Skip to content

Commit c6350d8

Browse files
committed
Update from SAP DITA CMS (squashed):
commit 0a408ece0d0b1ea46d58f1bb434813099af58196 Author: REDACTED Date: Tue Apr 28 11:24:43 2026 +0000 Update from SAP DITA CMS 2026-04-28 11:24:43 Project: dita-all/bex1621329160251 Project map: d3e749bbac3d4f728c12228db6629c45.ditamap Output: loio7f3353325512486fb7f82ce960a9573a Language: en-US Builddable map: e3519d9ca1494d8499d42deaa663c18b.ditamap commit 50f36ec78877958f2023a1bf2f2df5db2c09dc0f Author: REDACTED Date: Tue Apr 28 11:24:40 2026 +0000 Update from SAP DITA CMS 2026-04-28 11:24:40 Project: dita-all/bex1621329160251 Project map: d3e749bbac3d4f728c12228db6629c45.ditamap Output: loiodaa66b2ef49f48539fa2882d82d5b619 Language: en-US Builddable map: f17fa8568d0448c685f2a0301061a6ee.ditamap commit d2847e3bf8a9744095e42a44464ba612d4aa574e Author: REDACTED Date: Tue Apr 28 07:32:54 2026 +0000 Update from SAP DITA CMS 2026-04-28 07:32:54 Project: dita-all/bex1621329160251 Project map: d3e749bbac3d4f728c12228db6629c45.ditamap ################################################## [Remaining squash message was removed before commit...]
1 parent a48266e commit c6350d8

122 files changed

Lines changed: 6775 additions & 9584 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

docs/sap-ai-core/add-a-git-repository-b668176.md

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -16,14 +16,14 @@ You can use your own git repository to version control your SAP AI Core template
1616

1717
## Prerequisites
1818

19-
- You've completed the initial setup. For more information, see [Initial Setup](initial-setup-38c4599.md).
19+
- You've completed the initial setup.
2020

2121
- You have access to a git repository over the Internet.
2222
- You've generated a personal access token for your git repository. For more information, see [Create a Personal Access Token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token).
2323
- If you want to onboard a git repository hosted on GitLab, make sure that the repository URL contains the `.git` suffix.
2424
- Secrets aren't permitted in your repository. If secrets are used, it isn't possible to synchronize content.
2525

26-
- You've completed the initial setup. For more information, see [Initial Setup](initial-setup-38c4599.md).
26+
- You've completed the initial setup.
2727

2828

2929
> ### Note:
@@ -98,14 +98,14 @@ Create an application to sync your folders. For more information, see [Create an
9898

9999
## Prerequisites
100100

101-
- You've completed the initial setup. For more information, see [Initial Setup](initial-setup-38c4599.md).
101+
- You've completed the initial setup.
102102

103103
- You have access to a git repository over the Internet.
104104
- You've generated a personal access token for your git repository. For more information, see [Create a Personal Access Token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token).
105105
- If you want to onboard a git repository hosted on GitLab, make sure that the repository URL contains the `.git` suffix.
106106
- Secrets aren't permitted in your repository. If secrets are used, it isn't possible to synchronize content.
107107

108-
- You've completed the initial setup. For more information, see [Initial Setup](initial-setup-38c4599.md).
108+
- You've completed the initial setup.
109109

110110

111111
> ### Note:

docs/sap-ai-core/administration-7937fc1.md

Lines changed: 9 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -6,12 +6,19 @@ Creating secrets for external programs and tools, that are used with SAP AI Core
66

77
Using SAP AI Core alongside external tools such as GitHub, Docker and Amazon Web Services S3 storage leverages the benefits of version control, containerization, and cloud storage. Your content is made available remotely, if you have a stable internet connection.
88

9-
Administration is a one-time procedure, but steps can be repeated, if necessary, for example to remove or add a tool.
9+
You only need to complete the administration steps once. However, you can repeat steps if, for example, you want to add or remove a tool.
1010

1111
> ### Note:
12-
> You must have completed the initial setup tasks before configuring your SAP AI Core instance. For more information, see [Initial Setup](initial-setup-38c4599.md).
12+
> You must have completed the initial setup tasks before configuring your SAP AI Core instance.
1313
1414
- **[Manage Resource Groups](manage-resource-groups-8aae6cb.md "A resource group is a unique dedicated namespace or workspace environment, where users can create or add configurations, executions,
1515
deployments, and artifacts. They are used for running training jobs or model servers.")**
1616
A resource group is a unique dedicated namespace or workspace environment, where users can create or add configurations, executions, deployments, and artifacts. They are used for running training jobs or model servers.
17+
- **[Manage mTLS Certificate Secrets](manage-mtls-certificate-secrets-200810f.md "")**
18+
19+
20+
**Related Information**
21+
22+
23+
[Initial Setup](initial-setup-38c4599.md "Get started with SAP AI Core using the standard procedures for the SAP BTP, Cloud Foundry environment or Kyma environment.")
1724

Lines changed: 113 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,113 @@
1+
<!-- loio684579369a5146a7be8f46a2bf1e8ff7 -->
2+
3+
# Consume mTLS Certificate Secrets
4+
5+
You can consume mTLS certificate secrets in your workloads to authenticate securely with external services that require mutual TLS.
6+
7+
The `mTLS` certificate secrets can be mounted as volumes in your execution or deployment containers. The secret provides a certificate and private key in PEM format. Your workload uses these files to send mTLS-authenticated requests to external services.
8+
9+
> ### Note:
10+
> `mTLS` certificate secrets can only be consumed as volume mounts. You can't use them as environment variables.
11+
12+
13+
14+
## Mount an mTLS Certificate Secret as a Volume
15+
16+
To mount the certificate and key files in your workload container, define a volume referencing the secret and a corresponding volume mount in your workflow or serving template.
17+
18+
The secret contains two data keys:
19+
20+
- `tls.crt`— the PEM-encoded X.509 client certificate
21+
- `tls.key` — the PEM-encoded private key
22+
23+
You can project these keys to custom file paths by using the `items` field.
24+
25+
**Example workflow template:**
26+
27+
```
28+
29+
apiVersion: argoproj.io/v1alpha1
30+
kind: WorkflowTemplate
31+
metadata:
32+
name: my-mtls-workflow
33+
annotations:
34+
scenarios.ai.sap.com/name: "my-scenario"
35+
executables.ai.sap.com/name: "my-executable"
36+
spec:
37+
entrypoint: main
38+
templates:
39+
- name: main
40+
inputs:
41+
parameters:
42+
- name: mtlsSecretName
43+
volumes:
44+
- name: mtls-cert-volume
45+
secret:
46+
secretName: "{{inputs.parameters.mtlsSecretName}}"
47+
items:
48+
- key: tls.crt
49+
path: client.crt
50+
- key: tls.key
51+
path: client.key
52+
container:
53+
image: my-image:latest
54+
volumeMounts:
55+
- name: mtls-cert-volume
56+
mountPath: /mnt/mtls
57+
readOnly: true
58+
```
59+
60+
Inside the container, the following files are available:
61+
62+
- `/mnt/mtls/client.crt` — the client certificate
63+
- `/mnt/mtls/client.key` — the private key
64+
65+
Your application can use these files to configure an mTLS-authenticated HTTP client. For example, in Python:
66+
67+
```
68+
69+
import requests
70+
response = requests.get(
71+
"https://external-service.example.com/api/data",
72+
cert=("/mnt/mtls/client.crt", "/mnt/mtls/client.key")
73+
)
74+
75+
```
76+
77+
78+
79+
## Parameterize the Secret Name
80+
81+
You can parameterize the secret name so that it's provided during execution creation instead of being hardcoded. Use the `inputs.parameters` mechanism:
82+
83+
```
84+
85+
inputs:
86+
parameters:
87+
- name: mtlsSecretName
88+
89+
```
90+
91+
When creating the execution through the AI API, provide the parameter value:
92+
93+
```
94+
95+
{
96+
"parameterBindings": [
97+
{
98+
"key": "mtlsSecretName",
99+
"value": "my-mtls-cert"
100+
}
101+
]
102+
}
103+
104+
```
105+
106+
107+
108+
## Additional Information
109+
110+
- Only `mTLS` certificate secrets that belong to the same resource group as the execution or deployment can be mounted. The platform validates this during admission.
111+
- If the referenced secret doesn't exist or doesn't belong to the same resource group, the workload is rejected.
112+
- After certificate rotation, see [Rotate an mTLS Certificate Secret](rotate-an-mtls-certificate-secret-e427cc3.md), the mounted files update automatically. If your application caches the certificate in memory, you must restart the workload to use the new certificate.
113+

docs/sap-ai-core/create-a-generic-secret-1831845.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -16,7 +16,7 @@ A generic secret authorizes SAP AI Core to use your resource group without expos
1616

1717
## Prerequisites
1818

19-
You've completed the initial setup. For more information, see [Initial Setup](initial-setup-38c4599.md).
19+
You've completed the initial setup.
2020

2121
You have access to a public-facing Docker registry over the internet. It isn't possible to use a Docker registry behind a VPN or corporate network.
2222

@@ -94,7 +94,7 @@ curl --location --request POST "$AI_API_URL/v2/admin/secrets" \
9494

9595
## Prerequisites
9696

97-
You've completed the initial setup. For more information, see [Initial Setup](initial-setup-38c4599.md).
97+
You've completed the initial setup.
9898

9999
You have access to a public-facing Docker registry over the internet. It isn't possible to use a Docker registry behind a VPN or corporate network.
100100

docs/sap-ai-core/create-a-resource-group-01753f4.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -23,7 +23,7 @@
2323

2424
## Prerequisites
2525

26-
You've completed the initial setup. For more information, see [Initial Setup](initial-setup-38c4599.md).
26+
You've completed the initial setup.
2727

2828
You have access to a public-facing Docker registry over the internet. It isn't possible to use a Docker registry behind a VPN or corporate network.
2929

@@ -61,7 +61,7 @@ curl --location --request POST "$AI_API_URL/v2/admin/resourceGroups" --header "A
6161

6262
## Prerequisites
6363

64-
You've completed the initial setup. For more information, see [Initial Setup](initial-setup-38c4599.md).
64+
You've completed the initial setup.
6565

6666
You have access to a public-facing Docker registry over the internet. It isn't possible to use a Docker registry behind a VPN or corporate network.
6767

Lines changed: 116 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,116 @@
1+
<!-- loiod3a467832f8f40439dc62323bb919270 -->
2+
3+
# Create an mTLS Certificate Secret
4+
5+
Create an mTLS certificate secret so that your workloads can make mutually authenticated TLS \(mTLS\) requests to external services.
6+
7+
8+
9+
## Prerequisites
10+
11+
Make sure that you completed the initial setup. For more information, see [Initial Setup](initial-setup-38c4599.md).
12+
13+
14+
15+
## Context
16+
17+
An `mTLS` certificate secret instructs SAP AI Core to obtain an X.509 client certificate from the SAP BTP Certificate Service on your behalf. Unlike generic secrets, where you provide the credential payload, SAP AI Core generates both the certificate and the private key.
18+
19+
You can mount the generated certificate in executions or deployments to enable mTLS-authenticated requests to external services that trust the certificate's subject DN.
20+
21+
`mTLS` certificate secrets are scoped to a single resource group. They do not support main-tenant scope, tenant-wide scope, or shared resource groups.
22+
23+
When you create the secret, the response includes the `subjectDN`. You must configure trust for this subject DN on the external service before authentication succeeds.
24+
25+
You can optionally specify a `commonName`. If you omit it, SAP AI Core uses the secret name as the common name. The common name appears in the Common Name field of the certificate’s subject distinguished name.
26+
27+
> ### Note:
28+
> Creation is asynchronous. After you send a successful `POST` request \(HTTP 202\), the certificate may take a few moments to become available. Use a `GET` request to verify readiness before you run an execution or deployment that mounts the secret.
29+
30+
31+
32+
## Procedure
33+
34+
1. Send a POST request to the endpoint <code><code>$AI_API_URL/v2/admin/mtlsCertificateSecrets</code> </code>.
35+
36+
2. Include the `AI-Resource-Group` header to specify the resource group.
37+
38+
**Minimal request \(common name defaults to secret name\):**
39+
40+
```
41+
curl --location --request POST "$AI_API_URL/v2/admin/mtlsCertificateSecrets" \
42+
--header "Authorization: Bearer $TOKEN" \
43+
--header "Content-Type: application/json" \
44+
--header "AI-Resource-Group: default" \
45+
--data-raw '{
46+
"name": "my-mtls-cert"
47+
}'
48+
```
49+
50+
**Request with a custom common name:**
51+
52+
```
53+
curl --location --request POST "$AI_API_URL/v2/admin/mtlsCertificateSecrets" \
54+
--header "Authorization: Bearer $TOKEN" \
55+
--header "Content-Type: application/json" \
56+
--header "AI-Resource-Group: default" \
57+
--data-raw '{
58+
"name": "my-mtls-cert",
59+
"data": {
60+
"commonName": "my-service-client"
61+
}
62+
}'
63+
```
64+
65+
> ### Note:
66+
> The secret name must match the pattern `^[a-z0-9\-\.]+$` and be at most 252 characters. A common name can be up to 64 characters.
67+
68+
69+
70+
71+
## Results
72+
73+
The service returns HTTP `202 Accepted` and includes the issued certificate’s subject DN.
74+
75+
> ### Output Code:
76+
> ```
77+
> 202 Accepted
78+
> {
79+
> "name": "my-mtls-cert",
80+
> "message": "...",
81+
> "subjectDN": "C=DE, O=SAP SE, OU=SAP Cloud Platform Clients, OU=<subaccount-ou>, L=<locality-hash>, CN=my-service-client"
82+
> }
83+
> ```
84+
85+
Use the returned `subjectDN` to configure trust on the external service.
86+
87+
<a name="task_cl5_cjc_q3c"/>
88+
89+
<!-- task\_cl5\_cjc\_q3c -->
90+
91+
## Using a Third-Party API Platform
92+
93+
94+
95+
## Procedure
96+
97+
1. Send a POST request to `{{apiurl}}/v2/admin/mtlsCertificateSecrets.`
98+
99+
2. Select *raw* for the request body and enter the JSON payload.
100+
101+
```
102+
103+
{
104+
"name": "my-mtls-cert",
105+
"data": {
106+
"commonName": "my-service-client"
107+
}
108+
}
109+
110+
```
111+
112+
3. Set the `AI-Resource-Group` header to the target resource group name.
113+
114+
4. Send the request.
115+
116+

0 commit comments

Comments
 (0)