The globalAccountId field in the CAPApplication spec is deprecated and will be removed in a future release. Update your CAPApplication resources to use providerSubaccountId instead.
ClusterDomain
ClusterDomain resource
A ClusterDomain resource is cluster-scoped and intended for domains shared across multiple applications or namespaces. All sub-resources — Gateway, DNSEntry, and (with Gardener certificate manager) the Certificate — are created in the namespace where CAP Operator is installed.
apiVersion: sme.sap.com/v1alpha1
kind: ClusterDomain
metadata:
  name: common-external-domain
spec:
  domain: my.example.com
  ingressSelector:
    app: istio-ingressgateway
    istio: ingressgateway
  tlsMode: Simple # Simple (default), Mutual, or OptionalMutual
  dnsMode: Subdomain # None (default), Wildcard, Subdomain, or Custom
  dnsTarget: public-ingress.cluster.domain # Optional
  certConfig: # Optional; only relevant when tlsMode is Mutual or OptionalMutual
    additionalCACertificate: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
Fields
domain — the DNS domain name. The TLS certificate is issued for the wildcard *.domain.
ingressSelector — label selector used to locate the Istio Ingress Gateway pods. The operator discovers the gateway’s namespace and load balancer service from these pods, and applies the selector to the Istio Gateway resource.
tlsMode — TLS mode for the Istio Gateway:
- Simple (default) — server-side TLS only.
- Mutual — mutual TLS; client certificate required.
- OptionalMutual — mutual TLS; client certificate optional.
dnsMode — controls DNS entry creation (Gardener external-dns-management only; ignored otherwise):
- None (default) — no DNS entries created.
- Wildcard — creates a single *.domain entry pointing to dnsTarget.
- Subdomain — creates <subdomain>.domain entries for each subdomain observed across referencing applications.
- Custom — creates entries defined by dnsTemplates; each template has a name and target field rendered as Go templates. Available variables: {{.domain}}, {{.dnsTarget}}, {{.subDomain}}. See Custom DNS Templates for details.
dnsTarget (optional) — the load balancer hostname or IP address to use as the DNS target. Resolved in order: explicit dnsTarget field → DNS_TARGET environment variable → load balancer service annotation on the Istio Ingress Gateway service.
certConfig.additionalCACertificate (optional) — PEM-encoded CA certificate Istio uses to verify client certificates when tlsMode is Mutual or OptionalMutual. See Configuring Additional CA Certificates for details.
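The dnsTarget resolution order and the Custom dnsTemplates rendering described above, as an added Go example for previewing which DNS records a spec would produce; it is not CAP Operator's own code. It assumes each template is rendered once per observed subdomain and that unknown variables should be rejected (missingkey=error is this example's choice); DNSTemplate, resolveTarget, render and previewEntries are hypothetical names, the ingress service value is passed in rather than looked up, and all hostnames are constructed.

```go
package main

import (
	"fmt"
	"os"
	"strings"
	"text/template"
)

type DNSTemplate struct{ Name, Target string } // one dnsTemplates item
// resolveTarget applies the documented order; lbValue stands in for the service lookup.
func resolveTarget(specTarget, lbValue string) string {
	for _, c := range []string{specTarget, os.Getenv("DNS_TARGET"), lbValue} {
		if strings.TrimSpace(c) != "" {
			return c
		}
	}
	return ""
}

// render fails on variables outside the documented set instead of emitting "".
func render(text string, vars map[string]string) (string, error) {
	var b strings.Builder
	t, err := template.New("dns").Option("missingkey=error").Parse(text)
	if err == nil {
		err = t.Execute(&b, vars)
	}
	return b.String(), err
}

// previewEntries renders name and target in one pass, once per subdomain (an assumption).
func previewEntries(domain, target string, subs []string, tpls []DNSTemplate) ([]string, error) {
	var out []string
	for _, sub := range subs {
		vars := map[string]string{"domain": domain, "dnsTarget": target, "subDomain": sub}
		for _, tpl := range tpls {
			entry, err := render(tpl.Name+" -> "+tpl.Target, vars)
			if err != nil {
				return nil, fmt.Errorf("template %q: %w", tpl.Name, err)
			}
			out = append(out, entry)
		}
	}
	return out, nil
}

func main() { // constructed sample values
	tpls := []DNSTemplate{{"{{.subDomain}}.{{.domain}}", "{{.dnsTarget}}"}}
	fmt.Println(previewEntries("my.example.com", resolveTarget("", "lb.constructed.example"), []string{"tenant-a"}, tpls))
}
```

A misspelled variable such as {{.subdomain}} returns an error here, which makes a template typo visible before any record is published.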
Created resources
Sub-resources are mainly created in the CAP Operator namespace:
- Istio Gateway — always created.
- DNSEntry — Gardener DNS manager only.
- Certificate (Gardener cert-manager) — the certificate’s secretRef points to the Istio Ingress Gateway namespace, which supports cross-namespace secret references.
- Certificate (cert-manager) — created in the Istio Ingress Gateway namespace; cert-manager does not support cross-namespace secret references.
- CA certificate Secret — created in the Istio Ingress Gateway namespace; only when certConfig.additionalCACertificate is set.