Adjust Application Connectivity docs to Kyma 2.0, pt.1 (#12259)
* Application Connectivity docs adjusted to Kyma 2.0

* Fixed incorrect secret name

* Update ac-14-disable-ssl-certificate-verification.md

* Add more fixes, remove obsolete assets, fix file numbering

* Add more fixes

* Update the cluster domain for local Kyma deployment in Get the Client Certificate

* Apply review suggestions

Co-authored-by: majakurcius <[email protected]>
akgalwas and majakurcius authored Oct 19, 2021
1 parent 3a28f8f commit ab7ad4a
Showing 58 changed files with 96 additions and 719 deletions.
Expand Up @@ -8,7 +8,7 @@ Application Connector (AC) is a custom, in-house built Kyma component that allow

The external solution you connect to Kyma using AC is represented as an Application. There is always a one-to-one relationship between a connected solution and an Application, which helps to ensure the highest level of security and separation. This means that you must create five separate Applications in your cluster to connect five different external solutions and use their APIs and event catalogs in Kyma.

Application Connector is secured with a client certificate verified by the Istio Ingress Gateway. The certificates are generated and stored as Kubernetes Secrets by Application Connector Certs Setup job. By default, the server key and certificate are automatically generated, but you can [provide a custom server certificate and key](../../../04-operation-guides/operations/ac-03-application-connector-certificates.md) during installation.
Application Connector is secured with a client certificate verified by the Istio Ingress Gateway. The root CA certificates are generated and stored as Kubernetes Secrets by Application Connector Certs Setup job. By default, the server key and certificate are automatically generated, but you can [provide a custom server certificate and key](../../../04-operation-guides/operations/ac-03-application-connector-certificates.md) during installation.

## Features
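
Review bot: The job name in the rewritten sentence, "Application Connector Certs Setup job", does not match the name this same commit uses in the configuration-parameters link list, "Application Connectivity Certs Setup Job"; pick one spelling and add the missing article ("by the ... job"). Also, now that the first sentence is scoped to root CA certificates, the following sentence ("the server key and certificate are automatically generated") no longer says which component generates the server pair or where it is stored; a short clause naming both would help readers who need to locate or rotate it.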

Expand All @@ -19,8 +19,6 @@ Application Connector:
- Registers APIs and event catalogs of the connected external solution.
- Delivers events from the connected external solution to Eventing.
- Proxies calls sent from Kyma to external APIs registered by the connected external solution.
- Allows to map an Application to a Kyma Namespace and use its registered APIs and event catalogs in the context of that Namespace.
- Integrates the registered APIs and event catalogs with the Kyma Service Catalog.

All of the AC components scale independently, which allows to adjust it to fit the needs of the implementation built using Kyma.

Expand Up @@ -2,12 +2,13 @@
title: Application Gateway
---

Application Gateway is an intermediary component between a Function or a service and an external API. Application Gateway can work in [two modes](../../../05-technical-reference/00-architecture/ac-01-application-connector-components.md#application-operator), legacy (default) or Compass (required for Runtimes with the Runtime Agent connected to Compass). In the legacy mode, Application Gateway [proxies the requests](../../../05-technical-reference/00-architecture/ac-03-application-gateway.md) based on the services registered with Application Registry. In the alternative Compass mode, Application Gateway [proxies the requests](../../../05-technical-reference/00-architecture/ac-03-application-gateway.md) from Functions and services in Kyma to external APIs based on the configuration stored in Secrets.

Application Gateway is an intermediary component between a Function or a service and an external API.
It [proxies the requests](../../../05-technical-reference/00-architecture/ac-03-application-gateway.md) from Functions and services in Kyma to external APIs based on the configuration stored in Secrets.

Application Gateway can call services which are not secured, or are secured with:

- [Basic Authentication](https://tools.ietf.org/html/rfc7617)
- OAuth
- Client certificates

Additionally, Application Gateway supports cross-site request forgery (CSRF) tokens as an optional layer of API protection.
Additionally, Application Gateway supports cross-site request forgery (CSRF) tokens as an optional layer of API protection.
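
Review bot: "based on the configuration stored in Secrets" is now the only statement of how Application Gateway decides where and how to proxy, and it does not say which Secrets these are or which component writes them. With the legacy/Compass distinction removed, name the owner of those Secrets or link to the reference page that describes them; the Application Registry hunk in this commit shows Secrets holding the OAuth client ID and client secret, so readers will want to know where that material lives.
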
Expand Up @@ -17,4 +17,3 @@ Application Registry interacts with Kubernetes APIs to perform these tasks:

- Modify the Application CR instance.
- Create Secrets which contain client ID and client secret used to access OAuth-secured APIs.
- Create the Access Service.
Expand Up @@ -6,10 +6,10 @@ title: Security

To provide maximum security, Application Connector uses the TLS protocol with Client Authentication enabled. As a result, whoever wants to connect to Application Connector must present a valid client certificate, which is dedicated to a specific Application. In this way, the traffic is fully encrypted and the client has a valid identity.

## SSL certificate verification
## TLS certificate verification

By default, the SSL certificate verification is enabled when sending data and requests to every application.
You can [disable the SSL certificate verification](../../../03-tutorials/00-application-connectivity/ac-14-disable-ssl-certificate-verification.md) in the communication between Kyma and an application to allow Kyma to send requests and data to an unsecured application. Disabling the certificate verification can be useful in certain testing scenarios.
By default, the TLS certificate verification is enabled when sending data and requests to every application.
You can [disable the TLS certificate verification](../../../03-tutorials/00-application-connectivity/ac-11-disable-tls-certificate-verification.md) in the communication between Kyma and an application to allow Kyma to send requests and data to an unsecured application. Disabling the certificate verification can be useful in certain testing scenarios.

## API security type
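
Review bot: Renaming the heading to "## TLS certificate verification" changes its generated anchor, so any link that targets the old `#ssl-certificate-verification` fragment will stop resolving; search the docs for that fragment before merging. While this paragraph is being touched, "an unsecured application" would be clearer as an application whose certificate cannot be verified, and the last sentence could state that with verification disabled Kyma does not authenticate the application it sends requests and data to, which is why the setting belongs in test scenarios.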

Expand Up @@ -10,20 +10,17 @@ If you're interested in learning more about the Application Connectivity area, f
- [Register an API in Application Registry](../../../04-operation-guides/operations/ac-02-api-registration.md)
- [Provide a custom AC certificate and key](../../../04-operation-guides/operations/ac-03-application-connector-certificates.md)
- [Access AC on a local deployment](../../../04-operation-guides/operations/ac-04-access-ac-on-local.md)
- [Disable SSL certificate verification](../../../03-tutorials/00-application-connectivity/ac-14-disable-ssl-certificate-verification.md)
- [Create a new Application](../../../03-tutorials/00-application-connectivity/ac-01-create-application.md)
- [Get the client certificate](../../../03-tutorials/00-application-connectivity/ac-02-get-client-certificate.md)
- [Bind an Application to a Namespace](../../../03-tutorials/00-application-connectivity/ac-03-application-mapping.md)
- [Register a service](../../../03-tutorials/00-application-connectivity/ac-04-register-manage-services.md)
- [Register a secured API](../../../03-tutorials/00-application-connectivity/ac-05-register-secured-api.md)
- [Bind a service to a Namespace](../../../03-tutorials/00-application-connectivity/ac-06-service-mapping.md)
- [Trigger a Function with events](../../../03-tutorials/00-application-connectivity/ac-07-trigger-function-with-event.md)
- [Call a registered external service from Kyma](../../../03-tutorials/00-application-connectivity/ac-08-call-registered-service-from-kyma.md)
- [Renew a client certificate](../../../03-tutorials/00-application-connectivity/ac-09-renew-client-cert.md)
- [Revoke a client certificate](../../../03-tutorials/00-application-connectivity/ac-10-revoke-client-cert.md)
- [Rotate the Root certificate and the key issued by the Certificate Authority](../../../03-tutorials/00-application-connectivity/ac-11-rotate-root-ca.md)
- [Get the API specification for AC components](../../../03-tutorials/00-application-connectivity/ac-12-get-api-specification.md)
- [Get subscribed events](../../../03-tutorials/00-application-connectivity/ac-13-get-subscribed-events.md)
- [Register a service](../../../03-tutorials/00-application-connectivity/ac-03-register-manage-services.md)
- [Register a secured API](../../../03-tutorials/00-application-connectivity/ac-04-register-secured-api.md)
- [Call a registered external service from Kyma](../../../03-tutorials/00-application-connectivity/ac-05-call-registered-service-from-kyma.md)
- [Renew a client certificate](../../../03-tutorials/00-application-connectivity/ac-06-renew-client-cert.md)
- [Revoke a client certificate](../../../03-tutorials/00-application-connectivity/ac-07-revoke-client-cert.md)
- [Rotate the Root certificate and the key issued by the Certificate Authority](../../../03-tutorials/00-application-connectivity/ac-08-rotate-root-ca.md)
- [Get the API specification for AC components](../../../03-tutorials/00-application-connectivity/ac-09-get-api-specification.md)
- [Get subscribed events](../../../03-tutorials/00-application-connectivity/ac-10-get-subscribed-events.md)
- [Disable TLS certificate verification](../../../03-tutorials/00-application-connectivity/ac-11-disable-tls-certificate-verification.md)

- Troubleshoot Application Connectivity-related issues for:
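
Review bot: The list drops "Trigger a Function with events" but keeps "Get subscribed events", and the Features list earlier in this commit still says Application Connector delivers events to Eventing. If that tutorial moved rather than became obsolete, link its new location here so readers still have a path from receiving events to acting on them. The renumbered file names (for example ac-09 to ac-06 for renewing a client certificate) will also break inbound links from outside this directory, so run a link check over the whole docs tree.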

Expand All @@ -33,21 +30,17 @@ If you're interested in learning more about the Application Connectivity area, f

- Analyze Application Connectivity specification and configuration files:

- [Application Connectivity API specification](../../../05-technical-reference/ac-01-application-connectivity-api-specification.md)
- [Application](../../../05-technical-reference/00-custom-resources/ac-01-application.md) custom resource (CR)
- [ApplicationMapping](../../../05-technical-reference/00-custom-resources/ac-02-applicationmapping.md) CR
- [EventActivation](../../../05-technical-reference/00-custom-resources/ac-03-eventactivation.md) CR
- [TokenRequest](../../../05-technical-reference/00-custom-resources/ac-04-tokenrequest.md) CR
- [EventActivation](../../../05-technical-reference/00-custom-resources/ac-02-eventactivation.md) CR
- [TokenRequest](../../../05-technical-reference/00-custom-resources/ac-03-tokenrequest.md) CR
- [Application Connector chart](../../../05-technical-reference/00-configuration-parameters/ac-01-application-connector-chart.md)
- [Application Operator sub-chart](../../../05-technical-reference/00-configuration-parameters/ac-02-application-operator-sub-chart.md)
- [Application Registry sub-chart](../../../05-technical-reference/00-configuration-parameters/ac-03-application-registry-sub-chart.md)
- [Connector Service sub-chart](../../../05-technical-reference/00-configuration-parameters/ac-04-connector-service-sub-chart.md)
- [Application Connectivity Certs Setup Job](../../../05-technical-reference/00-configuration-parameters/ac-05-application-connectivity-certs-setup-job.md)
- [Application Registry sub-chart](../../../05-technical-reference/00-configuration-parameters/ac-02-application-registry-sub-chart.md)
- [Connector Service sub-chart](../../../05-technical-reference/00-configuration-parameters/ac-03-connector-service-sub-chart.md)
- [Application Connectivity Certs Setup Job](../../../05-technical-reference/00-configuration-parameters/ac-04-application-connectivity-certs-setup-job.md)

- Understand technicalities behind the Application Connectivity implementation:

- [Application Connector components](../../../05-technical-reference/00-architecture/ac-01-application-connector-components.md)
- [Connector Service workflow](../../../05-technical-reference/00-architecture/ac-02-connector-service.md)
- [Application Gateway workflow](../../../05-technical-reference/00-architecture/ac-03-application-gateway.md)
- [Application Broker workflow](../../../05-technical-reference/00-architecture/ac-04-application-broker.md)
- [Application Gateway details](../../../05-technical-reference/ac-02-application-gateway-details.md)
- [Application Gateway details](../../../05-technical-reference/ac-01-application-gateway-details.md)
Expand Up @@ -2,8 +2,6 @@
title: Create a new Application
---

Application Operator listens for the creation of Application custom resources. It provisions and de-provisions the necessary deployments for every created Application.

>**NOTE:** An Application represents a single connected external solution.
To create a new Application, run this command:
Expand All @@ -22,14 +20,14 @@ spec:
EOF
```

## Check the Application status
## Get the Application data

To check the status of the created Application and show the output in the `yaml` format, run this command:
To get the data of the created Application and show the output in the `yaml` format, run this command:
```bash
kubectl get app {APP_NAME} -o yaml
```

A successful response returns the Application custom resource with the specified name. The custom resource has the **status** section added.
A successful response returns the Application custom resource with the specified name.
This is an example response:

```yaml
Expand All @@ -47,10 +45,8 @@ metadata:
spec:
accessLabel: {APP_NAME}
description: {APP_DESCRIPTION}
labels: {}
labels:
region: "us"
kind: "production"
services: []
status:
installationStatus:
description: Install complete
status: deployed
```
```
Expand Up @@ -6,8 +6,8 @@ After you create an Application, connect it to an external solution to consume t

This guide shows you how to get the client certificate.

>**NOTE:** The client certificate is valid for 92 days. See how to [renew the client certificate](../../03-tutorials/00-application-connectivity/ac-09-renew-client-cert.md), and
how to [revoke the client certificate](../../03-tutorials/00-application-connectivity/ac-10-revoke-client-cert.md), which prevents it from being renewed.
>**NOTE:** The client certificate is valid for 92 days. See how to [renew the client certificate](ac-06-renew-client-cert.md), and
how to [revoke the client certificate](../../03-tutorials/00-application-connectivity/ac-07-revoke-client-cert.md), which prevents it from being renewed.

## Prerequisites
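
Review bot: The two links in the NOTE now use different path styles: the renew link is the sibling-relative `ac-06-renew-client-cert.md`, while the revoke link on the next line still goes through `../../03-tutorials/00-application-connectivity/`. Use the short form `ac-07-revoke-client-cert.md` as well, so both links resolve the same way and match the style the other tutorials in this commit were switched to.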

Expand Down Expand Up @@ -153,16 +153,16 @@ Use `urls.metadataUrl` and `urls.eventsUrl` to get the URLs to the Application R
## Call Application Registry and Event Publisher on local deployment
Since Kyma installation on Minikube uses the self-signed certificate by default, skip TLS verification.
Since the local Kyma installation uses the self-signed certificate by default, skip TLS verification.
Call Application Registry with this command:
```bash
curl https://gateway.kyma.local/{APP_NAME}/v1/metadata/services --cert {CLIENT_CERT_FILE_NAME}.crt --key {KEY_FILE_NAME}.key -k
curl https://gateway.local.kyma.dev/{APP_NAME}/v1/metadata/services --cert {CLIENT_CERT_FILE_NAME}.crt --key {KEY_FILE_NAME}.key -k
```
Use this command to call the Event Publisher:
```bash
curl -X POST -H "Content-Type: application/json" https://gateway.kyma.local/{APP_NAME}/v1/events --cert {CLIENT_CERT_FILE_NAME}.crt --key {KEY_FILE_NAME}.key -k -d '{EVENT}'
curl -X POST -H "Content-Type: application/json" https://gateway.local.kyma.dev/{APP_NAME}/v1/events --cert {CLIENT_CERT_FILE_NAME}.crt --key {KEY_FILE_NAME}.key -k -d '{EVENT}'
```
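
Review bot: Both updated commands keep `-k`, which turns off server certificate verification entirely, and the introductory sentence justifies it only by the certificate being self-signed. Where the self-signed CA certificate can be exported, show `--cacert` with that file (for example `--cacert {CA_CERT_FILE}`, a placeholder name) as the preferred form and keep `-k` as the fallback for local use, so readers do not carry `-k` over to a real cluster. Minor wording: "the self-signed certificate" should be "a self-signed certificate".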

This file was deleted.

Expand Up @@ -12,7 +12,7 @@ This guide shows you how to register a service of your external solution in Kyma

1. To register a service with a Basic Authentication-secured API, follow this template to prepare the request body:

>**NOTE:** Follow the [tutorial](../../03-tutorials/00-application-connectivity/ac-05-register-secured-api.md) to learn how to register APIs secured with different security schemes or protected against cross-site request forgery (CSRF) attacks.
>**NOTE:** Follow the [tutorial](ac-04-register-secured-api.md) to learn how to register APIs secured with different security schemes or protected against cross-site request forgery (CSRF) attacks.
```json
{
Expand Up @@ -8,7 +8,7 @@ You can specify only one authentication method for every secured API you registe

Additionally, you can secure the API against cross-site request forgery (CSRF) attacks. CSRF tokens are an additional layer of protection and can accompany any authentication method.

>**NOTE:** Registering a secured API is a part of registering services of an external solution connected to Kyma. To learn more about this process, follow the [tutorial](../../03-tutorials/00-application-connectivity/ac-04-register-manage-services.md).
>**NOTE:** Registering a secured API is a part of registering services of an external solution connected to Kyma. To learn more about this process, follow the [tutorial](ac-03-register-manage-services.md).
## Register a Basic Authentication-secured API
