Connect Zone to Control-API

Prerequisites

kustomize
yq yq YAML processor (version 4 or higher - use the go version by mikefarah, not the jq wrapper by kislyuk)
vault Vault CLI
connection to control-api cluster through kubectl

Connect Zone

Create zone

If the control-api cluster is managed by Commodore refer to the zones documentation.

If the control-api cluster is not managed by Commodore, create the zone manually:

# e.g. exoscale-ch-gva-2-0
ZONE_NAME=my-zone

cat > kustomization.yaml <<EOF
resources:
- https://github.com/appuio/appuio-cloud-agent.git//config/foreign_rbac?ref=usage-profiles

namePrefix: ${ZONE_NAME}-
EOF

kubectl apply -k .

Get the created token from the secret

# e.g. exoscale-ch-gva-2-0
ZONE_NAME=my-zone

ZONE_TOKEN=$(kubectl get secrets ${ZONE_NAME}-cloud-agent -oyaml | yq '.data.token' | base64 --decode)

Store the token in Vault

export CLUSTER_ID=<lieutenant-cluster-id> # Looks like: c-<something>
export TENANT_ID=$(curl -sH "Authorization: Bearer $(commodore fetch-token)" ${COMMODORE_API_URL}/clusters/${CLUSTER_ID} | jq -r .tenant)

export VAULT_ADDR=https://vault-prod.syn.vshn.net
vault login -method=oidc

vault kv put clusters/kv/${TENANT_ID}/${CLUSTER_ID}/agent-control-api-token \
  bearer_token=${ZONE_TOKEN}

Configure the agent

appuio_cloud:
  secrets:
    agent-control-api-token:
      stringData:
        token: "?{vaultkv:${cluster:tenant}/${cluster:name}/agent-control-api-token/bearer_token}"
  agent:
    extraArgs:
    - -control-api-url=https://api.appuio.cloud
    extraEnv:
      CONTROL_API_BEARER_TOKEN:
        valueFrom:
          secretKeyRef:
            key: token
            name: agent-control-api-token