Activate APPUiO Cloud Global Environment

This guide is targeted at VSHN employees.


  • working Commodore setup

  • SMTP server for sending out emails from Keycloak

  • Access to

  • vault

Configure Cluster

  1. Add the Commodore class to your cluster:

      - global.apps.appuio-cloud-global

Configure Keycloak

  1. Configure outgoing email settings in appuio-cloud (realm)  Realm Settings  Email

    Host =
    Port = 25
    From Display Name = APPUiO Cloud
    From =
    Envelope From =
    Enable StartTLS = true
  2. Allow the cluster’s egress IP address(es) to relay mails on the configured SMTP host

  3. Add an API user in master (realm)  Users  Add user with the following properties:

    Username = appuio-keycloak-sync
    [ Credentials tab ] (1)
    Password = <Password>
    Temporary = False
    [ Role Mappings tab ] (1)
    Client Roles = appuio-cloud-realm
    Assigned Roles = view-users
    1 The tabs are visible after saving the new user first.

Configure Cloudscale Metrics Collector

  1. Login to Vault.

    export VAULT_ADDR=
    vault login -method=oidc
  2. Login to

  3. Create a new API token within the VSHN AppCat objects-lpg-2 project, give it a memorable name like cloudscale-metrics-collector and read-only access.

  4. Save the token in Vault.

    vault kv put "${parent}" token=<the-cloudscale-token>

Configure Exoscale Metrics Collector

The buckets are fetched from exoscale S3 storage and matched with the buckets from the cluster they were created.

  1. Login to

  2. Create a new IAM key within the VSHN AppCat objects-ch-gva-2-0 project, give it a memorable name like exoscale-metrics-collector and read-only access. The credentials will be saved later in Vault.

  3. Login to the end cluster from where the exoscale buckets will be fetched, example APPUiO Cloud exoscale-ch-gva-2-0.

  4. Create a ServiceAccount, ClusterRole and ClusterRoleBinding

    oc -n <a-namespace> create serviceaccount exoscale-metrics-collector --as cluster-admin
    oc create clusterrole exoscale-metrics-collector --verb=get,list,watch --resource=namespaces, --as cluster-admin
    oc create clusterrolebinding exoscale-metrics-collector --clusterrole=exoscale-metrics-collector --serviceaccount=<a-namespace>:exoscale-metrics-collector
  5. Get the ServiceAccount token

    tokenname=$(oc -n <a-namespace> get serviceaccount exoscale-metrics-collector -o jsonpath='{.secrets[0].name}' --as cluster-admin)
    oc -n <a-namespace> get secret ${tokenname} -o jsonpath='{.data.token}' --as cluster-admin | base64 --decode
  6. Login to Vault.

    export VAULT_ADDR=
    vault login -method=oidc
  7. Save the exoscale access-key, secret-key, cluster-server and cluster-token from previous steps in Vault.

    parent="clusters/kv/${TENANT_ID}/${CLUSTER_ID}/exoscale-metrics-collector/${instance-alias}" (1)
    vault kv put "${parent}" exoscale-key=<exoscale-access-key>
    vault kv put "${parent}" exoscale-secret=<exoscale-secret-key>
    vault kv put "${parent}" cluster-server=<cluster-server>
    vault kv put "${parent}" cluster-token=<cluster-server>
    1 ${instance-alias} is the component’s alias in case of multiple instances of exoscale-metrics-collector are used in a cluster catalog. It defaults to exoscale-metrics-collector in case of single instance.