This is a companion gist to "Configure Custom SAP IAS tenant with SAP BTP Kyma runtime environment" on SAP Blogs.
This brief shows how to get this done using an SAP BTP trial account.
Although the entire procedure is well documented in the SAP Help portal, under Configure a Custom Identity Provider for Kyma, the missing piece of the puzzle is the configuration of the identity provider application itself.
Any OIDC provider can be used as a custom OIDC provider for a kyma cluster. SAP BTP, however, makes it both simple and affordable with the always-free SAP Cloud Identity Authentication service.
From experience, this is the most error-prone part of the procedure.
To alleviate the pain and burden of creating an SAP IAS service provider application by hand, I have prepared automation scripts that can be run entirely programmatically from a kyma environment itself.
Let's see how. For reference, these are the kyma environment instance parameters with the oidc subsection left empty, i.e. before any custom identity provider is configured:
{
"modules": {
"default": true
},
"oidc": {
"clientID": "",
"groupsClaim": "",
"issuerURL": "",
"signingAlgs": [],
"usernameClaim": "",
"usernamePrefix": ""
},
"administrators": []
}
All one needs to do is go to the subaccount security settings and hit the Establish Trust button there.
If there are no tenants available, one first needs to subscribe to an SAP IAS tenant in this very BTP subaccount.
To access the kyma cluster, use the Console URL (Link to dashboard) shown for the kyma environment in the cockpit. That opens the kyma dashboard, from where you can download the OIDC-based kubeconfig. Alternatively, the OIDC-based kubeconfig can be downloaded to disk directly from the cockpit.
Because the kubeconfig is OIDC-based it contains no static credentials: it names a user who is authenticated against the OIDC issuer through the kubelogin exec plugin whenever a token is needed.
apiVersion: v1
kind: Config
current-context: garden-kyma--fee3078-external
clusters:
  - name: garden-kyma--fee3078-external
    cluster:
      certificate-authority-data: >-
        LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQ1akNDQWs2Z0F3SUJBZ0lRV29UNXRGL1pQbTVuN1NiRE5kQ0FYREFOQmdrcWhraUc5dzBCQVFzRkFEQU4KTLb2ZRWApxcEVyS2FCWDEzaFhRdWhyUXFIQmZ4QmNEQUh0WXJOZmJvZSsvVklsUDMvTTczRDFnakNaY3NvWQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
      server: https://api.fee3078.kyma.ondemand.com
contexts:
  - name: garden-kyma--fee3078-external
    context:
      cluster: garden-kyma--fee3078-external
      user: garden-kyma--fee3078-external
users:
  - name: garden-kyma--fee3078-external
    user:
      exec:
        apiVersion: client.authentication.k8s.io/v1beta1
        args:
          - get-token
          - '--oidc-issuer-url=https://kyma.accounts.ondemand.com'
          - '--oidc-client-id=12b13a26-d993-4d0c-aa08-5f5852bbdff6'
          - '--oidc-extra-scope=email'
          - '--oidc-extra-scope=openid'
        command: kubectl-oidc_login
        installHint: |
          kubelogin plugin is required to proceed with authentication
          # Homebrew (macOS and Linux)
          brew install int128/kubelogin/kubelogin
          # Krew (macOS, Linux, Windows and ARM)
          kubectl krew install oidc-login
          # Chocolatey (Windows)
          choco install kubelogin
Good to know:
- What is a bit counter-intuitive is that initially only the users listed as administrators can access the cluster.
- Furthermore, only users already registered with the default SAP ID service can be designated as administrators.
- Last but not least, for the sake of simplicity, make sure you provide the list of administrators during kyma cluster provisioning.
- The list of cluster administrators can be amended at any time, and additional cluster users can be added, removed or updated from within the kyma cluster itself, through Kubernetes RBAC bindings that name the OIDC user or group.
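How the oidc parameters and the administrators list combine to decide who gets in, as an added example that is not part of the original gist or of the kyma tooling: the code below reproduces the checks kube-apiserver applies to an ID token (issuer, audience, expiry and signing algorithm; signature verification against the issuer's published keys is not modelled), applies the usernamePrefix rule (a value of "-" disables prefixing, an empty value defaults to the issuer URL followed by "#" unless the username claim is email) and then compares the resulting Kubernetes user name with the administrators list. The issuer URL, client ID, token claims and group name are constructed placeholders, not values from a real tenant.

```python
import time

# Constructed kyma OIDC parameters in the shape of the "oidc" subsection used on
# this page. Issuer URL and client ID are placeholders (assumption), not a real tenant.
KYMA_OIDC = {
    "clientID": "00000000-0000-4000-8000-000000000000",
    "groupsClaim": "groups",
    "issuerURL": "https://example.trial-accounts.ondemand.com",
    "signingAlgs": ["RS256"],
    "usernameClaim": "sub",
    "usernamePrefix": "-",
}

# Constructed administrators list, same shape as the "administrators" parameter.
ADMINISTRATORS = ["email1@domain.com", "email2@domain.com"]


def username_prefix(oidc):
    """kube-apiserver rule for --oidc-username-prefix: '-' disables prefixing,
    an empty value defaults to '<issuerURL>#' unless the username claim is
    'email', any other value is prepended verbatim."""
    prefix = oidc.get("usernamePrefix", "")
    if prefix == "-":
        return ""
    if prefix == "" and oidc.get("usernameClaim", "sub") != "email":
        return oidc["issuerURL"] + "#"
    return prefix


def map_identity(oidc, header, claims, now=None):
    """Validate a decoded ID token (header and claims) the way the API server
    does, then derive the Kubernetes user name and groups from it.
    The JWT signature is assumed to have been verified already."""
    now = time.time() if now is None else now
    if header.get("alg") not in oidc["signingAlgs"]:
        raise ValueError(f"alg {header.get('alg')!r} not in signingAlgs")
    if claims.get("iss") != oidc["issuerURL"]:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if oidc["clientID"] not in audiences:
        raise ValueError("token was not issued for this cluster's client ID")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    raw_user = claims.get(oidc["usernameClaim"])
    if not raw_user:
        raise ValueError(f"username claim {oidc['usernameClaim']!r} missing")
    groups = claims.get(oidc["groupsClaim"], [])
    if isinstance(groups, str):
        groups = [groups]
    return {"username": username_prefix(oidc) + raw_user, "groups": list(groups)}


def is_administrator(identity, administrators):
    """Administrators are matched against the mapped user name: with
    usernameClaim 'sub' and usernamePrefix '-', the sub value must equal the
    listed string exactly."""
    return identity["username"] in administrators


def rbac_subjects(identity):
    """The subjects a (Cluster)RoleBinding must name to grant this identity
    access, which is how further users are added from inside the cluster."""
    api_group = "rbac.authorization.k8s.io"
    subjects = [{"kind": "User", "name": identity["username"], "apiGroup": api_group}]
    for group in identity["groups"]:
        subjects.append({"kind": "Group", "name": group, "apiGroup": api_group})
    return subjects


if __name__ == "__main__":
    # Constructed token header and claims for a user listed as administrator.
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {
        "iss": KYMA_OIDC["issuerURL"],
        "aud": KYMA_OIDC["clientID"],
        "sub": "email1@domain.com",
        "groups": ["kyma-admins"],
        "exp": 4102444800,
    }
    identity = map_identity(KYMA_OIDC, header, claims)
    print(identity, "administrator:", is_administrator(identity, ADMINISTRATORS))
    print(rbac_subjects(identity))
```

The practical consequence: whatever string ends up in the username (here the raw sub claim, since usernamePrefix is "-") is the name RBAC sees, so both the administrators list and any RoleBinding you create later must use exactly that form.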
The automation is implemented as a helm chart, that is, a collection of so-called manifest templates, driven by a couple of make targets that can be run from a terminal window.
make
Usage:
make <target>
help Display this help.
skr-easy-deploy skr-easy-deploy
skr-easy-undeploy skr-easy-undeploy
skr-easy-template skr-easy-template
For instance, one can run skr-easy-template to render the values against the helm chart template without touching the cluster, namely:
make skr-easy-template > skr-easy.yaml
Alternatively, one can run skr-easy-deploy against the cluster, as follows:
make KUBECONFIG=~/.kube/kubeconfig-fee3078.yaml skr-easy-deploy
kubectl create ns skr-easy --kubeconfig ~/.kube/kubeconfig-fee3078.yaml --dry-run=client -o yaml | kubectl apply --kubeconfig ~/.kube/kubeconfig-fee3078.yaml -f -
namespace/skr-easy created
kubectl label namespace skr-easy istio-injection=enabled --kubeconfig ~/.kube/kubeconfig-fee3078.yaml
namespace/skr-easy labeled
helm upgrade -n skr-easy -i custom-idp helm/custom-idp \
--set namespace=skr-easy \
--set clusterDomain=fee3078.kyma.ondemand.com \
--set services.ias.name=fee3078 \
--install --kubeconfig ~/.kube/kubeconfig-fee3078.yaml
Release "custom-idp" does not exist. Installing it now.
NAME: custom-idp
This results in the creation of an SAP IAS service instance and a service binding in a dedicated namespace.
The SAP IAS service instance stands for a custom SAP IAS service provider application; the client ID and issuer URL exposed through its binding are what the kyma cluster is subsequently configured to trust, so that users of that IAS tenant can gain access to the cluster.
Good to know:
- You can look up the SAP IAS service provider application's client ID and the issuer URL in the binding secret; these two values are all the cluster's OIDC configuration needs.
- Those who cannot install all the required kubernetes tools on their devices will find a script template that can be run from the kyma dashboard of the cluster.
Below are the kyma environment instance parameters, first as a template with the clientID and issuerURL left blank:
{
"modules": {
"default": true
},
"oidc": {
"clientID": "",
"issuerURL": "",
"groupsClaim": "groups",
"signingAlgs": [
"RS256"
],
"usernameClaim": "sub",
"usernamePrefix": "-"
},
"administrators": [
"email1@domain.com",
"email2@domain.com",
"email3@domain.com"
],
"name": "quovadis"
}
and then populated with the values looked up from the binding secret (masked here):
{
"modules": {
"default": true
},
"oidc": {
"clientID": "********************",
"groupsClaim": "groups",
"issuerURL": "https://***.trial-accounts.ondemand.com",
"signingAlgs": [
"RS256"
],
"usernameClaim": "sub",
"usernamePrefix": "-"
},
"administrators": [
"email1@domain.com",
"email2@domain.com",
"email3@domain.com"
],
"name": "quovadis"
}
Then update the kyma cluster environment instance with the following oidc and administrators subsections:
{
"oidc": {
"clientID": "************************",
"groupsClaim": "groups",
"issuerURL": "https://***.trial-accounts.ondemand.com",
"signingAlgs": [
"RS256"
],
"usernameClaim": "sub",
"usernamePrefix": "-"
},
"administrators": [
"email1@domain.com",
"email2@domain.com",
"email3@domain.com"
]
}
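Putting together the binding-secret lookup from the Good to know list above and the oidc/administrators update just shown, as an added example that is not the gist's own script: it decodes a constructed binding secret, takes only the client ID and the issuer URL from it, refuses a non-https issuer, and emits the update subsections together with the kubectl-oidc_login arguments the new kubeconfig will carry. The secret's key names (clientid, url, clientsecret) and all values are assumptions for the example; check the actual keys of your binding secret with kubectl before relying on them.

```python
import base64
import json


def b64(value):
    """Encode a string the way Secret data fields are stored."""
    return base64.b64encode(value.encode()).decode()


# Constructed binding secret in the shape a Kubernetes Secret takes (every data
# value base64-encoded). Key names and values are assumptions for this example.
BINDING_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "fee3078-binding", "namespace": "skr-easy"},
    "type": "Opaque",
    "data": {
        "clientid": b64("11111111-2222-4333-8444-555555555555"),
        "url": b64("https://example.trial-accounts.ondemand.com/"),
        "clientsecret": b64("must-never-reach-the-cluster-parameters"),
    },
}


def decode_secret_data(secret):
    """Return the secret's data fields as plain strings."""
    return {k: base64.b64decode(v).decode() for k, v in secret["data"].items()}


def build_update_parameters(credentials, administrators):
    """Build the 'oidc' and 'administrators' subsections for the environment
    instance update from the binding credentials. Only the client ID and the
    issuer URL are taken; anything else in the binding (such as a client
    secret) is deliberately left out, because the API server validates ID
    tokens against the issuer's published signing keys and never needs it."""
    client_id = credentials.get("clientid", "").strip()
    issuer = credentials.get("url", "").strip().rstrip("/")
    if not client_id:
        raise ValueError("binding has no clientid")
    if not issuer.startswith("https://"):
        raise ValueError(f"issuer URL must be https, got {issuer!r}")
    return {
        "oidc": {
            "clientID": client_id,
            "groupsClaim": "groups",
            "issuerURL": issuer,
            "signingAlgs": ["RS256"],
            "usernameClaim": "sub",
            "usernamePrefix": "-",
        },
        # de-duplicate while keeping the order the caller supplied
        "administrators": list(dict.fromkeys(administrators)),
    }


def kubelogin_args(parameters):
    """The kubectl-oidc_login arguments a kubeconfig for this cluster carries
    after the update, mirroring the 'args' list of the default kubeconfig."""
    oidc = parameters["oidc"]
    return [
        "get-token",
        f"--oidc-issuer-url={oidc['issuerURL']}",
        f"--oidc-client-id={oidc['clientID']}",
        "--oidc-extra-scope=email",
        "--oidc-extra-scope=openid",
    ]


if __name__ == "__main__":
    params = build_update_parameters(
        decode_secret_data(BINDING_SECRET),
        ["email1@domain.com", "email2@domain.com", "email3@domain.com"],
    )
    print(json.dumps(params, indent=2))
    print(" ".join(kubelogin_args(params)))
```

The printed JSON is what goes into the environment instance update; the trailing slash on the tenant URL is stripped because the issuer in an ID token is compared as an exact string.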
Next, go to the kyma dashboard and you will be offered to log in with the custom IAS tenant.
If you do not have a user account yet, you can register one with the custom IAS tenant by following its self-registration routine.
If you need to revert to the default OIDC settings, update the environment instance again with the default SAP ID service values, i.e. the issuer URL and client ID that appear in the default OIDC-based kubeconfig above.
When running any of the make targets one may encounter the following error:
43699 loader.go:222] Config not found: ~/.kube/kubeconfig--garden-kyma--fee3078-external.yaml
In that case either copy ~/.kube/kubeconfig--garden-kyma--fee3078-external.yaml to ~/.kube/config, or pass the path explicitly with KUBECONFIG=... as in the skr-easy-deploy invocation above.
Accessing SAP BTP global accounts:
- Access Feature Set B global accounts at https://cockpit.btp.cloud.sap
- Use the free trial at https://account.hanatrial.ondemand.com/
- Purchase SAP BTP at SAP Store
- Join the partner program via SAP PartnerEdge – Build
- Learn about SAP BTP from the official documentation and join the community.