SAP BTP, Kyma Runtime: Use a custom domain on an API Rule through Istio Gateway
With SAP BTP, Kyma Runtime, you can now expose your custom domain through an API Rule using an Istio Gateway.
Steps to expose your custom domain
- Obtain the certificate of your custom domain
- Create a TLS Secret holding the certificate’s data in the istio-system namespace
- Create your new namespace (e.g. dev)
- Create a new Istio Gateway that consumes the Secret you just created
- Create a new API Rule hosted on your custom domain
- Test the endpoint on Postman with SSL enabled
Get the certificate of your custom domain
The certificate, or certificates, should hold data for these 3 fields:
Create a TLS Kubernetes Secret with the credentials of your certificate
After getting your domain’s certificates, you’ll need to create a TLS Kubernetes Secret, which your Istio Gateway requires. Log in to your Kyma cluster and go to the istio-system namespace.
If istio-system is not visible on the namespace list, click on the top-right icon of your Dashboard to open “Preferences”. On the left side, select “Clusters” and enable “Show hidden Namespaces”.
Go back to your namespace list and select “istio-system”.
On the left panel select Configuration – Secret.
Click on “+ Create Secret” and choose tls preset:
After that, choose a name for your Secret and fill in the Data panel.
The tls Secret needs to hold the correct values for:
After completion, click on Create. Your custom domain’s certificate is now saved as a tls Secret.
Create an Istio Gateway
Go to your application namespace, or create a new one (e.g. dev). On the left panel select Istio – Gateways.
Click on “+ Create Gateway”
Firstly, choose a name for your Gateway. After that, start by adding a Server:
Click on “+ Add”
Create an HTTPS port
Port number: 443
On the TLS panel:
TLS mode: SIMPLE
Credential name: select your Secret from the istio-system namespace. (If the Secret does not appear in the dropdown, don’t worry: type its name in manually, and it will be found after creation.)
On the Hosts panel:
Then click on “Create”
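For reference, the Secret and Gateway created through the dashboard above correspond roughly to the manifests below. This is an added example, not part of the original post: the resource names, the host and the certificate values are placeholders, the `istio: ingressgateway` selector assumes the cluster's default Istio ingress gateway label, and `minProtocolVersion` is an optional hardening setting that the dashboard steps do not mention.

```yaml
# Added example: placeholder names and values, not taken from the original post.
apiVersion: v1
kind: Secret
metadata:
  name: custom-domain-tls          # hypothetical Secret name
  namespace: istio-system          # the namespace used in the steps above
type: kubernetes.io/tls            # the "tls" preset in the dashboard
data:
  tls.crt: "<base64 of the PEM certificate chain>"   # placeholder
  tls.key: "<base64 of the PEM private key>"         # placeholder
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: custom-domain-gateway      # hypothetical Gateway name
  namespace: dev                   # application namespace from the steps above
spec:
  selector:
    istio: ingressgateway          # assumption: default ingress gateway label
  servers:
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE               # server-side TLS only, as chosen in the TLS panel
        credentialName: custom-domain-tls   # must match the Secret name above
        minProtocolVersion: TLSV1_2         # optional hardening, not in the original steps
      hosts:
        - "api.example.com"        # placeholder for your custom domain
```

Keeping the Gateway's `hosts` limited to the exact custom domain, rather than `*`, ensures the certificate in the Secret is only presented for names it actually covers.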
Create an API Rule
Go to your application namespace. On the left panel select Discovery and Network – API Rules.
Click on “+ Create API Rule” and start by selecting a name of your choice.
Under the Service panel:
Select Service name and choose the service and the port you want to expose through the API Rule.
After that, fill in Gateway and Hosts with your newly created Gateway and custom domain.
Under the Rules panel, configure the rules as you see fit.
When that is done, click on “Create”.
Test the connection to your custom domain on Postman
Open Postman and paste your newly created custom domain. Add the necessary credentials and parameters, if any. Finally, enable SSL verification under Settings and hit “Send”.
The Kyma dashboard offers the possibility of exposing a service through an API Rule hosted on a custom domain. With this, it is possible to avoid using the Kyma domain on exposed APIs.
Feel free to provide feedback or ask questions about this topic 😊
If the SAP BTP, Kyma runtime topic interests you, here are some other links that you may like:
Are you aware of the blog post from Piotr Tesny: Public custom domains easy with SAP BTP, Kyma runtime? I think you should also reference it as it uses automatic Certificate provisioning from Let's Encrypt.
Thank you for your feedback. I have updated the Reference section accordingly.