You can map a Kubernetes service instance to an SAP Service Manager instance in a given subaccount. The Service Manager instance is then used to provision that service instance.
- A subaccount in the SAP BTP cockpit.
- kubectl configured for communicating with your Kyma instance. See Access a Kyma Instance Using kubectl.
To have multiple service instances from different subaccounts associated with one namespace, you must store access credentials for each subaccount in a custom Secret in the kyma-system namespace. To create a service instance with the custom Secret, you must use the btpAccessCredentialsSecret field in the spec of the service instance. In it, you pass the Secret from the kyma-system namespace to create your service instance. You can use different Secrets for different service instances.
- In the SAP BTP cockpit, create an SAP Service Manager service instance with the service-operator-access plan. See Creating Instances in Other Environments.
- Create a service binding to the SAP Service Manager service instance you have created. See Creating Service Bindings in Other Environments.
- Get the access credentials of the SAP Service Manager instance from its service binding. Copy them from the SAP BTP cockpit as a JSON file.
- Create the creds.json file in your working directory and save the credentials there.
- In the same working directory, generate the Secret by calling the create-secret-file.sh script with the operator option as the first parameter and your-secret-name as the second parameter:

  ```bash
  curl https://raw.githubusercontent.com/kyma-project/btp-manager/main/hack/create-secret-file.sh | bash -s operator {YOUR_SECRET_NAME}
  ```

  The expected result is the file btp-access-credentials-secret.yaml created in your working directory:

  ```yaml
  apiVersion: v1
  kind: Secret
  type: Opaque
  metadata:
    name: {YOUR_SECRET_NAME}
    namespace: kyma-system
  data:
    clientid: {CLIENT_ID}
    clientsecret: {CLIENT_SECRET}
    sm_url: {SM_URL}
    tokenurl: {AUTH_URL}
    tokenurlsuffix: "/oauth/token"
  ```

- To create the Secret, run:

  ```bash
  kubectl create -f ./btp-access-credentials-secret.yaml
  ```

- To verify if the Secret has been successfully created, run:

  ```bash
  kubectl get secret -n kyma-system {YOUR_SECRET_NAME}
  ```

  You see the status Created.

  You can also view the Secret in Kyma dashboard. In the kyma-system namespace, go to Configuration > Secrets, and check the list of Secrets.
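A pre-apply check for the generated btp-access-credentials-secret.yaml, as an added example that is not part of the original page or of the btp-manager project. The generator script is fetched from the main branch at run time and its output carries the client secret, so the check confirms the kyma-system namespace, the five data keys shown above, base64 encoding, and owner-only file permissions. The function names and the check.sh file name are assumptions of this example.

```bash
#!/bin/sh
# Added example (not from the btp-manager project): pre-apply check for the
# generated btp-access-credentials-secret.yaml. Key names and the kyma-system
# namespace are taken from the page; function names are this example's own.
REQUIRED_KEYS="clientid clientsecret sm_url tokenurl tokenurlsuffix"

# Print the value of "<key>:" nested directly under a top-level "<section>:".
manifest_value() {  # $1=file  $2=section  $3=key
  awk -v sec="$2" -v key="$3" '
    /^[^ #]/ { insec = ($0 ~ ("^" sec ":")); next }
    insec && $1 == (key ":") { $1 = ""; sub(/^ +/, ""); gsub(/^"|"$/, ""); print; exit }
  ' "$1"
}

# Return 0 only if the manifest passes every check; list problems on stderr.
check_secret_manifest() {  # $1=file
  csm_file=$1; csm_rc=0
  [ -r "$csm_file" ] || { echo "cannot read $csm_file" >&2; return 2; }
  # The file holds the OAuth client secret: owner-only permissions expected.
  [ "$(ls -ld "$csm_file" | cut -c5-10)" = "------" ] ||
    { echo "$csm_file is accessible to group/others" >&2; csm_rc=1; }
  grep -q '^kind: Secret *$' "$csm_file" ||
    { echo "kind is not Secret" >&2; csm_rc=1; }
  [ "$(manifest_value "$csm_file" metadata namespace)" = "kyma-system" ] ||
    { echo "metadata.namespace must be kyma-system" >&2; csm_rc=1; }
  for csm_key in $REQUIRED_KEYS; do
    csm_val=$(manifest_value "$csm_file" data "$csm_key")
    case $csm_val in
      "")      echo "data.$csm_key is missing or empty" >&2; csm_rc=1 ;;
      *\{*\}*) echo "data.$csm_key still holds a {PLACEHOLDER}" >&2; csm_rc=1 ;;
      *)       # Kubernetes requires values under data: to be base64-encoded.
               printf %s "$csm_val" | base64 -d >/dev/null 2>&1 ||
                 { echo "data.$csm_key is not valid base64" >&2; csm_rc=1; } ;;
    esac
  done
  return "$csm_rc"
}

# Usage (check.sh is a hypothetical file name for this script):
#   sh check.sh ./btp-access-credentials-secret.yaml && kubectl create -f ./btp-access-credentials-secret.yaml
if [ "$#" -gt 0 ]; then check_secret_manifest "$1"; fi
```

After the Secret exists in the cluster, remove creds.json and the generated YAML from the working directory, since both contain the client secret.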
To create the service instance, use either Kyma dashboard or kubectl.
- Use Kyma dashboard.
  - In the Namespaces view, go to the namespace you want to work in.
  - Go to Service Management > Service Instances.
  - In the BTP Access Credentials Secret field, add the name of the custom Secret you have created.
  - Provide other required service details and create a service instance.

    Once you set a Secret name in the service instance, you cannot change it in the future.

    You see the status PROVISIONED.

- Use kubectl.
  - Create your service instance with:
    - The btpAccessCredentialsSecret field in the spec pointing to the custom Secret you have created.
    - Other parameters as needed.

    Once you set a Secret name in the service instance, you cannot change it in the future.

    See an example of a ServiceInstance CR:

    ```bash
    kubectl create -f - <<EOF
    apiVersion: services.cloud.sap.com/v1
    kind: ServiceInstance
    metadata:
      name: {SERVICE_INSTANCE_NAME}
      namespace: {NAMESPACE_NAME}
    spec:
      serviceOfferingName: {SERVICE_OFFERING_NAME}
      servicePlanName: {SERVICE_PLAN_NAME}
      btpAccessCredentialsSecret: {YOUR_SECRET_NAME}
    EOF
    ```

  - To verify that your service instance has been created successfully, run:

    ```bash
    kubectl get serviceinstances.services.cloud.sap.com {SERVICE_INSTANCE_NAME} -n {NAMESPACE}
    ```

    You see the status Created and the message that your service instance has been created successfully. You also see your Secret name in the btpAccessCredentialsSecret field of the spec.

  - To verify that you've correctly added the access credentials of the SAP Service Manager instance in your service instance, go to the custom resource (CR) status section, and make sure the subaccount ID to which the instance belongs is provided in the subaccountID field. The field must not be empty.