ZTIS Support for Kyma (#985)

MatKuhr · web-flow · commit 9323423c8d3e · 2025-10-28T14:19:27.000+01:00
diff --git a/cloudplatform/connectivity-ztis/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/ZeroTrustIdentityService.java b/cloudplatform/connectivity-ztis/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/ZeroTrustIdentityService.java
@@ -47,6 +47,7 @@ public class ZeroTrustIdentityService
 {
     static final ServiceIdentifier ZTIS_IDENTIFIER = ServiceIdentifier.of("zero-trust-identity");
     private static final String DEFAULT_SOCKET_PATH = "unix:///tmp/spire-agent/public/api.sock";
+    private static final String SOCKET_ENVIRONMENT_VARIABLE = "SPIFFE_ENDPOINT_SOCKET";
     private static final Duration DEFAULT_SOCKET_TIMEOUT = Duration.ofSeconds(10);
     @Getter
     private static final ZeroTrustIdentityService instance = new ZeroTrustIdentityService();
@@ -105,17 +106,16 @@ X509Source initX509Source()
             return new FileSystemX509Source();
         }
 
+        final String socketPath = Option.of(System.getenv(SOCKET_ENVIRONMENT_VARIABLE)).getOrElse(DEFAULT_SOCKET_PATH);
+        log.info("Using socket path {} for ZTIS agent.", socketPath);
+
         final X509SourceOptions x509SourceOptions =
-            X509SourceOptions
-                .builder()
-                .spiffeSocketPath(DEFAULT_SOCKET_PATH)
-                .initTimeout(DEFAULT_SOCKET_TIMEOUT)
-                .build();
+            X509SourceOptions.builder().spiffeSocketPath(socketPath).initTimeout(DEFAULT_SOCKET_TIMEOUT).build();
         try {
             return DefaultX509Source.newSource(x509SourceOptions);
         }
         catch( final Exception e ) {
-            throw new CloudPlatformException("Failed to load the certificate from the default unix socket.", e);
+            throw new CloudPlatformException("Failed to load the certificate from the unix socket: " + socketPath, e);
         }
     }
 
diff --git a/release_notes.md b/release_notes.md
@@ -12,7 +12,7 @@
 
 ### ✨ New Functionality
 
-- 
+- Add support for using the Zero Trust Identity Service (ZTIS) on Kyma by detecting the [well-known environment variable `SPIFFE_ENDPOINT_SOCKET`](https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Workload_Endpoint.md#4-locating-the-endpoint).
 
 ### 📈 Improvements
 

Original file line number	Diff line number	Diff line change
`@@ -47,6 +47,7 @@ public class ZeroTrustIdentityService`
`47`	`47`	`{`
`48`	`48`	`static final ServiceIdentifier ZTIS_IDENTIFIER = ServiceIdentifier.of("zero-trust-identity");`
`49`	`49`	`private static final String DEFAULT_SOCKET_PATH = "unix:///tmp/spire-agent/public/api.sock";`
	`50`	`+ private static final String SOCKET_ENVIRONMENT_VARIABLE = "SPIFFE_ENDPOINT_SOCKET";`
`50`	`51`	`private static final Duration DEFAULT_SOCKET_TIMEOUT = Duration.ofSeconds(10);`
`51`	`52`	`@Getter`
`52`	`53`	`private static final ZeroTrustIdentityService instance = new ZeroTrustIdentityService();`
`@@ -105,17 +106,16 @@ X509Source initX509Source()`
`105`	`106`	`return new FileSystemX509Source();`
`106`	`107`	`}`
`107`	`108`
	`109`	`+ final String socketPath = Option.of(System.getenv(SOCKET_ENVIRONMENT_VARIABLE)).getOrElse(DEFAULT_SOCKET_PATH);`
	`110`	`+ log.info("Using socket path {} for ZTIS agent.", socketPath);`
	`111`	`+`
`108`	`112`	`final X509SourceOptions x509SourceOptions =`
`109`		`- X509SourceOptions`
`110`		`- .builder()`
`111`		`- .spiffeSocketPath(DEFAULT_SOCKET_PATH)`
`112`		`- .initTimeout(DEFAULT_SOCKET_TIMEOUT)`
`113`		`- .build();`
	`113`	`+ X509SourceOptions.builder().spiffeSocketPath(socketPath).initTimeout(DEFAULT_SOCKET_TIMEOUT).build();`
`114`	`114`	`try {`
`115`	`115`	`return DefaultX509Source.newSource(x509SourceOptions);`
`116`	`116`	`}`
`117`	`117`	`catch( final Exception e ) {`
`118`		`- throw new CloudPlatformException("Failed to load the certificate from the default unix socket.", e);`
	`118`	`+ throw new CloudPlatformException("Failed to load the certificate from the unix socket: " + socketPath, e);`
`119`	`119`	`}`
`120`	`120`	`}`
`121`	`121`