Decommission cluster or tenant

Prerequisites

Write access in the Project Syn "Clusters" and "Tenants" views on control.vshn.net.
Access to the Lieutenant cluster.

Decommission cluster

These instructions assume that the cluster itself will be decommissioned as well. Don’t hesitate to reach out to Project Syn IG if you need help with just "desynthesizing" a cluster which will not be decommissioned completely.

Clone the cluster catalog repo

export CLUSTER_ID=<cluster-id> (1)

export LIEUTENANT_URL=https://api.syn.vshn.net
git clone $(curl -sH"Authorization: Bearer $(commodore fetch-token)" \
    "${LIEUTENANT_URL}/clusters/${CLUSTER_ID}" | jq -r '.gitRepo.url')

1	Cluster ID of cluster to decommission

Remove all secrets referenced by the cluster catalog in Vault:

export VAULT_ADDR=https://vault-prod.syn.vshn.net

vault login -method=oidc

cd path/to/catalog/repo
for secret in $(find refs/ -type f -printf "clusters/kv/%P\n" \
    | sed -r 's#(.*)/.*#\1#' | grep -v '__shared__/__shared__' \
    | sort -u);
do
  vault kv delete "$secret"
done

vault kv delete doesn’t fully destroy the secret. You can restore secrets which were deleted with vault kv delete using vault kv undelete.

Remove cluster in control.vshn.net
- Search for the cluster
- Click the delete button on the right
This will also archive the cluster catalog Git repository on GitLab.

Decommission tenant

Decommission all clusters still associated with the tenant according to the previous section.
Delete tenant in control.vshn.net
- Search for the tenant
- Click the delete button on the right
  
  This should archive the tenant Git repository on GitLab.