Add the doc on Secret customization #933

Open
wants to merge 10 commits into
base: main
4 changes: 4 additions & 0 deletions docs/assets/module_credentials_customized.drawio.svg
8 changes: 5 additions & 3 deletions docs/user/03-10-preconfigured-secret.md
Expand Up @@ -29,7 +29,7 @@ The `sap-btp-manager` Secret provides the following credentials:

> [!NOTE]
> If you modify or delete the `sap-btp-manager` Secret, it is modified back to its previous settings or regenerated within up to 24 hours.
> However, if the Secret is labeled with `kyma-project.io/skip-reconciliation: "true"`, the job skips the reconciliation for this Secret.
> To prevent your changes from being reverted, label the Secret with `kyma-project.io/skip-reconciliation: "true"`. For more information, see [Customize Credentials and Access](03-11-customize_secret.md).

When you add the SAP BTP Operator module to your cluster, the `sap-btp-manager` Secret generates the SAP BTP service operator's resources as shown in the following diagram:
<!-- for the HP doc this sentence is different: The SAP BTP Operator module is added by default to your cluster and the `sap-btp-manager` (...) -->
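
Review bot: The link text in the rewritten note, `Customize Credentials and Access`, does not match the title of the target page added in this PR (`# Customize the Default Credentials and Access`), and the Cluster Access section of this same file links to it with a third variant (`Customize Default Credentials and Access`). Use the page title in every link. The label value is also quoted as `"true"` here but as `'true'` in the Procedure section of 03-11-customize_secret.md; pick one form so that readers copy a consistent value.
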
Expand All @@ -43,12 +43,14 @@ The cluster ID represents a Kyma service instance created in a particular subacc

## Cluster Access

By default, SAP BTP Operator has cluster-wide permissions. You cannot reconfigure the predefined settings.
By default, SAP BTP Operator has cluster-wide permissions.

The following parameters manage cluster access:

| Parameter | Description |
|-------------------------------|-----------------------------------------------------------------------------------------------|
| **CLUSTER_ID** | Generated when Kyma runtime is created. |
| **MANAGEMENT_NAMESPACE** | Always set to `kyma-system`. |
| **MANAGEMENT_NAMESPACE** | By default, set to `kyma-system`. |
| **ALLOW_CLUSTER_ACCESS** | You can use every namespace for your operations. The parameter is always set to `true`.<br>If you change it to `false`, the setting is automatically reverted. |

To use your own cluster access settings, you must customize the `sap-btp-operator` Secret. For more information, see [Customize Default Credentials and Access](03-11-customize_secret.md).
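
Review bot: The added closing sentence tells the reader to customize the `sap-btp-operator` Secret, while the note earlier in this file and the linked page both describe customizing the `sap-btp-manager` Secret. If this is a typo, correct the name; otherwise the new page needs to cover the second Secret. The unchanged **ALLOW_CLUSTER_ACCESS** row still says the parameter is "always set to `true`" and that a change to `false` "is automatically reverted", which now sits directly above a sentence promising custom cluster access settings. State whether that revert still applies to a Secret labeled with `kyma-project.io/skip-reconciliation`, and soften "always" the same way the **MANAGEMENT_NAMESPACE** row was changed to "By default".
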
39 changes: 39 additions & 0 deletions docs/user/03-11-customize_secret.md
@@ -0,0 +1,39 @@
# Customize the Default Credentials and Access

You can customize the `sap-btp-manager` Secret and manage your own default configuration of the SAP BTP Operator module.

## Context

When you create SAP BTP, Kyma runtime, the `sap-btp-manager` Secret is automatically created as the default Secret managing the SAP BTP Operator's resources.
Because of Kyma's automatic reconciliation, any changes to the Secret are reverted, and the previous settings are restored within up to 24 hours.
See [Preconfigured Credentials and Access](03-10-preconfigured-secret.md#credentials).

To customize the `sap-btp-manager` Secret and prevent your changes from being reverted, you must stop the Secret's reconciliation.
With the customized Secret, you can perform the following actions:

* Manage your own default configuration of SAP BTP Operator
* Migrate the service instances you created outside of the Kyma environment to your Kyma cluster

## Procedure

To customize the `sap-btp-manager` Secret, perform the following steps:

* Label the Secret with `kyma-project.io/skip-reconciliation: 'true'`.
* Provide the following credentials from your SAP Service Manager instance: **clientid**, **clientsecret**, **sm_url**, and **tokenurl**.
* Optionally, provide your **cluster_id**. Otherwise, it is generated automatically.
* Optionally, add the `management_namespace` parameter and provide the name of your custom management namespace.

## Result

Your customized `sap-btp-manager` Secret is now the default Secret of the SAP BTP Operator module. It generates the SAP BTP service operator's resources, as shown in the following diagram:

![Customized module credentials](../assets/module_credentials_customized.drawio.svg)

The reconciliation of the Secret stops and your changes are not reverted.

> [!WARNING]
> If you delete the customized `sap-btp-manager` Secret, the reconciliation starts again, and the preconfigured default `sap-btp-manager` Secret is recreated for your Kyma instance within 24 hours. See [Preconfigured Credentials and Access](./03-10-preconfigured-secret.md#credentials).

> [!NOTE]
> If you created all service instances in your Kyma cluster from the customized `sap-btp-manager` Secret, you can delete the cluster even if those instances still exist.
> The undeleted service instances do not block the deletion of the cluster.
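
Review bot: The Procedure section lists its steps as unordered bullets and does not say that the label has to be in place before the other edits, although the Context section states that changes to an unlabeled Secret are reverted within up to 24 hours. Make it a numbered list with labeling as step 1, and say how the Secret is edited and in which namespace it lives, since the new page does not name one. Parameter naming is inconsistent as well: `management_namespace` is lowercase in code format while **cluster_id** is bold, and 03-10-preconfigured-secret.md lists them as **MANAGEMENT_NAMESPACE** and **CLUSTER_ID**. Because the reader supplies **clientsecret** here and turns off reconciliation, the Result section should also say who keeps those credentials current once "the reconciliation of the Secret stops".
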
3 changes: 0 additions & 3 deletions docs/user/03-30-create-instances-and-bindings.md
Expand Up @@ -9,9 +9,6 @@ To use an SAP BTP service in your Kyma cluster, create its service instance and
* You know the service offering name and service plan name for the SAP BTP service you want to connect to your Kyma cluster.
To find the service and service plan names, in the SAP BTP cockpit, go to **Services**->**Service Marketplace**. Click on the service tile and find its **name** and **Plan**.

> [!NOTE]
> You can use [SAP BTP kubectl plugin](https://github.com/SAP/sap-btp-service-operator#sap-btp-kubectl-plugin-experimental) to get the available services in your SAP BTP account by using the access credentials stored in the cluster. However, the plugin is still experimental.

## Create a Service Instance

### Context
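
Review bot: The removal of the `[!NOTE]` about the SAP BTP kubectl plugin under the prerequisites is unrelated to Secret customization, which is the only change the PR title announces. Give the reason for dropping it in the PR description, or move the removal to a separate PR so it gets its own review.
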
1 change: 1 addition & 0 deletions docs/user/README.md
Expand Up @@ -13,6 +13,7 @@ The SAP BTP service operator enables provisioning and managing service instances
The SAP BTP Operator module provides the following features:

* Credentials and access preconfiguration: Your Secret is provided on Kyma runtime creation. See [Preconfigured Credentials and Access](03-10-preconfigured-secret.md).
* Customization of the default credentials and access: You can customize the default `sap-btp-manager` Secret. See [Customize the Default Credentials and Access](03-11-customize_secret.md).
* Multitenancy: You can configure multiple subaccounts in a single cluster. See [Working with Multiple Subaccounts](03-20-multitenancy.md).
* Lifecycle management of service instances and service bindings: You can create and delete service instances and service bindings. See [Create Service Instances and Service Bindings](03-30-create-instances-and-bindings.md) and [Delete Service Bindings and Service Instances](03-70-delete-bindings-and-instances.md).
* Service binding rotation: You can enhance security by automatically rotating the credentials associated with your service bindings. See [Rotating Service Bindings](03-40-service-binding-rotation.md).