Kyma <---> apigee – How to set up seamless connectivity using compass

Kyma

project “Kyma” enables you to extend applications in a cloud-native fashion using side-by-side extensibility. Mostly those extensions can be implemented using lambdas in Kyma using Javascript as the programming language.

Compass

Compass is a central, multi-tenant system that allows you to connect Applications and manage them across multiple Kyma Runtimes. Using Compass, you can control and monitor your Application landscape in one central place. It can be run standalone as well as a part of the Kyma runtime using open source project Kyma.

apigee

apigee is an API gateway management tool offered by Google to exchange data across cloud services and applications. One can expose their enterprise APIs using apigee’s API Gateway and leverage all the API Gateway benefits without the need to implement them.

Connecting apigee to Kyma

Why

There could be business scenarios where we need to connect to apigee’s API Gateway to implement extensions or orchestration flow that encompasses multiple SAP, non-SAP systems as well as Enterprise APIs exposed via API Gateway.

I could have an extension and orchestration logic that might be making API calls to

• One or more SAP Systems
• Enterprise APIs served by apigee API Gateway
• One or more non-SAP Systems

What

One missing piece of the puzzle is to set up the connectivity between apigee’s API Gateway and Kyma Runtime

Compass to the rescue

This is where compass comes into the picture.

Using the compass, we can establish connectivity

• without writing any additional code
• without requiring to deploy any connectors or add-ons

The following section will provide detailed step-by-step instructions to

• Configure Kyma to enable compass (at present it is disabled by default)
• Use compass to set up connectivity with apigee API Gateway

Steps

We will use an API exposed via apigee API gateway with OAuth as an authentication mechanism and set up its connectivity with Kyma.

So that developers can write code to call the API without required to write code to get OAuth token.

All authentication steps will be taken care of by Kyma Application Gateway thus making the developer’s life easier and making the system more secure.

apigee configuration

• Set up a test apigee account or use one you already have.
• Set up an endpoint using OAuth
• Set the policy for an access token with grant_type as a form parameter.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 name="GenerateAccessTokenClient">
    <!-- This policy generates an OAuth 2.0 access token using the client_credentials grant type -->
    <Operation>GenerateAccessToken</Operation>
    <!-- This is in millseconds, so expire in an hour -->
    <ExpiresIn>3600000</ExpiresIn>
    <SupportedGrantTypes>
        <!-- This part is very important: most real OAuth 2.0 apps will want to use other
        grant types. In this case it is important to NOT include the "client_credentials"
        type because it allows a client to get access to a token with no user authentication -->
        <GrantType>client_credentials</GrantType>
    </SupportedGrantTypes>
    <GrantType>request.formparam.grant_type</GrantType> <!--changed this part -->
    <GenerateResponse/>
</OAuthV2>

• Added AssignMessage to send numeric values as Json Numbers/Integers. This is required as by default apigee token response sends all numeric values as JSON Strings. This causes the Kyma Oauth client to fail to parse. See this apigee community thread.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="expires_in_to_int">
    <DisplayName>expires_in_to_int</DisplayName>
    <Properties/>
    <Set>
        <Payload contentType="application/json">
        {
            "refresh_token_expires_in" : {oauthv2accesstoken.GenerateAccessTokenClient.expires_in},
            "api_product_list" : "{oauthv2accesstoken.GenerateAccessTokenClient.api_product_list}",
            "organization_name" : "{oauthv2accesstoken.GenerateAccessTokenClient.organization_name}",
        "issued_at": {oauthv2accesstoken.GenerateAccessTokenClient.issued_at},
        "client_id" : "{oauthv2accesstoken.GenerateAccessTokenClient.client_id}",
        "access_token" : "{oauthv2accesstoken.GenerateAccessTokenClient.access_token}",
        "application_name" : "{oauthv2accesstoken.GenerateAccessTokenClient.application_name}",
        "scope" : "{oauthv2accesstoken.GenerateAccessTokenClient.scope}",
            "expires_in" : {oauthv2accesstoken.GenerateAccessTokenClient.expires_in},
        "refresh_count" : {oauthv2accesstoken.GenerateAccessTokenClient.refresh_count},
        "status" : "{oauthv2accesstoken.GenerateAccessTokenClient.status}"
        }
        </Payload>
    </Set>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <AssignTo createNew="true" transport="http" type="response"/>
</AssignMessage>

Kyma configuration

• Enable compass in existing Kyma or if creating a new Kyma cluster, uncomment compass components in installer.yaml

• Create an application via Compass

• Set up an API with Oauth access
  • client_id,
  • client_secret,
  • token url of the form https://{your environment}.apigee.net/oauth/client_credential/accesstoken

Calling API exposed via apigee

Follow the standard steps to consume an API from a namespace.

• Bind the application with the namespace.

• API will be available in the service catalog

• Add it once

• Create a lambda to make API call

Source Code

The lambda and other related artifacts can be referred from the Github repository.