
Sharing a credential store instance between CloudFoundry and Kyma?

SeanKilleen
Explorer
0 Kudos

Hi all!


Background:

  • We previously intended to deploy our platform using BTP CloudFoundry.
  • We discovered that BTP CloudFoundry doesn't support node-to-node networking even though CloudFoundry itself does, so we're forced to move away from CloudFoundry to Kyma.
  • I have set up a Kyma environment, including installing BTP Service Operator
  • In the BTP CloudFoundry environment, I currently have our app bound to several service instances, including credstore.
  • There's a blog post that appears to say that BTP service broker allows instances to be shared, but only resources that support instance sharing. But it doesn't provide a list anywhere of what those services are.

Goal: I would like to understand how to also bind this existing credstore instance to our Kyma environment so I can begin migrating our app into the Kyma environment and utilizing credstore there as well. If I can't do that, I'd like to understand how to create an additional credstore so that I can avoid deleting the old credstore. My goal here is a smooth developer transition - I'd like our devs to continue deploying/testing the app on CF while I shift it to Kyma.


Things I've tried:

  • Using a "ServiceBinding" CRD in Kyma that references the existing CF credstore instance. This didn't work, presumably because the credstore is a CF-based service. Error message: "couldn't find the service instance 'SctCredStore'. Error: ServiceInstance.services.cloud.sap.com "SctCredStore" not found"
  • Creating a new credstore instance in Kyma. I receive the error (guids redacted) "Quota is not sufficient for this request, up to 1 standard instance/s for subaccount is/are allowed". (NOTE: Note the quota on the subaccount for credstore entitlements is unlimited, so I'm presuming there is a system-level restriction that keeps the amount at 1).
  • Creating a credstore instance with the "proxy plan" in Kyma. When attempting to create an instance of "credstore" with the "proxy" service plan, I receive an error that "Mandatory parameters for service origin are not specified"
  • Sharing the existing CF-based credstore instance with the sub-account. Via BTP Cockpit, in the credential store instance, I head to "service sharing", and create a local, permanent share for the whole sub-account (the same subaccount the CF space and credstore instance are located in). When I do this, I'm still unable to find the service for the instance binding. Error message: "couldn't find the service instance 'SctCredStore'. Error: ServiceInstance.services.cloud.sap.com "SctCredStore" not found"

It is beginning to seem like my only path forward is to delete the existing credstore from the CF environment since we're migrating away from it, and recreate the instance via Kyma. But I'd love to avoid that disruption if at all possible, and I don't want to discount that I might be missing something due to being relatively new.

If I need to create a new separate sub-account for my Kyma environment to exist separately from the CF environment, that's not the end of the world, but I'd love to avoid it for simplicity's sake.

SeanKilleen
Explorer
0 Kudos

My workaround in this case was to move all of the Kyma-related infrastructure into a separate sub-account from the CloudFoundry infrastructure, create a new CredStore instance in the Kyma sub-account, and plan a future migration of the secrets to the new CredStore. After moving to the new sub-account, I was able to create the new credstore instance and bind it fine. It would have been much more convenient to have a path to do this within the same sub-account, but at least I'm unblocked for now.

Accepted Solutions (1)

piotr_kopczynski
Discoverer

Hello Sean,

About your "Sharing the existing CF-based credstore instance with the sub-account." attempt:
Your service instance should contain the parameter below. Have you used it?

parameters:
  referenced_instance_id: <shared service id>


Example:

kind: ServiceInstance
metadata:
  name: kyma-demo-instance-123
  namespace: develope
spec:
  serviceOfferingName: xsuaa
  servicePlanName: reference-instance
  parameters:
    referenced_instance_id: <shared service id>

And of course, the Kyma instance (BTP operator instance) and the credstore instance must be in the same subaccount.

Cheers, Piotr Kopczynski
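
The setup described in the answer above, written out for the credstore case as an added example (not from the original post or from SAP's documentation): a reference `ServiceInstance` plus the `ServiceBinding` that points at it. It assumes the credstore offering exposes the `reference-instance` plan in this subaccount, which the thread does not confirm; the resource names, namespace and secret name are hypothetical.

```yaml
# Added example; all names and the namespace are hypothetical.
# A ServiceBinding looks up spec.serviceInstanceName as a ServiceInstance
# resource in the cluster. The "ServiceInstance.services.cloud.sap.com ... not found"
# error quoted in the question is that lookup failing, because only the
# CF-side instance existed and no ServiceInstance resource represented it.
apiVersion: services.cloud.sap.com/v1
kind: ServiceInstance
metadata:
  name: credstore-ref                    # hypothetical resource name
  namespace: my-app                      # hypothetical namespace
spec:
  serviceOfferingName: credstore
  servicePlanName: reference-instance    # assumption: plan is offered for credstore
  parameters:
    # ID of the shared CF-side instance (placeholder kept from the answer)
    referenced_instance_id: <shared service id>
---
apiVersion: services.cloud.sap.com/v1
kind: ServiceBinding
metadata:
  name: credstore-ref-binding            # hypothetical resource name
  namespace: my-app
spec:
  # Name of the ServiceInstance resource above, not the CF instance name
  serviceInstanceName: credstore-ref
  # Kubernetes Secret that receives the binding credentials
  secretName: credstore-ref-credentials
```

The Secret named in `secretName` holds the credential store access credentials, so read access to Secrets in that namespace should be limited to the workloads that need it.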

SeanKilleen
Explorer

Hi Piotr -- thank you for the response on this! Apologies for my delayed reply.


I had already moved on to recreating the credstore so I wasn't able to verify this answer, but it seems correct.

Regarding the `referenced_instance_id` parameter -- I failed to find it anywhere in the docs, and I'm wondering if I just missed it somehow. Could you let me know where that list of parameters can be found so that I can better help myself in the future? Thank you!

Answers (0)