This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Installation

How to install CAP Operator in a Kubernetes cluster

1: Prerequisites
2: Using Helm

2.1: Helm Values

3: Using CAP Operator Manager

This page provides an overview of available methods to install CAP Operator on a Kubernetes cluster.

1 - Prerequisites

How to prepare the cluster before installing CAP Operator

We recommend that you use a “Gardener” managed cluster to deploy CAP applications that are managed with CAP Operator.

The Kubernetes cluster must be set up with the following prerequisites before you install CAP Operator:

Istio (version >= 1.22)

Istio service mesh is used for HTTP traffic management. CAP Operator creates Istio resources to manage incoming HTTP requests to the application as well as to route requests on specific (tenant) subdomains.

It’s required that you determine the public ingress Gateway subdomain and the overall shoot domain for the system and specify them in the chart values. See here for an example.

Note: Istio promoted many of its APIs to v1 in 1.22 release. Hence as of CAP Operator release v0.11.0 istio version >= 1.22 is a prerequisite.

sap-btp-service-operator or cf-service-operator

These operators can be used for managing SAP BTP service instances and service bindings from within the Kubernetes cluster.

If some SAP BTP services are not available for Kubernetes platforms, you may use cf-service-operator, which creates the services for a Cloud Foundry space and inserts the required access credentials as Secrets into the Kubernetes cluster.

Please note that service credentials added as Kubernetes Secrets to a namespace by these operators, support additional metadata. If you don’t use this feature of these operators, use secretKey: credentials in the spec of these operators to ensure that the service credentials retain any JSON data as it is. We recommend that you use secretKey, even when credential metadata is available to reduce the overhead of interpreting parsing multiple JSON attributes.

“Gardener” certificate management

This component is available in clusters managed by “Gardener” and will be used to manage TLS certificates and issuers. “Gardener” manages encryption, issuing, and signing of certificates. Alternatively, you can use cert-manager.io cert-manager.

2 - Using Helm

How to deploy with Helm charts

To install CAP operator components, we recommend using the Helm chart that is published as an OCI package at oci://ghcr.io/sap/cap-operator-lifecycle/helm/cap-operator.

Installation

Create a namespace and install the Helm chart in that namespace by specifying the domain and the dnsTarget for your subscription server, either

As command line parameters:

kubectl create namespace cap-operator-system
helm upgrade -i -n cap-operator-system cap-operator oci://ghcr.io/sap/cap-operator-lifecycle/helm/cap-operator --set subscriptionServer.domain=cap-operator.<CLUSTER-DOMAIN> --set subscriptionServer.dnsTarget=public-ingress.<CLUSTER-DOMAIN>

Or as a `YAML` file with the values:

kubectl create namespace cap-operator-system
helm upgrade -i -n cap-operator-system cap-operator oci://ghcr.io/sap/cap-operator-lifecycle/helm/cap-operator -f my-cap-operator-values.yaml

In this example, the provided values file, my-cap-operator-values.yaml, can have the following content:

subscriptionServer:
  dnsTarget: public-ingress.<CLUSTER-DOMAIN>
  domain: cap-operator.<CLUSTER-DOMAIN>

Optional steps

Enable Service Monitors for metrics emitted by controller and subscription server
To enable Monitoring via metrics emitted by CAP Operator components, the following value can be specified:
```
monitoring:
  enabled: true # <-- This enables creation of service monitors, for metrics emitted by the cap operator components
```
Detailed operational metrics for the controller can be enabled with the following config:
```
controller:
    detailedOperationalMetrics: true
```
Setup Prometheus Integration for Version Monitoring
To use the Version Monitoring feature of the CAP Operator, a Prometheus server URL can be provided to the CAP Operator. When installing the CAP Operator using the Helm chart, the following values can be specified in the values:
```
controller:
  versionMonitoring:
    prometheusAddress: "http://prometheus-operated.monitoring.svc.cluster.local:9090" # <-- example of a Prometheus server running inside the same cluster
    promClientAcquireRetryDelay: "2h"
    metricsEvaluationInterval: "30m" # <-- duration after which version metrics are evaluated
```
When the controller is started, the operator will try to connect to the Prometheus server and fetch runtime information to verify the connection. If the connection is not successful, it will be retried after the duration specified as controller.versionMonitoring.promClientAcquireRetryDelay. Check default values for these attributes here.
Note
- When connecting the controller to a Prometheus server running inside the cluster, please ensure that NetworkPolicies required for connecting to the service in the namespace where Prometheus is running are also created.
- If the Prometheus service is configured to use TLS, the relevant CA root certificates which need to be trusted can be mounted as volumes to the controller.

2.1 - Helm Values

Discover all values supported by the latest CAP Operator helm chart

image:
  # -- Default image tag (can be overwritten on component level)
  tag: ""
  # -- Default image pull policy (can be overwritten on component level)
  pullPolicy: ""
# -- Default image pull secrets (can be overwritten on component level)
imagePullSecrets: []
# -- Default pod security content (can be overwritten on component level)
podSecurityContext: {}
# -- Default node selector (can be overwritten on component level)
nodeSelector: {}
# -- Default affinity settings (can be overwritten on component level)
affinity: {}
# -- Default tolerations (can be overwritten on component level)
tolerations: []
# -- Default priority class (can be overwritten on component level)
priorityClassName: ""
# -- Default topology spread constraints (can be overwritten on component level)
topologySpreadConstraints: []
# -- Additional pod labels for all components
podLabels: {}
# -- Additional pod annotations for all components
podAnnotations: {}
# -- Monitoring configuration for all components
monitoring:
  # -- Optionally enable Prometheus monitoring for all components (disabled by default)
  enabled: false
  # -- Prometheus service monitor selector labels
  serviceMonitorSelectorLabels: {}
  # -- Grafana configuration
  grafana:
    dashboard:
      # -- Labels for selecting ConfigMaps with dashboards in Grafana
      configMapLabels:
        grafana_dashboard: "1"

controller:
  # -- Replicas
  replicas: 1
  image:
    # -- Image repository
    repository: ghcr.io/sap/cap-operator/controller
    # -- Image tag
    tag: ""
    # -- Image pull policy
    pullPolicy: ""
  # -- Image pull secrets
  imagePullSecrets: []
  # -- Additional labels for controller pods
  podLabels: {}
  # -- Additional annotations for controller pods
  podAnnotations: {}
  # -- Pod security content
  podSecurityContext: {}
  # -- Node selector
  nodeSelector: {}
  # -- Affinity settings
  affinity: {}
  # -- Tolerations
  tolerations: []
  # -- Priority class
  priorityClassName: ""
  # -- Topology spread constraints
  topologySpreadConstraints: []
  # -- Security context
  securityContext: {}
  resources:
    limits:
      # -- Memory limit
      memory: 500Mi
      # -- CPU limit
      cpu: 0.2
    requests:
      # -- Memory request
      memory: 50Mi
      # -- CPU request
      cpu: 0.02
  # -- Optionally specify list of additional volumes for the controller pod(s)
  volumes: []
  # -- Optionally specify list of additional volumeMounts for the controller container(s)
  volumeMounts: []
  # -- The dns target mentioned on the public ingress gateway service used in the cluster
  dnsTarget: ""
  # -- Optionally enable detailed opertational metrics for the controller by setting this to true
  detailedOperationalMetrics: false
  versionMonitoring:
    # -- The URL of the Prometheus server from which metrics related to managed application versions can be queried
    prometheusAddress: ""
    # -- The duration (example 2h) after which versions are evaluated for deletion; based on specified workload metrics
    metricsEvaluationInterval: "1h"
    # -- The duration (example 10m) to wait before retrying to acquire Prometheus client and verify connection, after a failed attempt
    promClientAcquireRetryDelay: "1h"

subscriptionServer:
  # -- Replicas
  replicas: 1
  image:
    # -- Image repository
    repository: ghcr.io/sap/cap-operator/server
    # -- Image tag
    tag: ""
    # -- Image pull policy
    pullPolicy: ""
  # -- Image pull secrets
  imagePullSecrets: []
  # -- Additional labels for subscription server pods
  podLabels: {}
  # -- Additional annotations for subscription server pods
  podAnnotations: {}
  # -- Pod security content
  podSecurityContext: {}
  # -- Node selector
  nodeSelector: {}
  # -- Affinity settings
  affinity: {}
  # -- Tolerations
  tolerations: []
  # -- Priority class
  priorityClassName: ""
  # -- Topology spread constraints
  topologySpreadConstraints: []
  # -- Security context
  securityContext: {}
  resources:
    limits:
      # -- Memory limit
      memory: 200Mi
      # -- CPU limit
      cpu: 0.1
    requests:
      # -- Memory request
      memory: 20Mi
      # -- CPU request
      cpu: 0.01
  # -- Optionally specify list of additional volumes for the server pod(s)
  volumes: []
  # -- Optionally specify list of additional volumeMounts for the server container(s)
  volumeMounts: []
  # -- Service port
  port: 4000
  # -- The namespace in the cluster where istio system components are installed
  istioSystemNamespace: istio-system
  # -- Labels used to identify the istio ingress-gateway component
  ingressGatewayLabels:
    istio: ingressgateway
    app: istio-ingressgateway
  # -- The dns target mentioned on the public ingress gateway service used in the cluster
  dnsTarget: public-ingress.clusters.cs.services.sap # replace with the actual cluster domain
  # -- The domain under which the cap operator subscription server would be available
  domain: cap-operator.clusters.cs.services.sap # replace with actual cluster domain
  # -- Certificate manager which can be either `Gardener` or `CertManager`
  certificateManager: Gardener
  # -- Certificate configuration
  # @default -- the `additionalCACertificate` part will contain the "SAP Cloud Root CA" certificate by default
  certificateConfig:
    # -- Optionally specify the corresponding certificate configuration
    gardener:
      # -- Issuer name
      issuerName: ""
      # -- Issuer namespace
      issuerNamespace: ""
    # -- Cert Manager configuration
    certManager:
      # -- Issuer group
      issuerGroup: ""
      # -- Issuer kind
      issuerKind: ""
      # -- Issuer name
      issuerName: ""
    # -- Optionally specify additional CA Certificate
    # @default -- this will contain the "SAP Cloud Root CA" certificate by default
    additionalCACertificate: |
      -----BEGIN CERTIFICATE-----
      MIIFZjCCA06gAwIBAgIQGHcPvmUGa79M6pM42bGFYjANBgkqhkiG9w0BAQsFADBN
      MQswCQYDVQQGEwJERTERMA8GA1UEBwwIV2FsbGRvcmYxDzANBgNVBAoMBlNBUCBT
      RTEaMBgGA1UEAwwRU0FQIENsb3VkIFJvb3QgQ0EwHhcNMTkwMjEzMTExOTM2WhcN
      MzkwMjEzMTEyNjMyWjBNMQswCQYDVQQGEwJERTERMA8GA1UEBwwIV2FsbGRvcmYx
      DzANBgNVBAoMBlNBUCBTRTEaMBgGA1UEAwwRU0FQIENsb3VkIFJvb3QgQ0EwggIi
      MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQChbHLXJoe/zFag6fB3IcN3d3HT
      Y14nSkEZIuUzYs7B96GFxQi0T/2s971JFiLfB4KaCG+UcG3dLXf1H/wewq8ahArh
      FTsu4UR71ePUQiYlk/G68EFSy2zWYAJliXJS5k0DFMIWHD1lbSjCF3gPVJSUKf+v
      HmWD5e9vcuiPBlSCaEnSeimYRhg0ITmi3RJ4Wu7H0Xp7tDd5z4HUKuyi9XRinfvG
      kPALiBaX01QRC51cixmo0rhVe7qsNh7WDnLNBZeA0kkxNhLKDl8J6fQHKDdDEzmZ
      KhK5KxL5p5YIZWZ8eEdNRoYRMXR0PxmHvRanzRvSVlXSbfqxaKlORfJJ1ah1bRNt
      o0ngAQchTghsrRuf3Qh/2Kn29IuBy4bjKR9CdNLxGrClvX/q26rUUlz6A3lbXbwJ
      EHSRnendRfEiia+xfZD+NG2oZW0IdTXSqkCbnBnign+uxGH5ECjuLEtvtUx6i9Ae
      xAvK2FqIuud+AchqiZBKzmQAhUjKUoACzNP2Bx2zgJOeB0BqGvf6aldG0n2hYxJF
      8Xssc8TBlwvAqtiubP/UxJJPs+IHqU+zjm7KdP6dM2sbE+J9O3n8DzOP0SDyEmWU
      UCwnmoPOQlq1z6fH9ghcp9bDdbh6adXM8I+SUYUcfvupOzBU7rWHxDCXld/24tpI
      FA7FRzHwKXqMSjwtBQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/
      BAUwAwEB/zAdBgNVHQ4EFgQUHLxmKw7KjUufjZNxqQ/KZ0ZpEyIwDQYJKoZIhvcN
      AQELBQADggIBABdSKQsh3EfVoqplSIx6X43y2Pp+kHZLtEsRWMzgO5LhYy2/Fvel
      eRBw/XEiB5iKuEGhxHz/Gqe0gZixw3SsHB1Q464EbGT4tPQ2UiMhiiDho9hVe6tX
      qX1FhrhycAD1xHIxMxQP/buX9s9arFZauZrpw/Jj4tGp7aEj4hypWpO9tzjdBthy
      5vXSviU8L2HyiQpVND/Rp+dNJmVYTiFLuULRY28QbikgFO2xp9s4RNkDBnbDeTrT
      CKWcVsmlZLPJJQZm0n2p8CvoeAsKzIULT9YSbEEBwmeqRlmbUaoT/rUGoobSFcrP
      jrBg66y5hA2w7S3tDH0GjMpRu16b2u0hYQocUDuMlyhrkhsO+Qtqkz1ubwHCJ8PA
      RJw6zYl9VeBtgI5F69AEJdkAgYfvPw5DJipgVuQDSv7ezi6ZcI75939ENGjSyLVy
      4SuP99G7DuItG008T8AYFUHAM2h/yskVyvoZ8+gZx54TC9aY9gPIKyX++4bHv5BC
      qbEdU46N05R+AIBW2KvWozQkjhSQCbzcp6DHXLoZINI6y0WOImzXrvLUSIm4CBaj
      6MTXInIkmitdURnmpxTxLva5Kbng/u20u5ylIQKqpcD8HWX97lLVbmbnPkbpKxo+
      LvHPhNDM3rMsLu06agF4JTbO8ANYtWQTx0PVrZKJu+8fcIaUp7MVBIVZ
      -----END CERTIFICATE-----

webhook:
  # -- Side car to mount admission review
  sidecar: false
  # -- Replicas
  replicas: 1
  image:
    # -- Image repository
    repository: ghcr.io/sap/cap-operator/web-hooks
    # -- Image tag
    tag: ""
    # -- Image pull policy
    pullPolicy: ""
  # -- Image pull secrets
  imagePullSecrets: []
  # -- Additional labels for validating webhook pods
  podLabels: {}
  # -- Additional annotations for validating webhook pods
  podAnnotations: {}
  # -- Pod security content
  podSecurityContext: {}
  # -- Node selector
  nodeSelector: {}
  # -- Affinity settings
  affinity: {}
  # -- Tolerations
  tolerations: []
  # -- Priority class
  priorityClassName: ""
  # -- Topology spread constraints
  topologySpreadConstraints: []
  # -- Security context
  securityContext: {}
  resources:
    limits:
      # -- Memory limit
      memory: 200Mi
      # -- CPU limit
      cpu: 0.1
    requests:
      # -- Memory request
      memory: 20Mi
      # -- CPU request
      cpu: 0.01
  # -- Service port
  service:
    # -- Service type
    type: ClusterIP
    # -- Service port
    port: 443
    # -- Target port
    targetPort: 1443
  # -- Certificate manager which can be either `Default` or `CertManager`
  certificateManager: "Default"
  # -- Optionally specify the corresponding certificate configuration
  certificateConfig:
    certManager:
      # -- Issuer group
      issuerGroup: ""
      # -- Issuer kind
      issuerKind: ""
      # -- Issuer name
      issuerName: ""

3 - Using CAP Operator Manager

How to install CAP Operator using CAP Operator Manager in a Kubernetes cluster

To install the CAP Operator using CAP Operator Manager, please execute the following commands:

kubectl apply -f https://github.com/SAP/cap-operator-lifecycle/releases/latest/download/manager_manifest.yaml

The above command will create namespace cap-operator-system with CAP Operator Manager installed. Once the CAP Operator Manager pod is running, you can install the CAP operator by executing the following command:

kubectl apply -n cap-operator-system -f https://github.com/SAP/cap-operator-lifecycle/releases/latest/download/manager_default_CR.yaml

This would work only if the ingressGatewayLabels in your clusters matches the following values

ingressGatewayLabels:
  - name: istio
    value: ingressgateway
  - name: app
    value: istio-ingressgateway

If not, you will have to manually create the CAPOperator resource. For more details on the same, please refer to link.

Installation

1 - Prerequisites

Istio (version >= 1.22)

sap-btp-service-operator or cf-service-operator

“Gardener” certificate management

2 - Using Helm

Installation

As command line parameters:

Or as a YAML file with the values:

Optional steps

Enable Service Monitors for metrics emitted by controller and subscription server

Setup Prometheus Integration for Version Monitoring

Note

2.1 - Helm Values

3 - Using CAP Operator Manager

Or as a `YAML` file with the values: