zhongwei/gh-secondsky-sap-skills-skills-sap-btp-cloud-platform
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4b44ecffd4276f694519e70880cf3899c0f9ec72
gh-secondsky-sap-skills-ski…/references/kyma.md
Zhongwei Li 4b44ecffd4 Initial commit
2025-11-30 08:54:56 +08:00

500 lines
10 KiB
Markdown
Raw Blame History

# Kyma Environment Reference
Detailed guidance for SAP BTP Kyma environment development and administration.
**Source**: [https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/10-concepts](https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/10-concepts)
**Kyma Project**: [https://kyma-project.io/](https://kyma-project.io/)
---
## Table of Contents
1. [Architecture](#architecture)
2. [Modules](#modules)
3. [Namespaces](#namespaces)
4. [Deployment Patterns](#deployment-patterns)
5. [Service Consumption](#service-consumption)
6. [Serverless Functions](#serverless-functions)
7. [Eventing](#eventing)
8. [Security](#security)
9. [kubectl Commands](#kubectl-commands)
---
## Architecture
### Kyma in SAP BTP
- Fully managed Kubernetes runtime
- Based on open-source Kyma project
- Built on Gardener-managed Kubernetes clusters
- Modular architecture with selectable components
- 1:1 relationship: Subaccount → Kyma Cluster
### Supported Technologies
- CAP (Cloud Application Programming Model)
- SAP Cloud SDK
- Application Router
- HTML5 Deployer
- Docker containers
- Helm charts
### Structure
```
Subaccount (1:1 with Kyma Cluster)
└── Kubernetes Cluster
├── kyma-system (SAP managed)
├── namespace: dev
│ ├── Deployments
│ ├── Services
│ └── Functions
├── namespace: test
└── namespace: prod
```
---
## Modules
### Default Modules (Always Installed)
| Module | Purpose |
|--------|---------|
| `istio` | Service mesh with Kyma-specific configuration |
| `api-gateway` | Expose and secure APIs |
| `btp-operator` | Consume SAP BTP services via Kubernetes |
### Optional Modules
| Module | Purpose |
|--------|---------|
| `serverless` | Deploy simple code functions |
| `eventing` | CloudEvents pub/sub (NATS or SAP Event Mesh) |
| `application-connector` | Integrate external systems |
| `telemetry` | Collect logs and traces |
| `keda` | Event-driven autoscaling |
| `nats` | NATS cluster for eventing |
| `cloud-manager` | Cloud provider product integration |
### Module Management
```bash
# List available modules
kubectl get kymas -n kyma-system
# Add module via BTP Cockpit or kubectl
kubectl patch kyma default -n kyma-system --type merge -p '
spec:
modules:
- name: serverless
'
```
### Community Modules
User-provided modules without:
- Automatic updates
- SLA coverage
- SAP support
---
## Namespaces
### Best Practices
- Use namespaces for environment separation
- Apply resource quotas per namespace
- Implement network policies for isolation
### Create Namespace
```yaml
# namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
name: my-app
labels:
istio-injection: enabled
```
```bash
kubectl apply -f namespace.yaml
```
### Resource Quotas
```yaml
apiVersion: v1
kind: ResourceQuota
metadata:
name: my-quota
namespace: my-app
spec:
hard:
requests.cpu: "4"
requests.memory: 8Gi
limits.cpu: "8"
limits.memory: 16Gi
pods: "20"
```
---
## Deployment Patterns
### Standard Deployment
```yaml
# deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: my-app
namespace: my-namespace
spec:
replicas: 2
selector:
matchLabels:
app: my-app
template:
metadata:
labels:
app: my-app
spec:
containers:
- name: my-app
image: my-registry/my-app:latest
ports:
- containerPort: 8080
resources:
requests:
memory: "256Mi"
cpu: "100m"
limits:
memory: "512Mi"
cpu: "500m"
```
### Service
```yaml
apiVersion: v1
kind: Service
metadata:
name: my-app
namespace: my-namespace
spec:
selector:
app: my-app
ports:
- port: 80
targetPort: 8080
```
### API Rule (Expose API)
```yaml
apiVersion: gateway.kyma-project.io/v1beta1
kind: APIRule
metadata:
name: my-app
namespace: my-namespace
spec:
gateway: kyma-gateway.kyma-system.svc.cluster.local
host: my-app
service:
name: my-app
port: 80
rules:
- path: /.*
methods: ["GET", "POST", "PUT", "DELETE"]
accessStrategies:
- handler: jwt
config:
jwks_urls:
- [https://<subaccount>.authentication.<region>.hana.ondemand.com/token_keys](https://<subaccount>.authentication.<region>.hana.ondemand.com/token_keys)
```
### Helm Chart
```bash
# Install with Helm
helm install my-app ./my-chart -n my-namespace
# Upgrade
helm upgrade my-app ./my-chart -n my-namespace
# Rollback
helm rollback my-app 1 -n my-namespace
```
---
## Service Consumption
### SAP BTP Operator
Consume SAP BTP services via Kubernetes resources:
```yaml
# ServiceInstance
apiVersion: services.cloud.sap.com/v1
kind: ServiceInstance
metadata:
name: my-hana
namespace: my-namespace
spec:
serviceOfferingName: hana-cloud
servicePlanName: hana
parameters:
memory: 32
---
# ServiceBinding
apiVersion: services.cloud.sap.com/v1
kind: ServiceBinding
metadata:
name: my-hana-binding
namespace: my-namespace
spec:
serviceInstanceName: my-hana
secretName: my-hana-credentials
```
### Using Credentials
```yaml
env:
- name: HANA_URL
valueFrom:
secretKeyRef:
name: my-hana-credentials
key: url
```
---
## Serverless Functions
### Function Definition
```yaml
apiVersion: serverless.kyma-project.io/v1alpha2
kind: Function
metadata:
name: my-function
namespace: my-namespace
spec:
runtime: nodejs20
source:
inline:
source: |
module.exports = {
main: async function (event, context) {
const message = event.data?.message || "Hello World";
return { statusCode: 200, body: { message } };
}
};
resourceConfiguration:
function:
resources:
requests:
cpu: "50m"
memory: "64Mi"
limits:
cpu: "100m"
memory: "128Mi"
```
### Expose Function
```yaml
apiVersion: gateway.kyma-project.io/v1beta1
kind: APIRule
metadata:
name: my-function
namespace: my-namespace
spec:
gateway: kyma-gateway.kyma-system.svc.cluster.local
host: my-function
service:
name: my-function
port: 80
rules:
- path: /.*
methods: ["GET", "POST"]
accessStrategies:
- handler: noop # No authentication
```
---
## Eventing
### Subscription
```yaml
apiVersion: eventing.kyma-project.io/v1alpha2
kind: Subscription
metadata:
name: my-subscription
namespace: my-namespace
spec:
sink: [http://my-function.my-namespace.svc.cluster.local](http://my-function.my-namespace.svc.cluster.local)
source: myapp
types:
- order.created.v1
```
### Publishing Events
```javascript
// CloudEvent format
const event = {
specversion: "1.0",
type: "order.created.v1",
source: "myapp",
id: uuid(),
data: { orderId: "12345" }
};
await fetch(`${EVENTING_ENDPOINT}/publish`, {
method: "POST",
headers: { "Content-Type": "application/cloudevents+json" },
body: JSON.stringify(event)
});
```
---
## Security
### API Gateway Authentication
JWT validation with XSUAA:
```yaml
accessStrategies:
- handler: jwt
config:
jwks_urls:
- [https://<subaccount>.authentication.<region>.hana.ondemand.com/token_keys](https://<subaccount>.authentication.<region>.hana.ondemand.com/token_keys)
trusted_issuers:
- [https://<subaccount>.authentication.<region>.hana.ondemand.com/oauth/token](https://<subaccount>.authentication.<region>.hana.ondemand.com/oauth/token)
```
### RBAC
```yaml
# Role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: developer
namespace: my-namespace
rules:
- apiGroups: ["", "apps"]
resources: ["pods", "deployments", "services"]
verbs: ["get", "list", "create", "update", "delete"]
---
# RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: developer-binding
namespace: my-namespace
subjects:
- kind: User
name: developer@example.com
roleRef:
kind: Role
name: developer
apiGroup: rbac.authorization.k8s.io
```
### Network Policies
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny
namespace: my-namespace
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
```
---
## kubectl Commands
### Authentication
```bash
# Download kubeconfig from BTP Cockpit
# Or use kubelogin for OIDC
export KUBECONFIG=~/.kube/kyma-kubeconfig.yaml
kubectl get nodes
```
### Common Operations
```bash
# List resources
kubectl get pods -n my-namespace
kubectl get deployments -n my-namespace
kubectl get services -n my-namespace
# Apply configuration
kubectl apply -f deployment.yaml
# View logs
kubectl logs -f deployment/my-app -n my-namespace
# Describe resource
kubectl describe pod my-pod -n my-namespace
# Execute command in pod
kubectl exec -it my-pod -n my-namespace -- /bin/sh
# Port forward
kubectl port-forward svc/my-app 8080:80 -n my-namespace
# Delete resources
kubectl delete -f deployment.yaml
```
### Troubleshooting
```bash
# Get events
kubectl get events -n my-namespace --sort-by='.lastTimestamp'
# Check pod status
kubectl get pods -n my-namespace -o wide
# View container logs
kubectl logs my-pod -c my-container -n my-namespace
# Previous container logs
kubectl logs my-pod -c my-container -n my-namespace --previous
```
---
## Related Documentation
- Kyma Environment: [https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/10-concepts/kyma-environment-468c2f3.md](https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/10-concepts/kyma-environment-468c2f3.md)
- Kyma Modules: [https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/10-concepts/kyma-modules-0dda141.md](https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/10-concepts/kyma-modules-0dda141.md)
- Getting Started: [https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/20-getting-started/getting-started-in-the-kyma-environment-d1abd18.md](https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/20-getting-started/getting-started-in-the-kyma-environment-d1abd18.md)
- Kyma Project: [https://kyma-project.io/docs/](https://kyma-project.io/docs/)
Reference in New Issue View Git Blame Copy Permalink