The globalAccountId field in the CAPApplication spec is deprecated and will be removed in a future release. Update your CAPApplication resources to use providerSubaccountId instead.
CAP Operator manages networking for CAP applications through Domain and ClusterDomain resources. These resources control TLS handling, ingress routing, and DNS setup for your application’s domains. A CAPApplication references them via domainRefs.
Use a Domain resource for a domain that belongs to a specific application namespace. The operator creates the Gateway and DNSEntry in that namespace. The Certificate placement depends on the certificate manager in use — see the Domain resource reference for details.
apiVersion: sme.sap.com/v1alpha1
kind: Domain
metadata:
  namespace: cap-app-01
  name: cap-app-01-primary
spec:
  domain: my.cluster.shoot.url.k8s.example.com
  ingressSelector:
    app: istio-ingressgateway
    istio: ingressgateway
  tlsMode: Simple # Simple (default), Mutual, or OptionalMutual
  dnsMode: Wildcard # None (default), Wildcard, Subdomain, or Custom
The dnsTarget field is optional. If omitted, the target is derived from the Istio Ingress Gateway selected by ingressSelector.
Use a ClusterDomain resource for a domain shared across multiple applications or namespaces. The operator creates the Gateway and DNSEntry in the CAP Operator installation namespace. The Certificate placement depends on the certificate manager in use — see the ClusterDomain resource reference for details.
apiVersion: sme.sap.com/v1alpha1
kind: ClusterDomain
metadata:
  name: common-external-domain
spec:
  domain: my.example.com
  ingressSelector:
    app: istio-ingressgateway
    istio: ingressgateway
  tlsMode: Simple # Simple (default) or Mutual
  dnsMode: Subdomain # None (default), Wildcard, Subdomain, or Custom
When X509 client authentication is required (tlsMode: Mutual or OptionalMutual), provide additional CA certificates for Istio to verify client certificates via certConfig.additionalCACertificate.
Once your Domain and ClusterDomain resources are defined, reference them in the CAPApplication spec using domainRefs:
apiVersion: sme.sap.com/v1alpha1
kind: CAPApplication
metadata:
  name: cap-app-01
  namespace: cap-app-01
spec:
  domainRefs:
    - kind: Domain
      name: cap-app-01-primary # Namespaced Domain resource
    - kind: ClusterDomain
      name: common-external-domain # Shared ClusterDomain resource
The first entry in domainRefs is treated as the primary domain. You can mix Domain and ClusterDomain references in the same application.
domains section
Earlier versions of CAP Operator used an inline domains section directly in CAPApplication. This section is deprecated and no longer supported. If you are still using it, migrate to domainRefs as described below.
domains section:
apiVersion: sme.sap.com/v1alpha1
kind: CAPApplication
metadata:
  name: cap-app-01
  namespace: cap-app-01
spec:
  domains:
    istioIngressGatewayLabels:
      - name: app
        value: istio-ingressgateway
      - name: istio
        value: ingressgateway
    primary: my.cluster.shoot.url.k8s.example.com
    secondary:
      - my.example.com
domainRefs with explicit resources:
Create the Domain and ClusterDomain resources manually (see sections above), then update your CAPApplication to use domainRefs.
A mutation webhook ensures consistency: if a CAPApplication is submitted with a domains section, the webhook converts it to Domain/ClusterDomain resources and populates domainRefs automatically.
The webhook rejects updates that reintroduce the deprecated domains section: if you add or modify the domains section in your manifest, it rejects the change with an error message instructing you to use domainRefs instead.
The automatic migration routine was available from v0.15.0 through v0.25.0 and has been removed as of v0.26.0. If you need this migration, first upgrade to v0.25.0 (or lower), allow the migration to complete, and then upgrade to the latest release.
Upgrading to CAP Operator v0.15.0 through v0.25.0 triggered an automatic migration routine that:
- CAPApplication resources.
- domains.
- Domain or ClusterDomain resources.
- CAPApplication resources to use domainRefs.
After migrating, confirm the resources are in the expected state:
kubectl get capapplication -n <your-app-namespace> <your-ca-name> -o yaml
Ensure that:
- domains section is absent.
- domainRefs entries are present.
- Domain or ClusterDomain resources exist in the cluster.
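The checklist above can also be run offline against exported objects. The following is an added example, not code from the CAP Operator project; it additionally flags referenced domains that use Mutual or OptionalMutual without certConfig.additionalCACertificate. It assumes Domain references resolve in the CAPApplication's namespace and that certConfig sits directly under spec; the function name and sample objects are constructed for illustration.

```python
# Added example (not CAP Operator code). Objects are constructed samples shaped
# like `kubectl get <kind> -o json` output.
MTLS_MODES = {"Mutual", "OptionalMutual"}

def check_migration(cap_app, domains, cluster_domains):
    """Return findings; an empty list means the expected post-migration state."""
    findings = []
    spec = cap_app.get("spec", {})
    ns = cap_app["metadata"]["namespace"]
    if "domains" in spec:
        findings.append("deprecated spec.domains section is still present")
    refs = spec.get("domainRefs") or []
    if not refs:
        findings.append("spec.domainRefs is missing or empty")
    # Assumption: Domain refs resolve in the CAPApplication's namespace;
    # ClusterDomain is cluster-scoped and matched by name only.
    index = {("Domain", d["metadata"].get("namespace"), d["metadata"]["name"]): d
             for d in domains}
    index.update({("ClusterDomain", None, c["metadata"]["name"]): c
                  for c in cluster_domains})
    for ref in refs:
        kind, name = ref.get("kind"), ref.get("name")
        if kind not in ("Domain", "ClusterDomain"):
            findings.append(f"unexpected domainRefs kind: {kind!r}")
            continue
        obj = index.get((kind, ns if kind == "Domain" else None, name))
        if obj is None:
            findings.append(f"{kind} {name} not found")
            continue
        # Assumption: tlsMode and certConfig sit directly under spec.
        dspec = obj.get("spec", {})
        if dspec.get("tlsMode") in MTLS_MODES and not dspec.get(
                "certConfig", {}).get("additionalCACertificate"):
            findings.append(f"{kind} {name}: {dspec['tlsMode']} without additional CA")
    return findings

APP = {"metadata": {"name": "cap-app-01", "namespace": "cap-app-01"},
       "spec": {"domainRefs": [{"kind": "Domain", "name": "cap-app-01-primary"},
                               {"kind": "ClusterDomain", "name": "common-external-domain"}]}}
LEGACY = {"metadata": APP["metadata"],
          "spec": {"domains": {"primary": "my.cluster.shoot.url.k8s.example.com"}}}
DOMAINS = [{"metadata": {"namespace": "cap-app-01", "name": "cap-app-01-primary"},
            "spec": {"tlsMode": "Simple"}}]
CLUSTER_DOMAINS = [{"metadata": {"name": "common-external-domain"},
                    "spec": {"tlsMode": "Mutual"}}]

if __name__ == "__main__":
    for label, app in (("current", APP), ("legacy", LEGACY)):
        print(label, check_migration(app, DOMAINS, CLUSTER_DOMAINS) or "OK")
```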