Register Downstream Clusters

Agent-initiated refers to a pattern in which the downstream cluster installs an agent with a cluster registration token and optionally a client ID. The cluster agent will then make a API request to the SUSE® Rancher Prime Continuous Delivery manager and initiate the registration process. Using this process the Manager will never make an outbound API request to the downstream clusters and will thus never need to have direct network access. The downstream cluster only needs to make outbound HTTPS calls to the manager.

Manager-initiated registration is a process in which you register an existing Kubernetes cluster with the SUSE® Rancher Prime Continuous Delivery manager and the SUSE® Rancher Prime Continuous Delivery manager will make an API call to the downstream cluster to deploy the agent. This style can place additional network access requirements because the Fleet manager must be able to communicate with the downstream cluster API server for the registration process. After the cluster is registered there is no further need for the manager to contact the downstream cluster API. This style is more compatible if you wish to manage the creation of all your Kubernetes clusters through GitOps using something like cluster-api or Rancher.

The cluster registration token is a credential that will authorize the downstream cluster agent to be able to initiate the registration process. This is required. The cluster registration token is manifested as a values.yaml file that will be passed to the helm install process. Alternatively one can pass the token directly to the helm install command via --set token="$token".

There are two styles of registering an agent. You can have the cluster for this agent dynamically created, in which case you will probably want to specify cluster labels upon registration. Or you can have the agent register to a predefined cluster in the SUSE® Rancher Prime Continuous Delivery manager, in which case you will need a client ID. The former approach is typically the easiest.

The SUSE® Rancher Prime Continuous Delivery agent is installed as a Helm chart. Following are explanations how to determine and set its parameters.

First, follow the cluster registration token instructions to obtain the values.yaml which contains the registration token to authenticate against the SUSE® Rancher Prime Continuous Delivery cluster.

Second, optionally you can define labels that will assigned to the newly created cluster upon registration. After registration is completed an agent cannot change the labels of the cluster. To add cluster labels add --set-string labels.KEY=VALUE to the below Helm command. To add the labels foo=bar and bar=baz then you would add --set-string labels.foo=bar --set-string labels.bar=baz to the command line.

Third, set variables with the SUSE® Rancher Prime Continuous Delivery cluster’s API Server URL and CA, for the downstream cluster to use for connecting.

Value in API_SERVER_CA_DATA can be obtained from a .kube/config file with valid data to connect to the upstream cluster (under the certificate-authority-data key). Alternatively it can be obtained from within the upstream cluster itself, by looking up the default ServiceAccount secret name (typically prefixed with default-token-, in the default namespace), under the ca.crt key.

Add Fleet’s Helm repo.

Finally, install the agent using Helm.

The agent should now be deployed.

Additionally you should see a new cluster registered in the SUSE® Rancher Prime Continuous Delivery manager. Below is an example of checking that a new cluster was registered in the clusters namespace. Please ensure your ${HOME}/.kube/config is pointed to the Fleet manager to run this command.

Client IDs are for the purpose of predefining clusters in the SUSE® Rancher Prime Continuous Delivery manager with existing labels and repos targeted to them. A client ID is not required and is just one approach to managing clusters. The client ID is a unique string that will identify the cluster. This string is user generated and opaque to the SUSE® Rancher Prime Continuous Delivery manager and agent. It is assumed to be sufficiently unique. For security reasons one should not be able to easily guess this value as then one cluster could impersonate another. The client ID is optional and if not specified the UID field of the kube-system namespace resource will be used as the client ID. Upon registration if the client ID is found on a Cluster resource in the SUSE® Rancher Prime Continuous Delivery manager it will associate the agent with that Cluster. If no Cluster resource is found with that client ID a new Cluster resource will be created with the specific client ID.

The SUSE® Rancher Prime Continuous Delivery agent is installed as a Helm chart. The only parameters to the helm chart installation should be the cluster registration token, which is represented by the values.yaml file and the client ID. The client ID is optional.

First, create a Cluster in the SUSE® Rancher Prime Continuous Delivery Manager with the random client ID you have chosen.

Second, follow the [cluster registration token instructions]((#create-cluster-registration-tokens) to obtain the values.yaml file to be used.

Third, setup your environment to use the client ID.

Add Fleet’s Helm repo.

Finally, install the agent using Helm.

The agent should now be deployed.

Additionally you should see a new cluster registered in the SUSE® Rancher Prime Continuous Delivery manager. Below is an example of checking that a new cluster was registered in the clusters namespace. Please ensure your ${HOME}/.kube/config is pointed to the Fleet manager to run this command.

For an agent-initiated registration the downstream cluster must have a cluster registration token. Cluster registration tokens are used to establish a new identity for a cluster. Internally cluster registration tokens are managed by creating Kubernetes service accounts that have the permissions to create ClusterRegistrationRequests within a specific namespace. Once the cluster is registered a new ServiceAccount is created for that cluster that is used as the unique identity of the cluster. The agent is designed to forget the cluster registration token after registration. While the agent will not maintain a reference to the cluster registration token after a successful registration please note that usually other system bootstrap scripts do.

Since the cluster registration token is forgotten, if you need to re-register a cluster you must give the cluster a new registration token.

Cluster registration tokens can be reused by any cluster in a namespace. The tokens can be given a TTL such that it will expire after a specific time.

The ClusterRegistationToken is a namespaced type and should be created in the same namespace in which you will create GitRepo and ClusterGroup resources. For in depth details on how namespaces are used in SUSE® Rancher Prime Continuous Delivery refer to the documentation on namespaces. Create a new token with the below YAML.

After the ClusterRegistrationToken is created, SUSE® Rancher Prime Continuous Delivery will create a corresponding Secret with the same name. As the Secret creation is performed asynchronously, you will need to wait until it’s available before using it.

One way to do so is via the following one-liner:

The token value contains YAML content for a values.yaml file that is expected to be passed to helm install to install the SUSE® Rancher Prime Continuous Delivery agent on a downstream cluster.

Such value is contained in the values field of the Secret mentioned above. To obtain the YAML content for the above example one can run the following one-liner:

Once the values.yaml is ready it can be used repeatedly by clusters to register until the TTL expires.

The format of this secret is intended to match the format of the kubeconfig secret used in cluster-api. This means you can use cluster-api to create a cluster that is dynamically registered withSUSE® Rancher Prime Continuous Delivery.

The cluster resource needs to reference the kubeconfig secret.