This is the multi-page printable view of this section. Click here to print.
Usage
- 1: Prerequisites
- 2: Deploying a CAP Application
- 3: Domain Management
- 4: Tenant Subscription
- 5: Application Upgrade
- 6: Service Exposure
- 7: Rollout on Credential Update
- 8: Version Monitoring
- 9: Operator Metrics
- 10: Security
- 11: Resources
- 11.1: CAPApplication
- 11.2: CAPApplicationVersion
- 11.3: CAPTenant
- 11.4: CAPTenantOperation
- 11.5: CAPTenantOutput
- 11.6: Domain
- 11.7: ClusterDomain
1 - Prerequisites
Prepare the SAP BTP global account and provider subaccount
CAP-based applications use various SAP BTP services created in a provider subaccount. Before deploying the application, create a global account and entitle the required services, then create a provider subaccount where the service instances can be created. See the SAP BTP account administration documentation for details.
Create service instances and bindings
A multi-tenant CAP-based application consumes the following SAP BTP services. Some parameters require special attention during service instance creation. Service keys (bindings) generate access credentials that must be provided as Kubernetes Secrets in the namespace where the application is deployed.
Other services (not listed here) may also be required depending on your application (for example, SAP HTML5 Application Repository service for SAP BTP, Business Logging, and others).
Note: If some SAP BTP services are not available on Kubernetes, enable Cloud Foundry for the provider subaccount. In such cases, use the cf-service-operator to manage service instances and bindings directly from within the Kubernetes cluster. It automatically generates Secrets containing service access credentials based on the service bindings.
SAP Authorization and Trust Management Service
The parameter oauth2-configuration.redirect-uris must include the domain used by the application. For example, if the application is hosted in a “Gardener” managed cluster, the entry may have the form https://*<application-specific-prefix>.<cluster-id>.<gardener-project-id>.shoot.url.k8s.example.com/**.
Scopes required for asynchronous tenant subscription operations must also be included. Additionally, check the CAP Multitenancy documentation for additional required scopes.
parameters:
authorities:
- $XSAPPNAME.mtcallback
- $XSAPPNAME.mtdeployment
oauth2-configuration:
redirect-uris:
- https://*my-cap-app.cluster-x.my-project.shoot.url.k8s.example.com/**
role-collections:
...
role-templates:
...
scopes:
- description: UAA
name: uaa.user
- description: With this scope set, the callbacks for tenant onboarding, offboarding, and getDependencies can be called
grant-as-authority-to-apps:
- $XSAPPNAME(application,sap-provisioning,tenant-onboarding)
name: $XSAPPNAME.Callback
- description: Async callback to update the saas-registry (provisioning succeeded/failed)
name: $XSAPPNAME.subscription.write
- description: Deploy applications
name: $XSAPPNAME.mtdeployment
- description: Subscribe to applications
grant-as-authority-to-apps:
- $XSAPPNAME(application,sap-provisioning,tenant-onboarding)
name: $XSAPPNAME.mtcallback
...
When using multiple SAP Authorization and Trust Management Service instances in the application (for example, one for application and another for apiaccess), set the primary instance using the annotation sme.sap.com/primary-xsuaa with the name of the service instance:
apiVersion: sme.sap.com/v1alpha1
kind: CAPApplication
metadata:
annotations:
"sme.sap.com/primary-xsuaa": "my-cap-app-uaa" # Tells CAP Operator which UAA instance to use for the application
name: test-cap-01
...
spec:
btp:
services:
- class: xsuaa
name: my-cap-app-uaa-api
secret: my-cap-app-uaa-api-bind-cf
- class: xsuaa
name: my-cap-app-uaa
secret: my-cap-app-uaa-bind-cf
- class: saas-registry
name: my-cap-app-saas-registry
secret: my-cap-app-saas-bind-cf
...
btpAppName: my-cap-app
...
SAP Software-as-a-Service Provisioning service
When creating an instance of the SaaS Provisioning service, configure asynchronous tenant subscription callbacks. See Register Your Multi-Tenant Application/Service in SaaS Provisioning for details.
parameters:
appName: <short-application-name>
appUrls:
callbackTimeoutMillis: 300000 # <-- fails the subscription process when no response is received within this timeout
getDependencies: https://<cap-operator-subscription-server-domain>/dependencies/<providerSubaccountId>/<btpAppName>/ # the /getDependencies route is forwarded directly to CAP Operator (Subscription Server) and must be specified as such
onSubscription: https://<cap-operator-subscription-server-domain>/provision/tenants/{tenantId} # <-- the /provision route is forwarded directly to CAP Operator (Subscription Server) and must be specified as such
onSubscriptionAsync: true
onUnSubscriptionAsync: true
SAP HANA Cloud
An SAP HANA Cloud instance (preferably shared and accessible from the provider subaccount) is required. Note the instance ID of the database for use in relevant workloads. The SAP HANA Schemas & HDI Containers service must also be entitled for the provider subaccount.
SAP Service Manager service
The SAP Service Manager service allows CAP to retrieve schema-specific (tenant-specific) credentials for connecting to the SAP HANA Cloud database.
2 - Deploying a CAP Application
Deploying a multi-tenant CAP application involves defining several key resources provided by CAP Operator. These resources manage the application’s runtime components and external traffic routing.
Key Resources
CAPApplication (
capapplications.sme.sap.com): A namespaced resource that represents the application.CAPApplicationVersion (
capapplicationversions.sme.sap.com): A namespaced resource that specifies the version of the application being deployed. It ensures that all runtime components (Deployments, Services, and Jobs) are created with the specified image version in the same namespace.Domain resources: These resources determine how external traffic reaches the application and how DNS and TLS settings are applied. You can choose between:
- Domain (
domains.sme.sap.com): A namespaced resource for a single application. - ClusterDomain (
clusterdomains.sme.sap.com): A cluster-scoped resource that can be shared across multiple applications.
- Domain (
Deployment Process
Create the CAPApplication and CAPApplicationVersion resources in the same namespace. This allows CAP Operator to manage all associated runtime components. For external traffic management, define either a Domain or ClusterDomain resource.
apiVersion: sme.sap.com/v1alpha1
kind: Domain
metadata:
namespace: cap-app-01
name: cap-app-01-primary
spec:
domain: my.cluster.shoot.url.k8s.example.com
ingressSelector:
app: istio-ingressgateway
istio: ingressgateway
tlsMode: Simple
dnsMode: Wildcard
The ClusterDomain resource is cluster-scoped and suited for global or shared domain configurations — for example, when multiple applications share the same external domain. See API Reference.
apiVersion: sme.sap.com/v1alpha1
kind: ClusterDomain
metadata:
name: common-external-domain
spec:
domain: my.example.com
ingressSelector:
app: istio-ingressgateway
istio: ingressgateway
tlsMode: Simple
dnsMode: Subdomain
The CAPApplication resource describes the high-level attributes of an application: the SAP BTP account where it is hosted, the consumed SAP BTP services, and references to Domain and ClusterDomain resources. See API Reference.
apiVersion: sme.sap.com/v1alpha1
kind: CAPApplication
metadata:
name: cap-app-01
namespace: cap-app-01
spec:
btpAppName: cap-app-01 # <-- short name (equivalent to SAP BTP XSAPPNAME)
btp:
services:
- class: xsuaa # <-- SAP BTP service technical name
name: app-uaa # <-- name of the service instance
secret: cap-app-01-uaa-bind-cf # <-- secret containing credentials for accessing the service (must exist in the same namespace)
- class: saas-registry
name: app-saas-registry
secret: cap-app-01-saas-bind-cf
- class: service-manager
name: app-service-manager
secret: cap-app-01-svc-man-bind-cf
- class: destination
name: app-destination
secret: cap-app-01-dest-bind-cf
- class: html5-apps-repo
name: app-html5-repo-host
secret: cap-app-01-html5-repo-bind-cf
- class: html5-apps-repo
name: app-html5-repo-runtime
secret: cap-app-01-html5-rt-bind-cf
- class: portal
name: app-portal
secret: cap-app-01-portal-bind-cf
domainRefs:
- kind: Domain
name: cap-app-01-primary # <-- reference to Domain resource in the same namespace
- kind: ClusterDomain
name: common-external-domain # <-- reference to ClusterDomain resource in the cluster
providerSubaccountId: provider-subaccount-id
The CAPApplicationVersion describes the components of an application version, including the container images to use and the services consumed by each component. It must be created in the same namespace as the CAPApplication and must reference it. See API Reference.
apiVersion: sme.sap.com/v1alpha1
kind: CAPApplicationVersion
metadata:
name: cav-cap-app-01-1
namespace: cap-app-01
spec:
capApplicationInstance: cap-app-01 # <-- reference to CAPApplication in the same namespace
version: "1" # <-- semantic version
registrySecrets:
- regcred
workloads:
- name: cap-backend
consumedBTPServices: # <-- services used by the application server (defined in CAPApplication). Credential secrets are mounted as volumes on component pods.
- app-uaa
- app-service-manager
- app-saas-registry
deploymentDefinition:
type: CAP # <-- indicates the CAP application server
image: app.some.repo.example.com/srv/server:0.0.1
env:
- name: CDS_ENV
value: production
- name: CDS_CONFIG
value: '{ "requires":{"cds.xt.DeploymentService":{"hdi": { "create":{ "database_id": "16e25c51-5455-4b17-a4d7-43545345345" } } } } }'
- name: app-router
consumedBTPServices:
- app-uaa
- app-destination
- app-saas-registry
- app-html5-repo-runtime
- app-portal
deploymentDefinition:
type: Router
image: app.some.repo.example.com/approuter/approuter:0.0.1
env:
- name: PORT
value: 4000
- name: TENANT_HOST_PATTERN
value: "^(.*).(my.cluster.shoot.url.k8s.example.com|my.example.com)"
- name: service-content
consumedBTPServices:
- app-uaa
- app-html5-repo-host
- app-portal
jobDefinition:
type: Content
image: app.some.repo.example.com/approuter/content:0.0.1
backoffLimit: 1
- name: tenant-op
consumedBTPServices:
- app-uaa
jobDefinition:
type: Content
image: app.some.repo.example.com/srv/mtxs:0.0.1
backoffLimit: 1
NOTE: The example above shows a minimal
CAPApplicationVersion. For a complete configuration with explanations, see here.
The CAP Operator controller reacts to these objects and creates additional resources that constitute a running application:
- Deployment (and Service) for the application server, with SAP BTP service credentials injected as the
VCAP_SERVICESenvironment variable - Deployment (and Service) for the Approuter, with destination mappings to the application server and subscription server (for tenant provisioning)
- Job for the version content deployer
- TLS certificates for the specified domains using either “Gardener” cert-management or cert-manager.io cert-manager
- Istio Gateway resource for the application domains
The content deployer deploys content or configuration to SAP BTP services before they are consumed.
Once these resources are available, the CAPApplicationVersion status changes to Ready. The controller reconciles tenants once subscriptions are triggered for the application. See tenant subscription for details on how the CAPTenant resource is reconciled.
The
CAPApplicationVersionresource is immutable — its spec must not be modified after deployment. This is enforced by webhooks, which we recommend keeping active (the default).
NOTE: Follow the recommended security measures to safeguard exposed workloads.
NOTE: If SAP BTP service credentials are rotated after deployment, CAP Operator can automatically restart affected workloads. See Rollout on Credential Update to learn how to enable this.
3 - Domain Management
CAP Operator manages networking for CAP applications through Domain and ClusterDomain resources. These resources control TLS handling, ingress routing, and DNS setup for your application’s domains. A CAPApplication references them via domainRefs.
Domain Resources
Use a Domain resource for a domain that belongs to a specific application namespace. The operator creates the Gateway and DNSEntry in that namespace. The Certificate placement depends on the certificate manager in use — see the Domain resource reference for details.
apiVersion: sme.sap.com/v1alpha1
kind: Domain
metadata:
namespace: cap-app-01
name: cap-app-01-primary
spec:
domain: my.cluster.shoot.url.k8s.example.com
ingressSelector:
app: istio-ingressgateway
istio: ingressgateway
tlsMode: Simple # Simple (default), Mutual, or OptionalMutual
dnsMode: Wildcard # None (default), Wildcard, Subdomain, or Custom
The dnsTarget field is optional. If omitted, the target is derived from the Istio Ingress Gateway selected by ingressSelector.
ClusterDomain Resources
Use a ClusterDomain resource for a domain shared across multiple applications or namespaces. The operator creates the Gateway and DNSEntry in the CAP Operator installation namespace. The Certificate placement depends on the certificate manager in use — see the ClusterDomain resource reference for details.
apiVersion: sme.sap.com/v1alpha1
kind: ClusterDomain
metadata:
name: common-external-domain
spec:
domain: my.example.com
ingressSelector:
app: istio-ingressgateway
istio: ingressgateway
tlsMode: Simple # Simple (default) or Mutual
dnsMode: Subdomain # None (default), Wildcard, Subdomain, or Custom
When X509 client authentication is required (tlsMode: Mutual or OptionalMutual), provide additional CA certificates for Istio to verify client certificates via certConfig.additionalCACertificate.
Referencing Domains in CAPApplication
Once your Domain and ClusterDomain resources are defined, reference them in the CAPApplication spec using domainRefs:
apiVersion: sme.sap.com/v1alpha1
kind: CAPApplication
metadata:
name: cap-app-01
namespace: cap-app-01
spec:
domainRefs:
- kind: Domain
name: cap-app-01-primary # Namespaced Domain resource
- kind: ClusterDomain
name: common-external-domain # Shared ClusterDomain resource
The first entry in domainRefs is treated as the primary domain. You can mix Domain and ClusterDomain references in the same application.
Migration
Migrating from the deprecated domains section
Update Your Application Manifests
Earlier versions of CAP Operator used an inline domains section directly in CAPApplication. This section is deprecated and no longer supported. If you are still using it, migrate to domainRefs as described below.
Before: deprecated domains section
apiVersion: sme.sap.com/v1alpha1
kind: CAPApplication
metadata:
name: cap-app-01
namespace: cap-app-01
spec:
domains:
istioIngressGatewayLabels:
- name: app
value: istio-ingressgateway
- name: istio
value: ingressgateway
primary: my.cluster.shoot.url.k8s.example.com
secondary:
- my.example.com
After: domainRefs with explicit resources
Create the Domain and ClusterDomain resources manually (see sections above), then update your CAPApplication to use domainRefs.
Mutation Webhook
A mutation webhook ensures consistency: if a CAPApplication is submitted with a domains section, the webhook converts it to Domain/ClusterDomain resources and populates domainRefs automatically.
The webhook rejects updates that reintroduce the deprecated domains section. If you add or modify the domains section in your manifest, the webhook rejects the change and provides an error message instructing you to use domainRefs instead.
Automatic Migration (v0.15.0 – v0.25.0)
The automatic migration routine was available from v0.15.0 through v0.25.0 and has been removed as of v0.26.0. If you need this migration, first upgrade to v0.25.0 (or lower), allow the migration to complete, and then upgrade to the latest release.
Upgrading to CAP Operator v0.15.0 through v0.25.0 triggered an automatic migration routine that:
- Scanned existing
CAPApplicationresources. - Removed network-related resources (Gateways, DNSEntries, Certificates) linked to the deprecated
domains. - Created equivalent
DomainorClusterDomainresources. - Updated
CAPApplicationresources to usedomainRefs.
Verify Migration
After migrating, confirm the resources are in the expected state:
kubectl get capapplication -n <your-app-namespace> <your-ca-name> -o yaml
Ensure that:
- The
domainssection is absent. - The
domainRefsentries are present. - The corresponding
DomainorClusterDomainresources exist in the cluster.
3.1 - Custom DNS Templates
Domain or ClusterDomainWhen dnsMode is set to Custom, the operator creates DNS entries according to the dnsTemplates field instead of the fixed patterns used by Wildcard and Subdomain modes. This lets you generate multiple DNS records per domain, map subdomains to external names, or combine wildcard and per-subdomain entries in one resource.
DNS entry creation requires the Gardener external-dns-management controller. When using the Kubernetes DNS manager, dnsMode is ignored and no DNS entries are created regardless of the mode chosen.
Templates
Each entry in dnsTemplates produces one or more DNS records. Up to 10 templates are allowed per resource. The name and target fields are rendered using Go templates. A template has two fields:
| Field | Description |
|---|---|
name | DNS name for the record — rendered as a Go template |
target | DNS target (hostname or IP) — rendered as a Go template |
Available variables
The following variables are available in both name and target:
| Variable | Value |
|---|---|
{{.domain}} | The value of spec.domain |
{{.dnsTarget}} | The effective ingress target: spec.dnsTarget, or DNS_TARGET env var, or the load balancer service annotation on the Istio Ingress Gateway |
{{.subDomain}} | A subdomain collected from referencing applications — see Subdomain expansion |
Functions from the Slim Sprig library are available in all templates.
Subdomain expansion
When {{.subDomain}} appears in a template’s name, the operator expands that template once for each subdomain observed across all CAPApplication resources that reference the domain. A template whose name does not contain {{.subDomain}} is rendered exactly once.
Subdomains are collected from two sources and tracked in CAPApplication.status.observedSubdomains:
CAPTenant.spec.subDomain— each tenant’s subdomainCAPApplicationVersion.spec.serviceExposures[].subDomain— subdomains declared in version service exposures
{{.subDomain}} may also be used in target, but only when name also contains {{.subDomain}}.
If the same subdomain appears in two different CAPApplication resources that both reference the same domain, that subdomain is skipped for the second application and a SubdomainAlreadyInUse warning event is raised on it.
Example
The following configuration combines a wildcard record with per-subdomain records on the primary domain, and a CNAME chain that maps each subdomain on an external domain to the corresponding subdomain on the primary domain:
apiVersion: sme.sap.com/v1alpha1
kind: Domain # also applies to ClusterDomain
metadata:
namespace: cap-app-01
name: cap-app-01-primary
spec:
domain: my.cluster.shoot.url.k8s.example.com
ingressSelector:
app: istio-ingressgateway
istio: ingressgateway
dnsMode: Custom
dnsTemplates:
- name: '*.{{ .domain }}'
target: '{{ .dnsTarget }}'
- name: '{{ .subDomain }}.{{ .domain }}'
target: '{{ .dnsTarget }}'
- name: '{{ .subDomain }}.myapp.com'
target: '{{ .subDomain }}.{{ .domain }}'
For an application with subdomains tenant-a and tenant-b, this produces five DNS records:
| DNS name | Target |
|---|---|
*.my.cluster.shoot.url.k8s.example.com | <ingress target> |
tenant-a.my.cluster.shoot.url.k8s.example.com | <ingress target> |
tenant-b.my.cluster.shoot.url.k8s.example.com | <ingress target> |
tenant-a.myapp.com | tenant-a.my.cluster.shoot.url.k8s.example.com |
tenant-b.myapp.com | tenant-b.my.cluster.shoot.url.k8s.example.com |
3.2 - Configuring Additional CA Certificates
Domain or ClusterDomainWhen tlsMode is set to Mutual or OptionalMutual on a Domain or ClusterDomain, Istio requires a CA certificate to verify client certificates presented during the TLS handshake. Provide this certificate via certConfig.additionalCACertificate.
The operator stores the certificate as a Kubernetes Secret (key: ca.crt) in the Istio Ingress Gateway namespace, where Istio reads it.
apiVersion: sme.sap.com/v1alpha1
kind: ClusterDomain # also applies to Domain
metadata:
name: cap-example-domain
spec:
domain: myapp.example.com
ingressSelector:
app: istio-ingressgateway
istio: ingressgateway
tlsMode: Mutual
certConfig:
additionalCACertificate: |
-----BEGIN CERTIFICATE-----
MIIFZjCCA06gAwIBAgIQGHcPvmUGa79M6pM42bGFYjANBgkqhkiG9w0BAQsFADBN
...
-----END CERTIFICATE-----
Removing certConfig.additionalCACertificate from the spec causes the operator to delete the corresponding secret.
4 - Tenant Subscription
In CAP Operator, a valid tenant for an application is represented by the CAPTenant resource. It references the CAPApplication it belongs to and specifies the details of the SAP BTP subaccount that represents the tenant.
apiVersion: sme.sap.com/v1alpha1
kind: CAPTenant
metadata:
name: cap-app-01-consumer
namespace: cap-app-01
spec:
capApplicationInstance: cap-app-01 # <-- reference to the CAPApplication
subDomain: app-consumer
tenantId: aa2bae55d7b5-1279-456564-a7b0-aa2bae55d7b5
version: "1.0.0" # <-- expected version of the application
versionUpgradeStrategy: always # <-- always / never
Tenant Provisioning
Tenant provisioning begins when a consumer subaccount subscribes to the application, either via the SAP BTP cockpit or using the SaaS Provisioning service APIs. This triggers an asynchronous callback from the SaaS Provisioning service into the cluster, which is handled by the subscription server. The subscription server validates the request and creates a CAPTenant instance for the identified CAPApplication.
CAPTenant instances must not be created or deleted manually. They are managed exclusively by the subscription server in response to provisioning calls from the SaaS Provisioning service.
The controller, observing the new CAPTenant, initiates the provisioning process by creating a CAPTenantOperation resource representing the provisioning operation.
apiVersion: sme.sap.com/v1alpha1
kind: CAPTenantOperation
metadata:
name: cap-app-01-consumer-sgz8b
namespace: cap-app-01
spec:
capApplicationVersionInstance: cav-cap-app-01-1 # <-- latest CAPApplicationVersion in Ready state
subDomain: app-consumer
tenantId: aa2bae55d7b5-1279-456564-a7b0-aa2bae55d7b5
operation: provisioning # <-- valid values are provisioning, deprovisioning and upgrade
steps:
- name: tenant-operation # <-- derived from the workload of type TenantOperation defined in the CAPApplicationVersion
type: TenantOperation
The CAPTenantOperation is reconciled to create Kubernetes Jobs (steps) derived from the latest CAPApplicationVersion in Ready state. The steps include a TenantOperation job and optional CustomTenantOperation steps. The TenantOperation step uses built-in CLI-based tenant operations from @sap/cds-mtxs to execute tenant provisioning.
The CAPTenant reaches a Ready state only after:
- All
CAPTenantOperationsteps complete successfully, and - An Istio
VirtualServiceis created to route HTTP requests on the tenant subdomain to the application.
Get Dependencies
During provisioning, the SaaS Provisioning service calls a getDependencies endpoint to retrieve the list of reuse services that the multitenant application requires. The CAP Operator subscription server exposes this endpoint and resolves dependencies by inspecting the BTP services defined in the CAPApplication.
The subscription server exposes the following endpoint:
GET /dependencies/{providerSubaccountId}/{appName}/
The providerSubaccountId and appName path parameters identify the corresponding CAPApplication resource. The system authorizes the request using the same mechanism as the provisioning endpoints (Bearer token).
The appName value in the URL must match spec.btpAppName of the CAPApplication resource. Because it is also registered with the SaaS Provisioning service, it should follow the service’s xsappname conventions.
A successful response returns a JSON array of objects. Each object contains the xsappname of a qualifying service:
[
{ "xsappname": "my-destination-service!b42" },
{ "xsappname": "my-auditlog-service!b7" }
]
Service Qualification
The subscription server iterates over all BTP services listed in CAPApplication.spec.btp.services. For each service, it reads the associated Kubernetes secret, parses the credentials, and determines whether to include the service in the response.
The xsappname is read from either the top-level xsappname field or the nested uaa.xsappname field in the service credentials. If not found, the service is excluded from the response.
Configuring Dependencies with subscriptionDependency
Each entry in spec.btp.services can include an optional subscriptionDependency field that controls whether the service is included:
| Value | Behaviour |
|---|---|
Auto (default) | The operator determines inclusion based on service class and credentials (see below) |
Always | Includes the service regardless of class |
Never | Excludes the service regardless of class or credentials |
spec:
btp:
services:
- name: my-destination
class: destination
secret: my-destination-secret
subscriptionDependency: Always # force inclusion
- name: my-xsuaa
class: xsuaa
secret: my-xsuaa-secret
subscriptionDependency: Never # force exclusion
- name: my-auditlog
class: auditlog
secret: my-auditlog-secret
# subscriptionDependency omitted → Auto
Auto qualification rules
When subscriptionDependency is set to Auto or omitted, the system includes the service if any of the following conditions apply:
- The service credentials contain
"saasregistryenabled": true - Service
classisdestination - Service
classisconnectivity - Service
classisauditlogand the credentialplanisoauth2
This behavior aligns with the implementation in the @sap/approuter package.
Tenant Deprovisioning
When a tenant unsubscribes from the application, the subscription server receives the request, validates the existence and status of the CAPTenant, and submits a deletion request to the Kubernetes API server.
The controller identifies the pending deletion but defers it until a CAPTenantOperation of type deprovisioning is created and completes successfully. The CAPTenantOperation creates the corresponding Jobs (steps) that execute the tenant deprovisioning.
5 - Application Upgrade
An important lifecycle aspect of operating multi-tenant CAP applications is the tenant upgrade process. With CAP Operator, tenant upgrades can be fully automated by providing a new CAPApplicationVersion custom resource.
As covered in initial deployment, the CAPApplicationVersion resource describes the workloads of an application version, including the container image and services consumed by each component. To upgrade the application, create a new CAPApplicationVersion with updated image values for each component and a higher semantic version in the version field. See API Reference.
apiVersion: sme.sap.com/v1alpha1
kind: CAPApplicationVersion
metadata:
name: cav-cap-app-01-2
namespace: cap-app-01
spec:
capApplicationInstance: cap-cap-app-01 # <-- reference to CAPApplication in the same namespace
version: "2.0.1" # <-- semantic version
registrySecrets:
- regcred
workloads:
- name: cap-backend
consumedBTPServices:
- app-uaa
- app-service-manager
- app-saas-registry
deploymentDefinition:
type: CAP # <-- indicates the CAP application server
image: app.some.repo.example.com/srv/server:0.0.2
env:
- name: CDS_ENV
value: production
- name: CDS_CONFIG
value: '{ "requires":{"cds.xt.DeploymentService":{"hdi": { "create":{ "database_id": "16e25c51-5455-4b17-a4d7-43545345345" } } } } }'
- name: app-router
consumedBTPServices:
- app-uaa
- app-destination
- app-saas-registry
- app-html5-repo-runtime
- app-portal
deploymentDefinition:
type: Router
image: app.some.repo.example.com/approuter/approuter:0.0.2
env:
- name: PORT
value: 4000
- name: TENANT_HOST_PATTERN
value: "^(.*).(my.cluster.shoot.url.k8s.example.com|my.example.com)"
- name: service-content
consumedBTPServices:
- app-uaa
- app-html5-repo-host
- app-portal
jobDefinition:
type: Content
image: app.some.repo.example.com/approuter/content:0.0.2
backoffLimit: 1
- name: tenant-operation
consumedBTPServices:
- app-uaa
- app-service-manager
- app-saas-registry
jobDefinition:
type: TenantOperation
image: app.some.repo.example.com/approuter/content:0.0.2
env:
- name: CDS_ENV
value: production
- name: CDS_CONFIG
value: '{ "requires":{"cds.xt.DeploymentService":{"hdi": { "create":{ "database_id": "16e25c51-5455-4b17-a4d7-43545345345" } } } } }'
- name: notify-upgrade
consumedBTPServices: []
jobDefinition:
type: CustomTenantOperation
image: app.some.repo.example.com/approuter/content:0.0.2
command: ["npm", "run", "notify:upgrade"]
backoffLimit: 1
env:
- name: TARGET_DL
value: group_xyz@sap.com
tenantOperations:
upgrade:
- workloadName: tenant-operation
- workloadName: notify-upgrade
continueOnFailure: true
Note that compared to version “1” used for initial deployment, new workloads of type TenantOperation and CustomTenantOperation have been added.
The CAP Operator controller reacts to the new CAPApplicationVersion resource by triggering a new Deployment for the application server and router, and running the content deployment Job. Once the new CAPApplicationVersion is Ready, the controller automatically upgrades all relevant tenants by updating the version attribute on the CAPTenant resources.
CAPTenant reconciliation changes the tenant state to Upgrading and creates a CAPTenantOperation resource of type upgrade.
apiVersion: sme.sap.com/v1alpha1
kind: CAPTenantOperation
metadata:
name: cap-app-01-provider-fgdfg
namespace: cap-app-01
spec:
capApplicationVersionInstance: cav-cap-app-01-2
subDomain: cap-provider
tenantId: aa2bae55d7b5-1279-456564-a7b0-aa2bae55d7b5
operation: upgrade # possible values are provisioning / upgrade / deprovisioning
steps:
- name: "tenant-operation"
type: TenantOperation
- name: "notify-upgrade"
type: CustomTenantOperation
continueOnFailure: true # <-- indicates that the overall operation may proceed even if this step fails
The CAPTenantOperation creates Jobs for each step and executes them sequentially until all Jobs complete or one fails. The CAPTenant is notified of the result and updates its state accordingly.
When the CAPTenantOperation completes successfully, the VirtualService managed by the CAPTenant is updated to route HTTP traffic to the Deployments of the newer CAPApplicationVersion. Once all tenants are upgraded, the outdated CAPApplicationVersion can be deleted.
Version Affinity during Upgrade (Experimental)
You can optionally enable Version Affinity for multi-tenant applications by adding the annotation sme.sap.com/enable-version-affinity: "true" to the CAPApplication resource. With this experimental feature, users remain on their currently active CAPApplicationVersion during an upgrade until their session expires or they log out.
apiVersion: sme.sap.com/v1alpha1
kind: CAPApplication
metadata:
name: test-ca-01
namespace: default
annotations:
sme.sap.com/enable-version-affinity: "true" # <-- enable version affinity
spec:
btp:
services:
- class: xsuaa
name: cap-uaa
secret: cap-cap-01-uaa-bind-cf
....
....
By default, CAP Operator recognizes logout and logoff as logout endpoints. If your application uses a different endpoint, specify it using the sme.sap.com/logout-endpoint annotation on your CAPApplicationVersion resource (without a leading slash).
apiVersion: sme.sap.com/v1alpha1
kind: CAPApplicationVersion
metadata:
name: cav-cap-app-01-2
namespace: cap-app-01
annotations:
sme.sap.com/logout-endpoint: "custom-logout" # <-- specify custom logout endpoint
spec:
capApplicationInstance: cap-cap-app-01
version: "2.0.1"
registrySecrets:
- regcred
6 - Service Exposure
Exposing Service Workloads
This guide explains how to deploy applications with tenant-agnostic service workloads. These workloads can be part of multi-tenant applications or standalone applications that are entirely tenant-agnostic.
Configuration
Service Exposure Setup
The serviceExposures section in the CAPApplicationVersion configuration is used to expose workloads. Each entry in the serviceExposures array specifies a subdomain under which workloads are accessible, with support for multiple routes per subdomain.
For details on configuring routes, see the Route API reference.
Example Configuration
spec:
workloads:
- name: cap-backend-service
consumedBTPServices:
- cap-uaa
- cap-saas-reg
deploymentDefinition:
type: CAP # <-- possible values are CAP / Router / Additional / Service
image: some.repo.example.com/cap-app/server:3.22.11
env:
- name: HOME
value: "SAP"
replicas: 3
ports:
- name: app-port
port: 4004
- name: tech-port
port: 4005
- name: api
port: 8000
- name: api-v2
port: 8001
appProtocol: http
- name: router
consumedBTPServices:
- cap-uaa
- cap-apps-repo
deploymentDefinition:
type: Router
image: some.repo.example.com/cap-app/app-router:1.0.1
ports:
- name: router-port
port: 5000
- name: app
consumedBTPServices:
- cap-uaa
- cap-db
deploymentDefinition:
type: Service
image: some.repo.example.com/cap-app/app:4.0.1
ports:
- name: app-port
port: 5000
- name: service-content
consumedBTPServices:
- app-uaa
- app-html5-repo-host
- app-portal
jobDefinition:
type: Content
image: some.repo.example.com/cap-app/content:0.0.1
backoffLimit: 1
serviceExposures:
- subDomain: service
routes:
- workloadName: cap-backend-service
port: 4004
- subDomain: api
routes:
- workloadName: cap-backend-service
port: 8001
path: /api/v2
- workloadName: cap-backend-service
port: 8000
path: /api
- subDomain: app
routes:
- workloadName: app
port: 5000
Result:
For a cluster domain like my.cluster.shoot.url.k8s.example.com, the configuration generates URLs like:
service.my.cluster.shoot.url.k8s.example.comforcap-backend-serviceon port4004.api.my.cluster.shoot.url.k8s.example.com/api/v2forcap-backend-serviceon port8001.api.my.cluster.shoot.url.k8s.example.com/apiforcap-backend-serviceon port8000app.my.cluster.shoot.url.k8s.example.comforappon port5000.
In the example above, the router workload is not exposed through serviceExposures. However, in multi-tenant scenarios, it may be exposed per tenant subdomain as usual.
Route Ordering
Ensure routes are ordered correctly to prevent routing errors. When multiple routes are defined for a subdomain, more specific paths must come before more general ones. For example, in the configuration above, the api subdomain requires /api/v2 to be defined before /api.
Deploying Services-Only Applications
Services-only applications do not require tenant-specific configurations. Therefore, the provider section is omitted from the CAPApplication resource. The CAPApplicationVersion may include only Content jobs and no tenant-related jobs. The rest of the configuration for your services-only application remains the same.
Application Configuration
Create a CAPApplication resource without a provider section:
apiVersion: sme.sap.com/v1alpha1
kind: CAPApplication
metadata:
name: test-ca-01
namespace: default
spec:
btp:
services:
- class: xsuaa
name: cap-uaa
secret: cap-cap-01-uaa-bind-cf
- class: xsuaa
name: cap-uaa2
secret: cap-cap-01-uaa2-bind-cf
- class: service-manager
name: cap-service-manager
secret: cap-cap-01-svc-man-bind-cf
btpAppName: test-cap-01
domainRefs:
- kind: Domain
name: cap-app-01-primary
- kind: ClusterDomain
name: common-external-domain
providerSubaccountId: provider-subaccount-id
Version Configuration
Create a CAPApplicationVersion in the same namespace as the CAPApplication with service workloads and any content jobs.
apiVersion: sme.sap.com/v1alpha1
kind: CAPApplicationVersion
metadata:
name: cav-ca-app-01-1
namespace: default # Same namespace as CAPApplication
spec:
capApplicationInstance: test-ca-01 # Reference to the CAPApplication
version: "0.0.1"
registrySecrets:
- regcred
workloads:
- name: cap-backend-service
consumedBTPServices: # Services used by this workload
- app-uaa
- app-db
- app-saas-registry
deploymentDefinition:
type: CAP
image: app.some.repo.example.com/srv/server:0.0.1
env:
- name: CDS_ENV
value: production
ports:
- name: server
port: 4004
appProtocol: http
- name: api
port: 8000
appProtocol: http
- name: metrics
port: 4005
appProtocol: http
- name: api
consumedBTPServices: # Services used by this workload
- app-uaa
- app-db
deploymentDefinition:
type: Service
image: app.some.repo.example.com/srv/api:0.0.1
env:
- name: CDS_ENV
value: production
ports:
- name: apiv2
port: 8000
appProtocol: http
- name: api
port: 8001
appProtocol: http
- name: service-content # Example content job
consumedBTPServices:
- app-uaa
- app-html5-repo-host
- app-portal
jobDefinition:
type: Content
image: app.some.repo.example.com/approuter/content:0.0.1
backoffLimit: 1
serviceExposures:
- subDomain: service
routes:
- workloadName: cap-backend-service
port: 4004
- subDomain: api
routes:
- workloadName: api
port: 8000
path: /api/v2
- workloadName: api
port: 8001
path: /api
Important Considerations
- No tenant-related resources are created for services-only applications.
- A successful upgrade of the
CAPApplicationVersioncauses any service-relatedVirtualServiceresources to route HTTP traffic to the workloads of thatCAPApplicationVersion. - Choose the appropriate application mode from the start: services-only or multi-tenant. Switching modes later is not possible.
- Follow the recommended security measures to safeguard any exposed workloads.
7 - Rollout on Credential Update
When SAP BTP service credentials are rotated — for example, by a credential rotation tool or by re-binding a service instance — the Kubernetes Secrets holding those credentials are updated. By default, running application workloads are not restarted and continue to use the old credentials until the next deployment or a manual rollout.
Enabling rolloutOnCredentialUpdate on a CAPApplication resource instructs CAP Operator to watch the referenced BTP service credential Secrets and automatically trigger a rolling restart of affected Deployments whenever their credentials change.
Benefits
| Benefit | Description |
|---|---|
| No stale credentials in running pods | Pods pick up fresh credentials without a manual rollout or a new CAPApplicationVersion. |
| Selective restarts | Only Deployments that actually consume the updated service are restarted; unaffected workloads are left untouched. |
| Resilient to operator restarts | On startup, CAP Operator re-checks all relevant Secrets so that credential changes that occurred while the operator was down are not missed. |
| Batched processing | Multiple Secret updates arriving within the batching window are accumulated and processed in a single pass, avoiding redundant rollouts. |
Enabling the Feature
Set rolloutOnCredentialUpdate: true in the CAPApplication spec:
apiVersion: sme.sap.com/v1alpha1
kind: CAPApplication
metadata:
name: cap-app-01
namespace: cap-app-01
spec:
rolloutOnCredentialUpdate: true # opt-in to automatic rollout on credential rotation
btpAppName: cap-app-01
btp:
services:
- class: xsuaa
name: app-uaa
secret: cap-app-01-uaa-bind-cf
- class: saas-registry
name: app-saas-registry
secret: cap-app-01-saas-bind-cf
- class: service-manager
name: app-service-manager
secret: cap-app-01-svc-man-bind-cf
domainRefs:
- kind: ClusterDomain
name: common-external-domain
providerSubaccountId: provider-subaccount-id
The field is optional and defaults to false. See the API Reference for the full spec.
How It Works
Once enabled, the operator follows this flow whenever a watched Secret changes:
Secret watch — CAP Operator watches all Kubernetes Secrets in the namespace of any
CAPApplicationthat hasrolloutOnCredentialUpdate: true. When a Secret is updated, the namespace is scheduled for processing after a configurable batching window (see Operator Configuration).Batching — any additional Secret changes arriving in the same namespace within the batching window are accumulated. When the window expires, all collected changes are processed together in a single pass, preventing redundant rollouts when multiple services are rotated at once.
Affected workload detection — for each
CAPApplicationVersioncurrently in use (the latest ready version, plus any version still serving active tenants), the operator checks which Deployments declare the rotated service in theirconsumedBTPServiceslist.VCAP secret comparison — the operator rebuilds the
VCAP_SERVICESdata for each affected Deployment using the new credential data. If the payload is identical to the existing one, the Deployment is left untouched and no restart is triggered.Rolling restart — when the data has changed, a new
VCAP_SERVICESsecret is created and the Deployment’senvFromreference is updated to point to it. Kubernetes detects the change and performs a rolling restart of the pods, ensuring zero downtime.
Note: Only Deployments are restarted. Job workloads (content deployers, tenant operation jobs) are not affected by this feature.
Note: The rollout covers all ready
CAPApplicationVersionresources currently serving tenants, not only the latest version. This ensures credentials are refreshed consistently across all active versions during an upgrade transition.
Operator Configuration
The batching window duration is configurable via an environment variable on the CAP Operator deployment.
| Environment Variable | Description | Default | Minimum |
|---|---|---|---|
ROLLOUT_DELAY | How long the operator waits after a credential Secret is updated before processing the rollout. Secret changes arriving within this window for the same namespace are batched into a single pass. Accepts any Go duration string (e.g. 30m, 2h). | 1h | 30s |
If the configured value cannot be parsed, the operator logs an error and falls back to the default (1h). If the parsed value is below the minimum (30s), the operator logs an error and clamps it to 30s.
Recommendations
Keep Old Credentials Valid Long After Rotation
When rotating credentials, do not invalidate the old Secret immediately. CAP Operator needs time to:
- detect the Secret change,
- wait out the batching window (
ROLLOUT_DELAY), - rebuild and compare the
VCAP_SERVICESpayload, and - wait for Kubernetes to complete the rolling restart of every affected Deployment.
Only once all pods are running with the new credentials is it safe to revoke the old ones.
As a rule of thumb, keep the old credentials valid for at least 24 hours after issuing the new ones. This provides a generous buffer that covers the batching delay, the rollout duration, and any transient failures or retries in the operator’s reconciliation loop.
Revoking credentials too soon risks pods being restarted mid-rollout with no valid credentials available, which causes application downtime.
8 - Version Monitoring
In a continuous delivery environment where new application versions are deployed frequently, monitoring and cleaning up older unused versions is important for conserving cluster resources (compute, memory, storage) and keeping the system manageable. CAP Operator allows application developers and operations teams to define how an application version is monitored for usage.
Integration with Prometheus
Prometheus is the industry standard for monitoring application metrics and provides a wide variety of tools for managing and reporting metrics. The CAP Operator controller can be connected to a Prometheus server by setting the PROMETHEUS_ADDRESS environment variable (see Configuration). The controller then queries application-related metrics based on the workload specification of CAPApplicationVersion resources. Prometheus is only required to evaluate workloads that declare deletionRules. When PROMETHEUS_ADDRESS is not set, or the configured server is unreachable, the cleanup loop still runs. Versions whose deployment workloads declare no deletionRules can still be cleaned up in that case. Versions that do declare deletionRules are skipped — they are neither deleted nor surfaced as errors — and will be re-evaluated on the next cycle once Prometheus becomes available again.
Configure CAPApplication
Version cleanup monitoring must be explicitly enabled for a CAP application using the annotation sme.sap.com/enable-cleanup-monitoring. The annotation accepts the following values:
| Value | Behavior |
|---|---|
dry-run | When a CAPApplicationVersion is evaluated as eligible for cleanup, a ReadyForDeletion event is emitted without deleting the version. |
true | When a CAPApplicationVersion is evaluated as eligible for cleanup, the version is deleted and a ReadyForDeletion event is emitted. |
Configure CAPApplicationVersion
For each deployment workload in a CAPApplicationVersion, you can define:
- Deletion rules: Criteria based on metrics that, when satisfied, mark the workload as eligible for removal.
- Scrape configuration: Defines how metrics are scraped from the workload service.
Deletion Rules (Variant 1) Based on Metric Type
The following example shows a workload named backend configured with deletion rules based on multiple metrics.
apiVersion: sme.sap.com/v1alpha1
kind: CAPApplicationVersion
metadata:
namespace: demo
name: cav-demo-app-1
spec:
workloads:
- name: backend
deploymentDefinition:
monitoring:
deletionRules:
metrics:
- calculationPeriod: 90m
name: current_sessions
thresholdValue: "0"
type: Gauge
- calculationPeriod: 2h
name: total_http_requests
thresholdValue: "0.00005"
type: Counter
This tells CAP Operator that workload backend provides two metrics that can be monitored for usage.
Metric
current_sessionsis of typeGauge, representing an absolute value at any point in time. CAP Operator queries Prometheus with a PromQL expression that calculates the average value over the specified calculation period. The average values from each time series are summed to get the evaluated value, which is then compared against the threshold to determine eligibility for cleanup.Evaluation steps for metric type GaugeExecute PromQL expression sum(avg_over_time(current_sessions{job="cav-demo-app-1-backend-svc",namespace="demo"}[90m]))to get the evaluated valueCheck whether evaluated value <= 0 (the specified thresholdValue)Metric
total_http_requestsis of typeCounter, representing a cumulative value that can only increase. CAP Operator queries Prometheus with a PromQL expression that calculates the rate of increase over the specified period. The rates from each time series are summed to get the evaluated value, which is compared against the threshold.Evaluation steps for metric type CounterExecute PromQL expression sum(rate(total_http_requests{job="cav-demo-app-1-backend-svc",namespace="demo"}[2h]))to get the evaluated valueCheck whether evaluated value <= 0.00005 (the specified thresholdValue)
- Prometheus stores metric data as multiple time series by label set. The number of time series for a single metric depends on the possible label combinations. The
joblabel represents the metric source and (within Kubernetes) corresponds to the service representing the workload. - CAP Operator supports only the
GaugeandCounterPrometheus metric types. Learn more about metric types here.
All specified metrics of a workload must satisfy the evaluation criteria for the workload to be eligible for cleanup.
Deletion Rules (Variant 2) as a PromQL Expression
You can also specify deletion criteria for a workload by providing a PromQL expression that returns a boolean scalar.
apiVersion: sme.sap.com/v1alpha1
kind: CAPApplicationVersion
metadata:
namespace: demo
name: cav-demo-app-1
spec:
workloads:
- name: backend
deploymentDefinition:
monitoring:
deletionRules:
expression: scalar(sum(avg_over_time(current_sessions{job="cav-demo-app-1-backend-svc",namespace="demo"}[2h]))) <= bool 5
The PromQL expression is executed as a Prometheus query. The expected result is a scalar boolean (0 or 1). Use comparison binary operators with the bool modifier to produce the expected result. If the evaluation result is true (1), the workload is eligible for removal.
This variant is useful when:
- The predefined metric-type evaluation is insufficient for determining workload usage.
- Custom scraping configurations are used where the
joblabel in the collected time series data does not match the name of the Kubernetes Service created for the workload.
Scrape Configuration
Prometheus Operator is a popular Kubernetes operator for managing Prometheus and related monitoring components. A common way to set up scrape targets is by creating the ServiceMonitor resource, which specifies which services (and ports) to scrape for application metrics.
The scrapeConfig feature is available only when the ServiceMonitor custom resource is available on the Kubernetes cluster.
CAP Operator can automatically create ServiceMonitor resources targeting the services created for version workloads. The following sample shows how to configure this.
kind: CAPApplicationVersion
metadata:
namespace: demo
name: cav-demo-app-1
spec:
workloads:
- name: backend
deploymentDefinition:
ports:
- appProtocol: http
name: metrics-port
networkPolicy: Cluster
port: 9000
monitoring:
deletionRules:
expression: scalar(sum(avg_over_time(current_sessions{job="cav-demo-app-1-backend-svc",namespace="demo"}[2h]))) <= bool 5
scrapeConfig:
interval: 15s
path: /metrics
port: metrics-port
With this configuration, CAP Operator creates a ServiceMonitor targeting the workload service. The scrapeConfig.port must match the name of one of the ports specified on the workload.
The scrapeConfig feature is designed for a minimal configuration that covers the most common use case (scraping the workload service via a defined port). For more complex ServiceMonitor configurations, create them separately. If scrapeConfig is empty, CAP Operator will not create the related ServiceMonitor.
Evaluating CAPApplicationVersion Resources for Cleanup
At specified intervals (controlled by the controller environment variable METRICS_EVAL_INTERVAL), CAP Operator selects versions as candidates for evaluation.
- Only versions for
CAPApplicationresources with the annotationsme.sap.com/enable-cleanup-monitoringare considered. - Versions with a
spec.versionhigher than the highestReadyversion are excluded from evaluation. If no version hasReadystatus, no versions are evaluated. - Versions linked to a
CAPTenantare excluded. This includes versions referenced by the followingCAPTenantfields:status.currentCAPApplicationVersionInstance— the tenant’s current version.spec.version— the version a tenant is upgrading to.
Workloads from the identified versions are then evaluated against their deletionRules. Workloads without deletionRules are automatically eligible for cleanup regardless of whether Prometheus is configured or reachable. All deployment workloads of a version must satisfy the evaluation criteria for the version to be deleted.
When a workload declares deletionRules and the Prometheus client is currently unavailable — either because no PROMETHEUS_ADDRESS has been configured, or because the Runtimeinfo probe against the configured server is failing — that workload is treated as not eligible and the version is left untouched until the next evaluation cycle. Reachability is re-checked at most once per PROM_ACQUIRE_CLIENT_RETRY_DELAY interval, so a recovered Prometheus server will be detected and used on the next cycle after that delay elapses.
9 - Operator Metrics
Overview
CAP Operator includes built-in Prometheus metrics that enable you to effectively monitor and analyze the operator’s performance. These metrics provide insights into resource usage, potential issues, and overall operator health. The metrics are accessible at the /metrics endpoint on port 9090 of both the Controller and the Subscription Server.
Controller Metrics
The Controller emits several types of metrics, including:
- Standard Go Metrics: These metrics are provided by the Prometheus Go client and include runtime statistics.
- Workqueue Metrics: These metrics are relevant to the resources being reconciled and are based on the MetricsProvider.
- Specific metrics: mentioned below.
Specific Metrics
- Reconcile Errors –
cap_op_reconcile_errors, e.g.:
cap_op_reconcile_errors{kind="CAPApplication",name="my-app",namespace="app"} 11
- Type: Counter
- Description: This metric tracks the total number of resources that failed to reconcile for each resource kind, such as
CAPApplication.
- Tenant Operations –
cap_op_tenant_operations, e.g.
cap_op_tenant_operations{app="<hash>",operation="provisioning"} 83
- Type: Counter
- Description: This metric provides insights into overall tenant operations being performed.
Detailed Operational Metrics
To gain deeper insights, you can enable more granular metrics by setting the environment variable DETAILED_OPERATIONAL_METRICS to "true".
- Failed Tenant Operations –
cap_op_tenant_operation_failures, e.g.:
cap_op_tenant_operation_failures{app="<hash>",operation="upgrade",tenant_id="<guid>",namespace="app",name="my-app-tenant-op-xxyyz"} 2
- Type: Counter
- Description: This metric reveals the number of failed tenant operations, categorized by application, tenant ID, and specific operation details.
- Last Tenant Operation Duration –
cap_op_last_tenant_operation_duration_seconds, e.g.:
cap_op_last_tenant_operation_duration_seconds{app="<hash>",tenant_id="<guid>"} 17
- Type: Gauge
- Description: This metric measures the duration (in seconds) of the last tenant operation for a specified application and tenant.
Subscription Server Metrics
The Subscription Server emits the following metrics:
- Standard Go Metrics: These metrics are provided by the Prometheus Go client and include runtime statistics.
- Specific metrics: mentioned below.
Specific Metrics
- Subscription Requests Total –
cap_op_subscription_requests_total, e.g.:
cap_op_subscription_requests_total{code="202",method="POST"} 2024
- Type: Counter
- Description: This metric tracks the total number of subscription requests that were processed, categorized by HTTP method and response code.
- Inflight Subscription Requests –
cap_op_subscription_requests_inflight, e.g.:
cap_op_subscription_requests_inflight{} 4
- Type: Gauge
- Description: This metric indicates the number of subscription requests currently being processed by the server.
Conclusion
CAP Operator provides a rich set of metrics to facilitate monitoring and operational insights. By leveraging these metrics, you can monitor and ensure the reliability and performance of your applications. For further details, explore the Prometheus documentation and integrate these metrics into your monitoring systems.
10 - Security
Securing Applications
We strongly recommend that applications implement the necessary authentication and authorization mechanisms to safeguard exposed workloads. This includes implicitly exposed tenant workloads and explicitly exposed service workloads.
When using SAP Authorization and Trust Management Service in the application, this can be done as explained in this guide.
Istio
You may also consider using Istio’s security features, for instance using specific workload selectors to secure exposed workloads.
11 - Resources
11.1 - CAPApplication
CAPApplication resourceHere’s an example of a fully configured CAPApplication:
apiVersion: sme.sap.com/v1alpha1
kind: CAPApplication
metadata:
name: cap-app
namespace: cap-ns
spec:
btp:
services:
- class: xsuaa
name: cap-uaa
secret: cap-uaa-bind
- class: saas-registry
name: cap-saas-reg
secret: cap-saas-reg-bind
- class: service-manager
name: cap-service-manager
secret: cap-svc-man-bind
- class: destination
name: cap-destination
secret: cap-bem-02-dest-bind
- class: html5-apps-repo
name: cap-html5-repo-host
secret: cap-html5-repo-bind
- class: html5-apps-repo
name: cap-html5-repo-runtime
secret: cap-html5-rt-bind
- class: portal
name: cap-portal
secret: cap-portal-bind
- class: business-logging
name: cap-business-logging
secret: cap-business-logging-bind
btpAppName: cap-app
domainRefs:
- kind: Domain
name: cap-app-01-primary
- kind: ClusterDomain
name: common-external-domain
providerSubaccountId: 7a49218f-c750-4e1f-a248-7f1cefa13010
The btp.services array specifies all SAP BTP service instances and their corresponding Kubernetes Secrets (containing credentials) required by the application. These service instances are assumed to exist in the provider subaccount. You can use operators such as cf-service-operator or sap-btp-service-operator to declaratively create these service instances and their credentials as Kubernetes resources.
The providerSubaccountId identifies the provider subaccount linked to the application. The combination of providerSubaccountId and btpAppName (equivalent to XSAPPNAME) must be unique, as it is used in various SAP BTP service and application constructs.
The provider section is deprecated and may be completely ommited as of version 0.31.0 even for multi-tenant applications, this also skips the creation of a provider tenant.
The domainRefs section references one or more Domain or ClusterDomain resources.
NOTE: While the same secondary domain can technically be shared across applications using
ClusterDomain, tenant subdomains must be unique across all applications sharing that domain.
NOTE: The
providersection must always be omitted for services-only applications.
The optional rolloutOnCredentialUpdate field enables automatic rolling restarts of affected Deployments when the referenced BTP service credential Secrets are updated. See Rollout on Credential Update for details.
11.2 - CAPApplicationVersion
CAPApplicationVersion resourceThe CAPApplicationVersion has the following high-level structure:
apiVersion: sme.sap.com/v1alpha1
kind: CAPApplicationVersion
metadata:
name: cav-cap-app-v1
namespace: cap-ns
spec:
version: 3.2.1 # <-- semantic version (must be unique within the versions of a CAP application)
capApplicationInstance: cap-app
registrySecrets: # <-- image pull secrets to be used in the workloads
- regcred
workloads: # <-- define deployments and jobs used for this application version
- name: "cap-backend"
deploymentDefinition: # ...
consumedBTPServices: # ...
- name: "app-router"
deploymentDefinition: # ...
consumedBTPServices: # ...
- name: "service-content"
jobDefinition: # ...
consumedBTPServices: # ...
- name: "tenant-operation"
jobDefinition: # ...
consumedBTPServices: # ...
tenantOperations: # ... <-- (optional)
- A
CAPApplicationVersionis always associated with aCAPApplicationin the same namespace, referenced via thecapApplicationInstanceattribute. - The
workloadsarray defines the software components of the application. Examples include a deployment for the CAP application server or a job for tenant operations. Each workload must have either adeploymentDefinitionor ajobDefinition. See the next section for details. - The optional
tenantOperationsattribute defines a sequence of steps (jobs) to execute during tenant operations (provisioning, upgrade, or deprovisioning).
The
CAPApplicationVersionresource is immutable — its spec must not be modified after deployment. This is enforced by webhooks, which we recommend keeping active (the default).
Workloads with deploymentDefinition
name: cap-backend
consumedBTPServices: # <-- an array of service instance names referencing the SAP BTP services defined in the CAPApplication resource
- cap-uaa
- cap-saas-reg
deploymentDefinition:
type: CAP # <-- possible values are CAP / Router / Additional / Service
image: some.repo.example.com/cap-app/server:3.22.11 # <-- container image
env: # <-- (optional) same as in core v1 pod.spec.containers.env
- name: SAY
value: "I'm GROOT"
replicas: 3 # <-- (optional) replicas for scaling
ports:
- name: app-port
port: 4004
routerDestinationName: cap-server-url
- name: tech-port
port: 4005
monitoring:
scrapeConfig:
port: tech--port
deletionRules:
expression: scalar(sum(avg_over_time(current_sessions{job="cav-cap-app-v1-cap-backend-svc",namespace="cap-ns"}[2h]))) <= bool 5
The type of the deployment indicates how the operator handles this workload (for example, injection of destinations used by the Approuter). Valid values are:
CAPto indicate a CAP application server. Only one workload of this type is allowed.Routerto indicate a version of the Approuter. Only one workload of this type is allowed.Additionalto indicate supporting components deployed alongside the CAP application server.Serviceto indicate workloads that are tenant-agnostic.
You can define optional attributes such as replicas, env, resources, probes, securityContext, initContainers, and ports to configure the deployment.
Port configuration
You can define which ports (and how many) exposed by a deployment container are made available inside the cluster (via Services of type ClusterIP). The port definition includes a name in addition to the port number being exposed.
For deploymentDefinition types other than Router, you can specify a routerDestinationName that is used as a named destination injected into the Approuter.
The port configurations are not mandatory and can be omitted. When omitted, the operator applies the following defaults:
- For workloads of type
CAP, the default port4004is added to the Service, and a destination namedsrv-apiis added to the Approuter referencing this service port (any existingdestinationsenvironment configuration for this workload is preserved, with only theURLoverwritten). - For workloads of type
Router, port5000is exposed in the Service. This Service is used as the target for HTTP traffic reaching the application domain (domains are specified in theCAPApplicationresource).
NOTE: If multiple ports are configured for a workload of type
Router, the first port is used to target external traffic to the application domain.
Monitoring configuration
For each deployment workload in a CAPApplicationVersion, you can define:
- Deletion rules: Criteria based on metrics that, when satisfied, indicate the workload can be removed.
- Scrape configuration: Defines how metrics are scraped from the workload service.
Details of how to configure workload monitoring can be found here.
Workloads with jobDefinition
workloads:
# ... deployment workloads have been omitted in this example
- name: "content-deployer"
consumedServices: # ...
jobDefinition:
type: Content
image: some.repo.example.com/cap-app/content:1.0.1
- name: "tenant-operation"
consumedServices: # ...
jobDefinition:
type: TenantOperation
image: some.repo.example.com/cap-app/server:3.22.11
backoffLimit: 2 # <-- determines retry attempts for the job on failure (default is 6)
ttlSecondsAfterFinished: 300 # <-- the job will be cleaned up after this duration
env:
- name: CDS_ENV
value: production
- name: CDS_CONFIG
value: '{ "requires":{"cds.xt.DeploymentService":{"hdi": { "create":{ "database_id": "16e25c51-5455-4b17-a4d7-43545345345" } } } } }'
- name: "notify-upgrade"
consumedServices: # ...
jobDefinition:
type: CustomTenantOperation
image: # ...
command: ["npm", "run", "notify:upgrade"] # <-- custom entry point for the container allows reuse of a container image with multiple entry points
backoffLimit: 1
- name: "create-test-data"
consumedServices: # ...
jobDefinition:
type: CustomTenantOperation
image: # ...
command: ["npm", "run ", "deploy:testdata"]
Workloads with a jobDefinition represent a job that executes at a particular point in the lifecycle of the application or tenant. The following values are allowed for type in such workloads:
Content: A content deployer job that deploys SAP BTP service-specific content from the application version. This job runs as soon as a newCAPApplicationVersionresource is created in the cluster. Multiple workloads of this type may be defined, and the order in which they run can be specified viaContentJobs.TenantOperation: A job executed during provisioning, upgrade, or deprovisioning of a tenant (CAPTenant). These jobs are controlled by the operator and use thecds/mtxsAPIs to perform HDI content deployment by default. A workload of typeTenantOperationmust always be defined in theCAPApplicationVersionfor multi-tenant applications. Ifcds/mtxsAPIs are used,commandcan be specified to trigger tenant operations with a custom command.CustomTenantOperation: An optional job that runs before or after theTenantOperation, allowing the application to perform tenant-specific tasks (for example, creating test data).
Sequencing tenant operations
A tenant operation refers to provisioning, upgrade, or deprovisioning, which are executed in the context of a CAP application for individual tenants (using the cds/mtxs or similar modules provided by CAP). Within the workloads, two types of jobs are valid for such operations: TenantOperation and CustomTenantOperation.
The TenantOperation is mandatory for all tenant operations.
In addition, you can choose which CustomTenantOperation jobs run for a specific operation and in which order. For example, a CustomTenantOperation that deploys test data to the tenant database schema should run during provisioning but must not run during deprovisioning.
The field tenantOperations specifies which jobs run during the different tenant operations and their execution order.
spec:
workloads: # ...
tenantOperations:
provisioning:
- workloadName: "tenant-operation"
- workloadName: "create-test-data"
upgrade:
- workloadName: "notify-upgrade"
continueOnFailure: true # <-- indicates the overall operation may proceed even if this step fails
- workloadName: "tenant-operation"
- workloadName: "create-test-data"
# <-- as the deprovisioning steps are not specified, only the `TenantOperation` workload (first available) will be executed
In the example above, for each tenant operation, the valid jobs (steps) and their execution order are specified. Each step in an operation is defined with:
workloadNamerefers to the job workload executed in this operation step.continueOnFailureis valid only forCustomTenantOperationsteps and indicates whether the overall tenant operation can proceed when this step fails.
NOTE:
tenantOperationsis only required ifCustomTenantOperations are used. If not specified, each operation consists only of theTenantOperationstep (the first one found inworkloads).- A workload of type
TenantOperationmust always be present in theCAPApplicationVersion. The previous behaviour of falling back to theCAPdeployment workload when noTenantOperationjob was defined is no longer supported.- The
tenantOperationssequencing applies only to tenants provisioned (or deprovisioned) on thisCAPApplicationVersionand to tenants being upgraded to it.
Sequencing content jobs
When you create a CAPApplicationVersion, you can define multiple content jobs. The order in which these jobs run is important, as some jobs may depend on the output of others. The ContentJobs property specifies the execution order of content jobs.
spec:
workloads: # ...
tenantOperations: # ...
contentJobs:
- content-deployer-service
- content-deployer-ui
ServiceExposures Configuration
See Service Exposure page for details.
Other attributes can be configured as documented.
Port configuration
You can define which ports (and how many) exposed by a deployment container are made available inside the cluster (via Services of type ClusterIP). The port definition includes a name in addition to the port number being exposed.
For service-only workloads, the routerDestinationName is not relevant.
The port configurations are mandatory and cannot be omitted.
Full Example
apiVersion: sme.sap.com/v1alpha1
kind: CAPApplicationVersion
metadata:
name: cav-cap-app-v1
namespace: cap-ns
spec:
version: 3.2.1
capApplicationInstance: cap-app
registrySecrets:
- regcred
workloads:
- name: cap-backend
consumedBTPServices:
- cap-uaa
- cap-service-manager
- cap-saas-reg
deploymentDefinition:
type: CAP
image: some.repo.example.com/cap-app/server:3.22.11
env:
- name: CDS_ENV
value: production
- name: CDS_CONFIG
value: '{ "requires":{"cds.xt.DeploymentService":{"hdi": { "create":{ "database_id": "16e25c51-5455-4b17-a4d7-43545345345" } } } } }'
replicas: 3
ports:
- name: app-port
port: 4004
routerDestinationName: cap-server-url
- name: tech-port
port: 4005
appProtocol: grpc
monitoring:
scrapeConfig:
port: tech--port
deletionRules:
expression: scalar(sum(avg_over_time(current_sessions{job="cav-cap-app-v1-cap-backend-svc",namespace="cap-ns"}[2h]))) <= bool 5
livenessProbe:
failureThreshold: 3
httpGet:
path: /
port: 4005
initialDelaySeconds: 20
periodSeconds: 10
timeoutSeconds: 2
readinessProbe:
failureThreshold: 3
httpGet:
path: /
port: 4005
initialDelaySeconds: 20
periodSeconds: 10
timeoutSeconds: 2
resources:
limits:
cpu: 200m
memory: 500Mi
requests:
cpu: 20m
memory: 50Mi
securityContext:
runAsUser: 1000
runAsGroup: 2000
- name: "app-router"
consumedBTPServices:
- cap-uaa
- cap-saas-reg
- cap-html5-repo-rt
deploymentDefinition:
type: Router
image: some.repo.example.com/cap-app/router:4.0.1
env:
- name: PORT
value: "3000"
ports:
- name: router-port
port: 3000
livenessProbe:
failureThreshold: 3
httpGet:
path: /
port: 3000
initialDelaySeconds: 20
periodSeconds: 10
timeoutSeconds: 2
readinessProbe:
failureThreshold: 3
httpGet:
path: /
port: 3000
initialDelaySeconds: 20
periodSeconds: 10
timeoutSeconds: 2
resources:
limits:
cpu: 200m
memory: 500Mi
requests:
cpu: 20m
memory: 50Mi
podSecurityContext:
runAsUser: 2000
fsGroup: 2000
- name: "service-content"
consumedServices:
- cap-uaa
- cap-portal
- cap-html5-repo-host
jobDefinition:
type: Content
image: some.repo.example.com/cap-app/content:1.0.1
securityContext:
runAsUser: 1000
runAsGroup: 2000
- name: "ui-content"
consumedServices:
- cap-uaa
- cap-portal
- cap-html5-repo-host
jobDefinition:
type: Content
image: some.repo.example.com/cap-app/ui-content:1.0.1
securityContext:
runAsUser: 1000
runAsGroup: 2000
- name: "tenant-operation"
consumedServices: # ...
jobDefinition:
type: TenantOperation
image: some.repo.example.com/cap-app/server:3.22.11
backoffLimit: 2
ttlSecondsAfterFinished: 300
env:
- name: CDS_ENV
value: production
- name: CDS_CONFIG
value: '{ "requires":{"cds.xt.DeploymentService":{"hdi": { "create":{ "database_id": "16e25c51-5455-4b17-a4d7-43545345345" } } } } }'
- name: "notify-upgrade"
consumedServices: []
jobDefinition:
type: CustomTenantOperation
image: some.repo.example.com/cap-app/server:3.22.11
command: ["npm", "run", "notify:upgrade"]
backoffLimit: 1
- name: "create-test-data"
consumedServices:
- cap-service-manager
jobDefinition:
type: CustomTenantOperation
image: some.repo.example.com/cap-app/server:3.22.11
command: ["npm", "run ", "deploy:testdata"]
tenantOperations:
provisioning:
- workloadName: "tenant-operation"
- workloadName: "create-test-data"
upgrade:
- workloadName: "notify-upgrade"
continueOnFailure: true
- workloadName: "tenant-operation"
- workloadName: "create-test-data"
contentJobs:
- service-content
- ui-content
NOTE: The CAP Operator workloads support several configurations (drawn from the Kubernetes API), which can be found in the API reference:
- Common API reference for generic container configuration
- Deployment API reference for deployment-specific configuration
- Job API reference for job-specific configuration
The supported configurations are intentionally kept minimal to keep the overall API simple, covering only the most commonly used options.
Note:
initContainershave access to nearly the same environment variables as the main container, including theVCAP_SERVICESenvironment variable.
11.3 - CAPTenant
CAPTenant resourceThe CAPTenant resource is completely managed by CAP Operator and must not be created or modified manually. For details of how CAPTenant is created, see tenant subscription.
The CAPTenant resource indicates the existence of a tenant in the related application (or one that is currently being provisioned). The resource starts with a Provisioning state and moves to Ready when successfully provisioned. Managing tenants as Kubernetes resources allows you to control not only the lifecycle of the entity, but also other requirements that must be fulfilled for the application to serve tenant-specific requests (for example, creating networking resources).
apiVersion: sme.sap.com/v1alpha1
kind: CAPTenant
metadata:
name: cap-app-consumer-ge455
namespace: cap-ns
spec:
capApplicationInstance: cap-app
subDomain: consumer-x
tenantId: cb46733-1279-48be-fdf434-aa2bae55d7b5
version: "1"
versionUpgradeStrategy: always
The specification contains attributes relevant to SAP BTP that identify a tenant, such as tenantId and subDomain.
The version field corresponds to the CAPApplicationVersion on which the tenant is provisioned or to which it was upgraded. When a newer CAPApplicationVersion is available, the operator automatically increments the tenant version, which triggers the upgrade process. The versionUpgradeStrategy defaults to always, but can be set to never in exceptional cases to prevent automatic upgrades of the tenant.
11.4 - CAPTenantOperation
CAPTenantOperation resourceThe CAPTenantOperation resource is managed by CAP Operator and must not be created or modified manually. It is created by the CAPTenant to execute provisioning, deprovisioning, or upgrade operations.
apiVersion: sme.sap.com/v1alpha1
kind: CAPTenantOperation
metadata:
name: cap-app-consumer-ge455-77kb9
namespace: cap-ns
spec:
capApplicationVersionInstance: cav-cap-app-v2
operation: upgrade
steps:
- continueOnFailure: true
name: tenant-operation
type: CustomTenantOperation
- name: tenant-operation
type: TenantOperation
- name: create-test-data
type: CustomTenantOperation
subDomain: consumer-x
tenantId: cb46733-1279-48be-fdf434-aa2bae55d7b5
The example above shows a CAPTenantOperation for an upgrade operation. In addition to tenant details, it specifies the CAPApplicationVersion to use. For upgrade and provisioning operations, this is the target version; for deprovisioning, it is the tenant’s current version.
The operation executes a series of steps (jobs) specified in or derived from the CAPApplicationVersion. Each step refers to a workload of type TenantOperation or CustomTenantOperation. When CAP Operator creates a CAPTenantOperation, at least one step of type TenantOperation must be present (this is the job that performs the database schema update using CAP-provided modules).
CustomTenantOperation jobs are hooks that the application can execute before or after the TenantOperation. To help applications identify the execution context, each job receives the following environment variables:
CAPOP_APP_VERSION: The semantic version from the relevantCAPApplicationVersionCAPOP_TENANT_ID: The tenant identifierCAPOP_TENANT_OPERATION: The operation type —provisioning,deprovisioning, orupgradeCAPOP_TENANT_SUBDOMAIN: The subdomain (from the subaccount) of the tenantCAPOP_TENANT_TYPE: The tenant type —providerorconsumerCAPOP_APP_NAME: The BTP app name from the correspondingCAPApplicationCAPOP_GLOBAL_ACCOUNT_ID: The global account identifier from the correspondingCAPApplication(Deprecated: Will be removed soon).CAPOP_PROVIDER_SUBACCOUNT_ID: The provider subaccount identifier from the correspondingCAPApplicationCAPOP_PROVIDER_TENANT_ID: The provider tenant identifier (if it exists) from the correspondingCAPApplication(Deprecated: Will be removed soon).CAPOP_PROVIDER_SUBDOMAIN: The provider tenant subdomain (if it exists) from the correspondingCAPApplication(Deprecated: Will be removed soon).
All of the above environment variables are also available on the corresponding initContainers, along with relevant VCAP_SERVICES credentials.
11.5 - CAPTenantOutput
CAPTenantOutput resourceCAPTenantOutput can be used to add additional data to the asynchronous callback parameters sent by the SaaS Provisioning service during tenant onboarding. The resource is not reconciled; it is consumed by the subscription server to generate additional callback data. It has the following structure:
apiVersion: sme.sap.com/v1alpha1
kind: CAPTenantOutput
metadata:
name: cap-app-consumer-output
namespace: cap-ns
labels:
sme.sap.com/btp-tenant-id: cb46733-1279-48be-fdf434-aa2bae55d7b5
spec:
subscriptionCallbackData: '{foo: bar}'
The example above shows a resource associated with a tenant via the sme.sap.com/btp-tenant-id label, which must be set by consumers.
This resource is intended to be created or updated during tenant operations, such as those triggered during tenant onboarding. Its primary purpose is to enhance the parameters of the subscription callback during tenant onboarding, though it may be used for additional scenarios in the future.
Any RBAC changes required to create or modify this resource (for example, in a custom tenant operation) must be handled by consumers and assigned to the relevant job via the serviceAccountName configuration for that workload.
All instances of this resource for a given tenant are cleaned up before any CAPTenantOperation is created.
11.6 - Domain
Domain resourceA Domain resource is namespace-scoped. All sub-resources — Gateway, DNSEntry, and (with Gardener certificate manager) the Certificate — are created in the same namespace as the Domain.
apiVersion: sme.sap.com/v1alpha1
kind: Domain
metadata:
namespace: cap-app-01
name: cap-app-01-primary
spec:
domain: my.cluster.shoot.url.k8s.example.com
ingressSelector:
app: istio-ingressgateway
istio: ingressgateway
tlsMode: Simple # Simple (default), Mutual, or OptionalMutual
dnsMode: Wildcard # None (default), Wildcard, Subdomain, or Custom
dnsTarget: public-ingress.cluster.domain # Optional
certConfig: # Optional; only relevant when tlsMode is Mutual or OptionalMutual
additionalCACertificate: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Fields
domain — the DNS domain name. The TLS certificate is issued for the wildcard *.domain.
ingressSelector — label selector used to locate the Istio Ingress Gateway pods. The operator discovers the gateway’s namespace and load balancer service from these pods, and applies the selector to the Istio Gateway resource.
tlsMode — TLS mode for the Istio Gateway:
Simple(default) — server-side TLS only.Mutual— mutual TLS; client certificate required.OptionalMutual— mutual TLS; client certificate optional.
dnsMode — controls DNS entry creation (Gardener external-dns-management only; ignored otherwise):
None(default) — no DNS entries created.Wildcard— creates a single*.domainentry pointing todnsTarget.Subdomain— creates<subdomain>.domainentries for each subdomain observed across referencing applications.Custom— creates entries defined bydnsTemplates; each template has anameandtargetfield rendered as Go templates. Available variables:{{.domain}},{{.dnsTarget}},{{.subDomain}}. See Custom DNS Templates for details.
dnsTarget (optional) — the load balancer hostname or IP address to use as the DNS target. Resolved in order: explicit dnsTarget field → DNS_TARGET environment variable → load balancer service annotation on the Istio Ingress Gateway service.
certConfig.additionalCACertificate (optional) — PEM-encoded CA certificate Istio uses to verify client certificates when tlsMode is Mutual or OptionalMutual. See Configuring Additional CA Certificates for details.
Created resources
Sub-resources are mainly created in the Domain namespace:
- Istio
Gateway— always created. DNSEntry— Gardener DNS manager only.Certificate(Gardener cert-manager) — the certificate’ssecretRefpoints to the Istio Ingress Gateway namespace, which supports cross-namespace secret references.Certificate(cert-manager) — created in the Istio Ingress Gateway namespace; cert-manager does not support cross-namespace secret references.- CA certificate
Secret— created in the Istio Ingress Gateway namespace; only whencertConfig.additionalCACertificateis set.
11.7 - ClusterDomain
ClusterDomain resourceA ClusterDomain resource is cluster-scoped and intended for domains shared across multiple applications or namespaces. All sub-resources — Gateway, DNSEntry, and (with Gardener certificate manager) the Certificate — are created in the namespace where CAP Operator is installed.
apiVersion: sme.sap.com/v1alpha1
kind: ClusterDomain
metadata:
name: common-external-domain
spec:
domain: my.example.com
ingressSelector:
app: istio-ingressgateway
istio: ingressgateway
tlsMode: Simple # Simple (default), Mutual, or OptionalMutual
dnsMode: Subdomain # None (default), Wildcard, Subdomain, or Custom
dnsTarget: public-ingress.cluster.domain # Optional
certConfig: # Optional; only relevant when tlsMode is Mutual or OptionalMutual
additionalCACertificate: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Fields
domain — the DNS domain name. The TLS certificate is issued for the wildcard *.domain.
ingressSelector — label selector used to locate the Istio Ingress Gateway pods. The operator discovers the gateway’s namespace and load balancer service from these pods, and applies the selector to the Istio Gateway resource.
tlsMode — TLS mode for the Istio Gateway:
Simple(default) — server-side TLS only.Mutual— mutual TLS; client certificate required.OptionalMutual— mutual TLS; client certificate optional.
dnsMode — controls DNS entry creation (Gardener external-dns-management only; ignored otherwise):
None(default) — no DNS entries created.Wildcard— creates a single*.domainentry pointing todnsTarget.Subdomain— creates<subdomain>.domainentries for each subdomain observed across referencing applications.Custom— creates entries defined bydnsTemplates; each template has anameandtargetfield rendered as Go templates. Available variables:{{.domain}},{{.dnsTarget}},{{.subDomain}}. See Custom DNS Templates for details.
dnsTarget (optional) — the load balancer hostname or IP address to use as the DNS target. Resolved in order: explicit dnsTarget field → DNS_TARGET environment variable → load balancer service annotation on the Istio Ingress Gateway service.
certConfig.additionalCACertificate (optional) — PEM-encoded CA certificate Istio uses to verify client certificates when tlsMode is Mutual or OptionalMutual. See Configuring Additional CA Certificates for details.
Created resources
Sub-resources are mainly created in the CAP Operator namespace:
- Istio
Gateway— always created. DNSEntry— Gardener DNS manager only.Certificate(Gardener cert-manager) — the certificate’ssecretRefpoints to the Istio Ingress Gateway namespace, which supports cross-namespace secret references.Certificate(cert-manager) — created in the Istio Ingress Gateway namespace; cert-manager does not support cross-namespace secret references.- CA certificate
Secret— created in the Istio Ingress Gateway namespace; only whencertConfig.additionalCACertificateis set.