ZTIS Support for Kyma

MatKuhr · MatKuhr · commit ed9345ab9bfc · 2025-10-24T15:47:06.000+02:00
diff --git a/cloudplatform/connectivity-ztis/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/ZeroTrustIdentityService.java b/cloudplatform/connectivity-ztis/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/ZeroTrustIdentityService.java
@@ -47,6 +47,7 @@ public class ZeroTrustIdentityService
 {
     static final ServiceIdentifier ZTIS_IDENTIFIER = ServiceIdentifier.of("zero-trust-identity");
     private static final String DEFAULT_SOCKET_PATH = "unix:///tmp/spire-agent/public/api.sock";
+    private static final String SOCKET_ENVIRONMENT_VARIABLE = "SPIFFE_ENDPOINT_SOCKET";
     private static final Duration DEFAULT_SOCKET_TIMEOUT = Duration.ofSeconds(10);
     @Getter
     private static final ZeroTrustIdentityService instance = new ZeroTrustIdentityService();
@@ -105,17 +106,22 @@ X509Source initX509Source()
             return new FileSystemX509Source();
         }
 
+        final String socketPath = Option.of(System.getenv(SOCKET_ENVIRONMENT_VARIABLE))
+                .peek(s -> log.debug("Found {} environment variable, using socket path {} for ZTIS agent.", SOCKET_ENVIRONMENT_VARIABLE, s))
+                .onEmpty(() -> log.warn("Environment variable {} not set, using the default socket path {} for ZTIS agent", SOCKET_ENVIRONMENT_VARIABLE, DEFAULT_SOCKET_PATH))
+            .getOrElse(DEFAULT_SOCKET_PATH);
+
         final X509SourceOptions x509SourceOptions =
             X509SourceOptions
                 .builder()
-                .spiffeSocketPath(DEFAULT_SOCKET_PATH)
+                .spiffeSocketPath(socketPath)
                 .initTimeout(DEFAULT_SOCKET_TIMEOUT)
                 .build();
         try {
             return DefaultX509Source.newSource(x509SourceOptions);
         }
         catch( final Exception e ) {
-            throw new CloudPlatformException("Failed to load the certificate from the default unix socket.", e);
+            throw new CloudPlatformException("Failed to load the certificate from the unix socket: " + socketPath, e);
         }
     }
 
diff --git a/release_notes.md b/release_notes.md
@@ -12,7 +12,7 @@
 
 ### ✨ New Functionality
 
-- 
+- Add support for using the Zero Trust Identity Service (ZTIS) on Kyma by detecting the [well-known environment variable `SPIFFE_ENDPOINT_SOCKET`](https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Workload_Endpoint.md#4-locating-the-endpoint).
 
 ### 📈 Improvements
 
