This sample demonstrates how the SAP SaaS Provisioning service can be used to develop a multitenant application in the Kyma runtime. When a user subscribes, the sample app generates a number of dedicated k8s resources for the subscriber's subaccount, with the tenant id appended to each name, which include:
- A configured deployment, based on a generated config map, of the App Auth Proxy to authenticate and authorize the user.
- An API rule to access the application, pointing to the app-auth-proxy.
- A configured deployment, based on a generated config map, of nginx which outputs information regarding the subscriber.
- An external path to https://httpbin.org/ which will output the request headers.
- The related services.
```shell
kubectl create namespace saas
kubectl label namespaces saas istio-injection=enabled
```
The XSUAA Service Instance defines how subscribers will authenticate to the sample application. The sample app uses the App Auth Proxy
- Open the file `k8s/xsuaa-instance.yaml`, adjust the value `<cluster domain>` and then apply the file:

  ```shell
  kubectl -n saas apply -f ./k8s/xsuaa-instance.yaml
  ```

- Open the file `k8s/saas-instance.yaml`, adjust the value `<cluster domain>` and then apply the file:

  ```shell
  kubectl -n saas apply -f ./k8s/saas-instance.yaml
  ```
The sample app is what will be called when a user subscribes to your application. This sample app will provision resources based on the configmap provided.
When a consumer subscribes to the app, the SaaS Provisioning Service submits a JWT when calling the On-Subscription Endpoint. The Kyma Application Gateway verifies this JWT against the values defined for the Issuer and JWKS URI; the subscription fails if these endpoints are not the correct ones for the environment. Adjust the values for the Issuer and JWKS URI in `apirule.yaml`, for example:
- Issuer: `http://sap-provisioning.localhost:8080/uaa/oauth/token`
- JWKS URI: `https://sap-provisioning.authentication.us21.hana.ondemand.com/token_keys`
Deploy the resources found in the directory `k8s` into the `saas` namespace.

The apirule validates the requests coming from the SaaS Provisioning service and forwards them to the sample app:

```shell
kubectl apply -f ./k8s/apirule.yaml -n saas
```
The config-map contains the structure needed to define the subscriber's app. At a minimum you will have to adjust the value of `domain` to match the domain of your Kyma runtime:

```shell
kubectl apply -f ./k8s/config-map.yaml -n saas
```
The sample app deployment:

```shell
kubectl apply -f ./k8s/deployment.yaml -n saas
```

The service account used by the sample app to generate k8s resources:

```shell
kubectl apply -f ./k8s/service-account.yaml -n saas
```
- Create another subaccount using the same provider and region as the Kyma runtime containing the SAAS application and open it
- Choose the Subscriptions menu option
- Find and open the Kyma SAAS Provisioning Demo tile
- Choose Subscribe
- When the subscription completes...
- Choose Security -> Trust Configuration from the subaccount main menu.
- Choose SAP ID Service
- Provide your email address and choose Show Assignments
- Choose Assign Role Collection and choose saas-provisioning-demo-app-User
- You may have to log out/in for the role assignment to take place.
- Choose the menu option Subscriptions
- Find and open the Kyma SAAS Provisioning Demo tile
- Choose the Go to Application link.
- The sample will display
- The app will have the following endpoints:
  - `https://saas-demo-<tenant id>.<cluster domain>/`
  - `https://saas-demo-<tenant id>.<cluster domain>/headers`
  - `https://saas-demo-<tenant id>.<cluster domain>/auth/user`
  - `https://saas-demo-<tenant id>.<cluster domain>/auth/groups`
- Download a Kubeconfig from the Kyma runtime and set the environment variable:

  ```shell
  export KUBECONFIG=<file path>
  ```

- Set the environment variables:

  ```shell
  export IDP_clientid='<client id>'
  export IDP_clientsecret='<client secret>'
  export IDP_url='<url>'
  export IDP_identityzone='<identityzone>'
  export IDP_xsappname='<xsappname>'
  ```

- Within the folder `cmd/api` run:

  ```shell
  go run .
  ```

- Send a PUT or DELETE request to `http://localhost:8000/callback/v1.0/tenants/<a tenant id>` containing:
  - Header: `Authorization: Bearer <valid jwt containing the saas-provisioning-demo-app****Callback scope for the app>`
  - Body with valid values:

  ```json
  {
    "subscriptionAppName": "",
    "subscriptionAppId": "",
    "subscribedSubaccountId": "",
    "subscribedTenantId": "",
    "subscribedSubdomain": "",
    "globalAccountGUID": "",
    "subscribedLicenseType": "",
    "userId": ""
  }
  ```
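An added example, not taken from the sample's `cmd/api` code, of the input checks a callback handler should perform before it creates a tenant's resources: it parses the body shown above, requires the tenant id in the path and in the body to agree, and rejects any tenant id that would not yield a valid Kubernetes resource name once `saas-demo-` is prepended. The `saas-demo-<tenant id>.<cluster domain>` URL format follows the endpoints listed earlier; `clusterDomain` is assumed to be the `domain` value from the config map.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
)

// SubscriptionPayload mirrors the body the SaaS Provisioning service sends to the callback.
type SubscriptionPayload struct {
	SubscriptionAppName    string `json:"subscriptionAppName"`
	SubscriptionAppID      string `json:"subscriptionAppId"`
	SubscribedSubaccountID string `json:"subscribedSubaccountId"`
	SubscribedTenantID     string `json:"subscribedTenantId"`
	SubscribedSubdomain    string `json:"subscribedSubdomain"`
	GlobalAccountGUID      string `json:"globalAccountGUID"`
	SubscribedLicenseType  string `json:"subscribedLicenseType"`
	UserID                 string `json:"userId"`
}

// dnsLabel is the RFC 1123 label syntax that Kubernetes enforces on resource names
// and that the generated APIRule host must satisfy.
var dnsLabel = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)

// TenantURL validates a callback request and returns the per-tenant application URL
// https://saas-demo-<tenant id>.<cluster domain>/ (format assumed from the README).
// pathTenant is the <tenant id> from the request path; body is the JSON payload.
func TenantURL(pathTenant string, body []byte, clusterDomain string) (string, error) {
	var p SubscriptionPayload
	if err := json.Unmarshal(body, &p); err != nil {
		return "", fmt.Errorf("invalid callback body: %w", err)
	}
	// The request passed the API rule's JWT check, but path and body are still
	// caller-supplied fields: insist that they agree before acting on either.
	if p.SubscribedTenantID == "" || p.SubscribedTenantID != pathTenant {
		return "", errors.New("tenant id in path and body do not match")
	}
	// Resource names are "<prefix>-<tenant id>"; reject anything that is not a valid
	// label (dots, slashes, upper case, an over-long name) instead of letting the
	// apply fail half-way or producing an unexpected hostname.
	name := "saas-demo-" + p.SubscribedTenantID
	if len(name) > 63 || !dnsLabel.MatchString(name) {
		return "", errors.New("tenant id is not a valid DNS-1123 label")
	}
	return fmt.Sprintf("https://%s.%s/", name, clusterDomain), nil
}
```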