Add a cluster to APPUiO Cloud

This guide describes the steps required to turn an OpenShift 4 cluster into an APPUiO Zone.

VSHN employees should follow Activate Zone instead of continuing this guide.

Configure Keycloak

  1. Create a new Keycloak Client with the following settings (leave the others at their default values)

    Client ID = appuio_<c-cluster-id> (1)
    Access Type = confidential (3)
    Valid Redirect URIs = https://oauth-openshift.apps.cluster-id.tld/oauth2callback/APPUiO (4)
    Base URL = https://console.cluster-id.tld/
    
    [ Authentication Flow Overrides ]
    Browser Flow = APPUiO Browser RBAC (2)
    1 Each enabled APPUiO Zone gets its own client, named after the cluster ID with the prefix appuio_.
    2 See Setup RBAC
    3 Keycloak only enforces the client secret for confidential clients; a public client would let anyone who knows the client ID start the login flow.
    4 Register the exact callback URL, not a wildcard. OpenShift serves the OIDC callback at /oauth2callback/<identity provider name>, so the last path segment must be identical to the name of the identity provider configured in openshift4-authentication below, otherwise Keycloak rejects the redirect. A wildcard here would let Keycloak send authorization codes to any URL matching the pattern.
VSHN uses id.vshn.net as the IdP.

Configure openshift4-authentication

  1. After adding the cluster as a new client to the APPUiO IdP, store the client secret in Vault at the path referenced by the component configuration below (${cluster:tenant}/${cluster:name}/oidc/appuio-keycloak/clientSecret). Keycloak shows the secret in the "Credentials" tab of the client settings; it must never be committed to the cluster catalog in clear text.

  2. Add component configuration

    parameters:
      openshift4_authentication:
        secrets:
          appuio-cloud-keycloak:
            clientSecret: '?{vaultkv:${cluster:tenant}/${cluster:name}/oidc/appuio-keycloak/clientSecret}' (1)
    
        identityProviders:
          appuio_keycloak:
            name: APPUiO-Cloud (3)
            type: OpenID
            mappingMethod: add
            openID:
              issuer: https://id.appuio.cloud/auth/realms/appuio-cloud
              clientID: ${cluster:name} (4)
              clientSecret:
                name: appuio-cloud-keycloak
              claims: (2)
                preferredUsername:
                  - preferred_username
                name:
                  - name
                email:
                  - email
    1 The Vault path for the client secret
    2 See also User object names in the OpenShift cluster
    3 The identity provider name determines the OAuth callback path (/oauth2callback/<name>). It must match the last path segment of the Valid Redirect URI registered in the Keycloak client above.
    4 Must be identical to the Client ID of the Keycloak client created above. With the naming convention used there, that is the cluster ID prefixed with appuio_, so verify that the value resolves to that and not to the bare cluster name; a mismatch makes Keycloak refuse the login with an unknown client error.

Configure group-sync-operator

The group-sync-operator is required to sync Keycloak groups to each APPUiO Zone. It logs in to the master realm with a dedicated service account whose username and password come from Vault; grant that account only read access to the appuio-cloud realm, since its credentials are present on every zone.

  1. Add component configuration

    parameters:
      group_sync_operator:
        secrets:
          sync-appuio-keycloak-groups:
            stringData:
              username: '?{vaultkv:${cluster:tenant}/${cluster:name}/oidc/appuio-keycloak-sync/username}'
              password: '?{vaultkv:${cluster:tenant}/${cluster:name}/oidc/appuio-keycloak-sync/password}'
        sync:
          sync-keycloak-groups:
            schedule: '* * * * *'
            providers:
              keycloak:
                keycloak:
                  url: https://id.appuio.cloud
                  credentialsSecret:
                    name: sync-appuio-keycloak-groups
                  loginRealm: master
                  realm: appuio-cloud
                  scope: sub

Configure keycloak-attribute-sync-controller

The keycloak-attribute-sync-controller is required to sync Keycloak user attributes (here appuio.io/default-organization) to each APPUiO Zone, where they end up as annotations on the User objects.

  1. Add component configuration

    parameters:
      keycloak_attribute_sync_controller:
        sync_credentials:
          sync-default-org-credentials:
            stringData:
              username: '?{vaultkv:${cluster:tenant}/${cluster:name}/oidc/appuio-keycloak-sync/username}' (1)
              password: '?{vaultkv:${cluster:tenant}/${cluster:name}/oidc/appuio-keycloak-sync/password}'
    
        sync_configurations:
          sync-default-org:
            url: https://id.appuio.cloud
            loginRealm: master
            credentialsSecret:
              name: sync-default-org-credentials
            realm: appuio-cloud
            attribute: appuio.io/default-organization
            targetAnnotation: appuio.io/default-organization
            schedule: '@every 1m'
    1 The user for syncing attributes is the same as the one used for group-sync-operator.
  2. Compile and push the cluster catalog

  3. Wait for Argo CD to sync the config
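
The three fragments above have to agree with each other, and nothing in Commodore or Argo CD checks that they do: a client ID that differs between Keycloak and openshift4-authentication, a redirect URI whose last path segment is not the identity provider name, or a realm name that differs between the sync components only shows up as a failed login or a silently empty group sync. The following is an added example, not code from the APPUiO Cloud docs or any VSHN component, that cross-checks the settings before the catalog is pushed. The input values are constructed from this page's fragments with the cluster ID c-example and the apps domain apps.c-example.example.com assumed, and with ${cluster:name} assumed to resolve to the bare cluster ID; the check functions, dataclasses and the wildcard rule are the example's own.

```python
"""Pre-flight consistency check for wiring an APPUiO Zone to Keycloak.

Added example (not part of the APPUiO Cloud docs or any VSHN component).
Assumed: cluster ID c-example, apps domain apps.c-example.example.com,
and ${cluster:name} resolving to the bare cluster ID.
"""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class KeycloakClient:
    client_id: str
    access_type: str
    valid_redirect_uris: list


@dataclass
class OpenShiftIdp:
    name: str               # identityProviders.<key>.name
    issuer: str             # openID.issuer
    client_id: str          # openID.clientID after Commodore resolves ${cluster:name}
    client_secret_ref: str  # openID.clientSecret.name
    declared_secrets: list  # keys under openshift4_authentication.secrets


@dataclass
class SyncConfig:
    component: str
    url: str
    realm: str


def oauth_callback_uri(apps_domain: str, idp_name: str) -> str:
    """OpenShift serves the OIDC callback at
    https://oauth-openshift.<apps domain>/oauth2callback/<identity provider name>."""
    return f"https://oauth-openshift.{apps_domain}/oauth2callback/{idp_name}"


def realm_of(issuer: str) -> str:
    """Keycloak issuer URLs end in /realms/<realm>; return <realm> or '' if absent."""
    parts = urlparse(issuer).path.rstrip("/").split("/")
    return parts[-1] if len(parts) >= 2 and parts[-2] == "realms" else ""


def check(kc: KeycloakClient, idp: OpenShiftIdp, apps_domain: str, syncs: list) -> list:
    """Return human-readable findings; an empty list means the fragments agree."""
    findings = []
    if kc.access_type != "confidential":
        findings.append("Keycloak client must be confidential so the client secret is enforced")
    if kc.client_id != idp.client_id:
        findings.append(f"clientID mismatch: Keycloak {kc.client_id!r} vs "
                        f"openshift4-authentication {idp.client_id!r}")
    expected = oauth_callback_uri(apps_domain, idp.name)
    if expected not in kc.valid_redirect_uris:
        findings.append(f"no Valid Redirect URI equals {expected!r}; the last path "
                        f"segment must be the identity provider name {idp.name!r}")
    for uri in kc.valid_redirect_uris:
        if "*" in uri:
            findings.append(f"wildcard redirect URI {uri!r}: Keycloak would send "
                            "authorization codes to any matching URL")
    if idp.client_secret_ref not in idp.declared_secrets:
        findings.append(f"clientSecret.name {idp.client_secret_ref!r} is not declared under secrets")
    if urlparse(idp.issuer).scheme != "https":
        findings.append("issuer must use https")
    realm = realm_of(idp.issuer)
    for s in syncs:
        if urlparse(s.url).netloc != urlparse(idp.issuer).netloc:
            findings.append(f"{s.component}: url host {urlparse(s.url).netloc!r} differs from issuer host")
        if s.realm != realm:
            findings.append(f"{s.component}: realm {s.realm!r} differs from issuer realm {realm!r}")
    return findings


# Constructed sample input mirroring the fragments on this page (assumed cluster ID).
CLUSTER = "c-example"
APPS_DOMAIN = f"apps.{CLUSTER}.example.com"
ISSUER = "https://id.appuio.cloud/auth/realms/appuio-cloud"
SYNCS = [SyncConfig("group-sync-operator", "https://id.appuio.cloud", "appuio-cloud"),
         SyncConfig("keycloak-attribute-sync-controller", "https://id.appuio.cloud", "appuio-cloud")]


def page_findings() -> list:
    """Fragments as written on this page, with ${cluster:name} -> c-example."""
    kc = KeycloakClient(f"appuio_{CLUSTER}", "confidential",
                        [f"https://oauth-openshift.{APPS_DOMAIN}/oauth2callback/APPUiO"])
    idp = OpenShiftIdp("APPUiO-Cloud", ISSUER, CLUSTER, "appuio-cloud-keycloak",
                       ["appuio-cloud-keycloak"])
    return check(kc, idp, APPS_DOMAIN, SYNCS)


def fixed_findings() -> list:
    """Same inputs with client ID and redirect URI aligned to the identity provider."""
    kc = KeycloakClient(f"appuio_{CLUSTER}", "confidential",
                        [oauth_callback_uri(APPS_DOMAIN, "APPUiO-Cloud")])
    idp = OpenShiftIdp("APPUiO-Cloud", ISSUER, f"appuio_{CLUSTER}", "appuio-cloud-keycloak",
                       ["appuio-cloud-keycloak"])
    return check(kc, idp, APPS_DOMAIN, SYNCS)


if __name__ == "__main__":
    for finding in page_findings():
        print("-", finding)
    print("after fix:", fixed_findings() or "consistent")
```

With the page's values as constructed here the check reports two findings (the client ID and the redirect URI path segment); once both are aligned with the identity provider name and the Keycloak Client ID it reports none. Run it against the real resolved values (for example from the compiled catalog) before pushing.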

Configure Appcat ObjectStorage provider

Refer to the dedicated page to set up AppCat ObjectStorage.

Add Cluster to Status Page

  1. Login to Statuspal

  2. Select APPUiO Cloud status page

    You need Admin rights on the "APPUiO Cloud" status page to be able to add new services.
  3. Create a service for the APPUiO Zone

  4. Create the following other services and select the previously created APPUiO Zone service as their parent:

    1. OpenShift Console

      1. Description: URL to the OpenShift Console

      2. Select Statuspal monitoring

      3. Method: HEAD

      4. Ping url: URL to the OpenShift Console

      5. Check Automatically create incident

      6. Check Pause monitoring during maintenances

    2. OpenShift / Kubernetes API

      1. Description: URL to the OpenShift / Kubernetes API

      2. Select Statuspal monitoring

      3. Method: GET

      4. Ping url: URL to the OpenShift / Kubernetes API + /healthz

      5. Check Automatically create incident

      6. Check Pause monitoring during maintenances

    3. Image Registry

      1. Description: URL to the Image Registry

      2. Select Statuspal monitoring

      3. Method: HEAD

      4. Ping url: URL to the Image Registry

      5. Check Automatically create incident

      6. Check Pause monitoring during maintenances

    4. Logging

      1. Description: URL to the Logging

      2. Select Statuspal monitoring

      3. Method: HEAD

      4. Ping url: URL to the Logging + /app/kibana

      5. Check Automatically create incident

      6. Check Pause monitoring during maintenances

    5. Networking

    6. Ingress