Implementing SAP Kyma headless kubeconfig with
a custom SAP Cloud Identity Services as SAP Kyma cluster OIDC providerkymaruntime environment service bindings
Let’s see how…
Table of Contents
kubeconfig with the authorization-code authentication flow.kubeconfig with the password grant type authentication flowkubeconfig with kyma runtime environment service bindings
https://dev.to/quovadis/sap-btp-kyma-blueprints-2cjf
Let me help break down this comprehensive information about SAP BTP Kyma kubeconfig authentication methods.
Let’s understand each approach and their specific use cases.
The three main authentication methods for Kyma kubeconfig are:
1. Authorization Code Flow (OIDC)
This is the standard approach for interactive users. It requires individual users to be defined in the SAP ID tenant and have appropriate RBAC cluster-admin role bindings. While this method works well for direct user interaction, it isn’t suitable for automated processes since it requires manual authentication.
2. Password Grant Type Flow
This method is designed for headless environments like CI/CD pipelines or automated workflows. It requires:
– A custom SAP Cloud Identity Service tenant
– A public client OIDC application
– A technical user with credentials stored securely
– The configuration uses a bash script to obtain tokens automatically
3. Kyma Runtime Environment Service Bindings
This approach provides service account tokens during the Kyma runtime environment provisioning.
Key points:
– Requires a cis-local plan Cloud Management service instance
– Tokens are obtained through the SAP Provisioning Service environment bindings API
– Provides the simplest configuration but requires proper setup of the environment binding
For implementing automated workflows, the Password Grant Type Flow offers the most flexibility while maintaining security through technical user credentials. The Kyma Runtime Environment Service Bindings approach is ideal when working directly with the provisioning process.
Let me know if you’d like me to elaborate on any of these authentication methods or their specific implementation details.
Let me explain the Password Grant Type authentication flow for SAP BTP Kyma in detail.
“`hcl
# First, set up the Identity Application entitlement in your subaccount
resource “btp_subaccount_entitlement” “identity_application” {
subaccount_id = data.btp_subaccount.context.id
service_name = “identity”
plan_name = “application”
}
# Reference the service plan for the identity application
data “btp_subaccount_service_plan” “identity_application” {
depends_on = [btp_subaccount_entitlement.identity_application]
subaccount_id = data.btp_subaccount.context.id
offering_name = “identity”
name = “application”
}
# Create the Identity Application service instance with specific OAuth2 configuration
resource “btp_subaccount_service_instance” “identity_application” {
depends_on = [btp_subaccount_trust_configuration.custom_idp]
subaccount_id = data.btp_subaccount.context.id
name = “ias-local”
serviceplan_id = data.btp_subaccount_service_plan.identity_application.id
# Detailed configuration for the Identity Application
parameters = jsonencode({
# Set access to public for broader accessibility
user-access = “public”
# OAuth2 configuration specifying allowed grant types and token policies
oauth2-configuration = {
grant-types = [
“authorization_code”,
“authorization_code_pkce_s256”,
“password”, # Enable password grant type for headless authentication
“refresh_token”
],
token-policy = {
token-validity = 3600, # Access token valid for 1 hour
refresh-validity = 15552000, # Refresh token valid for 180 days
refresh-usage-after-renewal = “off”,
refresh-parallel = 3,
access-token-format = “default”
},
public-client = true, # Enable public client mode
redirect-uris = [
“https://dashboard.kyma.cloud.sap“,
“http://localhost:8000“
]
},
# Configure how user identifiers are determined
subject-name-identifier = {
attribute = “mail”,
fallback-attribute = “none”
},
# Map assertion attributes to specific user properties
assertion-attributes = {
email = “mail”,
groups = “companyGroups”,
first_name = “firstName”,
last_name = “lastName”,
login_name = “loginName”,
mail = “mail”,
scope = “companyGroups”,
user_uuid = “userUuid”,
locale = “language”
},
# Set the application name using variables
name = “${var.BTP_KYMA_NAME}-${var.BTP_KYMA_PLAN}-${data.btp_subaccount.context.id}”,
display-name = “${var.BTP_KYMA_NAME}-${var.BTP_KYMA_PLAN}”
})
}
“`
The Password Grant Type authentication flow is designed specifically for non-interactive, automated scenarios. Let me break down how it works and why each component is important:
The Setup Process:
1. Custom Identity Service Setup
– You need to create a custom SAP Cloud Identity Service (IAS) tenant rather than using the default SAP ID Service
– This gives you more control over authentication policies and user management
– The service instance is configured as a public client, which is crucial for the password grant flow
2. OAuth2 Configuration
– The setup enables multiple grant types, but specifically includes the “password” grant
– Token policies are configured with specific validities:
– Access tokens last for 1 hour (3600 seconds)
– Refresh tokens last for 180 days (15552000 seconds)
– The public client setting eliminates the need for client secrets
3. User Attribute Mapping
– The configuration maps various user attributes (email, groups, name, etc.)
– This mapping ensures that Kubernetes RBAC can properly identify and authorize users
– The “mail” attribute serves as the primary identifier for users
Using the Authentication:
When this is set up, your automated processes can authenticate using a technical user’s credentials. Here’s how it works:
1. The process makes a POST request to the IAS token endpoint
2. It provides:
– The technical user’s username and password
– The client ID of your IAS application
– The required scopes (typically “groups” and “email”)
3. The IAS service returns an ID token
4. This token is then used for Kubernetes authentication
Security Considerations:
1. Technical User Management
– Create a dedicated technical user in your IAS tenant
– Assign minimum required permissions through groups
– Regularly rotate the password
– Store credentials in a secure vault or secret management system
2. Token Handling
– Never log or expose the tokens
– Implement proper error handling for token expiration
– Use refresh tokens when appropriate to minimize password usage
3. Access Control
– Implement proper RBAC policies in Kubernetes
– Regularly audit access patterns
– Monitor for suspicious authentication attempts
This authentication method is particularly useful for:
– CI/CD pipelines
– Automated deployment scripts
– Monitoring systems
– Backup solutions
– Any other headless processes that need to interact with your Kyma cluster
Would you like me to elaborate on any particular aspect of this setup, such as the technical user creation process or specific security best practices?
Let me explain the Kyma Runtime Environment Bindings method, which provides a streamlined way to obtain cluster access through SAP BTP service bindings.
“`hcl
# First, set up the Cloud Management Service instance
resource “btp_subaccount_service_instance” “cis_service” {
subaccount_id = data.btp_subaccount.context.id
name = “cis-local”
serviceplan_id = data.btp_subaccount_service_plan.cis_local.id
}
# Create the service binding for Cloud Management Service
resource “btp_subaccount_service_binding” “cis_binding” {
depends_on = [btp_subaccount_service_instance.cis_service]
subaccount_id = data.btp_subaccount.context.id
service_instance_id = btp_subaccount_service_instance.cis_service.id
name = “cis-local-binding”
}
# Set up the Kyma runtime environment
resource “btp_subaccount_service_instance” “kyma_runtime” {
subaccount_id = data.btp_subaccount.context.id
name = var.kyma_instance_name
serviceplan_id = data.btp_subaccount_service_plan.kyma_runtime.id
parameters = jsonencode({
name = var.kyma_instance_name
planName = var.kyma_plan_name
shootName = var.shoot_name
targetK8sVersion = var.kubernetes_version
machineType = var.machine_type
autoScalerMin = var.min_nodes
autoScalerMax = var.max_nodes
maxSurge = 1
volumeSizeGb = var.volume_size
diskType = “pd-standard”
region = var.region
workerCidr = var.worker_cidr
servicesCidr = var.services_cidr
podsCidr = var.pods_cidr
})
}
# Create the service binding for Kyma runtime
resource “btp_subaccount_service_binding” “kyma_binding” {
depends_on = [btp_subaccount_service_instance.kyma_runtime]
subaccount_id = data.btp_subaccount.context.id
service_instance_id = btp_subaccount_service_instance.kyma_runtime.id
name = “${var.kyma_instance_name}-binding”
}
“`
The Kyma Runtime Environment Bindings method works through the SAP BTP service binding mechanism. Let me break down how this approach functions and why it’s particularly useful.
Understanding the Components:
1. Cloud Management Service (CIS)
This service acts as a bridge between your BTP subaccount and the Kyma runtime. The CIS instance:
– Manages service credentials
– Handles authentication and authorization
– Provides necessary APIs for runtime management
– Must be provisioned with the cis-local plan
2. Kyma Runtime Instance
The Kyma runtime itself needs specific configuration, including:
– Kubernetes version specifications
– Node pool configurations
– Network settings
– Resource allocations
– Regional preferences
3. Service Bindings
Two key bindings are created:
– CIS binding: Provides access to cloud management capabilities
– Kyma binding: Delivers the actual kubeconfig credentials
How the Authentication Works:
When you create a service binding to your Kyma runtime:
1. The BTP Provisioning Service generates a service account in your Kyma cluster
2. This service account receives appropriate RBAC permissions
3. A kubeconfig file is generated containing a bearer token
4. The token is automatically rotated and managed by the platform
Advantages of This Method:
1. Simplified Management
– No need to manage separate credentials
– Platform handles token rotation automatically
– Reduced operational overhead
– Integrated with BTP service management
2. Security Benefits
– Tokens are managed by the platform
– Clear audit trail through BTP
– Automatic credential rotation
– Integrated with BTP security controls
3. Operational Efficiency
– Direct integration with BTP services
– No additional authentication setup required
– Works seamlessly with other BTP services
– Easy to automate through infrastructure as code
Best Practices for Implementation:
1. Service Instance Names
– Use consistent naming conventions
– Include environment indicators
– Make names descriptive and meaningful
– Document naming patterns
2. Binding Management
– Create separate bindings for different purposes
– Monitor binding status
– Implement proper error handling
– Keep binding information secure
3. Access Control
– Review generated RBAC permissions
– Monitor service account usage
– Implement proper security policies
– Regular access audits
Common Use Cases:
This method is particularly useful for:
– Development environments integrated with BTP
– Automated deployment pipelines
– Platform operations tools
– Monitoring and logging systems
– Any scenario where tight BTP integration is desired
The bindings method provides a more automated and platform-integrated approach compared to other authentication methods. Would you like me to elaborate on any specific aspect, such as the binding creation process or how to manage multiple environments?
Read More Technology Blogs by SAP articles
#abap