This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Installation

How to install CAP Operator in a Kubernetes cluster

1: Prerequisites
2: Using Helm

2.1: Helm Values

3: Using CAP Operator Manager

4: Kyma Cluster

This page provides an overview of available methods to install CAP Operator on a Kubernetes cluster.

1 - Prerequisites

How to prepare the cluster before installing CAP Operator

We recommend using a “Gardener” managed cluster to deploy CAP applications managed with CAP Operator.

Set up the following prerequisites in the Kubernetes cluster before installing CAP Operator:

Istio (version >= 1.22)

Istio service mesh is used for HTTP traffic management. CAP Operator creates Istio resources to manage incoming HTTP requests to the application and to route requests on specific (tenant) subdomains.

Determine the public ingress Gateway subdomain and the overall shoot domain for the system, and specify them in the chart values. See here for an example.

Note: Istio promoted many of its APIs to v1 in the 1.22 release. As of CAP Operator release v0.11.0, Istio version >= 1.22 is therefore a prerequisite.

sap-btp-service-operator or cf-service-operator

These operators can be used for managing SAP BTP service instances and service bindings from within the Kubernetes cluster.

If some SAP BTP services are not available for Kubernetes platforms, you can use cf-service-operator, which creates the services for a Cloud Foundry space and inserts the required access credentials as Secrets into the Kubernetes cluster.

Service credentials added as Kubernetes Secrets by these operators support additional metadata. If you don’t use this feature, set secretKey: credentials in the spec to ensure that service credentials retain JSON data as-is. We recommend using secretKey even when credential metadata is available, to reduce the overhead of parsing multiple JSON attributes.

“Gardener” certificate management

This component is available in “Gardener” managed clusters and is used to manage TLS certificates and issuers. Alternatively, you can use cert-manager.io cert-manager.

2 - Using Helm

How to deploy with Helm charts

To install CAP Operator components, use the Helm chart published as an OCI package at oci://ghcr.io/sap/cap-operator-lifecycle/helm/cap-operator.

Installation

Create a namespace and install the Helm chart in that namespace by specifying the domain and dnsTarget for your subscription server, either:

As command line parameters:

kubectl create namespace cap-operator-system
helm upgrade -i -n cap-operator-system cap-operator oci://ghcr.io/sap/cap-operator-lifecycle/helm/cap-operator --set subscriptionServer.domain=cap-operator.<CLUSTER-DOMAIN> --set subscriptionServer.dnsTarget=public-ingress.<CLUSTER-DOMAIN>

As a `YAML` values file:

kubectl create namespace cap-operator-system
helm upgrade -i -n cap-operator-system cap-operator oci://ghcr.io/sap/cap-operator-lifecycle/helm/cap-operator -f my-cap-operator-values.yaml

The values file my-cap-operator-values.yaml can have the following content:

subscriptionServer:
  dnsTarget: public-ingress.<CLUSTER-DOMAIN>
  domain: cap-operator.<CLUSTER-DOMAIN>

Optional steps

Enable Service Monitors for metrics
To enable monitoring via metrics emitted by CAP Operator components, set the following value:
```
monitoring:
  enabled: true # <-- enables creation of service monitors for metrics emitted by CAP Operator components
```
To enable detailed operational metrics for the controller:
```
controller:
    detailedOperationalMetrics: true
```
Set up Prometheus integration for Version Monitoring
To use the Version Monitoring feature, provide a Prometheus server URL to the CAP Operator. When installing with the Helm chart, specify the following values:
```
controller:
  versionMonitoring:
    prometheusAddress: "http://prometheus-operated.monitoring.svc.cluster.local:9090" # <-- example of a Prometheus server running inside the same cluster
    promClientAcquireRetryDelay: "2h"
    metricsEvaluationInterval: "30m" # <-- interval at which version metrics are evaluated
```
On startup, the controller attempts to connect to the Prometheus server and fetch runtime information to verify the connection. If the connection fails, it retries after the delay specified in controller.versionMonitoring.promClientAcquireRetryDelay. See default values here.
Note
- When connecting the controller to a Prometheus server running inside the cluster, ensure that the NetworkPolicies required for connecting to the service in the Prometheus namespace are also created.
- If the Prometheus service is configured to use TLS, mount the relevant CA root certificates as volumes to the controller.

2.1 - Helm Values

Discover all values supported by the latest CAP Operator helm chart

image:
  # -- Default image tag (can be overwritten on component level)
  tag: ""
  # -- Default image pull policy (can be overwritten on component level)
  pullPolicy: ""
# -- Default image pull secrets (can be overwritten on component level)
imagePullSecrets: []
# -- Default pod security content (can be overwritten on component level)
podSecurityContext: {}
# -- Default node selector (can be overwritten on component level)
nodeSelector: {}
# -- Default affinity settings (can be overwritten on component level)
affinity: {}
# -- Default tolerations (can be overwritten on component level)
tolerations: []
# -- Default priority class (can be overwritten on component level)
priorityClassName: ""
# -- Default topology spread constraints (can be overwritten on component level)
topologySpreadConstraints: []
# -- Additional pod labels for all components
podLabels: {}
# -- Additional pod annotations for all components
podAnnotations: {}
# -- Monitoring configuration for all components
monitoring:
  # -- Optionally enable Prometheus monitoring for all components (disabled by default)
  enabled: false
  # -- Prometheus service monitor selector labels
  serviceMonitorSelectorLabels: {}
  # -- Grafana configuration
  grafana:
    dashboard:
      # -- Labels for selecting ConfigMaps with dashboards in Grafana
      configMapLabels:
        grafana_dashboard: "1"

controller:
  # -- Replicas
  replicas: 1
  image:
    # -- Image repository
    repository: ghcr.io/sap/cap-operator/controller
    # -- Image tag
    tag: ""
    # -- Image pull policy
    pullPolicy: ""
  # -- Image pull secrets
  imagePullSecrets: []
  # -- Additional labels for controller pods
  podLabels: {}
  # -- Additional annotations for controller pods
  podAnnotations: {}
  # -- Pod security content
  podSecurityContext: {}
  # -- Node selector
  nodeSelector: {}
  # -- Affinity settings
  affinity: {}
  # -- Tolerations
  tolerations: []
  # -- Priority class
  priorityClassName: ""
  # -- Topology spread constraints
  topologySpreadConstraints: []
  # -- Security context
  securityContext: {}
  resources:
    limits:
      # -- Memory limit
      memory: 500Mi
      # -- CPU limit
      cpu: 0.2
    requests:
      # -- Memory request
      memory: 50Mi
      # -- CPU request
      cpu: 0.02
  # -- Optionally specify list of additional volumes for the controller pod(s)
  volumes: []
  # -- Optionally specify list of additional volumeMounts for the controller container(s)
  volumeMounts: []
  # -- The dns target mentioned on the public ingress gateway service used in the cluster
  dnsTarget: ""
  # -- Optionally enable detailed opertational metrics for the controller by setting this to true
  detailedOperationalMetrics: false
  maxConcurrentReconciles:
    # -- The maximum number of concurrent reconciles (e.g. "1") for the cap application
    capApplication: ""
    # -- The maximum number of concurrent reconciles (e.g. "3") for the cap application version
    capApplicationVersion: ""
    # -- The maximum number of concurrent reconciles (e.g. "10") for the cap tenant
    capTenant: ""
    # -- The maximum number of concurrent reconciles (e.g. "10") for the cap tenant operation
    capTenantOperation: ""
    # -- The maximum number of concurrent reconciles (e.g. "1") for the domain
    domain: ""
    # -- The maximum number of concurrent reconciles (e.g. "1") for the cluster domain
    clusterDomain: ""
  versionMonitoring:
    # -- The URL of the Prometheus server from which metrics related to managed application versions can be queried
    prometheusAddress: ""
    # -- The duration (example 2h) after which versions are evaluated for deletion; based on specified workload metrics
    metricsEvaluationInterval: "1h"
    # -- The duration (example 10m) to wait before retrying to acquire Prometheus client and verify connection, after a failed attempt
    promClientAcquireRetryDelay: "1h"

subscriptionServer:
  # -- Replicas
  replicas: 1
  image:
    # -- Image repository
    repository: ghcr.io/sap/cap-operator/server
    # -- Image tag
    tag: ""
    # -- Image pull policy
    pullPolicy: ""
  # -- Image pull secrets
  imagePullSecrets: []
  # -- Additional labels for subscription server pods
  podLabels: {}
  # -- Additional annotations for subscription server pods
  podAnnotations: {}
  # -- Pod security content
  podSecurityContext: {}
  # -- Node selector
  nodeSelector: {}
  # -- Affinity settings
  affinity: {}
  # -- Tolerations
  tolerations: []
  # -- Priority class
  priorityClassName: ""
  # -- Topology spread constraints
  topologySpreadConstraints: []
  # -- Security context
  securityContext: {}
  resources:
    limits:
      # -- Memory limit
      memory: 200Mi
      # -- CPU limit
      cpu: 0.1
    requests:
      # -- Memory request
      memory: 20Mi
      # -- CPU request
      cpu: 0.01
  # -- Optionally specify list of additional volumes for the server pod(s)
  volumes: []
  # -- Optionally specify list of additional volumeMounts for the server container(s)
  volumeMounts: []
  # -- Service port
  port: 4000
  # -- The namespace in the cluster where istio system components are installed
  istioSystemNamespace: istio-system
  # -- Labels used to identify the istio ingress-gateway component
  ingressGatewayLabels:
    istio: ingressgateway
    app: istio-ingressgateway
  # -- The dns target mentioned on the public ingress gateway service used in the cluster
  dnsTarget: public-ingress.clusters.cs.services.sap # replace with the actual cluster domain
  # -- The domain under which the cap operator subscription server would be available
  domain: cap-operator.clusters.cs.services.sap # replace with actual cluster domain
  # -- Certificate manager which can be either `Gardener` or `CertManager`
  certificateManager: Gardener
  # -- Certificate configuration
  # @default -- the `additionalCACertificate` part will contain the "SAP Cloud Root CA" certificate by default
  certificateConfig:
    # -- Optionally specify the corresponding certificate configuration
    gardener:
      # -- Issuer name
      issuerName: ""
      # -- Issuer namespace
      issuerNamespace: ""
    # -- Cert Manager configuration
    certManager:
      # -- Issuer group
      issuerGroup: ""
      # -- Issuer kind
      issuerKind: ""
      # -- Issuer name
      issuerName: ""
    # -- Optionally specify additional CA Certificate
    # @default -- this will contain the "SAP Cloud Root CA" certificate by default
    additionalCACertificate: |
      -----BEGIN CERTIFICATE-----
      MIIFZjCCA06gAwIBAgIQGHcPvmUGa79M6pM42bGFYjANBgkqhkiG9w0BAQsFADBN
      MQswCQYDVQQGEwJERTERMA8GA1UEBwwIV2FsbGRvcmYxDzANBgNVBAoMBlNBUCBT
      RTEaMBgGA1UEAwwRU0FQIENsb3VkIFJvb3QgQ0EwHhcNMTkwMjEzMTExOTM2WhcN
      MzkwMjEzMTEyNjMyWjBNMQswCQYDVQQGEwJERTERMA8GA1UEBwwIV2FsbGRvcmYx
      DzANBgNVBAoMBlNBUCBTRTEaMBgGA1UEAwwRU0FQIENsb3VkIFJvb3QgQ0EwggIi
      MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQChbHLXJoe/zFag6fB3IcN3d3HT
      Y14nSkEZIuUzYs7B96GFxQi0T/2s971JFiLfB4KaCG+UcG3dLXf1H/wewq8ahArh
      FTsu4UR71ePUQiYlk/G68EFSy2zWYAJliXJS5k0DFMIWHD1lbSjCF3gPVJSUKf+v
      HmWD5e9vcuiPBlSCaEnSeimYRhg0ITmi3RJ4Wu7H0Xp7tDd5z4HUKuyi9XRinfvG
      kPALiBaX01QRC51cixmo0rhVe7qsNh7WDnLNBZeA0kkxNhLKDl8J6fQHKDdDEzmZ
      KhK5KxL5p5YIZWZ8eEdNRoYRMXR0PxmHvRanzRvSVlXSbfqxaKlORfJJ1ah1bRNt
      o0ngAQchTghsrRuf3Qh/2Kn29IuBy4bjKR9CdNLxGrClvX/q26rUUlz6A3lbXbwJ
      EHSRnendRfEiia+xfZD+NG2oZW0IdTXSqkCbnBnign+uxGH5ECjuLEtvtUx6i9Ae
      xAvK2FqIuud+AchqiZBKzmQAhUjKUoACzNP2Bx2zgJOeB0BqGvf6aldG0n2hYxJF
      8Xssc8TBlwvAqtiubP/UxJJPs+IHqU+zjm7KdP6dM2sbE+J9O3n8DzOP0SDyEmWU
      UCwnmoPOQlq1z6fH9ghcp9bDdbh6adXM8I+SUYUcfvupOzBU7rWHxDCXld/24tpI
      FA7FRzHwKXqMSjwtBQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/
      BAUwAwEB/zAdBgNVHQ4EFgQUHLxmKw7KjUufjZNxqQ/KZ0ZpEyIwDQYJKoZIhvcN
      AQELBQADggIBABdSKQsh3EfVoqplSIx6X43y2Pp+kHZLtEsRWMzgO5LhYy2/Fvel
      eRBw/XEiB5iKuEGhxHz/Gqe0gZixw3SsHB1Q464EbGT4tPQ2UiMhiiDho9hVe6tX
      qX1FhrhycAD1xHIxMxQP/buX9s9arFZauZrpw/Jj4tGp7aEj4hypWpO9tzjdBthy
      5vXSviU8L2HyiQpVND/Rp+dNJmVYTiFLuULRY28QbikgFO2xp9s4RNkDBnbDeTrT
      CKWcVsmlZLPJJQZm0n2p8CvoeAsKzIULT9YSbEEBwmeqRlmbUaoT/rUGoobSFcrP
      jrBg66y5hA2w7S3tDH0GjMpRu16b2u0hYQocUDuMlyhrkhsO+Qtqkz1ubwHCJ8PA
      RJw6zYl9VeBtgI5F69AEJdkAgYfvPw5DJipgVuQDSv7ezi6ZcI75939ENGjSyLVy
      4SuP99G7DuItG008T8AYFUHAM2h/yskVyvoZ8+gZx54TC9aY9gPIKyX++4bHv5BC
      qbEdU46N05R+AIBW2KvWozQkjhSQCbzcp6DHXLoZINI6y0WOImzXrvLUSIm4CBaj
      6MTXInIkmitdURnmpxTxLva5Kbng/u20u5ylIQKqpcD8HWX97lLVbmbnPkbpKxo+
      LvHPhNDM3rMsLu06agF4JTbO8ANYtWQTx0PVrZKJu+8fcIaUp7MVBIVZ
      -----END CERTIFICATE-----

webhook:
  # -- Side car to mount admission review
  sidecar: false
  # -- Replicas
  replicas: 1
  image:
    # -- Image repository
    repository: ghcr.io/sap/cap-operator/web-hooks
    # -- Image tag
    tag: ""
    # -- Image pull policy
    pullPolicy: ""
  # -- Image pull secrets
  imagePullSecrets: []
  # -- Additional labels for validating webhook pods
  podLabels: {}
  # -- Additional annotations for validating webhook pods
  podAnnotations: {}
  # -- Pod security content
  podSecurityContext: {}
  # -- Node selector
  nodeSelector: {}
  # -- Affinity settings
  affinity: {}
  # -- Tolerations
  tolerations: []
  # -- Priority class
  priorityClassName: ""
  # -- Topology spread constraints
  topologySpreadConstraints: []
  # -- Security context
  securityContext: {}
  resources:
    limits:
      # -- Memory limit
      memory: 200Mi
      # -- CPU limit
      cpu: 0.1
    requests:
      # -- Memory request
      memory: 20Mi
      # -- CPU request
      cpu: 0.01
  # -- Service port
  service:
    # -- Service type
    type: ClusterIP
    # -- Service port
    port: 443
    # -- Target port
    targetPort: 1443
  # -- Certificate manager which can be either `Default` or `CertManager`
  certificateManager: "Default"
  # -- Optionally specify the corresponding certificate configuration
  certificateConfig:
    certManager:
      # -- Issuer group
      issuerGroup: ""
      # -- Issuer kind
      issuerKind: ""
      # -- Issuer name
      issuerName: ""

3 - Using CAP Operator Manager

How to install CAP Operator using CAP Operator Manager in a Kubernetes cluster

To install the CAP Operator using CAP Operator Manager, run the following command:

kubectl apply -f https://github.com/SAP/cap-operator-lifecycle/releases/latest/download/manager_manifest.yaml

This creates the cap-operator-system namespace with CAP Operator Manager installed. Once the CAP Operator Manager pod is running, install the CAP Operator by running:

kubectl apply -n cap-operator-system -f https://github.com/SAP/cap-operator-lifecycle/releases/latest/download/manager_default_CR.yaml

This works only if the ingressGatewayLabels in your cluster match the following values:

ingressGatewayLabels:
  - name: istio
    value: ingressgateway
  - name: app
    value: istio-ingressgateway

If not, you must create the CAPOperator resource manually. For details, see the documentation.

4 - Kyma Cluster

How to install CAP Operator in a Kyma cluster

See installation steps here: https://sap.github.io/cap-operator-lifecycle/docs/installation/kyma-cluster/

Installation

1 - Prerequisites

Istio (version >= 1.22)

sap-btp-service-operator or cf-service-operator

“Gardener” certificate management

2 - Using Helm

Installation

As command line parameters:

As a YAML values file:

Optional steps

Enable Service Monitors for metrics

Set up Prometheus integration for Version Monitoring

2.1 - Helm Values

3 - Using CAP Operator Manager

4 - Kyma Cluster

As a `YAML` values file: