[Research] Check Kyma 2.0

[krasimirdermendzhiev]

Research the new Kyma 2.0 release.

• [x] Test XSK Deployment
• [x] Test connectivity

[krasimirdermendzhiev]

Kyma 2.0

No longer support the following authentication and authorization components

• API Server Proxy
• Console Backend Service
• Dex
• IAM Kubeconfig Service
• Permission Controller

API Exposure

• Exposing workloads on custom domains. Kyma 2.0 allows you to expose Istio workloads using custom, user-managed domains.

Application Connectivity

• New way to reach registered services. Kyma 2.0 brings some fresh air to the Application Connectivity area.

• Application Connectivity improvements

CLI

• Switch from Minikube to k3d
• Revamped way of installation
• Values instead of configuration overrides
• The kyma test command deprecated
• The kyma console command replaced with kyma dashboard

Eventing

• NATS Operator replaced with NATS Helm chart

Kyma Dashboard

• Kyma Console replaced with new technology
• Kyma Dashboard features

With the 2.0 release, Kyma does not expose Grafana, Kiali, and Jaeger UIs by default. After the upgrade, for each service, you can set up an identity provider of your choice.

New resources views

• Service Accounts
• Cluster Overview > Nodes
• Jobs
• Cron Jobs
• Stateful Sets
• Daemon Sets
• Gateways
• Issuers
• Certificates
• DNS Providers
• DNS Entries

Easier resource creation

• Roles
• Role Bindings
• Service Accounts
• Deployment
• Cron Jobs
• Jobs
• Config Maps
• Secrets
• Issuers
• Certificates
• DNS Providers
• DNS Entries
• Replica Sets

All Dashboards are accessible trough https://dashboard.kyma.cloud.sap

Connect your cluster

1. You need to paste or drag kubeconfig file to connect your cluster.

2. Privacy Options - ou can choose where to store your cluster configuration. Based on your kubeconfig type, we recommend the pre-selected storage mode. You can choose whatever you prefer for convenience and security. None of the options stores information on the server.

• Local storage - Cluster data is persisted between browser reloads.

• Session Storage - Cluster data is cleared when the page session end.

• In memory: Cluster data is cleared when you leave or refresh the page.

Cluster Overview

1. Cluster overview section - you can see versions for kubernetes and Kyma, API server address, Storage Type.

2. Nodes section - you see your nodes

3. Message section - you can see all messages for your cluster.

Namespaces

1. Columns - you can see names, created, labels, status.

Events

• Columns - name, type, message, involved object, source, count, last seen

Integration

• Applications

• Methods for creating applcation - Simple, Advanced, YAML

• Cluster Addons - look the same.

Configuration - the old Administration become Configuration

• Cluster Roles

• Columns - Name, Created, Labels, Alerts, Configurations

• Cluster Role Bindings

• Columns - Name, Created, Labels, Role reference, Subjects, Alerts, Configurations

• Custom Resource Definitions

• Columns - Name, Created, Labels, Scope, Categories, Alerts, Configurations

Observability

• Improved security for logs in Kyma Dashboard
• Containerd support
• Prometheus mTLS
• Observability services updated

1. Grafana

2. Kiali

3. Tracing

Security

• Native Kubernetes authentication in Kyma

  1. OpenID Connect tokens
  2. Role Based Access Control (RBAC)

• Full list of removed authentication and authorization components:

  1. API Server Proxy
  2. Console Backend Service
  3. Dex
  4. IAM Kubeconfig Service
  5. Permission Controller

• Ory Oathkeeper without Dex

Serverless

• Support for Python 3.8 deprecated - Python 3.9 available

Service Management

• Service Catalog deprecation update

  These are the examples of service operators provided by hyperscale cloud providers that you can use:

  Google Cloud Azure AWS

  The Service Catalog removal will also affect Application Connectivity in Kyma. Service Catalog objects will not be used anymore, and both ServiceInstances and ServiceBindings will not be required.

Recap At this point XSK is deployed normally. We will check periodically for any new changes.

[rdimitrov4]

SAP BTP Connectivity Proxy in Kyma 2 Environment

Establishing a secure tunnel between XSK deployed on Kyma 2.0 Environment and Systems on your On-Premise network.

Prerequisites:

• Connectivity Service Entitlement must be present within your subaccount. (Entitlements -> Configure Entitlements -> Add Service Plans -> Connectivity Service -> connectivity_proxy)
• Administrator Role Collections assigned to the user account that will establish the connection #

1. First we need to deploy the Connectivity Gateway.

• Go to SAP CP Cockpit, navigate to your subaccount and open the Kyma Console.

• Create a namespace <your-namespace> in which to deploy the connectivity gateway.

• In the Kyma Console, go to <your-namespace> -> Service management -> Catalog

• Search for Connectivity and press Add + to provision a Service Instance Name - unique name for your service Instance. The system can automatically generate one. Plan - choose the connectivity_proxy plan.

  After pressing Create the Connectivity Service Instance will be created.

• In the Kyma Console, go to <your-namespace> -> Service Management -> Instances

• Select the Service Instance created in the previous steps, press Add Service Binding + Name - unique name for your service binding. The system can automatticaly generate one. Secret Name - unique name for your secret. The system can automatically use the same name as for the service binding.

• As soon as the Kyma Control Plane detects that the Service Binding was created it will provision Connectivity Proxy in the cluster. The Connectivity Proxy will be deployed in the kyma-system namespace, and will be accessible within the cluster.

2. Install SAP Cloud Connector and connect it to your subaccount

• Download and install the SAP Cloud Connector and its Prerequisites for your OS https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/57ae3d62f63440f7952e57bfcef948d3.html

• Start the SAP Cloud Connector. Login with Administraotr / manage and connect it to your subaccount + Add Subaccount

  1. Region: <your-kyma-cluster-region>

     Specify the landscape domain, for example cf.sap.hana.ondemand.com You can find it by decoding the Secret for the Service Binding under connectivity_service {... url":"https://connectivity.cf.sap.hana.ondemand.com"}. Alternatively it can be found in the API Endpoint of Cloud Foundry Environment.

  2. Subaccount: <your-subaccount-ID>
  3. Subaccount User / Login E-Mail: Login credentials of the administrator that will establish the connection (has the right Role Collection assigned)

  4. Password: Password of the administrator

     Save and your connection will be established. To validate that go to your SAP BTP Cockpit and in your Subaccount go to Connectivity -> Cloud Connectors.

3. Deploy XSK and a Sample Docker Application

• We will test the connectivity with a sample docker application deployed locally and XSK deployed on the Kyma cluster
  1. To deploy XSK on your Kyma cluster follow the Setup instructions in https://www.xsk.io/ . Make sure to complete the prerequisites.
  2. The Docker application is built and deployed locally and can be found here https://github.com/dirigiblelabs/sample-docker-application (make sure to use the correct --platform flag when building the image)

4. Connecting your Cloud to the On-Premise system

• In the Cloud Connector in the Cloud To On-Premise section under your connection ID (subaccount-ID) add a new system mapping: Back-end Type: Non-SAP System Protocol: HTTP Internal Host: localhost Internal Port: 8080 Virtual Host: mycomputer Virtual Port: 8080 Principal Type: None Host In Request Header: Use Virtual Host

• Add a new resource accessible on mycomputer:8080 URL Path: / Active: checked Access Policy: Path and All Sub-Paths

5. Test the Cloud to On-Premise connection

• Go to your Kyma dashboard. In the namespace where you deployed XSK go to Discovery and Network -> API Rules and access your XSK WebIDE
• In your workspace create a new project and make a test.js file with the following function

  
  var httpClient = require("http/v4/client");
  var response = require("http/v4/response");

var httpResponse = httpClient.get("http://mycomputer:8080/services/v4/web/helloWorld/", { proxyHost: "connectivity-proxy.kyma-system", proxyPort: 20003 });

response.println(httpResponse.statusMessage); response.println(httpResponse.text); response.flush(); response.close();

- Save All, Publish all and Refresh.

This will make a request to the On-Premise application through the Virtual Host (mycomputer) via the `connectivity-proxy` in the `kyma-system` namespace. In the Preview tab we can see that the request is successful and we get the requested page from our docker application.

- Alternatively we can make a `curl` request from the XSK WebIDE's Terminal to the locally hosted application via the connectivity proxy  that returns the same HTML page.

dirigible@xsk-665f5d9f4f-2qxz7:~$ curl --proxy http://connectivity-proxy.kyma-system:20003 http://mycomputer:8080/services/v4/web/helloWorld/ <!DOCTYPE html>

Hello World!

dirigible@xsk-665f5d9f4f-2qxz7:~$

[rdimitrov4]

To add a new Cloud Connector administrator in an existing Kyma Cluster we must use: cluster-admin(CR) Role; app=kyma and type=admin Labels; Kind: User and the user's email for Subject; when creating the Cluster Role Binding