From ed9345ab9bfc67b70d36b1fb4eec2d32862dd656 Mon Sep 17 00:00:00 2001
From: Matthias Kuhr
Date: Fri, 24 Oct 2025 15:47:06 +0200
Subject: [PATCH 1/2] ZTIS Support for Kyma

---
 .../connectivity/ZeroTrustIdentityService.java | 10 ++++++++--
 release_notes.md | 2 +-
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/cloudplatform/connectivity-ztis/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/ZeroTrustIdentityService.java b/cloudplatform/connectivity-ztis/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/ZeroTrustIdentityService.java
index 3bc8da548..a560a5a44 100644
--- a/cloudplatform/connectivity-ztis/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/ZeroTrustIdentityService.java
+++ b/cloudplatform/connectivity-ztis/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/ZeroTrustIdentityService.java
@@ -47,6 +47,7 @@ public class ZeroTrustIdentityService
 {
  static final ServiceIdentifier ZTIS_IDENTIFIER = ServiceIdentifier.of("zero-trust-identity");
  private static final String DEFAULT_SOCKET_PATH = "unix:///tmp/spire-agent/public/api.sock";
+ private static final String SOCKET_ENVIRONMENT_VARIABLE = "SPIFFE_ENDPOINT_SOCKET";
  private static final Duration DEFAULT_SOCKET_TIMEOUT = Duration.ofSeconds(10);
  @Getter
  private static final ZeroTrustIdentityService instance = new ZeroTrustIdentityService();
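Review bot: The added `SOCKET_ENVIRONMENT_VARIABLE` constant carries no comment, and unlike `DEFAULT_SOCKET_PATH` its value is not a project choice but a name fixed by an external standard, so a reader should not have to dig through the release notes to learn why it must not be renamed. A one-line Javadoc on the added line would do: `/** Well-known variable from the SPIFFE Workload Endpoint specification that points at the Workload API socket; takes precedence over {@link #DEFAULT_SOCKET_PATH} when set. */`. The class body continues outside the hunk.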
@@ -105,17 +106,22 @@ X509Source initX509Source()
  return new FileSystemX509Source();
  }
 
+ final String socketPath = Option.of(System.getenv(SOCKET_ENVIRONMENT_VARIABLE))
+ .peek(s -> log.debug("Found {} environment variable, using socket path {} for ZTIS agent.", SOCKET_ENVIRONMENT_VARIABLE, s))
+ .onEmpty(() -> log.warn("Environment variable {} not set, using the default socket path {} for ZTIS agent", SOCKET_ENVIRONMENT_VARIABLE, DEFAULT_SOCKET_PATH))
+ .getOrElse(DEFAULT_SOCKET_PATH);
+
  final X509SourceOptions x509SourceOptions =
  X509SourceOptions
  .builder()
- .spiffeSocketPath(DEFAULT_SOCKET_PATH)
+ .spiffeSocketPath(socketPath)
  .initTimeout(DEFAULT_SOCKET_TIMEOUT)
  .build();
  try {
  return DefaultX509Source.newSource(x509SourceOptions);
  }
  catch( final Exception e ) {
- throw new CloudPlatformException("Failed to load the certificate from the default unix socket.", e);
+ throw new CloudPlatformException("Failed to load the certificate from the unix socket: " + socketPath, e);
  }
  }
 
diff --git a/release_notes.md b/release_notes.md
index e150016a6..20ffb075e 100644
--- a/release_notes.md
+++ b/release_notes.md
@@ -12,7 +12,7 @@
 
 ### ✨ New Functionality
 
--
+- Add support for using the Zero Trust Identity Service (ZTIS) on Kyma by detecting the [well-known environment variable `SPIFFE_ENDPOINT_SOCKET`](https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Workload_Endpoint.md#4-locating-the-endpoint).
 
 ### 📈 Improvements
 

From 93afaaf97c9313f3f866b50e165ae4197429eb57 Mon Sep 17 00:00:00 2001
From: Matthias Kuhr
Date: Fri, 24 Oct 2025 17:08:21 +0200
Subject: [PATCH 2/2] formatting

---
 .../connectivity/ZeroTrustIdentityService.java | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)

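Review bot: `Option.of(System.getenv(SOCKET_ENVIRONMENT_VARIABLE))` on the first added line only distinguishes unset from set, so an empty or whitespace-only `SPIFFE_ENDPOINT_SOCKET` (easy to produce from a templated manifest) bypasses the default, is handed to `spiffeSocketPath` as-is, and surfaces later only as the generic failure in the catch block at the bottom of the hunk. Filtering blank values keeps the fallback meaningful: `Option.of(System.getenv(SOCKET_ENVIRONMENT_VARIABLE)).filter(s -> !s.isBlank())`. The same gap remains in the reworked one-liner in the second patch's hunk of this file. The Workload Endpoint specification additionally requires the value to be an absolute `unix://` or `tcp://` URI; whether java-spiffe rejects anything else before opening a channel is not visible here, so either an explicit check or a failure message that names the offending value would help operators on Kyma. `initX509Source` starts before this hunk.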
diff --git a/cloudplatform/connectivity-ztis/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/ZeroTrustIdentityService.java b/cloudplatform/connectivity-ztis/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/ZeroTrustIdentityService.java
index a560a5a44..b9433549d 100644
--- a/cloudplatform/connectivity-ztis/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/ZeroTrustIdentityService.java
+++ b/cloudplatform/connectivity-ztis/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/ZeroTrustIdentityService.java
@@ -106,17 +106,11 @@ X509Source initX509Source()
  return new FileSystemX509Source();
  }
 
- final String socketPath = Option.of(System.getenv(SOCKET_ENVIRONMENT_VARIABLE))
- .peek(s -> log.debug("Found {} environment variable, using socket path {} for ZTIS agent.", SOCKET_ENVIRONMENT_VARIABLE, s))
- .onEmpty(() -> log.warn("Environment variable {} not set, using the default socket path {} for ZTIS agent", SOCKET_ENVIRONMENT_VARIABLE, DEFAULT_SOCKET_PATH))
- .getOrElse(DEFAULT_SOCKET_PATH);
+ final String socketPath = Option.of(System.getenv(SOCKET_ENVIRONMENT_VARIABLE)).getOrElse(DEFAULT_SOCKET_PATH);
+ log.info("Using socket path {} for ZTIS agent.", socketPath);
 
  final X509SourceOptions x509SourceOptions =
- X509SourceOptions
- .builder()
- .spiffeSocketPath(socketPath)
- .initTimeout(DEFAULT_SOCKET_TIMEOUT)
- .build();
+ X509SourceOptions.builder().spiffeSocketPath(socketPath).initTimeout(DEFAULT_SOCKET_TIMEOUT).build();
  try {
  return DefaultX509Source.newSource(x509SourceOptions);
  }
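Review bot: The new `log.info("Using socket path {} for ZTIS agent.", socketPath)` line drops the one fact the replaced debug/warn pair recorded — whether the path came from `SPIFFE_ENDPOINT_SOCKET` or from the built-in default — and that is the first thing to check when a Kyma workload cannot reach its agent. Keeping a single info line but naming the origin needs only a held-onto env value: `final String envValue = System.getenv(SOCKET_ENVIRONMENT_VARIABLE);` / `final String socketPath = Option.of(envValue).getOrElse(DEFAULT_SOCKET_PATH);` / `log.info("Using socket path {} for ZTIS agent ({} is {}).", socketPath, SOCKET_ENVIRONMENT_VARIABLE, envValue == null ? "not set, using default" : "set");`. `initX509Source` starts before this hunk and its catch block, whose message still says "unix socket" even though the value may now be a `tcp://` endpoint, lies below it.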