What is Application Connectivity in Kyma?
Application Connectivity in Kyma is an area that:
- Simplifies and secures the connection between external systems and Kyma
- Stores and handles the metadata of external systems
- Provides certificate handling for the Eventing flow in the Compass scenario (mode)
- Manages secure access to external systems
- Provides monitoring and tracing capabilities to facilitate operational aspects
Depending on your use case, Application Connectivity works in one of the two modes:
- Standalone mode (default) - Kyma is not connected to Compass
- Compass mode - using Runtime Agent and integration with Compass to automate connection and registration of services using mTLS certificates
Application Connector
Overview
Application Connector (AC) is a custom, in-house built Kyma component that allows you to connect with external solutions. No matter if you want to integrate an on-premise or a cloud system, the integration process does not change, which allows you to avoid any configuration or network-related problems.
The external solution you connect to Kyma using AC is represented as an Application. There is always a one-to-one relationship between a connected solution and an Application, which helps to ensure the highest level of security and separation. This means that you must create five separate Applications in your cluster to connect five different external solutions and use their APIs and event catalogs in Kyma.
Application Connector secures Eventing with a client certificate verified by the Istio Ingress Gateway in the Compass scenario.
NOTE: When using AC, make sure to enable automatic Istio sidecar proxy injection. For more details, see Default Istio setup in Kyma.
Features
Application Connector:
- Simplifies and secures the connection between external systems and Kyma
- Stores and handles the metadata of external APIs
- Proxies calls sent from Kyma to external APIs registered by the connected external solution
- Provides certificate handling for the Eventing flow in the Compass scenario
- Delivers events from the connected external solution to Eventing in the Compass scenario
- Manages secure access to external systems
All the AC components scale independently, which allows you to adjust them to fit the needs of the implementation built using Kyma.
Supported APIs
Application Connector supports secured REST APIs exposed by the connected external solution. Application Connector supports a variety of authentication methods to ensure smooth integration with a wide range of APIs.
The following authentication methods for your secured APIs are supported:
- Basic Authentication
- OAuth
- OAuth 2.0 mTLS
- Client Certificates
NOTE: Non-secured APIs are supported too; however, they are not recommended in a production environment.
In addition to authentication methods, Application Connector supports Cross-Site Request Forgery (CSRF) Tokens.
AC supports any API that adheres to the REST principles and is available over the HTTP protocol.
Application Gateway
Application Gateway is an intermediary component between a Function or a microservice and an external API. It proxies the requests from Functions and microservices in Kyma to external APIs based on the configuration stored in Secrets.
Application Gateway also supports redirects for the request flows in which the URL host remains unchanged. For more details, see Response rewriting.
Supported API authentication for Application CR
Application Gateway can call services which are not secured, or are secured with:
- Basic Authentication
- OAuth
- OAuth 2.0 mTLS
- Client certificates
Additionally, Application Gateway supports cross-site request forgery (CSRF) tokens as an optional layer of API protection.
Application Gateway calls the registered APIs accordingly, based on the security type specified for the API in the Application CR.
Provide a custom access token
Application Gateway overrides the registered API's security type if it gets a request which contains the Access-Token header. In such a case, Application Gateway rewrites the token from the Access-Token header into an OAuth-compliant Authorization header and forwards it to the target API.
This mechanism is suited for implementations in which an external application handles user authentication.
See how to pass an access token in a request header.
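The override rule described above, as an added example in Go that is not Application Gateway's own code: the `RegisteredAPI` type, its fields and the security type strings are constructed stand-ins for the API entry in the Application CR and the credentials in its Secret, and the real component obtains OAuth tokens and proxies the request itself.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/http"
)

// RegisteredAPI is a constructed stand-in for an API entry in the Application CR
// together with the credentials Application Gateway reads from its Secret.
type RegisteredAPI struct {
	SecurityType string // "Basic", "OAuth" or "" for a non-secured API
	Username     string // Basic Authentication
	Password     string // Basic Authentication
	OAuthToken   string // token the gateway obtained from the OAuth server
}

// OutboundAuthorization returns the Authorization value sent to the target API and
// whether the override was used: an Access-Token header on the incoming request wins
// over the registered security type and is rewritten to an OAuth-style bearer header.
func OutboundAuthorization(in http.Header, api RegisteredAPI) (string, bool) {
	if tok := in.Get("Access-Token"); tok != "" {
		return "Bearer " + tok, true
	}
	switch api.SecurityType {
	case "Basic":
		creds := base64.StdEncoding.EncodeToString([]byte(api.Username + ":" + api.Password))
		return "Basic " + creds, false
	case "OAuth":
		return "Bearer " + api.OAuthToken, false
	default: // non-secured API: no credentials are added
		return "", false
	}
}

// ForwardHeaders builds the proxied request's headers; the internal Access-Token
// header is stripped so it never reaches the external system.
func ForwardHeaders(in http.Header, api RegisteredAPI) http.Header {
	out := in.Clone()
	out.Del("Access-Token")
	if auth, _ := OutboundAuthorization(in, api); auth != "" {
		out.Set("Authorization", auth)
	}
	return out
}

func main() {
	api := RegisteredAPI{SecurityType: "Basic", Username: "svc", Password: "s3cret"}
	fmt.Println(ForwardHeaders(http.Header{"Access-Token": {"abc"}}, api).Get("Authorization"))
}
```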
Security
Client certificates
To provide maximum security, in the Compass mode, Application Connector uses the TLS protocol with Client Authentication enabled. As a result, whoever wants to connect to Application Connector must present a valid client certificate, which is dedicated to a specific Application. In this way, the traffic is fully encrypted and the client has a valid identity.
TLS certificate verification for external systems
By default, the TLS certificate verification is enabled when sending data and requests to every application. You can disable the TLS certificate verification in the communication between Kyma and an application to allow Kyma to send requests and data to an unsecured application. Disabling the certificate verification can be useful in certain testing scenarios.
Runtime agent
Runtime Agent is a Kyma component that connects to Compass. It is an integral part of every Kyma Runtime in the Compass mode and it fetches the latest configuration from Compass. It also provides Runtime-specific information that is displayed in the Compass UI, such as Runtime UI URL, and it provides Compass with Runtime configuration, such as Event Gateway URL, that should be passed to an Application. To learn more, read the section on configuring the Runtime.
The main responsibilities of the component are:
- Establishing a trusted connection between the Kyma Runtime and Compass
- Renewing a trusted connection between the Kyma Runtime and Compass
- Synchronizing with the Director by fetching new Applications from the Director and creating them in the Runtime, and removing from the Runtime Applications that no longer exist in the Director
Useful links
If you're interested in learning more about the Application Connectivity area, follow these links to:
Perform some simple and more advanced tasks:
- Pass the access token in the request header
- Create a new Application
- Register a service
- Register a secured API
- Call a registered external service from Kyma
- Disable TLS certificate verification
- Enable Kyma with Runtime Agent
- Establish a secure connection with Compass
- Maintain a secure connection with Compass
- Revoke a client certificate (RA)
- Configure Runtime Agent with Compass
- Reconnect Runtime Agent with Compass
Analyze Application Connectivity specification and configuration files:
- Application custom resource (CR)
- Application Connector chart
- Compass Connection custom resource (CR)
- Connection with Compass
Understand technicalities behind the Application Connectivity implementation: