You can map a Kubernetes service instance to an SAP Service Manager instance in a given subaccount. The Service Manager instance is then used to provision this service instance.
- A subaccount in the SAP BTP cockpit.
- kubectl configured for communicating with your Kyma instance. See Access a Kyma Instance Using kubectl.
To have multiple service instances from different subaccounts associated with a namespace, you must store access credentials for each subaccount in a custom Secret in the kyma-system namespace.
To create a service instance with a custom Secret, you must use the btpAccessCredentialsSecret field in the spec of the service instance. In it, you pass the Secret from the kyma-system namespace to create your service instance. You can use different Secrets for different service instances.
-
In the SAP BTP cockpit, create an SAP Service Manager service instance with the
service-operator-accessplan. See Creating Instances in Other Environments. -
Create a service binding to the SAP Service Manager service instance you have created. See Creating Service Bindings in Other Environments.
-
Get the access credentials of the SAP Service Manager instance from its service binding. Copy them from the BTP cockpit as a JSON file.
-
Create the
creds.jsonfile in your working directory and save the credentials there. -
In the same working directory, generate the Secret by calling the
create-secret-file.shscript with the operator option as the first parameter and your-secret-name as the second parameter:curl https://raw.githubusercontent.com/kyma-project/btp-manager/main/hack/create-secret-file.sh | bash -s operator {YOUR_SECRET_NAME}The expected result is the file
btp-access-credentials-secret.yamlcreated in your working directory:apiVersion: v1 kind: Secret type: Opaque metadata: name: {YOUR_SECRET_NAME} namespace: kyma-system data: clientid: {CLIENT_ID} clientsecret: {CLIENT_SECRET} sm_url: {SM_URL} tokenurl: {AUTH_URL} tokenurlsuffix: "/oauth/token"
-
To create the Secret, run:
kubectl create -f ./btp-access-credentials-secret.yaml -
To verify if the Secret has been successfully created, run:
kubectl get secret -n kyma-system {YOUR_SECRET_NAME}You see the status
Created.[!NOTE] You can also view the Secret in Kyma dashboard. In the
kyma-systemnamespace, go to Configuration -> Secrets, and check the list of Secrets.
To create the service instance, use either Kyma dashboard or kubectl.
-
In the Namespaces view, go to the namespace you want to work in.
-
Go to Service Management -> Service Instances.
-
In the BTP Access Credentials Secret field, add the name of the custom Secret you have created.
-
Provide other required service details and create a service instance.
[!WARNING] Once you set a Secret name in the service instance, you cannot change it in the future.
You see the status
PROVISIONED.
-
Create your service instance with:
- The btpAccessCredentialsSecret field in the
specpointing to the custom Secret you have created - Other parameters as needed
[!WARNING] Once you set a Secret name in the service instance, you cannot change it in the future.
See an example of a ServiceInstance custom resource:
kubectl create -f - <<EOF apiVersion: services.cloud.sap.com/v1 kind: ServiceInstance metadata: name: {SERVICE_INSTANCE_NAME} namespace: {NAMESPACE_NAME} spec: serviceOfferingName: {SERVICE_OFFERING_NAME} servicePlanName: {SERVICE_PLAN_NAME} btpAccessCredentialsSecret: {YOUR_SECRET_NAME} EOF
- The btpAccessCredentialsSecret field in the
-
To verify that your service instance has been created successfully, run:
kubectl get serviceinstances.services.cloud.sap.com {SERVICE_INSTANCE_NAME} -n {NAMESPACE}You see the status
Createdand the message that your service instance has been created successfully. You also see your Secret name in the btpAccessCredentialsSecret field of thespec. -
To verify if you've correctly added the access credentials of the SAP Service Manager instance in your service instance, go to the CR
statussection, and make sure the subaccount ID to which the instance belongs is provided in the subaccountID field. The field must not be empty.