A long-awaited update for Kyma runtime
Disclaimer: This blog post focuses on SAP BTP, Kyma runtime with the Kyma open source version 2.0. Keep in mind that adjustments might be needed for a later release of Kyma.
If you are following this SAP community tag, you are most probably also following what’s happening in the Kyma open source area. You might have seen the major release change of Kyma open source which happened in December 2021 and wondered when it would reach SAP BTP, Kyma runtime. Now it is finally happening, as this was just activated.
As a first step, new Kyma runtimes are provisioned with the most recent open source version. Upgrades of existing runtimes will take place in the course of March during the official maintenance windows. Instances based on the plans for trial and free tier are planned to be upgraded next week.
First things first: there is no impact on your existing workloads, though you need to pay attention to exposed API Rules that have a JWT access strategy defined. These must be enriched with an individual jwks_url pointing to a custom OpenID Connect-compliant identity provider.
If your XSUAA instance was configured with a custom upstream IdP to delegate identity management, you need to configure that IdP directly for Kyma. Read Authentication and Authorization in the Kyma Environment for details.
A migration guide is posted to the release notes. Besides that, Kyma components and the architecture of the runtime get optimized, but this is independent of what you deployed.
Nevertheless, the behavior and the possibilities of Kyma runtime will change. In some areas these are small changes; in other areas these are major changes. Therefore, our Kyma enablement and adoption team is going to provide several posts step by step and link them from this entry.
Furthermore, we will update enablement materials like developer tutorials to make them suitable for the update being pushed to Kyma runtime. Not to mention the work by our technical writers to update SAP Help Portal along with the upgrade.
We will cover the following areas in separate posts. Comment on any entry if you are missing an area or a detail.
One important change will span across all posts: you will gain full admin access to the Kubernetes cluster.
Though keep in mind: “With great power comes great responsibility”
0. (no blog post needed) There is going to be a non-expiring Kubeconfig for your user which authenticates you via OpenID Connect. You will need the kubelogin extension installed on your machine for the kubectl CLI to authenticate you.
1. Switching access management from XSUAA to RBAC – existing user access is migrated; new access must be granted differently.
2. Updates to API rules require changes in case of JWT access strategy due to the removal of Dex
3. Extending on-premise systems via Kyma runtime – yes, you will be able to easily make use of the Connectivity Proxy for Kubernetes inside Kyma runtime to connect to Cloud Connector, do principal propagation, and use x509 certificates
4. News for application connectivity to extend SAP CX solutions
5. How to subscribe to events from SAP CX solutions and bind them to your functions and deployments
6. Use custom domains to expose your deployments
7. Accessing the built-in observability tools of Kyma runtime
8. Changes on how to consume SAP BTP services and how to consume hyperscaler services
9. What to consider when installing your own components into your cluster
10. Using the Kubernetes operators within SAP BTP, Kyma runtime
Lots of great news, and some topics to adapt to. Summing up, this is the groundwork for future innovations inside SAP BTP, Kyma runtime! We are looking forward to your feedback and comments here.
If you have further questions around Kyma, feel free to post them in the answers area of the SAP Community.
To stay up to date with everything Kyma, make sure to visit our Kyma topic page.
Sounds pretty cool. As a CX guy, I'm especially looking forward to No 4 & 5 - but the backend connectivity via Cloud Connector also sounds very promising.