Application Connector - Docs | Kyma - An easy way to extend enterprise applications on Kubernetes.

Overview

The Application Connector (AC) is a proprietary Kyma implementation that allows you to connect with external solutions. No matter if you want to integrate an on-premise or a cloud system, the integration process doesn't change, which allows to avoid any configuration or network-related problems.

The external solution you connect to Kyma using the AC is represented as an Application (App). There is always a one-to-one relationship between a connected solution and an App, which helps to ensure the highest level of security and separation. This means that you must create five separate Apps in your cluster to connect five different external solutions and use their APIs and Event catalogs in Kyma.

The AC gives you this functionality:

Manages the lifecycle of Apps.
Establishes a secure connection and generates the client certificate used by the connected external solution.
Registers the APIs and the Event catalogs of the connected external solution.
Delivers the Events from the connected external solution to the Kyma Event Bus.
Proxies calls sent from Kyma to external APIs registered by the connected external solution.
Allows to map an App to a Kyma Namespace and use its registered APIs and Event catalogs in the context of that Namespace.
Integrates the registered APIs and Event catalogs with the Kyma Service Catalog.

All of the AC components scale independently, which allows to adjust it to fit the needs of the implementation built using Kyma.

NOTE: To learn more about the concept of Namespaces in Kyma, read this document.

Supported APIs

The Application Connector allows you to register secured REST APIs exposed by the connected external solution. The Application Connector supports a variety of authentication methods to ensure smooth integration with a wide range of APIs.

You can register an API secured with one of the following authentication methods:

Basic Authentication
OAuth
Client Certificates

NOTE: You can register non-secured APIs for testing purposes, however, it is not recommended in the production environment.

In addition to authentication methods, the Application Connector supports Cross-Site Request Forgery Tokens.

You can register any API that adheres to the REST principles and is available over the HTTP protocol. The Application Connector also allows you to register APIs implemented with the OData technology.

You can provide specifications that document your APIs. The Application Connector supports OpenAPI and OData specification formats.

Application Connector components

Architecture Diagram

Nginx Ingress Controller

The Nginx Ingress Controller exposes the Application Connector by assigning a public IP address and a DNS name to it. The DNS name of the Ingress is cluster-dependant and follows the gateway.{cluster-dns} format, for example gateway.servicemanager.cluster.kyma.cx. You can access every exposed Application (App) through its gateway by using the assigned path. For example, to reach the gateway for the user-custom App, use this URL: gateway.servicemanager.cluster.kyma.cx/user-custom. The Nginx Ingress Controller secures the endpoint with certificate validation. Each call must include a valid client certificate which is App-specific.

Connector Service

The Connector Service:

Handles the exchange of client certificates for a given App.
Provides the Application Registry and Event Service endpoints.
Signs client certificates using the server-side certificate stored in a Kubernetes Secret.

Application Registry

The Application Registry saves and reads the APIs and Event Catalog metadata of the connected external solution in the Application custom resource. The system creates a new Kubernetes service for each registered API.

NOTE: Using the Application Registry, you can register an API along with its OAuth or Basic Authentication credentials. The credentials are stored in a Kubernetes Secret.

Event Service

The Event Service sends Events to the Kyma Event Bus and enriches the Events with metadata that indicates the source of the Event. This allows routing the Events to lambda functions and services based on their source App.

Application

An App represents an external solution connected to Kyma. It handles the integration with other components, such as the Service Catalog or the Event Bus. Using the components of the Application Connector, the App creates a coherent identity for a connected external solution and ensures its separation. All Apps are created through the Application custom resource, which also stores all of the relevant metadata. You can map an App to many Kyma Namespaces and use the APIs and the Event Catalogs of the connected external solution within their context.

Application Broker

The Application Broker (AB) watches all Application custom resources. These custom resources contain definitions of the external solutions’ APIs and Events. The AB exposes those APIs and Events definitions as ServiceClasses to the Service Catalog. When the list of remote ServiceClasses is available in the Service Catalog, you can create an ApplicationMapping, provision those ServiceClasses, and enable them for Kyma services. This allows you to extend the functionality of existing systems.

The AB implements the Open Service Broker API. For more details about Service Brokers, see this documentation.

Application Operator

The operator listens for creating or deleting the Application custom resources and acts accordingly, either provisioning or de-provisioning an instance of Application Gateway and Event Service for every custom resource.

NOTE: Every Application custom resource corresponds to a single App to which you can connect an external solution.

Application Gateway

The Application Gateway is an intermediary component between a lambda function or a service and an external API registered with the Application Registry. It can call services secured with:

Basic Authentication mechanism,
OAuth
Client certificates

Additionally, the Application Gateway supports cross-site request forgery (CSRF) tokens as an optional layer of API protection.

Access Service

The Access Service exposes the Application Gateway and manages the access from the Lambda functions and services deployed in Kyma to the external APIs over the Application Gateway.

Asset Store

The Asset Store stores the documentation of the connected external solution's registered APIs and Event catalogs.

Kubernetes Secret

The Kubernetes Secret is a Kubernetes object which stores sensitive data, such as the OAuth credentials.

Connector Service

The Connector Service generates client certificates which are used to secure the communication between Kyma and the connected external solutions.

Generating a new client certificate is the first step in the process of configuring an Application (App). Kyma stores the root certificate and serves as the Certificate Authority when you configure a new App. When you generate a new client certificate, the Connector Service returns it along with the root certificate to allow validation.

This diagram illustrates the client certificate generation flow in details:

The administrator requests for a token using the CLI or the UI and receives a link with the token, which is valid for a limited period of time.
The administrator passes the token to the external system, which requests for information regarding the Kyma installation. In the response, it receives the following information:
- the URL to which a third-party solution sends its Certificate Signing Request (CSR)
- the URL of the metadata endpoint
- information required to generate a CSR
The external system generates a CSR based on the information provided by Kyma and sends the CSR to the designated URL. In the response, the external system receives a signed certificate. It can use the certificate to authenticate and safely communicate with Kyma.
The external system calls the metadata endpoint that contains the following information:
- the URL of the Application Registry API
- the URL of the Event Service API
- the certificate renewal URL used to rotate certificates
- the certificate revocation URL used to revoke compromised certificates
- information uniquely identifying certificate, such as the Application name
- information required to generate a CSR

NOTE: The external application should not hardcode any URLs. The information returned from the metadata endpoint should be stored by the external application along with the certificate. This approach implicates less coupling and offers a great deal of flexibility.

NOTE: The external application can call the metadata endpoint to fetch information required to generate a CSR prior to certificate renewal. This approach makes certificate rotation process convenient and flexible, since the external application does not need to store information required to generate a CSR in its data model.

NOTE: Follow this tutorial to learn how to get a client certificate for your implementation.

Application Gateway

The Application Gateway sends the requests from Lambda functions and services in Kyma to external APIs registered with the Application Registry. The Application Gateway works in conjunction with the Access Service, which exposes the Application Gateway.

NOTE: The system creates an Access Service for every external API registered by the Application Registry.

The following diagram illustrates how the Application Gateway interacts with other components and external APIs which are either unsecured or secured with various security mechanisms and protected against cross-site request forgery (CSRF) attacks.

Application Gateway Diagram

A lambda function calls the Access Service. The name of every Access Service follows this format: app-{application-name}-{service-id}
The Access Service exposes the Application Gateway.
The Application Gateway extracts the Application name and the service ID from the name of the Access Service name. Using the extracted Application name, the Application Gateway finds the respective Application custom resource and obtains the information about the registered external API, such as the API URL and security credentials.
The Application Gateway gets a token from the OAuth server.
The Application Gateway gets a CSRF token from the endpoint exposed by the upstream service. This step is optional and is valid only for the API which was registered with a CSRF token turned on.
The Application Gateway calls the target API.

Caching

To ensure optimal performance, the Application Gateway caches the OAuth tokens and CSRF tokens it obtains. If the service doesn't find valid tokens for the call it makes, it gets new tokens from the OAuth server and the CSRF token endpoint. Additionally, the service caches ReverseProxy objects used to proxy the requests to the underlying URL.

Handling of headers

The Application Gateway removes the following headers while making calls to the registered applications:

X-Forwarded-Proto
X-Forwarded-For
X-Forwarded-Host
X-Forwarded-Client-Cert

In addition, the User-Agent header is set to an empty value not specified in the call, which prevents from setting the default value.

Application Broker

The Application Broker (AB) workflow consists of the following steps:

The Application Broker watches for Applications (Apps) in the cluster and ApplicationMappings (AMs) in all Namespaces.
The user creates an ApplicationMapping custom resource in a given Namespace. The AM activates services offered by an App. The AM must have the same name as the App.
The Application Broker creates an application-broker Service Broker (SB) inside the Namespace in which the AM is created. This Service Broker contains data of all services provided by the activated Applications. There is always only one application-broker Service Broker per Namespace, even if there are more AMs.
The Service Catalog fetches services that the application-broker Service Broker exposes.
The Service Catalog creates a ServiceClass for each service received from the Service Broker.

AB architecture

When this process is complete, you can provision and bind your services.

Provisioning and binding for an API ServiceClass

This ServiceClass has a bindable flag set to true which means that you have to provision a ServiceInstance and bind it to the service or lambda to connect to the given API. The provisioning and binding workflow for an API ServiceClass consists of the following steps: 1. Select an API ServiceClass from the Service Catalog. 2. Provision this ServiceClass by creating its ServiceInstance in a Namespace. 3. Bind your ServiceInstance to the service or lambda. During the binding process, ServiceBinding and ServiceBindingUsage resources are created. ServiceBinding contains a Secret with a GatewayURL required to connect to the given API. ServiceBindingUsage injects the Secret, together with the label given during the registration process, to the lambda or service. 4. The service or lambda calls the API through the Application Connector. The Application Connector verifies the label to check if you have the authorization to access this API. 5. After verifying the label, the Application Connector allows you to access the Application API.

API Service Class

Provisioning and binding for an Event ServiceClass

This ServiceClass has a bindable flag set to false which means that after provisioning a ServiceClass in the Namespace, given Events are ready to use for all services. The provisioning workflow for an Event ServiceClass consists of the following steps: 1. Select a given Event ServiceClass from the Service Catalog. 2. Provision this ServiceClass by creating a ServiceInstance in the given Namespace. 3. During the provisioning process, the EventActivation resource is created together with the ServiceInstance. EventActivation allows you to create an Event Bus Subscription. 4. A Subscription is a custom resource by which an Event Bus triggers the lambda for a particular type of Event in this step. 5. The Application sends an Event to the Application Connector. 6. The Application Connector sends an Event to the lambda through the Event Bus.

Event Service Class

Provisioning and binding for both the API and Event ServiceClass

This ServiceClass has a bindable flag set to true. The provisioning and binding workflow for both the API and Event ServiceClass is a combination of steps described for an API ServiceClass and an Event ServiceClass.

Security

Client certificates

To provide maximum security, the Application Connector uses TLS protocol with Client Authentication enabled. As a result, whoever wants to connect to the Application Connector must present a valid client certificate, which is dedicated to a specific Application (App). In this way, the traffic is fully encrypted and the client has a valid identity.

Disable SSL certificate verification

You can disable the SSL certificate verification in the communication between Kyma and an App to allow Kyma to send requests and data to an unsecured App. Disabling the certificate verification can be useful in certain testing scenarios.

NOTE: By default, the SSL certificate verification is enabled when sending data and requests to every App.

Follow these steps to disable SSL certificate verification for communication between Kyma and an existing App:

Edit the {APPLICATION}-application-gateway Deployment in the kyma-integration Namespace. Run:
Click to copy
```
kubectl -n kyma-integration edit deployment {APPLICATION}-application-gateway
```
Edit the Deployment in Vim. Select i to start editing.
Find the skipVerify parameter and change its value to true.
Select esc, type :wq, and select enter to write and quit.

Override the API security type

The Application Registry allows you to register APIs:

Secured with Basic Authentication
Secured with OAuth flow
Secured with client certificates
Not secured
Protected against cross-site request forgery (CSRF) attacks

The Application Gateway calls the registered APIs accordingly, basing on the security type specified in the API registration process.

The Application Gateway overrides the registered APIs security type if it gets a request which contains the Access-Token header. In such a case, the Application Gateway rewrites the token from the Access-Token header into an OAuth-compliant Authorization header and forwards it to the target API.

This mechanism is suited for implementations in which an external application handles user authentication.

Access the Application Connector on a local Kyma deployment

To access the Application Connector on a local deployment of Kyma, you must add the Kyma server certificate to the trusted certificate storage of your programming environment. This is necessary to connect the external solution to your local Kyma deployment, allow client certificate exchange, and API registration.

For example, to access the Application Connector from a Java environment, run this command to add the Kyma server certificate to the Java Keystore:

Click to copy

sudo {JAVA_HOME}/bin/keytool -import -alias “Kyma” -keystore {JAVA_HOME}/jre/lib/security/cacerts -file {KYMA_HOME}/installation/certs/workspace/raw/server.crt

Consume applications through the Service Catalog

To consume an external solution connected to Kyma, you must register it as an Application (App). As a result of registering the external solution, ClusterServiceClasses are created in the Service Catalog.

External solution's services in the Service Catalog

The Example API is registered in Kyma with the targetUrl pointing to https://www.orders.com/v1/orders. The ID assigned to the API in the registration process is 01a702b8-e302-4e62-b678-8d361b627e49.

The Application Broker, which provides ServiceClasses to the Service Catalog, follows this naming convention for its objects:

Click to copy

app-{application-name}-{service-id}

The {service-id} is the service identifier assigned in the process of registration. The {application} is the name of the App created in Kyma. It represents an instance of the connected external solution that owns the registered service. Such identifier used by the Application Broker is referred to as the name of a ClusterServiceClass in the Service Catalog.

This an example of a full ClusterServiceClass name:

Click to copy

re-ec-default-01a702b8-e302-4e62-b678-8d361b627e49

Service consumption

After you provision the Example API in the Namespace of your choice using the Service Catalog, you can bind it to your application and consume it by calling the URL you get as a result of a successful binding.

This is a sample URL for the Example API:

Click to copy

re-ec-default-01a702b8-e302-4e62-b678-8d361b627e49.kyma-integration/orders

When you call this URL, the Application Gateway passes all requests to the https://www.orders.com/v1/orders address, which is the targetUrl registered for the Example API. You do not have to get an OAuth token and manually include it in the call as the Application Gateway does it for you automatically.

Application Registry

The Application Registry allows you to register the APIs and Event catalogs of the services exposed by the connected external solution.

The Application Registry stores the data of all registered services in:

Application custom resource (CR), which stores the metadata of the service.
Docs Topic Custom Resource (CR), which stores the links to API specification, Event catalog, and documentation.
Upload Service, which stores the files containing API specification, Event catalog, and documentation in an Asset Store bucket.
Kubernetes secrets, which stores sensitive data, such as OAuth credentials.

Kubernetes APIs interaction

The Application Registry interacts with Kubernetes APIs to perform these tasks:

Modify the Application CR instance.
Create Secrets which contain client ID and client secret used to access OAuth-secured APIs.
Create the Access Service.

Pass an access token in a request header

The Application Connector supports passing the access token directly in the request.

Passing the access token

If the user is already authenticated to the target API, the access token can be passed in a custom Access-token header. The value of the header is of the Bearer {token} or Basic {token} form. If the Application Connector detects that the custom header is present, instead of performing authentication steps, it removes the Access-token header, and passes the received value in the Authorization header.

Payload size limits for registering APIs

The Application Connector allows you to adjust the payload size limit for registering API definitions. You can tune the limit individually for every Application in your Kyma cluster.

The nginx.ingress.kubernetes.io/proxy-body-size annotation defines the maximum payload size. By default, every Application you create comes with the payload size limit set to 5 MB. You can adjust it to fit the needs of your implementation.

To change the maximum payload size for an API definition, edit the configuration of the Ingress of the Application for which you want to tune the limit. Run this command to edit the Ingress configuration:

Click to copy

kubectl -n kyma-integration edit ingress {APPLICATION_NAME}-application

API registration in the Application Registry

The Application Registry supports the following formats of the API specification:

OpenAPI 2.0
OData XML 2.0, 3.0 and 4.0

You can pass the API specification in two ways:

JSON format
SpecificationUrl

NOTE: Specification passed directly as a JSON has a higher priority than SpecificationUrl. If you use these two methods at once, SpecificationUrl is ignored.

For the OpenAPI format, both methods are supported. You can register OData APIs only with SpecificationUrl.

Application

The applications.applicationconnector.kyma-project.io CustomResourceDefinition (CRD) is a detailed description of the kind of data and the format used to register an Application (App) in Kyma. The Application custom resource defines the APIs that the App offers. After creating a new custom resource for a given App, the App is mapped to appropriate ServiceClasses in the Service Catalog. To get the up-to-date CRD and show the output in the yaml format, run this command:

Click to copy

kubectl get crd applications.applicationconnector.kyma-project.io -o yaml

Sample custom resource

This is a sample resource that registers the system-prod App which offers one service.

NOTE: The name of the App must consist of lower case alphanumeric characters, - or ., and start and end with an alphanumeric character.

Click to copy

apiVersion: applicationconnector.kyma-project.io/v1alpha1
kind: Application
metadata:
  name: system-prod
spec:
  description: This is the system-production Application.
  labels:
    region: us
    kind: production

Custom resource parameters

This table lists all the possible parameters of a given resource together with their descriptions:

Parameter	Mandatory	Description
metadata.name	YES	Specifies the name of the CR.
spec.description	NO	Describes the connected Application.
spec.accessLabel	NO	Labels the App when an ApplicationMapping is created.
spec.labels	NO	Defines the labels of the App.
spec.services	NO	Contains all services that the Application provides.
spec.services.id	YES	Identifies the service that the Application provides.
spec.services.identifier	NO	Provides an additional identifier of the ServiceClass.
spec.services.name	NO	Represents a unique name of the service used by the Service Catalog.
spec.services.displayName	YES	Specifies a human-readable name of the Application service. Parameter provided by the Application Registry, do not edit.
spec.services.description	NO	Provides a short, human-readable description of the service offered by the App. Parameter provided by the Application Registry, do not edit.
spec.services.longDescription	NO	Provides a longer, human-readable description of the service offered by the App. Parameter provided by the Application Registry, do not edit.
spec.services.providerDisplayName	YES	Specifies a human-readable name of the Application service provider. Parameter provided by the Application Registry, do not edit.
spec.services.tags	NO	Specifies additional tags used for better documentation of the available APIs. Parameter provided by the Application Registry, do not edit.
spec.services.labels	NO	Specifies additional labels for the service offered by the App. Parameter provided by the Application Registry, do not edit.
spec.services.entries	YES	Contains the information about the APIs and Events that the service offered by the App provides. Parameter provided by the Application Registry, do not edit.
spec.services.entries.type	YES	Specifies the entry type: API or Event. Parameter provided by the Application Registry, do not edit.
spec.services.entries.gatewayUrl	NO	Specifies the URL of the Application Connector. This field is required for the API entry type. Parameter provided by the Application Registry, do not edit.
spec.services.entries.accessLabel	NO	Specifies the label used in Istio rules in the Application Connector. This field is required for the API entry type.
spec.services.entries.targetUrl	NO	Specifies the URL of a given API. This field is required for the API entry type. Parameter provided by the Application Registry, do not edit.
spec.services.entries.oauthUrl	NO	Specifies the URL used to authorize with a given API. This field is required for the API entry type. Parameter provided by the Application Registry, do not edit.
spec.services.entries.credentialsSecretName	NO	Specifies the name of the Secret which allows you to call a given API. This field is required if spec.services.entries.oauthUrl is specified. Parameter provided by the Application Registry, do not edit.

These components use this CR:

Component	Description
Application Registry	Reads and saves the APIs and Event Catalog metadata of the connected external solution in this CR.
Application Broker	Exposes the APIs and Event definitions stored in this CR as ServiceClasses to the Service Catalog.
Application Operator	Provisions and de-provisions an instance of Application Gateway and Event Service for every created or deleted Application CR.

Additional information

The Application Operator adds the status section which describes the status of the App installation to the created CR periodically. This table lists the fields of the status section.

Field	Description
status.installationStatus	Describes the status of the App installation.
status.installationStatus.description	Provides a longer description of the installation status.
status.installationStatus.status	Provides a short, human-readable description of the installation status.

ApplicationMapping

The applicationmappings.application.kyma-project.io CustomResourceDefinition (CRD) is a detailed description of the kind of data and the format used to enable APIs and Events from an Application (App) as a ServiceClass in a given Namespace. To get the up-to-date CRD and show the output in the yaml format, run this command:

Click to copy

kubectl get crd applicationmappings.applicationconnector.kyma-project.io -o yaml

Sample custom resource

This is a sample ApplicationMapping resource which enables the test Application in the production Namespace:

Click to copy

apiVersion: applicationconnector.kyma-project.io/v1alpha1
kind: ApplicationMapping
metadata:
  name: test
  namespace: production

Custom resource parameters

This table lists all the possible parameters of a given resource together with their descriptions:

Parameter	Mandatory	Description
metadata.name	YES	Specifies the name of the CR and the App.
metadata.namespace	YES	Specifies the Namespace in which the App is enabled.

These components use this CR:

Component	Description
Application Broker	Uses this CR to enable the provisioning of ServiceClasses in a given Namespace.
Console Backend Service	Uses this CR to filter the enabled Apps. It also allows you to create or delete ApplicationMappings.

EventActivation

The eventactivations.applicationconnector.kyma-project.io CustomResourceDefinition (CRD) is a detailed description of the kind of data and the format used to create an Event Bus Subscription and to get an Event schema. To get the up-to-date CRD and show the output in the yaml format, run this command:

Click to copy

kubectl get crd eventactivations.applicationconnector.kyma-project.io -o yaml

Sample custom resource

This is a sample resource that allows you to consume Events sent from the service with the ac031e8c-9aa4-4cb7-8999-0d358726ffaa ID in a production Namespace.

Click to copy

apiVersion: applicationconnector.kyma-project.io/v1alpha1
kind: EventActivation
metadata:
  name: "ac031e8c-9aa4-4cb7-8999-0d358726ffaa"
  namespace: production
spec:
  displayName: "Orders"
  sourceId: "prod"

Custom resource parameters

This table lists all the possible parameters of a given resource together with their descriptions:

Parameter	Mandatory	Description
metadata.name	YES	Specifies the name of the CR and the ID of the Application service. This field is also used to fetch Event schemas from the Minio storage.
metadata.namespace	YES	Specifies the Namespace in which the CR is created.
spec.displayName	YES	Specifies a human-readable name of the Application service.
spec.sourceId	YES	Used to construct a Publish-Subscribe (Pub/Sub) topic name where the Events are send and from where the Events are consumed.

These are the resources related to this CR:

Custom resource	Description
Application	Describes a service from which the user receives Events.
Subscription	Contains information on how to create an infrastructure for consuming Events. Works only if the EventActivation is enabled.

These components use this CR:

Component	Description
Application Broker	Uses this CR to enable the user to receive Events from a given service.
Event Bus	Uses this CR to control the consumption of an Event.
Serverless	Lambda UI sends a GraphQL query to Console Backend Service to list EventActivations.
Console Backend Service	Exposes the given CR to the Console UI.

TokenRequest

The tokenrequests.applicationconnector.kyma-project.io CustomResourceDefinition (CRD) is a detailed description of the kind of data and the format used to request token for Application (App) configuration URL from the Connector Service. To get the up-to-date CRD and show the output in the yaml format, run this command:

Click to copy

kubectl get crd tokenrequests.applicationconnector.kyma-project.io -o yaml

Sample custom resource

This is a sample custom resource (CR) which allows to get the configuration required to connect an external solution to the test App.

Click to copy

apiVersion: applicationconnector.kyma-project.io/v1alpha1
kind: TokenRequest
metadata:
  name: test-app
context:
  tenant: test-tenant
  group: test-group

Custom resource parameters

This table lists all the possible parameters of a given resource together with their descriptions:

Parameter	Mandatory	Description
metadata.name	YES	Specifies the name of the CR and the App to request token for.
context.tenant	NO	Specifies the name of the Tenant.
context.group	NO	Specifies the name of the Group.

Additional information

When you fetch an existing TokenRequest CR, the system adds the status section which describes the status of the request and lists the configuration details. This table lists the fields of the status section.

Field	Description
status.expireAfter	Date and time after wich the token will expire and the controller will delete the CR.
status.application	The name of the App for which the token was issued.
status.state	Status of the token request. This field can have one of two values: `OK` or `ERR`.
status.token	The token generated by the Connector Service.
status.url	The URL to the Connector Service info endpoint with the token.

Create a new Application

The Application Operator listens for the creation of Application custom resources. It provisions and de-provisions the necessary deployments for every created Application (App).

NOTE: An App represents a single connected external solution.

To create a new App, run this command:

Click to copy

cat <<EOF | kubectl apply -f -
apiVersion: applicationconnector.kyma-project.io/v1alpha1
kind: Application
metadata:
  name: {APP_NAME}
spec:
  description: {APP_DESCRIPTION}
  labels:
    region: us
    kind: production
EOF

Check the App status

To check the status of the created App and show the output in the yaml format, run this command:

Click to copy

kubectl get app {APP_NAME} -o yaml

A successful response returns the Application custom resource with the specified name. The custom resource has the status section added. This is an example response:

Click to copy

apiVersion: applicationconnector.kyma-project.io/v1alpha1
kind: Application
metadata:
  clusterName: ""
  creationTimestamp: 2018-11-22T13:53:20Z
  generation: 1
  name: test1
  namespace: ""
  resourceVersion: "30728"
  selfLink: /apis/applicationconnector.kyma-project.io/v1alpha1/applications/test1
  uid: f8ca5595-ee5d-11e8-acb2-000d3a443243
spec:
  accessLabel: {APP_NAME}
  description: {APP_DESCRIPTION}
  labels: {}
  services: []
status:
  installationStatus:
    description: Installation complete
    status: DEPLOYED

Get the client certificate

After you create an Application (App), connect it to an external solution to consume the solution's APIs and Event catalogs in Kyma. To accomplish this, get the client certificate for the external solution and register its services.

This guide shows you how to get the client certificate.

NOTE: The client certificate is valid for 92 days. See this tutorial to learn how to renew the client certificate. You can also revoke the client certificate, which prevents it from being renewed. See this tutorial to learn how to do this.

Prerequisites

OpenSSL toolkit to create a Certificate Signing Request (CSR), keys, and certificates which fulfil high security standards

Get the configuration URL with a token

To get the configuration URL which allows you to fetch the required configuration details, create a TokenRequest custom resource (CR). The controller which handles this CR kind adds the status section to the created CR. The status section contains the required configuration details.

Create a TokenRequest CR. The CR name must match the name of the App for which you want to get the configuration details. Run:

Click to copy

cat <<EOF | kubectl apply -f -
apiVersion: applicationconnector.kyma-project.io/v1alpha1
kind: TokenRequest
metadata:
  name: {APP_NAME}
EOF

Fetch the TokenRequest CR you created to get the configuration details from the status section. Run:
Click to copy
```
kubectl get tokenrequest.applicationconnector.kyma-project.io {APP_NAME} -o yaml
```
NOTE: If the response doesn't contain the status section, wait for a few moments and fetch the CR again.

A successful call returns the following response:

Click to copy

apiVersion: applicationconnector.kyma-project.io/v1alpha1
kind: TokenRequest
metadata:
  name: {APP_NAME}
status:
  expireAfter: 2018-11-22T18:38:44Z
  application: {APP_NAME}
  state: OK
  token: h31IwJiLNjnbqIwTPnzLuNmFYsCZeUtVbUvYL2hVNh6kOqFlW9zkHnzxYFCpCExBZ_voGzUo6IVS_ExlZd4muQ==
  url: https://connector-service.kyma.local/v1/applications/signingRequests/info?token=h31IwJiLNjnbqIwTPnzLuNmFYsCZeUtVbUvYL2hVNh6kOqFlW9zkHnzxYFCpCExBZ_voGzUo6IVS_ExlZd4muQ==

Get the CSR information and configuration details from Kyma

Use the link you got in the previous step to fetch the CSR information and configuration details required to connect your external solution. Run:

Click to copy

curl {CONFIGURATION_URL_WITH_TOKEN}

NOTE: The URL you call in this step contains a token that is valid for 5 minutes or for a single call. You get a code 403 error if you call the same configuration URL more than once, or if you call an URL with an expired token.

A successful call returns the following response:

Click to copy

{
    "csrUrl": "{CSR_SIGNING_URL_WITH_TOKEN}",
    "api":{
        "metadataUrl":      "https://gateway.{CLUSTER_DOMAIN}/{APP_NAME}/v1/metadata/services",
        "eventsUrl":        "https://gateway.{CLUSTER_DOMAIN}/{APP_NAME}/v1/events",
        "infoUrl":          "https://gateway.{CLUSTER_DOMAIN}/v1/applications/management/info",
        "certificatesUrl":  "https://connector-service.{CLUSTER_DOMAIN}/v1/applications/certificates",
    },
    "certificate":{
        "subject":"OU=Test,O=TestOrg,L=Waldorf,ST=Waldorf,C=DE,CN={APP_NAME}",
        "extensions": "",
        "key-algorithm": "rsa2048",
    }
}

NOTE: The response contains URLs to the Application Registry API and the Events Service API, however, it is not recommended to use them. You should call the metadata endpoint URL, which is provided in api.infoUrl property, to fetch correct URLs to the Application Registry API and to the Events Service API, and other configuration details.

Generate a CSR and send it to Kyma

Generate a CSR using the certificate subject data obtained in the previous step:

Click to copy

openssl genrsa -out generated.key 2048
openssl req -new -sha256 -out generated.csr -key generated.key -subj "/OU=Test/O=TestOrg/L=Waldorf/ST=Waldorf/C=DE/CN={APP_NAME}"
openssl base64 -in generated.csr

Send the encoded CSR to Kyma. Run:

Click to copy

curl -H "Content-Type: application/json" -d '{"csr":"BASE64_ENCODED_CSR_HERE"}' {CSR_SIGNING_URL_WITH_TOKEN}

The response contains a valid client certificate signed by the Kyma Certificate Authority.

Click to copy

{
    "crt":"BASE64_ENCODED_CRT_CHAIN",
    "clientCrt":"BASE64_ENCODED_CLIENT_CRT",
    "caCrt":"BASE64_ENCODED_CA_CRT"
}

After you receive the certificate, decode it and use it in your application.

Call the metadata endpoint

Call the metadata endpoint with the generated certificate to get URLs to the following:

the Application Registry API
the Events Service API
the certificate renewal endpoint
the certificate revocation endpoint

The URL to the metadata endpoint is returned in the response body from the configuration URL. Use the value of the api.infoUrl property to get the URL. Run:

Click to copy

curl {CLUSTER_DOMAIN}/v1/applications/management/info --cert {CERT_FILE_NAME}.crt --key {KEY_FILE_NAME}.key

A successful call returns the following response:

Click to copy

{
  "clientIdentity": {
    "application": "{APP_NAME}"
  },
  "urls": {
    "metadataUrl": "https://gateway.{CLUSTER_DOMAIN}/{APP_NAME}/v1/metadata/services",
    "eventsUrl": "https://gateway.{CLUSTER_DOMAIN}/{APP_NAME}/v1/events",
    "renewCertUrl": "https://gateway.{CLUSTER_DOMAIN}/v1/applications/certificates/renewals",
    "revokeCertUrl": "https://gateway.{CLUSTER_DOMAIN}/v1/applications/certificates/revocations"
  },
  "certificate": {
    "subject": "OU=Test,O=Test,L=Blacksburg,ST=Virginia,C=US,CN={APP_NAME}",
    "extensions": "string",
    "key-algorithm": "rsa2048"
  }
}

Use urls.metadataUrl and urls.eventsUrl to get the URLs to the Application Registry API and to the Events API.

Call the Application Registry and Event services on local deployment

When you connect an external solution to a local Kyma deployment, you must pass the NodePort of the application-connector-ingress-nginx-ingress-controller to successfully call the Application Registry and the Event Service.

To get the NodePort, run:

Click to copy

kubectl -n kyma-system get svc application-connector-ingress-nginx-ingress-controller -o 'jsonpath={.spec.ports[?(@.port==443)].nodePort}'

When you send requests to the Application Registry and the Event Service, pass the NodePort along with the generated certificate and key. For example:

Click to copy

curl https://gateway.kyma.local:{NODE_PORT}/{APP_NAME}/v1/metadata/services --cert {CERT_FILE_NAME}.crt --key {KEY_FILE_NAME}.key -k

Click to copy

curl https://gateway.kyma.local:{NODE_PORT}/{APP_NAME}/v1/events --cert {CERT_FILE_NAME}.crt --key {KEY_FILE_NAME}.key -k

Register a service

This guide shows you how to register a service of your external solution in Kyma.

Prerequisites

Valid certificate signed by the Kyma Certificate Authority.

Register a service

To register a service with a Basic Authentication-secured API, follow this template to prepare the request body:

NOTE: Follow this tutorial to learn how to register APIs secured with different security schemes or protected against cross-site request forgery (CSRF) attacks.

Click to copy

{
  "provider": "example-provider",
  "name": "example-name",
  "description": "This is the long description of your service",
  "shortDescription": "Short description",
  "labels": {
    "example": "true"
  },
  "api": {
    "targetUrl": "https://httpbin.org/",
    "spec": {},
    "credentials": {
      "basic": {
        "username": "{USERNAME}",
        "password": "{PASSWORD}"
      }
    }
  },
  "events": {
    "spec": {
      "asyncapi": "1.0.0",
      "info": {
        "title": "PetStore Events",
        "version": "1.0.0",
        "description": "Description of all the events"
      },
      "baseTopic": "stage.com.some.company.system",
      "topics": {
        "petCreated.v1": {
          "subscribe": {
            "summary": "Event containing information about new pet added to the Pet Store.",
            "payload": {
              "type": "object",
              "properties": {
                "pet": {
                  "type": "object",
                  "required": [
                    "id",
                    "name"
                  ],
                  "example": {
                    "id": "4caad296-e0c5-491e-98ac-0ed118f9474e",
                    "category": "mammal",
                    "name": "doggie"
                  },
                  "properties": {
                    "id": {
                      "title": "Id",
                      "description": "Resource identifier",
                      "type": "string"
                    },
                    "name": {
                      "title": "Name",
                      "description": "Pet name",
                      "type": "string"
                    },
                    "category": {
                      "title": "Category",
                      "description": "Animal category",
                      "type": "string"
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "documentation": {
    "displayName": "Documentation",
    "description": "Description",
    "type": "some type",
    "tags": ["tag1", "tag2"],
    "docs": [
        {
        "title": "Documentation title...",
        "type": "type",
        "source": "source"
        }
    ]
  }
}

Include the request body you prepared in the following call to register a service:

For a cluster deployment:

Click to copy

curl -X POST -d '{YOUR_REQUEST_BODY}' https://gateway.{CLUSTER_DOMAIN}/{APP_NAME}/v1/metadata/services --cert {CERT_FILE_NAME}.crt --key {KEY_FILE_NAME}.key -k

For a local deployment:

Click to copy

curl -X POST -d '{YOUR_REQUEST_BODY}' https://gateway.kyma.local:{NODE_PORT}/{APP_NAME}/v1/metadata/services --cert {CERT_FILE_NAME}.crt --key {KEY_FILE_NAME}.key -k

A successful response returns the ID of the registered service:

Click to copy

{"id":"{YOUR_SERVICE_ID}"}

Check the details of a registered service

For a cluster deployment:

Click to copy

curl https://gateway.{CLUSTER_DOMAIN}/{APP_NAME}/v1/metadata/services/{YOUR_SERVICE_ID} --cert {CERT_FILE_NAME}.crt --key {KEY_FILE_NAME}.key -k

For a local deployment:

Click to copy

curl https://gateway.kyma.local:{NODE_PORT}/{APP_NAME}/v1/metadata/services/{YOUR_SERVICE_ID} --cert {CERT_FILE_NAME}.crt --key {KEY_FILE_NAME}.key -k

Register API with a specification URL

The Application Registry allows you to pass API specifications in a form of specification URLs.

To register API with specification URL, replace api.spec with api.specificationUrl.

NOTE: If both api.spec and api.specificationUrl are provided, api.spec will be used due to its higher priority.

See the example of the API part of the request body with specification URL:

Click to copy

"api": {
  "targetUrl": "https://services.odata.org/OData/OData.svc",
  "specificationUrl": "https://services.odata.org/OData/OData.svc/$metadata",
  "credentials": {
    "basic": {
      "username": "{USERNAME}",
      "password": "{PASSWORD}"
    }
}

The Application Registry will fetch the specification from provided URL but it will not use any credentials, therefore the endpoint can not be secured by any authentication mechanism.

NOTE: Fetching specification from a URL is supported only for APIs. Fetching specifications for Events or documentation is not supported.

Register the OData API

If the api.spec or api.specificationUrl parameters are not specified and the api.type parameter is set to OData, the Application Registry will try to fetch specification from the target URL with the $metadata path.

For example, for the service with the following API, the Application Registry will try to fetch API specification from https://services.odata.org/OData/OData.svc/$metadata.

Click to copy

"api": {
  "targetUrl": "https://services.odata.org/OData/OData.svc",
  "apiType": "OData"
  "credentials": {
    "basic": {
      "username": "{USERNAME}",
      "password": "{PASSWORD}"
    }
}

Register a secured API

The Application Registry allows you to register a secured API for every service. The supported authentication methods are Basic Authentication, OAuth, and client certificates.

You can specify only one authentication method for every secured API you register. If you try to register and specify more than one authentication method, the Application Registry returns a 400 code response.

Additionally, you can secure the API against cross-site request forgery (CSRF) attacks. CSRF tokens are an additional layer of protection and can accompany any authentication method.

NOTE: Registering a secured API is a part of registering services of an external solution connected to Kyma. To learn more about this process, follow this tutorial.

Register a Basic Authentication-secured API

To register an API secured with Basic Authentication, add a credentials.basic object to the api section of the service registration request body. You must include these fields:

Field	Description
username	Basic Authorization username
password	Basic Authorization password

This is an example of the api section of the request body for an API secured with Basic Authentication:

Click to copy

    "api": {
        "targetUrl": "https://sampleapi.targeturl/v1",
        "credentials": {
            "basic": {
                "username": "{USERNAME}",
                "password": "{PASSWORD}"
            },
        }

Register an OAuth-secured API

To register an API secured with OAuth, add a credentials.oauth object to the api section of the service registration request body. You must include these fields:

Field	Description
url	OAuth token exchange endpoint of the service
clientId	OAuth client ID
clientSecret	OAuth client Secret

This is an example of the api section of the request body for an API secured with OAuth:

Click to copy

    "api": {
        "targetUrl": "https://sampleapi.targeturl/v1",
        "credentials": {
            "oauth": {
                "url": "https://sampleapi.targeturl/authorizationserver/oauth/token",
                "clientId": "{CLIENT_ID}",
                "clientSecret": "{CLIENT_SECRET}"
            },
        }

Register a client certificate-secured API

To register an API and secure it with client certificates, you must add the credentials.certificateGen object to the api section of the service registration request body. The Application Registry generates a ready to use certificate and key pair for every API registered this way. You can use the generated pair or replace it with your own certificate and key.

Include this field in the service registration request body:

Field	Description
commonName	Name of the generated certificate. Set as the `CN` field of the certificate Subject.

This is an example of the api section of the request body for an API secured with generated client certificates:

Click to copy

    "api": {
        "targetUrl": "https://sampleapi.targeturl/v1",
        "credentials": {
            "certificateGen": {
                "commonName": "{CERT_NAME}"
            },
        }

NOTE: If you update the registered API and change the certificateGen.commonName, the Application Registry generates a new certificate-key pair for that API. When you delete an API secured with generated client certificates, the Application Registry deletes the corresponding certificate and key.

Details

When you register an API with the credentials.certificateGen object, the Application Registry generates a SHA256withRSA-encrypted certificate and a matching key. To enable communication between Kyma and an API secured with this authentication method, set the certificate as a valid authentication medium for all calls coming from Kyma in your external solution.

You can retrieve the client certificate by sending the following request:

Click to copy

curl https://gateway.{CLUSTER_DOMAIN}/{APP_NAME}/v1/metadata/services/{YOUR_SERVICE_ID} --cert {CERT_FILE_NAME}.crt --key {KEY_FILE_NAME}.key -k

A successful call will return a response body with the details of a registered service and a base64-encoded client certificate.

The certificate and key pair is stored in a Secret in the kyma-integration Namespace. List all Secrets and find the one created for your API:

Click to copy

kubectl -n kyma-integration get secrets

To fetch the certificate and key encoded with base64, run this command:

Click to copy

kubectl -n kyma-integration get secrets app-{APP_NAME}-{SERVICE_ID} -o yaml

NOTE: Replace the APP_NAME placeholder with the name of the Application used to connect the external solution that is the origin of the API. Replace the SERVICE_ID placeholder with the ID of the registered service to which the API belongs. You get this ID after you register an external solution's service in Kyma.

If the API you registered provides a certificate-key pair or the generated certificate doesn't meet your security standards or specific needs, you can use a custom certificate-key pair for authentication. To replace the Kyma-generated pair with your certificate and key, run this command:

Click to copy

kubectl -n kyma-integration patch secrets app-{APP_NAME}-{SERVICE_ID} --patch 'data:
  crt: {BASE64_ENCODED_CRT}
  key: {BASE64_ENCODED_KEY}'

Register a CSRF-protected API

The Application Registry supports CSRF tokens as an additional layer of API protection. To register a CSRF-protected API, add the credentials.{AUTHENTICATION_METHOD}.csrfInfo object to the api section of the service registration request body.

Include this field in the service registration request body:

Field	Description
tokenEndpointURL	The URL to the upstream service endpoint that exposes CSRF tokens.

This is an example of the api section of the request body for an API secured with both Basic Authentication and a CSRF token.

Click to copy

    "api": {
        "targetUrl": "https://sampleapi.targeturl/v1",
        "credentials": {
            "basic": {
                "username": "{USERNAME}",
                "password": "{PASSWORD}",
                "csrfInfo": {
                    "tokenEndpointURL": "{TOKEN_ENDPOINT_URL}"
                }
            },
        }

Trigger a lambda with events

This guide shows how to create a simple lambda function and trigger it with an event.

Prerequisites

An Application (App) bound to the production Namespace
Client certificates generated for the connected App.

Steps

NOTE: See this tutorial to learn how to register a service.

Click to copy

{
  "name": "my-events-service",
  "provider": "myCompany",
  "Identifier": "identifier",
  "description": "This is some service",
  "events": {
    "spec": {
      "asyncapi": "1.0.0",
      "info": {
        "title": "Example Events",
        "version": "1.0.0",
        "description": "Description of all the example events"
      },
      "baseTopic": "example.events.com",
      "topics": {
        "exampleEvent.v1": {
          "subscribe": {
            "summary": "Example event",
            "payload": {
              "type": "object",
              "properties": {
                "myObject": {
                  "type": "object",
                  "required": [
                    "id"
                  ],
                  "example": {
                    "id": "4caad296-e0c5-491e-98ac-0ed118f9474e"
                  },
                  "properties": {
                    "id": {
                      "title": "Id",
                      "description": "Resource identifier",
                      "type": "string"
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  }
}

Get the externalName of the Service Class of the registered service.

Click to copy

kubectl -n production get serviceclass {SERVICE_ID}  -o jsonpath='{.spec.externalName}'

Create a Service Instance for the registered service.

Click to copy

cat <<EOF | kubectl apply -f -
apiVersion: servicecatalog.k8s.io/v1beta1
kind: ServiceInstance
metadata:
  name: my-events-service-instance-name
  namespace: production
spec:
  serviceClassExternalName: {EXTERNAL_NAME}
EOF

Create a sample lambda function which sends a request to http://httpbin.org/uuid. A successful response logs a Response acquired successfully! Uuid: {RECEIVED_UUID} message. To create and register the lambda function in the production Namespace, run:

Click to copy

cat <<EOF | kubectl apply -f -
apiVersion: kubeless.io/v1beta1
kind: Function
metadata:
  name: my-events-lambda
  namespace: production
spec:
  deployment:
    spec:
      template:
        spec:
          containers:
          - name: ""
            resources: {}
  deps: |-
    {
        "name": "example-1",
        "version": "0.0.1",
        "dependencies": {
          "request": "^2.85.0"
        }
    }
  function: |-
    const request = require('request');
    module.exports = { main: function (event, context) {
        return new Promise((resolve, reject) => {
            const url = \`http://httpbin.org/uuid\`;
            const options = {
                url: url,
            };
            sendReq(url, resolve, reject)
        })
    } }
    function sendReq(url, resolve, reject) {
        request.get(url, { json: true }, (error, response, body) => {
            if(error){
                resolve(error);
            }
            console.log("Response acquired successfully! Uuid: " + response.body.uuid);
            resolve(response);
        })
    }
  function-content-type: text
  handler: handler.main
  horizontalPodAutoscaler:
    spec:
      maxReplicas: 0
  runtime: nodejs8
  service:
    ports:
    - name: http-function-port
      port: 8080
      protocol: TCP
      targetPort: 8080
    selector:
      created-by: kubeless
      function: my-events-lambda
  timeout: ""
  topic: exampleEvent
EOF

Create a Subscription to allow events to trigger the lambda function.

Click to copy

cat <<EOF | kubectl apply -f -
apiVersion: eventing.kyma-project.io/v1alpha1
kind: Subscription
metadata:
  labels:
    Function: my-events-lambda
  name: lambda-my-events-lambda-exampleevent-v1
  namespace: production
spec:
  endpoint: http://my-events-lambda.production:8080/
  event_type: exampleEvent
  event_type_version: v1
  include_subscription_name_header: true
  max_inflight: 400
  push_request_timeout_ms: 2000
  source_id: {APP_NAME}
EOF

Send an event to trigger the created lambda.

On a cluster:

Click to copy

curl -X POST https://gateway.{CLUSTER_DOMAIN}/{APP_NAME}/v1/events -k --cert {CERT_FILE_NAME}.crt --key {KEY_FILE_NAME}.key -d \
'{
    "event-type": "exampleEvent",
    "event-type-version": "v1",
    "event-id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
    "event-time": "2018-10-16T15:00:00Z",
    "data": "some data"
}'

On a local deployment:

Click to copy

curl -X POST https://gateway.kyma.local:{NODE_PORT}/{APP_NAME}/v1/events -k --cert {CERT_FILE_NAME}.crt --key {KEY_FILE_NAME}.key -d \
'{
    "event-type": "exampleEvent",
    "event-type-version": "v1",
    "event-id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
    "event-time": "2018-10-16T15:00:00Z",
    "data": "some data"
}'

Check the logs of the lambda function to see if it was triggered. Every time an event successfully triggers the function, this message appears in the logs: Response acquired successfully! Uuid: {RECEIVED_UUID}. Run this command:

Click to copy

kubectl -n production logs "$(kubectl -n production get po -l function=my-events-lambda -o jsonpath='{.items[0].metadata.name}')" -c my-events-lambda | grep "Response acquired successfully! Uuid: "

Call a registered external service from Kyma

This guide shows how to call a registered external service from Kyma using a simple lambda function.

Prerequisites

An Application (App) bound to the production Namespace
Client certificates generated for the connected App.
Map my-lambda-production.kyma.local to your Minikube IP to call the lambda function on a local Kyma deployment.

Steps

Register a service with the following specification to the desired Application.
NOTE: See this tutorial to learn how to register a service.

Click to copy

{
  "name": "my-service",
  "provider": "myCompany",
  "Identifier": "identifier",
  "description": "This is some service",
  "api": {
    "targetUrl": "http://httpbin.org/",
    "spec": {
      "swagger":"2.0"
    }
  }
}

Get the externalName of the Service Class of the registered service.

Click to copy

kubectl -n production get serviceclass {SERVICE_ID}  -o jsonpath='{.spec.externalName}'

Create a Service Instance for the registered service.

Click to copy

cat <<EOF | kubectl apply -f -
apiVersion: servicecatalog.k8s.io/v1beta1
kind: ServiceInstance
metadata:
  name: my-service-instance-name
  namespace: production
spec:
  serviceClassExternalName: {EXTERNAL_NAME}
EOF

Create a lambda function that sends a request to the registered service with an additional path of /uuid. A successful response returns a UUID generated by httpbin.org. To create and register the lambda function in the production Namespace, run:

Click to copy

cat <<EOF | kubectl apply -f -
apiVersion: kubeless.io/v1beta1
kind: Function
metadata:
  name: my-lambda
  namespace: production
spec:
  deployment:
    spec:
      template:
        metadata:
          labels:
            app-{APP_NAME}-{SERVICE_ID}: "true"
        spec:
          containers:
          - env:
            - name: GATEWAY_URL
              value: app-{APP_NAME}-{SERVICE_ID}.kyma-integration
  deps: |-
    {
        "name": "example-1",
        "version": "0.0.1",
        "dependencies": {
          "request": "^2.85.0"
        }
    }
  function: |-
    const request = require('request');
    module.exports = { main: function (event, context) {
        return new Promise((resolve, reject) => {
            const url = \`http://\${process.env.GATEWAY_URL}/uuid\`;
            const options = {
                url: url,
            };
            sendReq(url, resolve, reject)
        })
    } }
    function sendReq(url, resolve, reject) {
        request.get(url, { json: true }, (error, response, body) => {
            if(error){
                resolve(error);
            }
            resolve(response.body);
        })
    }
  function-content-type: text
  handler: handler.main
  horizontalPodAutoscaler:
    spec:
      maxReplicas: 0
  runtime: nodejs8
  service:
    ports:
    - name: http-function-port
      port: 8080
      protocol: TCP
      targetPort: 8080
    selector:
      created-by: kubeless
      function: my-lambda
  timeout: ""
  topic: http
EOF

Create a ServiceBinding and a ServiceBindingUsage to bind the Service Instance to the lambda function.

Click to copy

cat <<EOF | kubectl apply -f -
apiVersion: servicecatalog.k8s.io/v1beta1
kind: ServiceBinding
metadata:
  labels:
    Function: my-lambda
  name: my-service-binding
  namespace: production
spec:
  instanceRef:
    name: my-service-instance-name
EOF

Click to copy

cat <<EOF | kubectl apply -f -
apiVersion: servicecatalog.kyma-project.io/v1alpha1
kind: ServiceBindingUsage
metadata:
  labels:
    Function: my-lambda
    ServiceBinding: my-service-binding
  name: my-service-binding
  namespace: production
spec:
  serviceBindingRef:
    name: my-service-binding
  usedBy:
    kind: function
    name: my-lambda
EOF

To expose the lambda function outside the cluster create an Api custom resource:

Click to copy

cat <<EOF | kubectl apply -f -
apiVersion: gateway.kyma-project.io/v1alpha2
kind: Api
metadata:
  labels:
    function: my-lambda
  name: my-lambda
  namespace: production
spec:
  authentication: []
  hostname: my-lambda-production.{CLUSTER_DOMAIN}
  service:
    name: my-lambda
    port: 8080
EOF

To verify that everything was setup correctly you can now call the lambda through https:

On a cluster

Click to copy

curl https://my-lambda-production.{CLUSTER_DOMAIN}/ -k

On a local deployment:

Click to copy

curl https://my-lambda-production.kyma.local/ -k

A successful response returns a UUID generated by httpbin.org:

Click to copy

{
  "uuid": "d44cc373-b26e-4a36-9890-6418d131a285"
}

Bind an Application to a Namespace

This guide shows you how to bind an Application (App) to a Namespace in Kyma. To execute the binding, create an ApplicationMapping custom resource in the cluster. Follow the instructions to bind your App to the production Namespace.

Prerequisites

To complete this guide, your cluster must have at least one App created.

Steps

List all Apps bound to the production Namespace:
Click to copy
```
kubectl get em -n production
```

Bind an App to a Namespace. Run this command to create an ApplicationMapping custom resource and apply it to the cluster:

Click to copy

cat <<EOF | kubectl apply -f -
apiVersion: applicationconnector.kyma-project.io/v1alpha1
kind: ApplicationMapping
metadata:
  name: {NAME_OF_APP_TO_BIND}
  namespace: production
EOF

Check if the operation is successful. List all Namespaces to which your App is bound:

Click to copy

kubectl get em --all-namespaces -o jsonpath='{range .items[?(@.metadata.name=="{NAME_OF_YOUR_APP}")]}{@.metadata.namespace}{""}{end}'

Renew the client certificate

By default, the client certificate you generate when you connect an external solution to Kyma is valid for 92 days. Follow this tutorial to renew the client certificate.

NOTE: You can only renew client certificates that are still valid. If your client certificate is expired or revoked, you must generate a new one.

To renew the client certificate, use the same certificate subject that matches the subject of your current certificate. To check the certificate subject, run:
Click to copy
```
openssl x509 -noout -subject -in {PATH_TO_OLD_CRT}
```
Generate a new CSR using the certificate subject you got in the previous step. Run:
Click to copy
```
openssl req -new -sha256 -out renewal.csr -key {PATH_TO_KEY} -subj "{SUBJECT}"
```

Send a request to the Connector Service to renew the certificate:

Click to copy

curl -X POST https://gateway.{DOMAIN}/v1/applications/certificates/renewals -d '{"csr":"BASE64_ENCODED_CSR"}' -k --cert {PATH_TO_OLD_CRT} --key {PATH_TO_KEY}

A successful call returns a renewed client certificate:

Click to copy

{
    "crt":"BASE64_ENCODED_CRT_CHAIN",
    "clientCrt":"BASE64_ENCODED_CLIENT_CRT",
    "caCrt":"BASE64_ENCODED_CA_CRT"
}

Revoke the client certificate

You can revoke a client certificate generated for your Application. Revocation prevents a certificate from being renewed. A revoked certificate, however, continues to be valid until it expires.

To revoke a client certificate, send a request to the certificates/revocations endpoint. Pass the certificate you want to revoke and a key that matches this certificate in the call. Run:

Click to copy

curl -X POST https://gateway.{CLUSTER_DOMAIN}/v1/applications/certificates/revocations --cert {CERT_TO_REVOKE} --key {CERT_TO_REVOKE_KEY} -k

Revoke a certificate using SHA256 fingerprint

If you have admin access to the Kyma cluster, you can revoke client certificates by sending the SHA256 fingerprint of a certificate to the internal certificates/revocations endpoint. Follow these steps:

Convert the certificate from the pem format to the der format. Run:

Click to copy

openssl x509 -in {CLIENT_CERT_FILE}.crt -outform der -out {CLIENT_CERT_DER_FILE}.der

Get the SHA256 fingerprint of the certificate. Run:
Click to copy
```
shasum -a 256 {CLIENT_CERT_DER_FILE}.der
```

Revoke the certificate using the SHA256 fingerprint:

Click to copy

curl -X POST http://connector-service-internal-api:8080/v1/applications/certificates/revocations -d '{hash: {SHA256_FINGERPRINT_OF_CERT_TO_REVOKE_}}'

Rotate the Root CA certificate and key

The Central Connector Service uses the Root CA certificate to issue new certificates for runtimes and by the Nginx Ingress Controller to validate their identity.

Two different components use the Root CA certificate. As a result, the certificate is stored in two separate Secrets:

The connector-service-app-ca Connector Service CA Secret responsible for signing certificate requests
The nginx-auth-ca Nginx Ingress Secret responsible for security in the Connector Service API

Keeping both Secrets up-to-date is vital for the security of your implementation as it guarantees that the Connector Service issues proper certificates and no unregistered applications can access its API.

The Root CA certificate has a set expiration date and must be renewed periodically to prevent its expiration. You must also renew the Root CA certificate and key every time they are compromised.

This tutorial describes the procedure you must follow for these scenarios:

Rotating a soon-to-expire Root CA certificate
Rotating a compromised Root CA certificate
Rotating a compromised Root CA key

Rotating a soon-to-expire CA certificate

To successfully rotate a soon-to-expire CA certificate, replace it with a new certificate in both the Connector Service CA Secret and the Nginx Ingress Secret. Follow these steps to replace the old certificate in both Secrets:

Get the existing Root CA key. Fetch it from the connector-service-app-ca Secret and save it to a ca.key file. Run:

Click to copy

kubectl -n kyma-integration get secret connector-service-app-ca -o=jsonpath='{.data.ca\.key}' | base64 --decode > ca.key

Generate a new certificate for the key you obtained and save it to a new-ca.crt file. Run:
Click to copy
```
openssl req -new -key ca.key -x509 -sha256 -days {TTL_DAYS} -nodes -out new-ca.crt
```

NOTE: Use the -days flag to set the TTL of the newly generated certificate.

Encode the newly created certificate with base64:
Click to copy
```
cat new-ca.crt | base64
```
Replace the old certificate in the Connector Service CA Secret. Edit the Secret and replace the ca.crt value with the new base64-encoded certificate. Run:
Click to copy
```
kubectl -n kyma-integration edit secret connector-service-app-ca
```
Get the existing Nginx Ingress Secret. Fetch it from the nginx-auth-ca Secret and save it to a old-ca.crt file. Run:
Click to copy
```
kubectl -n kyma-integration get secret nginx-auth-ca -o=jsonpath='{.data.ca\.crt}' | base64 --decode > old-ca.crt
```
Merge the old Nginx certificate and the newly generated certificate into a single nginx-ca.crt file:
Click to copy
```
cat old-ca.crt > nginx-ca.crt
cat new-ca.crt >> nginx-ca.crt
```
Encode the newly created nginx-ca.crt certificate file with base64:
Click to copy
```
cat nginx-ca.crt | base64
```
Replace the old certificate in the Nginx Ingress Secret. Edit the Secret and replace the ca.crt value with the nginx-ca.crt base64-encoded certificate. Run:
Click to copy
```
kubectl -n kyma-integration edit secret nginx-auth-ca
```
Renew the certificates in a runtime. To do that, create a CertificateRequest CR in the runtime in which you want to renew the certificates. Alternatively, wait for the certificates to expire in a given runtime. The system renews the certificates automatically using the information stored in the Secrets you updated.

After the certificates are renewed in a runtime, remove the nginx-auth-ca Secret entry which contains the old certificate. First, encode the new-ca.crt file with base64:
Click to copy
```
cat new-ca.crt | base64
```
Edit the Secret and replace the ca.crt value with the new-ca.crt base64-encoded certificate. Run:
Click to copy
```
kubectl -n kyma-integration edit secret nginx-auth-ca
```

Rotating a compromised Root CA certificate

Get the existing Root CA key. Fetch it from the connector-service-app-ca Secret and save it to a ca.key file. Run:

Click to copy

kubectl -n kyma-integration get secret connector-service-app-ca -o=jsonpath='{.data.ca\.key}' | base64 --decode > ca.key

Generate a new certificate for the key you obtained and save it to a new-ca.crt file. Run:
Click to copy
```
openssl req -new -key ca.key -x509 -sha256 -days {TTL_DAYS} -nodes -out new-ca.crt
```

NOTE: Use the -days flag to set the TTL of the newly generated certificate.

Encode the newly created certificate with base64:
Click to copy
```
cat new-ca.crt | base64
```
Replace the old certificate in the Connector Service CA Secret. Edit the Secret and replace ca.crt value with the new base64-encoded certificate. Run:
Click to copy
```
kubectl -n kyma-integration edit secret connector-service-app-ca
```
Replace the old certificate in the Nginx Ingress Secret. Edit the Secret and replace the ca.crt value with the new base64-encoded certificate. Run:
Click to copy
```
kubectl -n kyma-integration edit secret nginx-auth-ca
```
Renew the certificates in a runtime. To do that, create a CertificateRequest CR in the runtime in which you want to renew the certificates.

Rotating a compromised root CA key

Generate a new, RSA-encoded root CA key and save to a new-ca.key file:
Click to copy
```
openssl genrsa -out new-ca.key 2048
```
Generate a new certificate using the key you generated and save it to a new-ca.crt file. Run:
Click to copy
```
openssl req -new -key ca.key -x509 -sha256 -days {EXPIRATION_DAYS} -nodes -out new-ca.crt
```

NOTE: Use the -days flag to set the TTL of the newly generated certificate.

Encode the newly created certificate and key with base64:
Click to copy
```
cat new-ca.key | base64
```
Click to copy
```
cat new-ca.crt | base64
```
Replace the old certificate and key in the Connector Service CA Secret. Edit the Secret and replace the ca.crt and ca.key values with the new base64-encoded certificate and key respectively. Run:
Click to copy
```
kubectl -n kyma-integration edit secret connector-service-app-ca
```
Replace the old certificate in the Nginx Ingress Secret. Edit the Secret and replace the ca.crt value with the new base64-encoded certificate. Run:
Click to copy
```
kubectl -n kyma-integration edit secret nginx-auth-ca
```
Renew the certificates in a runtime. To do that, create a CertificateRequest CR in the runtime in which you want to renew the certificates.

Connector Service

The Connector Service exposes two separate APIs:

An internal API available in the Kyma cluster used to initiate certificate generation.
An external API exposed through Ingress used to finalize certificate generation.

Find the specification of both of these APIs here.

Alternatively, get the API specification directly from the Connector Service:

Click to copy

https://connector-service.{CLUSTER_DOMAIN}/v1/api.yaml

Run this command to access the API specification on a local Kyma deployment:

Click to copy

curl https://connector-service.kyma.local/v1/api.yaml

Application Registry

You can get the API specification of the Application Registry for a given version of the service using this command:

Click to copy

curl https://gateway.{CLUSTER_DOMAIN}/{APP_NAME}/v1/metadata/api.yaml

To access the API specification of the Application Registry locally, provide the NodePort of the application-connector-ingress-nginx-ingress-controller.

To get the NodePort, run this command:

Click to copy

kubectl -n kyma-system get svc application-connector-ingress-nginx-ingress-controller -o 'jsonpath={.spec.ports[?(@.port==443)].nodePort}'

To access the specification, run:

Click to copy

curl https://gateway.kyma.local:{NODE_PORT}/{APP_NAME}/v1/metadata/api.yaml

Event Service

The Event Service provides an endpoint for fetching subscribed Events for the application. To fetch all of them, make a call:

Click to copy

curl https://gateway.{CLUSTER_DOMAIN}/{APP_NAME}/v1/events/subscribed -k --cert {APP_CERT} --key {APP_CERTS_KEY}

To get all events locally, provide the NodePort of application-connector-ingress-nginx-ingress-controller.

To get the NodePort, run this command:

Click to copy

kubectl -n kyma-system get svc application-connector-ingress-nginx-ingress-controller -o 'jsonpath={.spec.ports[?(@.port==443)].nodePort}'

To fetch the Events, run this command:

Click to copy

curl https://gateway.kyma.local:{NODE_PORT}/{APP_NAME}/v1/events/subscribed -k --cert {APP_CERT} --key {APP_CERTS_KEY}

The successful call returns a list of all active Events for the application.

TIP: For details on the Event Service API specification, see this file.

Supported APIs

Nginx Ingress Controller

Connector Service

Application Registry

Event Service

Application

Application Broker

Application Operator

Application Gateway

Access Service

Asset Store

Kubernetes Secret

Caching

Handling of headers

Provisioning and binding for an API ServiceClass

Provisioning and binding for an Event ServiceClass

Provisioning and binding for both the API and Event ServiceClass

Client certificates

Disable SSL certificate verification

Override the API security type

External solution's services in the Service Catalog

Service consumption

Kubernetes APIs interaction

Passing the access token

Sample custom resource

Custom resource parameters

Related resources and components

Additional information

Sample custom resource

Custom resource parameters

Related resources and components

Sample custom resource

Custom resource parameters

Related resources and components

Sample custom resource

Custom resource parameters

Additional information

Check the App status

Prerequisites

Get the configuration URL with a token

Get the CSR information and configuration details from Kyma

Generate a CSR and send it to Kyma

Call the metadata endpoint

Call the Application Registry and Event services on local deployment

Prerequisites

Register a service

Check the details of a registered service

Register API with a specification URL

Register the OData API

Register a Basic Authentication-secured API

Register an OAuth-secured API

Register a client certificate-secured API

Details

Register a CSRF-protected API

Prerequisites

Steps

Prerequisites

Steps

Prerequisites

Steps

Revoke a certificate using SHA256 fingerprint

Rotating a soon-to-expire CA certificate

Rotating a compromised Root CA certificate

Rotating a compromised root CA key