You can map a Kubernetes service instance to an SAP Service Manager instance in a given subaccount. The Service Manager instance is then used to provision this service instance.
- A subaccount in the SAP BTP cockpit.
- kubectl configured for communicating with your Kyma instance. See Access a Kyma Instance Using kubectl.
To have multiple service instances from different subaccounts associated with a namespace, you must store access credentials for each subaccount in a custom Secret in the kyma-system
namespace.
To create a service instance with a custom Secret, you must use the btpAccessCredentialsSecret field in the spec
of the service instance. In it, you pass the Secret from the kyma-system
namespace to create your service instance. You can use different Secrets for different service instances.
-
In the SAP BTP cockpit, create an SAP Service Manager service instance with the
service-operator-access
plan. See Creating Instances in Other Environments. -
Create a service binding to the SAP Service Manager service instance you have created. See Creating Service Bindings in Other Environments.
-
Get the access credentials of the SAP Service Manager instance from its service binding. Copy them from the BTP cockpit as a JSON file.
-
Create the
creds.json
file in your working directory and save the credentials there. -
In the same working directory, generate the Secret by calling the
create-secret-file.sh
script with the operator option as the first parameter and your-secret-name as the second parameter:curl https://raw.githubusercontent.com/kyma-project/btp-manager/main/hack/create-secret-file.sh | bash -s operator {YOUR_SECRET_NAME}
The expected result is the file
btp-access-credentials-secret.yaml
created in your working directory:apiVersion: v1 kind: Secret type: Opaque metadata: name: {YOUR_SECRET_NAME} namespace: kyma-system data: clientid: {CLIENT_ID} clientsecret: {CLIENT_SECRET} sm_url: {SM_URL} tokenurl: {AUTH_URL} tokenurlsuffix: "/oauth/token"
-
To create the Secret, run:
kubectl create -f ./btp-access-credentials-secret.yaml
-
To verify if the Secret has been successfully created, run:
kubectl get secret -n kyma-system {YOUR_SECRET_NAME}
You see the status
Created
.[!NOTE] You can also view the Secret in Kyma dashboard. In the
kyma-system
namespace, go to Configuration -> Secrets, and check the list of Secrets.
To create the service instance, use either Kyma dashboard or kubectl.
-
In the Namespaces view, go to the namespace you want to work in.
-
Go to Service Management -> Service Instances.
-
In the BTP Access Credentials Secret field, add the name of the custom Secret you have created.
-
Provide other required service details and create a service instance.
[!WARNING] Once you set a Secret name in the service instance, you cannot change it in the future.
You see the status
PROVISIONED
.
-
Create your service instance with:
- The btpAccessCredentialsSecret field in the
spec
pointing to the custom Secret you have created - Other parameters as needed
[!WARNING] Once you set a Secret name in the service instance, you cannot change it in the future.
See an example of a ServiceInstance custom resource:
kubectl create -f - <<EOF apiVersion: services.cloud.sap.com/v1 kind: ServiceInstance metadata: name: {SERVICE_INSTANCE_NAME} namespace: {NAMESPACE_NAME} spec: serviceOfferingName: {SERVICE_OFFERING_NAME} servicePlanName: {SERVICE_PLAN_NAME} btpAccessCredentialsSecret: {YOUR_SECRET_NAME} EOF
- The btpAccessCredentialsSecret field in the
-
To verify that your service instance has been created successfully, run:
kubectl get serviceinstances.services.cloud.sap.com {SERVICE_INSTANCE_NAME} -n {NAMESPACE}
You see the status
Created
and the message that your service instance has been created successfully. You also see your Secret name in the btpAccessCredentialsSecret field of thespec
. -
To verify if you've correctly added the access credentials of the SAP Service Manager instance in your service instance, go to the CR
status
section, and make sure the subaccount ID to which the instance belongs is provided in the subaccountID field. The field must not be empty.