In this exercise, we will create and configure an instance of the "Authorization and Trust Management" service within SAP BTP, Kyma runtime. With that service instance, you will generate a Role Collection inside the SAP BTP subaccount which will control the access to the CAP application you will deploy later.
After completing these steps you will have created the "Authorization and Trust Management" service instance.
Apply the resource to create the service instance and binding for the XSUAA instance. This will generate an XSUAA instance that is used to perform a token exchange which the CAP application requires to authenticate/authorize the user:
kubectl -n cap apply -f ./resources/html5/xsuaa-service.yamlInside the Kyma console, open the namespace cap.
Now open the service instance cap-orders-xsuaa-instance found under Service Management -> BTP Service Bindings.
Choose the cap-orders-xsuaa-binding instance and choose the Secret cap-orders-xsuaa-binding.
Choose the option Decode as these decoded values will need to be copied in the next steps.
Create a copy of the file ./resources/html5/html5-config-secret.yaml within the credentials directory, naming it html5-config-secret.yaml.
Within the html5-config-secret.yaml file replace the following values with the values found in the cap-orders-xsuaa-binding secret decoded in the previous step:
Replace the value of cluster domain with the Kyma cluster domain url. This can be found on the main Kyma dashboard screen listed as API Server Address and shown as https://api.{cluster domain}
\"clientId\": \"{clientid}\",
\"clientSecret\":\"{clientsecret}\",
\"tokenServiceURL\": \"{url}/oauth/token\",
\"URL\":\"https://cap-orders-service.{cluster domain}\"}]"Now it's time to apply the secret to the cluster.
kubectl -n cap apply -f ./credentials/html5-config-secret.yamlOpen the file ./credentials/vcap_services.json and replace the value <service key> with the Credentials value for the xsuaa property. This can be done manually or much easier using jq. To export the entire decoded secret using jq run:
kubectl get secret cap-orders-xsuaa-binding -n cap -o json | jq '.data | map_values(@base64d)'The result looks like this:
{
"apiurl": "https://api.authentication.{region}.hana.ondemand.com",
"clientid": "{clientid}",
"clientsecret": "{clientsecret}",
"credential-type": "instance-secret",
"identityzone": "{identityzone}",
"identityzoneid": "{identityzoneid}",
"sburl": "https://internal-xsuaa.authentication.{region}.hana.ondemand.com",
"subaccountid": "{subaccountid}",
"tenantid": "{tenantid}",
"tenantmode": "dedicated",
"uaadomain": "authentication.{region}.hana.ondemand.com",
"url": "{url}",
"verificationkey": "-----BEGIN PUBLIC KEY-----{verificationkey}-----END PUBLIC KEY-----",
"xsappname": "{xsappname}",
"zoneid": "{zoneid}"
}Copy the result into the xsuaa.credentials found in the vcap_services.json replacing the value of <service key>. With the preparation done in GETTING STARTED - SAP HANA Cloud - Setup, the file will look like this:
{
"xsuaa": [
{
"name": "cpapp",
"label": "xsuaa",
"tags": ["xsuaa"],
"credentials": {
"apiurl": "https://api.authentication.{region}.hana.ondemand.com",
"clientid": "{clientid}",
"clientsecret": "{clientsecret}",
"credential-type": "instance-secret",
"identityzone": "{identityzone}",
"identityzoneid": "{identityzoneid}",
"sburl": "https://internal-xsuaa.authentication.{region}.hana.ondemand.com",
"subaccountid": "{subaccountid}",
"tenantid": "{tenantid}",
"tenantmode": "dedicated",
"uaadomain": "authentication.{region}.hana.ondemand.com",
"url": "{url}",
"verificationkey": "-----BEGIN PUBLIC KEY-----{verificationkey}-----END PUBLIC KEY-----",
"xsappname": "{xsappname}",
"zoneid": "{zoneid}"
}
}
],
"hana": [
{
"binding_name": null,
"credentials": {
"host": "{host}",
"port": "443",
"driver": "com.sap.db.jdbc.Driver",
"url": "{url}",
"schema": "{schema}",
"hdi_user": "{hdi_user}",
"hdi_password": "{hdi_password}",
"user": "{user}",
"password": "{password}",
"certificate": "-----BEGIN CERTIFICATE-----{certificate}-----END CERTIFICATE-----"
},
"instance_name": "cpapp",
"label": "cpapp",
"name": "cpapp",
"plan": "hdi-shared",
"provider": null,
"syslog_drain_url": null,
"tags": ["hana", "database", "relational"],
"volume_mounts": []
}
]
}Create a secret in Kyma containing the contents of this file executing the following steps.
-
If using a bash shell:
kubectl -n cap create secret generic orders-vcap-services --from-literal "VCAP_SERVICES=$(<credentials/vcap_services.json)" -
If using PowerShell first convert the file into base64 by running:
[convert]::ToBase64String((Get-Content -path "credentials/vcap_services.json" -Encoding byte))Then within the project open the file
templates/orders-vcap-services.yamland create a copy of it saving it into thecredentialsdirectory of the project. Replace the contents of the<base64 encoded vcap_services>with the result of the previous command and apply the file.kubectl -n cap apply -f ./credentials/orders-vcap-services.yaml
Add your user to the Role collection cap-orders-kyma-rc by navigating to the SAP BTP subaccount you are using. Within the SAP BTP cockpit open Security -> Role Collections. Choose Edit, add your user, and Save your changes.
🎉 Congratulations - You've now created in instance of the XSUAA service and created the VCAP service. Furthermore, you added your user to the generated Role Collection.
Continue to Exercise 2 - Exercise 2 PREPARE APP FOR LOCAL USE