID and subaccount ID respectively) to check the status of the create instance operation you initiated."
}
```
```
btp create services/binding --name ias-local-binding --instance-name ias-local --parameters quovadis-ias-binding.json
{
"id": "<id>",
"command": "btp get services/binding <binding> --subaccount <subaccount>",
"description": "Use the command above with the provided values (binding ID and subaccount ID respectively) to check the status of the create binding operation you initiated."
}
```
```
btp get services/binding --name ias-local-binding
{
"credentials": {
"app_tid": "<app_tid>",
"authorization_endpoint": "https://<tenantId>.trial-accounts.ondemand.com/oauth2/authorize",
"btp-tenant-api": "https://api.authentication.us10.hana.ondemand.com",
"clientid": "<clientid>",
"credential-type": "NONE",
"domain": "accounts.ondemand.com",
"domains": [
"accounts.ondemand.com",
"accounts.cloud.sap",
"trial-accounts.ondemand.com"
],
"end_session_endpoint": "https://<tenantId>.trial-accounts.ondemand.com/oauth2/logout",
"url": "https://<tenantId>.trial-accounts.ondemand.com",
"zone_uuid": "<zone_uuid>"
}
}
```
From this binding we need to extract two parameters:
- credentials.clientid as clientID
- credentials.url as issuerURL
These two values will be used in the kyma runtime environment OIDC parameters.
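The extraction above can be scripted. The following is an added example, not code from the original page or from SAP: it parses the JSON shapes shown above for `btp list security/available-idp` and `btp get services/binding --name ias-local-binding` (the two payloads embedded here are constructed samples with placeholder ids), picks the `[0].host` value used for `btp create security/trust`, checks that the binding's `url` is an https issuer on that same trusted tenant host, and assembles the `parameters` object that the page later passes as kyma-config.json (the OIDC claim settings are copied from the page unchanged).

```python
"""Build the Kyma environment OIDC parameters from btp CLI JSON output."""
import json
from urllib.parse import urlparse

# Constructed sample: output of `btp list security/available-idp` (placeholder tenant id).
AVAILABLE_IDP_JSON = """[
  {"tenantType": "enterprise", "costCenterId": null, "displayName": null,
   "commonHost": "abcd1234.trial-accounts.cloud.sap", "dataCenterId": "TRIAL1",
   "host": "abcd1234.trial-accounts.ondemand.com", "customerId": null,
   "tenantId": "abcd1234", "description": "Cloud Foundry Trial subscription",
   "customHost": null, "customerName": null, "status": "ACTIVE"}
]"""

# Constructed sample: output of `btp get services/binding --name ias-local-binding`.
BINDING_JSON = """{
  "credentials": {
    "app_tid": "00000000-0000-0000-0000-000000000001",
    "authorization_endpoint": "https://abcd1234.trial-accounts.ondemand.com/oauth2/authorize",
    "clientid": "11111111-2222-3333-4444-555555555555",
    "credential-type": "NONE",
    "domain": "accounts.ondemand.com",
    "domains": ["accounts.ondemand.com", "accounts.cloud.sap", "trial-accounts.ondemand.com"],
    "end_session_endpoint": "https://abcd1234.trial-accounts.ondemand.com/oauth2/logout",
    "url": "https://abcd1234.trial-accounts.ondemand.com",
    "zone_uuid": "66666666-7777-8888-9999-000000000000"
  }
}"""


def pick_idp_host(available_idp_json: str) -> str:
    """Return the `host` of the first ACTIVE tenant (the page's `[0].host`),
    which is the value for `btp create security/trust --idp <host>`."""
    idps = json.loads(available_idp_json)
    active = [i for i in idps if i.get("status") == "ACTIVE" and i.get("host")]
    if not active:
        raise ValueError("no ACTIVE SAP Cloud Identity tenant available; subscribe first")
    return active[0]["host"]


def extract_oidc(binding_json: str, trusted_host: str) -> dict:
    """Pull clientID and issuerURL out of the binding credentials and verify that
    the issuer is https and is exactly the tenant host the subaccount trusts."""
    creds = json.loads(binding_json)["credentials"]
    issuer = creds["url"]
    parsed = urlparse(issuer)
    if parsed.scheme != "https":
        raise ValueError(f"issuerURL must be https, got {issuer!r}")
    if parsed.hostname != trusted_host:
        raise ValueError(f"issuer host {parsed.hostname!r} is not the trusted IdP host {trusted_host!r}")
    # The binding lists the domains the tenant answers on; the issuer must be under one of them.
    if not any(parsed.hostname.endswith("." + d) for d in creds.get("domains", [])):
        raise ValueError("issuer host is not under any of the binding's domains")
    return {"clientID": creds["clientid"], "issuerURL": issuer}


def build_kyma_parameters(name: str, administrators: list, oidc: dict) -> dict:
    """Assemble the `parameters` object the page passes as kyma-config.json.
    Claim settings (groups / sub / RS256 / prefix "-") are the page's values."""
    return {
        "name": name,
        "administrators": list(administrators),
        "oidc": {
            "clientID": oidc["clientID"],
            "groupsClaim": "groups",
            "issuerURL": oidc["issuerURL"],
            "signingAlgs": ["RS256"],
            "usernameClaim": "sub",
            "usernamePrefix": "-",
        },
    }


if __name__ == "__main__":
    host = pick_idp_host(AVAILABLE_IDP_JSON)
    params = build_kyma_parameters(
        "quovadis-trial", ["cluster-admin1@acme.com"], extract_oidc(BINDING_JSON, host))
    print(json.dumps(params, indent=2))  # write this to kyma-config.json
```

Feed the script the real CLI output instead of the embedded samples and redirect the printed object to kyma-config.json. The host check matters because the kyma API server will accept tokens from whatever issuerURL lands in this file; tying it to the tenant you just established trust with keeps the two configurations from drifting apart.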
Provision the kymaruntime service (environment) with either the SAP BTP CLI or the SAP Provisioning service (cis-local) REST APIs.
The BTP CLI offers a number of commands dedicated to runtime environments, namely:
- btp list accounts/environment-instance
- btp create accounts/environment-instance --display-name quovadis --environment kyma --service kymaruntime --plan trial --parameters config.json
- btp get accounts/environment-instance
- btp update accounts/environment-instance
- btp delete accounts/environment-instance
```
btp create accounts/environment-instance --display-name quovadis-trial --environment kyma --service kymaruntime --plan trial --parameters kyma-config.json
{
"id": "<kyma environment id>",
"name": "quovadis-trial",
"brokerId": "<brokerId>",
"globalAccountGUID": "<globalAccountGUID>",
"subaccountGUID": "<subaccountGUID>",
"tenantId": "<tenantId>",
"serviceId": "<kymaruntime serviceId>",
"planId": "<kymaruntime planId>",
"dashboardUrl": "https:\/\/dashboard.kyma.cloud.sap\/?kubeconfigID=69B01810-0425-4F8A-BF42-A4BEA69ED1A7",
"operation": "<operation>",
"parameters": "{\"modules\":{\"list\":[{\"name\":\"api-gateway\",\"channel\":\"regular\"},{\"name\":\"istio\",\"channel\":\"regular\"},{\"name\":\"btp-operator\",\"channel\":\"regular\"},{\"name\":\"serverless\",\"channel\":\"regular\"},{\"name\":\"connectivity-proxy\",\"channel\":\"regular\"}]},\"administrators\":[\"cluster-admin1@acme.com\",\"cluster-admin2@acme.com\",\"cluster-adminN@acme.com\"],\"oidc\":{\"clientID\":\"<clientID>\",\"groupsClaim\":\"groups\",\"issuerURL\":\"https:\/\/<idp-tenantId>.trial-accounts.ondemand.com\",\"signingAlgs\":[\"RS256\"],\"usernameClaim\":\"sub\",\"usernamePrefix\":\"-\"},\"name\":\"quovadis-trial\"}",
"labels": "{\"KubeconfigURL\":\"https:\/\/kyma-env-broker.cp.kyma.cloud.sap\/kubeconfig\/69B01810-0425-4F8A-BF42-A4BEA69ED1A7\",\"Name\":\"quovadis-trial\"}",
"customLabels": {},
"type": "Provision",
"status": "Processing",
"environmentType": "kyma",
"platformId": "<platformId>",
"createdDate": "<createdDate>",
"modifiedDate": "<modifiedDate>",
"state": "CREATING",
"stateMessage": "Creating environment instance.",
"serviceName": "kymaruntime",
"planName": "trial",
"jobId": "<jobId>"
}
```
Environment provisioning (creation) is asynchronous. Kymaruntime creation may take up to 40 minutes before it times out.
Poll the state with btp get accounts/environment-instance F18A9B9E-99CE-4F28-B1CD-8DA3974637DA (using the environment id returned above).
Alternatively, provision via the Provisioning service REST API:
```
POST /provisioning/v1/environments
{
"description": "Trial",
"environmentType": "kyma",
"name": "quovadis",
"parameters": {
"name": "quovadis",
"administrators": [
"cluster-admin1@acme.com",
"cluster-admin2@acme.com",
"cluster-adminN@acme.com"
],
"oidc": {
"clientID": "<SAP IAS clientID>",
"groupsClaim": "groups",
"issuerURL": "https://<SAP IAS tenant>.trial-accounts.ondemand.com",
"signingAlgs": [
"RS256"
],
"usernameClaim": "sub",
"usernamePrefix": "-"
}
},
"planName": "trial",
"serviceName": "kymaruntime",
"user": "btptrial-admin@acme.com"
}
```
with the response payload as follows:
```
{
"id": "F234B0AB-CDBF-4BF6-B62B-30272D8A997B",
"name": "quovadis",
"description": "Trial",
"brokerId": "DBE346C8-77F3-40AB-9207-0788F94ADD5F",
"globalAccountGUID": "50750a24-0f15-48ca-b9c8-9c1900279e6b",
"subaccountGUID": "19c6a493-a6f5-46e0-9849-bf126ef6a0ff",
"tenantId": "19c6a493-a6f5-46e0-9849-bf126ef6a0ff",
"serviceId": "47c9dcbf-ff30-448e-ab36-d3bad66ba281",
"planId": "7d55d31d-35ae-4438-bf13-6ffdfa107d9f",
"dashboardUrl": "https://dashboard.kyma.cloud.sap/?kubeconfigID=F234B0AB-CDBF-4BF6-B62B-30272D8A997B",
"operation": "c5fcd032-fee4-48d9-a373-291bdfeb7c4d",
"parameters": "{\"name\":\"quovadis\",\"administrators\":[\"cluster-admin1@acme.com\",\"cluster-admin1@acme.com\",\"cluster-admin1@acme.com\"],\"oidc\":{\"clientID\":\"<clientID>\",\"groupsClaim\":\"groups\",\"issuerURL\":\"https://<tenant>.trial-accounts.ondemand.com\",\"signingAlgs\":[\"RS256\"],\"usernameClaim\":\"sub\",\"usernamePrefix\":\"-\"}}",
"labels": "{\"KubeconfigURL\":\"https://kyma-env-broker.cp.kyma.cloud.sap/kubeconfig/F234B0AB-CDBF-4BF6-B62B-30272D8A997B\",\"Name\":\"quovadis\"}",
"customLabels": {},
"type": "Provision",
"status": "Processing",
"environmentType": "kyma",
"platformId": "d40bcc14-6c3c-4ea8-8ff3-88498cd7e37b",
"createdDate": "<createdDate>",
"modifiedDate": "<modifiedDate>",
"state": "CREATING",
"stateMessage": "Creating environment instance.",
"serviceName": "kymaruntime",
"planName": "trial"
}
```
After the successful provisioning of the kyma runtime environment:
- one can retrieve dashboardUrl for interactive kyma dashboard access
- one can download the OIDC-user based kubeconfig from labels.KubeconfigURL
Good to know:
- as of today there is no other way to gain access to a newly created kyma cluster but with a user OIDC-based kubeconfig
- as soon as a cluster is accessed it can be prepared for both manual and CI/CD operations with service accounts
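The asynchronous creation described above (poll `btp get accounts/environment-instance <id>` within the 40-minute budget) and the aftermath step (read `dashboardUrl` and `labels.KubeconfigURL` from the finished instance) can be wired together as follows. This is an added example, not code from the original page or from SAP. It assumes the response shape shown on the page (`state`, `stateMessage`, `dashboardUrl`, and `labels` as a JSON string), that `OK` is the ready state and the `*_FAILED` states are terminal failures (an assumption about the Provisioning service, not stated on the page), and that the btp CLI prints the JSON seen on the page; the real CLI call is isolated in `fetch_with_btp`, and the `__main__` block uses a constructed in-memory fetcher so the script runs offline.

```python
"""Wait for a Kyma environment instance to become ready, then extract access endpoints."""
import json
import subprocess
import time
from typing import Callable

TIMEOUT_SECONDS = 40 * 60      # the page's upper bound for kymaruntime creation
POLL_INTERVAL_SECONDS = 30
READY_STATE = "OK"                                   # assumption: ready state name
IN_PROGRESS_STATES = {"CREATING", "UPDATING"}        # CREATING is what the page shows
FAILED_STATES = {"CREATION_FAILED", "UPDATE_FAILED", "DELETION_FAILED"}  # assumption


def fetch_with_btp(env_id: str) -> dict:
    """Real fetcher: runs the page's CLI command and parses the JSON it prints."""
    out = subprocess.run(["btp", "get", "accounts/environment-instance", env_id],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def wait_for_environment(env_id: str, fetch: Callable[[str], dict],
                         timeout: float = TIMEOUT_SECONDS,
                         interval: float = POLL_INTERVAL_SECONDS,
                         clock: Callable[[], float] = time.monotonic,
                         sleep: Callable[[float], None] = time.sleep) -> dict:
    """Poll until the instance is ready; fail fast on a terminal error state and
    give up after `timeout` seconds instead of waiting forever."""
    start = clock()
    while True:
        inst = fetch(env_id)
        state = inst.get("state")
        if state == READY_STATE:
            return inst
        if state in FAILED_STATES or state not in IN_PROGRESS_STATES:
            raise RuntimeError(
                f"environment {env_id} ended in state {state!r}: {inst.get('stateMessage')}")
        elapsed = clock() - start
        if elapsed >= timeout:
            raise TimeoutError(f"environment {env_id} still {state} after {int(elapsed)}s")
        sleep(min(interval, timeout - elapsed))


def access_endpoints(inst: dict) -> dict:
    """Return the two aftermath values from a finished instance: the dashboard URL
    and the OIDC-user kubeconfig download URL stored inside the `labels` JSON string."""
    labels = inst.get("labels") or "{}"
    if isinstance(labels, str):
        labels = json.loads(labels)
    return {"dashboardUrl": inst.get("dashboardUrl"),
            "kubeconfigURL": labels.get("KubeconfigURL")}


if __name__ == "__main__":
    # Constructed offline fetcher standing in for fetch_with_btp: two CREATING polls, then OK.
    responses = iter([
        {"state": "CREATING", "stateMessage": "Creating environment instance."},
        {"state": "CREATING", "stateMessage": "Creating environment instance."},
        {"state": "OK",
         "dashboardUrl": "https://dashboard.kyma.cloud.sap/?kubeconfigID=<kyma environment id>",
         "labels": "{\"KubeconfigURL\":\"https://kyma-env-broker.cp.kyma.cloud.sap/kubeconfig/<kyma environment id>\",\"Name\":\"quovadis-trial\"}"},
    ])
    done = wait_for_environment("<kyma environment id>", lambda _id: next(responses),
                                sleep=lambda s: None)
    print(json.dumps(access_endpoints(done), indent=2))
```

Replace the in-memory fetcher with `fetch_with_btp` to run it against a real subaccount. Note that the kubeconfig downloaded from `KubeconfigURL` is the OIDC-user kubeconfig the page describes: it logs in as the person who uses it, so it is the right tool for the first interactive access and the wrong one to hand to a pipeline, which is what the service-account kubeconfig mentioned above is for.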