Architecture ​
The following architectural diagram includes all components of the Application Connector module and describes the workflow for integrating an external system into Kyma using the different components.
Components ​
| Component | Purpose |
|---|---|
| External application | An external system that interacts with your Kyma workload or is called by it. |
| Unified Customer Landscape (UCL) | The UCL system implements the SAP Extensibility concept and administrates system formations. |
| Runtime Agent | Runtime Agent is a client of the UCL system. It regularly synchronizes the defined system formations and integrates them into Kyma runtime. |
| Certificate Secret | Stores the UCL-managed certificates used for trusted communication between an external system and Kyma. |
| Application custom resource (CR) | Stores metadata of an external system (like endpoints, authentication method, etc.). Each Application CR corresponds to a single external system. |
| Application credentials Secret | Stores endpoint/API credentials of an external system. |
| Istio Ingress Gateway | The Application Connector module uses Istio Gateway as an endpoint for incoming requests from external systems. The Gateway supports mTLS for establishing trusted connections between an external system and Kyma runtime. |
| Application Connectivity Validator | Verifies incoming requests by analyzing the certificate subject and passes the request to the Kyma Eventing module. |
| Eventing module | The Kyma Eventing module dispatches incoming requests from external systems to Kyma workloads. |
| Kyma workload | A user workload (for example, deployed applications) or any Kyma-hosted Serverless Function. |
| Application Gateway | Acts as a proxy for outgoing communication from a Kyma workload to an external system. It supports various types of authentication methods. |
| Application Connector Manager | This Kubernetes Operator installs and configures all Application Connector module components in Kyma runtime. It manages the lifecycle of the Application Connector module based on the dedicated ApplicationConnector custom resource (CR). |
Workflow ​
The diagram workflow shows the steps from registering an external system at UCL until it can interact with Kyma workloads. Some steps are only relevant when the integration of an external system is managed manually, but all of them are applied when the integration happens automatically using UCL.
| Step | Description | Manual integration | Integration by UCL |
|---|---|---|---|
| Inbound communciation | |||
| 1 | An external system is registered in the UCL system and configured in the UCL system formation for Kyma runtime. | X | |
| 2 | Runtime Agent connects to the UCL system and gathers all registered applications for this Kyma runtime. | X | |
| 3 | The agent retrieves from UCL the cryptographical certificates used to secure communication between an external system and Kyma. The certificate is stored in a Kubernetes Secret. | X | |
| 4 | Additionally, application metadata of an external system (for example, authentication type, API endpoints, etc.) are stored in an Application custom resource (CR). | X This manual step is applied by an administrator | X Step is automatically applied by Runtime Agent |
| 5 | Finally, Runtime Agent stores the credentials for accessing the API of an external system in a Kubernetes Secret. These credentials are used for outbound communication proxied by the Application Gateway. | X | |
| 6 | External systems communicate with Kyma runtime through the Istio Ingress Gateway. | X | X |
| 7 | Istio Gateway uses the provided certificate to secure communication using mTLS. | X | |
| 8 | Incoming calls are verified by the Application Connectivity Validator by investigating the subject of the certificate. It finally forwards the request to the inbound handler of the Eventing module. | X | |
| 9 | Kyma workloads can receive incoming events and process them. | X | X |
| Onbound communciation | |||
| a | The Application Gateway acts as a proxy for any outbound communication from a Kyma workload to an external system API. | X | X |
| b | The Application Gateway handles security and authentication during the conversation with an external system API. | X | X |