This blog deals specifically with consuming Cloud Foundry services from a Canary/Gardener Kubernetes instance on any cloud provider. The scenario is a private-cloud Kubernetes instance inside a company's firewall. The idea is to host secure REST APIs on Kubernetes on Gardener and to apply policies such as rate limiting and access control provided by API Management. Any SAP Cloud Foundry service can follow a similar architecture if the application (Node.js or otherwise) is deployed on a Kubernetes platform.
Let me talk about the setup and architecture first.
Architecture
The application pod hosts the REST API, which API Management reaches through the Cloud Connector; the host and port configured there are the ClusterIP address and port of your pod's service.
The user authenticates with a certificate, an API key or any other mechanism you choose. SAP Cloud Connector is used because the Kubernetes system sits inside the SAP VPN: API Management treats the Gardener system as an on-premise system and establishes a secured tunnel from API Management to Kubernetes. The application pod is exposed as a ClusterIP service, so it is reachable from the Cloud Connector pod but not from external systems. The configuration you have to make is to run SAP Cloud Connector as a Docker container and install it on Kubernetes using a deployment file. Follow the blog below for the Docker installation.
After you have the setup done on a local machine and have tested the flow, create a Kubernetes file like the one below; I will explain it in detail. The only unusual part is the use of init containers. Without an init container, your SAP Cloud Connector installation is wiped out every time Kubernetes restarts the sapcc pod. You can use a persistent volume to store the contents, but without an init container the persistent volume never receives the installation files in the first place. Below I have declared two persistent volumes and two claims; they are required so that the init container can copy the contents. You store the contents at a temporary location, /opt/sap/scc_seed, and copy them to the container's default location, /opt/sap/scc.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: stc-pv-vol
  # PersistentVolumes are cluster-scoped; the namespace is accepted but ignored
  namespace: stc-mvp
spec:
  storageClassName: default
  capacity:
    storage: 10Gi
  accessModes:
    - ReadWriteOnce
  hostPath:
    path: /data
    type: Directory
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: stc-pv-claim
  namespace: stc-mvp
spec:
  storageClassName: default
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: stc-pv-volc
  namespace: stc-mvp
spec:
  storageClassName: default
  capacity:
    storage: 10Gi
  accessModes:
    - ReadWriteOnce
  hostPath:
    # same host directory as stc-pv-vol, so the init container's copy is
    # visible to the main container through its own claim
    path: /data
    type: Directory
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: stc-pv-claimc
  namespace: stc-mvp
spec:
  storageClassName: default
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: stc-mvp
  name: sapcc
  labels:
    app: sapcc
spec:
  selector:
    matchLabels:
      app: sapcc
  replicas: 1
  template:
    metadata:
      labels:
        app: sapcc
    spec:
      volumes:
        - name: stc-pv-vol
          persistentVolumeClaim:
            claimName: stc-pv-claim
        - name: stc-pv-volc
          persistentVolumeClaim:
            claimName: stc-pv-claimc
      initContainers:
        # seeds the volume from /opt/sap/scc_seed only on the first start,
        # so an existing Cloud Connector configuration is never overwritten
        - image: <imagename>:latest
          name: init-service
          command:
            - bash
            - "-c"
            - |
              set -ex
              if find /opt/sap/scc/config -mindepth 1 | read; then
                echo "directory not empty"
                ls -la /opt/sap/scc
              else
                echo "directory empty"
                cp -fR /opt/sap/scc_seed/* /opt/sap/scc/
                echo "what is the listing now?"
                ls -la /opt/sap/scc
              fi
          volumeMounts:
            - name: stc-pv-vol
              mountPath: /opt/sap/scc
      containers:
        - image: <imagename>:latest
          imagePullPolicy: Always
          name: sapcc
          ports:
            - name: http
              containerPort: 8443
          volumeMounts:
            - name: stc-pv-volc
              mountPath: /opt/sap/scc
---
apiVersion: v1
kind: Service
metadata:
  name: sapcc
  namespace: stc-mvp
  labels:
    app: sapcc
spec:
  ports:
    - name: http
      port: 8443
  selector:
    app: sapcc
  type: LoadBalancer
Your Dockerfile also requires a change: create the temporary directory /opt/sap/scc_seed and copy the installation into it.
RUN mkdir /opt/sap/scc_seed && cp -fR /opt/sap/scc/* /opt/sap/scc_seed/
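The init container script above is the part that decides whether a restart keeps or destroys the Cloud Connector configuration (and with it the tunnel certificates and subaccount setup). The following is an added example, not the blog's or SAP's own code: the same "seed only when config/ is empty" rule as a shell function with the two paths as parameters, plus a throw-away demo on temporary directories so the behaviour can be checked on a workstation before it is baked into the manifest. The only assumption is that `find -mindepth`, as used by the blog's script, is available; `/opt/sap/scc_seed` and `/opt/sap/scc` are defaults, not paths this example requires.

```shell
#!/bin/sh
# Added example (not the blog's own code): the init container's idempotent
# seeding logic as a reusable function that can be exercised locally.

# seed_if_empty SEED_DIR TARGET_DIR
#   Copies SEED_DIR/* into TARGET_DIR when TARGET_DIR/config has no entries.
#   Returns 0 when a copy happened, 1 when TARGET_DIR already held a
#   configuration and was left untouched, 2 when SEED_DIR is unusable.
seed_if_empty() {
  seed="${1:-/opt/sap/scc_seed}"
  target="${2:-/opt/sap/scc}"

  [ -d "$seed" ] || { echo "seed directory $seed missing" >&2; return 2; }
  mkdir -p "$target"

  # Same test as the init container: any entry below config/ means a real
  # connector configuration already lives on the volume and must not be
  # replaced by the image's defaults.
  if find "$target/config" -mindepth 1 2>/dev/null | head -n 1 | grep -q .; then
    echo "existing configuration found in $target, not seeding"
    return 1
  fi

  # -p keeps ownership and modes of the seed files (the blog uses cp -fR;
  # preserving modes is this example's choice so the connector's own file
  # permissions survive the copy). The trailing /. also copies dotfiles.
  cp -pR "$seed"/. "$target"/
  echo "seeded $target from $seed"
  return 0
}

# config_entries TARGET_DIR
#   Prints the number of entries under TARGET_DIR/config, i.e. what the
#   idempotency test keys on; useful for inspecting a volume after a restart.
config_entries() {
  find "${1:-/opt/sap/scc}/config" -mindepth 1 2>/dev/null | wc -l | tr -d ' '
}

# Demo on constructed directories (not a real Cloud Connector installation):
# the first start seeds, a simulated restart is a no-op, and a file written by
# the administrator on the volume survives both.
demo() {
  work=$(mktemp -d)
  mkdir -p "$work/seed/config" "$work/seed/log"
  echo "default=true" > "$work/seed/config/default.properties"

  seed_if_empty "$work/seed" "$work/vol"                           # first start
  echo "tunnel=configured" > "$work/vol/config/tunnel.properties" # admin config
  seed_if_empty "$work/seed" "$work/vol" || true                   # restart: skipped

  if [ -f "$work/vol/config/tunnel.properties" ]; then
    echo "configuration survived restart ($(config_entries "$work/vol") entries)"
  fi
  rm -rf "$work"
}

# run the demo only when asked for, so the functions can also be sourced
case "${1:-}" in demo) demo ;; esac
```

Run it as `sh seed.sh demo`; the second call must report that an existing configuration was found, otherwise a pod restart would silently reset the connector to the image defaults. Unrelated to the seeding logic but worth a look in the same manifest: the sapcc Service publishes port 8443, the Cloud Connector administration UI, as `type: LoadBalancer`. The connector opens its tunnel outbound, so nothing on the cloud side needs to reach that port; restrict it to administrators (a ClusterIP Service with port-forwarding, or a network policy) unless wider exposure is intended.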
Hope this helps.