Create a tenant

This how-to guides you to register a new Project Syn tenant. A Project Syn tenant is a prerequisite for synthesizing a cluster.



  1. Ensure Lieutenant permissions on

    • The subgroup cluster-catalogs exists in the customer’s group.

    • Lieutenant (GitLab account lieutenant-prod) has owner permissions on the subgroup cluster-catalogs.

    • Lieutenant has at least maintainer permissions on the customer’s group to create the tenant repository.

  2. Create tenant on To create the tenant follow the guidelines below regarding the fields to fill out.


    Choose a unique ID for the tenant. This field is limited to lower-case characters a-z, numbers 0-9 and -. The length is limited to 1-61 characters.

    This field cannot be changed after creation, it’s used as the Kubernetes object name for the tenant by Lieutenant.

    Choose the customer for which you’re creating the tenant.

    Odoo Customer for invoicing

    Choose the Odoo customer to whom the invoices for this tenant should be sent. Usually this will be the same value as field "Customer". Check with the Service Manager for the customer which Odoo customer should be billed for the customer’s Project Syn clusters.

    Repository Type

    Choose "auto".

    GitRepo URL

    Usually ssh://<customer>/syn-tenant-repo.git.

    Make sure that the GitLab user lieutenant-prod has permissions to create this repository.
    GitRepo Revision

    can usually be left blank.

    Global GitRepo URL

    can usually be left blank.

    Global GitRepo Revision

    can usually be left blank.

  3. Configure the clusterTemplate for the tenant. Generally you want to execute the following command.

    export LIEUTENANT_NS=lieutenant-prod
    export TENANT_ID=<tenant id> (1)
    export CUSTOMER_GROUP=<group name> (2)
    kubectl -n ${LIEUTENANT_NS} patch --type=merge tenant ${TENANT_ID} --patch-file /dev/stdin <<EOF
      "spec": {
        "clusterTemplate": {
          "gitRepoTemplate": {
            "path": "${CUSTOMER_GROUP}/cluster-catalogs",
            "repoName": "{{ .Name }}",
            "apiSecretRef": { "name": "vshn-gitlab" }
    1 Tenant ID from step 2
    2 The group namespace in (the group identifier in the URL)

    The cluster template reduces the amount of boiler-plate that you have to configure for each cluster belonging to the tenant. The patch command given in this step sets default for the following attributes of each cluster’s catalog repository:

    • path: the path in under which to create the catalog repository. We set the default value of this attribute to <customer-group>/cluster-catalogs.

    • repoName: the name of the cluster catalog repository. We set the default value of this attribute to a Go template which uses the cluster’s name (ID) as the catalog repo name.

    • apiSecretRef: the name of the secret holding the API credentials for We use the GitLab user (lieutenant-prod) for all tenants. This user’s credentials are available in the secret named vshn-gitlab which we set as the default.