With the SAP BTP Operator module, you can create configurations for several subaccounts in a single Kyma cluster.
To apply the multitenancy feature, choose the method that suits your needs and application architecture:
- Namespace-based mapping: Connect namespaces to separate subaccounts by configuring dedicated credentials for each namespace.
- Instance-level mapping: Define a specific subaccount for each service instance, regardless of the namespace context.
Regardless of the method, you must create Secrets managed in the kyma-system
namespace.
To connect a namespace to a specific subaccount, maintain access credentials to this subaccount in a Secret dedicated to the specific namespace. Define the {NAMESPACE-NAME}-sap-btp-service-operator
Secret in the kyma-system
namespace.
See the following examples:
-
Default access credentials:
apiVersion: v1 kind: Secret metadata: name: {NAMESPACE_NAME}-sap-btp-service-operator namespace: kyma-system type: Opaque stringData: clientid: {CLIENT_ID} clientsecret: {CLIENT_SECRET} sm_url: {SM_URL} tokenurl: {AUTH_URL} tokenurlsuffix: "/oauth/token"
-
mTLS access credentials:
apiVersion: v1 kind: Secret metadata: name: {NAMESPACE_NAME}-sap-btp-service-operator namespace: kyma-system type: Opaque stringData: clientid: {CLIENT_ID} tls.crt: {TLS_CERTIFICATE} tls.key: {TLS_KEY} sm_url: {SM_URL} tokenurl: {AUTH_URL} tokenurlsuffix: "/oauth/token"
To deploy service instances belonging to different subaccounts within the same namespace, follow these steps:
-
Define a new Secret: Securely store access credentials for each subaccount in a separate Secret in the
kyma-system
namespace. See the following examples:- Default access credentials
apiVersion: v1 kind: Secret metadata: name: {SECRET_NAME} namespace: kyma-system type: Opaque stringData: clientid: {CLIENT_ID} clientsecret: {CLIENT_SECRET} sm_url: {SM_URL} tokenurl: {AUTH_URL} tokenurlsuffix: "/oauth/token"
- mTLS access credentials
apiVersion: v1 kind: Secret metadata: name: {SECRET_NAME} namespace: kyma-system type: Opaque stringData: clientid: {CLIENT_ID} tls.crt: {TLS_CERTIFICATE} tls.key: {TLS_KEY} sm_url: {SM_URL} tokenurl: {AUTH_URL} tokenurlsuffix: "/oauth/token"
- Default access credentials
-
Specify a subaccount per service: Configure the Secret name in the ServiceInstance resource within the btpAccessCredentialsSecret property. The Secret containing the relevant subaccount's credentials tells SAP BTP Operator explicitly which subaccount to use to provision the service instance. The Secret must be located in the
kyma-system
namespace.apiVersion: services.cloud.sap.com/v1 kind: ServiceInstance metadata: name: {SERVICE_INSTANCE_NAME} spec: serviceOfferingName: service-manager servicePlanName: subaccount-audit btpAccessCredentialsSecret: {SECRET_NAME}
SAP BTP Operator searches for the credentials in the following order:
- Explicit Secret defined in a service instance
- Default namespace Secret
- Default cluster Secret