Activate APPUiO Zone
This guide is targeted at VSHN employees.
- Add the cluster as a new client to APPUiO IdP id.vshn.net.

    Client ID = appuio_<c-cluster-id> (1)
    Access Type = confidential
    Valid Redirect URIs = https://oauth-openshift.apps.cluster-id.tld/oauth2callback/APPUiO
    Base URL = https://console.cluster-id.tld/

    [ Authentication Flow Overrides ]
    Browser Flow = Browser With WebAuthn (APPUiO Cloud)

    [ Client Scopes -> Default Client Scopes ]
    Assigned Default Client Scopes: Add `appuio_cloud_roles`

  (1) For each enabled APPUiO Zone there shall be its own client using the cluster ID and the prefix appuio_ as name.

  Figure 1. Default Client Scopes

- Create an S3 bucket for APPUiO metering which can be accessed using the same credentials as the cluster’s registry bucket. Use the name ${CLUSTER_ID}-appuio-metering for the bucket.

- Add the Commodore class to your cluster:

    classes:
      - global.apps.appuio-cloud-zone

- Create the following secrets in Vault:

    vault kv put clusters/kv/${TENANT_ID}/${CLUSTER_ID}/oidc/appuio-keycloak-sync password=... username=... (1)
    vault kv put clusters/kv/${TENANT_ID}/${CLUSTER_ID}/oidc/appuio-keycloak clientSecret=... (2)

  (1) The API user for syncing groups and attributes from APPUiO IdP. Retrieve the credentials from the Vault entry in the cluster where APPUiO Cloud Global is running.
  (2) The client secret generated when configuring the cluster as a client in APPUiO IdP in the previous step.

- Compile and push cluster catalog
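
One way to run the Vault step above without typing the password or client secret as command-line arguments, where they would end up in shell history. This is an added example, not part of the original guide: the function names and the ID character check are assumptions, while `key=-` is the vault CLI's syntax for reading a value from stdin.

```shell
# Added example (not from the APPUiO docs): write the two Zone secrets to Vault
# while reading the secret values from a no-echo prompt instead of argv.

# Vault path used in this guide for one secret (tenant ID, cluster ID, name).
zone_secret_path() {
  printf 'clusters/kv/%s/%s/oidc/%s' "$1" "$2" "$3"
}

# Assumption: IDs are lowercase letters, digits and hyphens. Rejecting anything
# else keeps a mistyped ID from writing to an unintended Vault path.
valid_id() {
  case "$1" in
    '' | *[!a-z0-9-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Prompt on stderr and read one line into SECRET with terminal echo off.
read_secret() {
  printf '%s: ' "$1" >&2
  stty -echo
  IFS= read -r SECRET
  stty echo
  printf '\n' >&2
}

# Usage: put_zone_secrets "$TENANT_ID" "$CLUSTER_ID"
put_zone_secrets() {
  valid_id "$1" && valid_id "$2" || { echo 'invalid tenant or cluster ID' >&2; return 1; }

  printf 'Sync API username: ' >&2
  IFS= read -r sync_user
  read_secret 'Sync API password'
  # key=- tells the vault CLI to take that value from stdin; printf is a shell
  # builtin, so the secret never appears in a process argument list.
  printf '%s' "$SECRET" |
    vault kv put "$(zone_secret_path "$1" "$2" appuio-keycloak-sync)" \
      username="$sync_user" password=- || return 1

  read_secret 'Keycloak client secret'
  printf '%s' "$SECRET" |
    vault kv put "$(zone_secret_path "$1" "$2" appuio-keycloak)" clientSecret=- || return 1
  unset SECRET
}
```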