To create a real BTP Manager Secret, follow these steps:
- Create a ServiceBinding to obtain the access credentials to the ServiceInstance as described in the Setup: Obtain the access credentials for the SAP BTP service operator section in the SAP BTP service operator documentation.
- Copy and save the access credentials into your creds.json file in your working directory.
- In the same directory, run the following script to create the Secret:

  ```bash
  curl https://raw.githubusercontent.com/kyma-project/btp-manager/main/hack/create-secret-file.sh | bash -s
  ```

- Apply the Secret in your cluster.

  ```bash
  kubectl apply -f operator-secret.yaml
  ```

[!WARNING] The Secret already contains the required label: app.kubernetes.io/managed-by: kcp-kyma-environment-broker. Without this label, the Secret would not be visible to BTP Manager.
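
Because a Secret without this label is not visible to BTP Manager, the generated manifest can be checked before it is applied. The following is an added example, not part of the btp-manager repository: check_btp_secret is a hypothetical helper, the sample manifest is constructed, and the kyma-system default assumes the namespace this page names for BTP Manager Secrets.

```bash
#!/usr/bin/env bash
# Added example, not from the btp-manager repository. check_btp_secret is a
# hypothetical helper; it assumes one flat, 2-space-indented YAML document.
# Only kind and metadata are inspected; nothing under data: is printed.
check_btp_secret() {
  manifest=$1
  ns=${2:-kyma-system}   # assumption: namespace this page names for these Secrets
  awk -v ns="$ns" '
    /^[ \t]*(#.*)?$/ { next }                       # skip blank and comment lines
    /^[A-Za-z]/ { top = $1 }                        # remember current top-level key
    /^kind:[ \t]*Secret[ \t]*$/ { kind = 1 }
    top == "metadata:" && /^  namespace:/ {
      v = $2; gsub(/"/, "", v); if (v == ns) nsok = 1
    }
    top == "metadata:" && /^  labels:[ \t]*$/ { inlabels = 1; next }
    inlabels && /^    [^ ]/ {                       # entries directly under labels
      v = $2; gsub(/"/, "", v)
      if ($1 == "app.kubernetes.io/managed-by:" && v == "kcp-kyma-environment-broker")
        label = 1
      next
    }
    { inlabels = 0 }                                # any other line closes labels
    END {
      if (!kind)  { print "FAIL: kind is not Secret" > "/dev/stderr"; bad = 1 }
      if (!nsok)  { print ("FAIL: metadata.namespace is not " ns) > "/dev/stderr"; bad = 1 }
      if (!label) { print "FAIL: managed-by label not in metadata.labels" > "/dev/stderr"; bad = 1 }
      exit bad + 0
    }
  ' "$manifest"
}

# Constructed sample manifest: the name and data value are placeholders.
sample=$(mktemp)
cat > "$sample" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: example-secret-name
  namespace: kyma-system
  labels:
    app.kubernetes.io/managed-by: kcp-kyma-environment-broker
data:
  example_key: Y29uc3RydWN0ZWQ=
EOF

if check_btp_secret "$sample"; then
  echo "manifest OK: safe to kubectl apply"
fi
```

The check fails when the label sits under a key other than metadata.labels (for example annotations), which is the case the warning above describes.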
To check the BtpOperator custom resource (CR) status, run the following command:

```bash
kubectl get btpoperators btpoperator
```

The expected result is:

```
NAME          STATE
btpoperator   Ready
```

After successfully installing your Secret, you can create a ServiceInstance and a ServiceBinding.
Note
This section provides a real example with the real auditlog-api service. Use your real Secret to successfully complete the procedure.
- To create a ServiceInstance, run the following script:

  ```bash
  kubectl create -f - <<EOF
  apiVersion: services.cloud.sap.com/v1alpha1
  kind: ServiceInstance
  metadata:
    name: btp-audit-log-instance
    namespace: default
  spec:
    serviceOfferingName: auditlog-api
    servicePlanName: default
    externalName: btp-audit-log-instance
  EOF
  ```

  [!TIP] You can find values for the serviceOfferingName and servicePlanName parameters in the Service Marketplace of the SAP BTP cockpit. Click on the service's tile and find name and Plan respectively. The value of the externalName parameter must be unique.

- To check the output, run:

  ```bash
  kubectl get serviceinstances.services.cloud.sap.com btp-audit-log-instance -o yaml
  ```

  You see the status created and the message ServiceInstance provisioned successfully.

- To create a ServiceBinding, run this script:

  ```bash
  kubectl create -f - <<EOF
  apiVersion: services.cloud.sap.com/v1alpha1
  kind: ServiceBinding
  metadata:
    name: btp-audit-log-binding
    namespace: default
  spec:
    serviceInstanceName: btp-audit-log-instance
    externalName: btp-audit-log-binding
    secretName: btp-audit-log-binding
  EOF
  ```

- To check the output, run:

  ```bash
  kubectl get servicebindings.services.cloud.sap.com btp-audit-log-binding -o yaml
  ```

  You see the status created and the message ServiceBinding provisioned successfully.

- Now use a given service in your Kyma cluster. To see credentials, run:

  ```bash
  kubectl get secret btp-audit-log-binding -o yaml
  ```

- Clean up your resources by running the following command:

  ```bash
  kubectl delete servicebindings.services.cloud.sap.com btp-audit-log-binding
  kubectl delete serviceinstances.services.cloud.sap.com btp-audit-log-instance
  ```

To create a ServiceInstance, you must use the btpAccessCredentialsSecret field in the spec of the ServiceInstance. In it, you pass the Secret from the kyma-system namespace. The Secret is used to create your ServiceInstance. You can use different Secrets for different ServiceInstances.
Warning
Once you set a Secret name in the ServiceInstance, you cannot change it in the future.
Adding the access credentials of the SAP BTP Service Manager Instance in your ServiceInstance results in displaying the subaccount ID to which the instance belongs in the status subaccountID field.
To create a ServiceInstance with a custom Secret, follow these steps:
- Get the access credentials of the SAP BTP Service Manager Instance with the service-operator-access plan from its ServiceBinding. Copy them from the BTP cockpit as a JSON.
- Create the creds.json file in your working directory and save the credentials there.
- In the same working directory, generate a Secret by calling the create-secret-file.sh script with the operator option as the first parameter and your-secret-name as the second parameter.

  ```bash
  curl https://raw.githubusercontent.com/kyma-project/btp-manager/main/hack/create-secret-file.sh | bash -s operator 'test-secret'
  kubectl apply -f btp-access-credentials-secret.yaml
  ```

- When you have the Secret, create your ServiceInstance with the btpAccessCredentialsSecret field in spec pointing to the newly created test-secret Secret and with other parameters as needed.

  Here is an example of a ServiceInstance which you can apply:

  ```yaml
  apiVersion: services.cloud.sap.com/v1
  kind: ServiceInstance
  metadata:
    name: test-service-instance
    namespace: default
  spec:
    serviceOfferingName: xsuaa
    servicePlanName: application
    btpAccessCredentialsSecret: test-secret
  ```

- To verify that the ServiceInstance has been created successfully, run:

  ```bash
  kubectl get serviceinstances.services.cloud.sap.com test-service-instance -o yaml
  ```

  You see the status created and the message ServiceInstance provisioned successfully. You also see the test-secret value in the btpAccessCredentialsSecret spec field. In the status section, the subaccountId field must not be empty.

- Clean up your resources by running the following command:

  ```bash
  kubectl delete serviceinstances.services.cloud.sap.com test-service-instance
  ```

  If you are not using the test-secret Secret for other ServiceInstances, you can delete it with this command:

  ```bash
  kubectl delete secret test-secret -n kyma-system
  ```