Each SAP BTP, Kyma runtime instance in the Kyma Environment Broker (KEB) database belongs to a global account and to a subaccount.
Subaccount Cleanup is an application that periodically calls the CIS service and notifies about SUBACCOUNT_DELETE events.
Based on these events, Subaccount Cleanup triggers the deprovisioning action on the Kyma runtime instances belonging to the given subaccount.
The Subaccount Cleanup workflow is divided into several steps:
1. Fetch SUBACCOUNT_DELETE events from the CIS service.
   a. CIS client makes a call to the CIS service and as a response, it gets a list of events divided into pages.
   b. CIS client fetches the rest of the events by making a call to each page one by one.
   c. A subaccount ID is taken from each event and kept in an array.
   d. When the CIS client ends its workflow, it displays logs with information on how many subaccounts were fetched.
2. Find all instances in the KEB database based on the fetched subaccount IDs. The subaccounts pool is divided into pieces. For each piece, a query is made to the database to fetch instances.
3. Trigger the deprovisioning operation for each instance found in step 2.
Logs inform about the status of each triggered action:
deprovisioning for instance <InstanceID> (SubAccountID: <SubAccountID>) was triggered, operation: <OperationID>
Subaccount Cleanup also uses logs to inform about the end of the deprovisioning operation.
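
Steps 1 and 2 of the workflow as an added Go example (not code from the Kyma Environment Broker project): it pages through events, collects unique subaccount IDs, splits the pool into pieces, and builds one parameterized lookup per piece. The `Event` type, the `fetch` callback, and the table and column names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is a constructed stand-in for one CIS SUBACCOUNT_DELETE event.
type Event struct{ SubaccountID string }

// CollectIDs walks all pages via a hypothetical fetch call; any page error aborts the run.
func CollectIDs(fetch func(page int) ([]Event, int, error)) ([]string, error) {
	seen, ids := map[string]bool{}, []string{}
	for page, total := 0, 1; page < total; page++ {
		events, t, err := fetch(page)
		if err != nil {
			return nil, fmt.Errorf("fetching page %d: %w", page, err)
		}
		total = t // the service reports how many pages exist
		for _, e := range events {
			if e.SubaccountID != "" && !seen[e.SubaccountID] {
				seen[e.SubaccountID] = true
				ids = append(ids, e.SubaccountID)
			}
		}
	}
	return ids, nil
}

// Chunk splits the subaccount pool into pieces of at most size IDs (step 2).
func Chunk(ids []string, size int) (out [][]string) {
	for size > 0 && len(ids) > size {
		out, ids = append(out, ids[:size]), ids[size:]
	}
	if len(ids) > 0 {
		out = append(out, ids)
	}
	return out
}

// InstanceQuery binds IDs as arguments, never SQL text; table/column names are assumed.
func InstanceQuery(piece []string) (string, []interface{}) {
	ph, args := make([]string, len(piece)), make([]interface{}, len(piece))
	for i, id := range piece {
		ph[i], args[i] = fmt.Sprintf("$%d", i+1), id
	}
	return "SELECT instance_id FROM instances WHERE sub_account_id IN (" + strings.Join(ph, ",") + ")", args
}

func main() { fmt.Println(InstanceQuery([]string{"sa-1", "sa-2"})) }
```

Because the result of this lookup drives deprovisioning, the example returns no IDs at all when a page fails, and the piece size bounds the number of bind parameters per query.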
Subaccount Cleanup requires access to:
- CIS service to receive all SUBACCOUNT_DELETE events
- the KEB database to get the instance ID for each subaccount ID from the SUBACCOUNT_DELETE event
- KEB to trigger Kyma runtime instance deprovisioning
Use the following environment variables to configure the application:
Environment variable | Description |
---|---|
APP_CLIENT_VERSION | Specifies the service version from which events are fetched. The possible values are v1.0 or v2.0. |
APP_CIS_CLIENT_ID | Specifies the client ID for the OAuth2 authentication in CIS. |
APP_CIS_CLIENT_SECRET | Specifies the client secret for the OAuth2 authentication in CIS. |
APP_CIS_AUTH_URL | Specifies the endpoint for the CIS OAuth token. |
APP_CIS_EVENT_SERVICE_URL | Specifies the endpoint for CIS events. |
APP_DATABASE_USER | Specifies the username for the database. |
APP_DATABASE_PASSWORD | Specifies the user password for the database. |
APP_DATABASE_HOST | Specifies the host of the database. |
APP_DATABASE_PORT | Specifies the port for the database. |
APP_DATABASE_NAME | Specifies the name of the database. |
APP_DATABASE_SSLMODE | Activates the SSL mode for PostgreSQL. See all the possible values. |
APP_DATABASE_SSLROOTCERT | Specifies the location of the CA certificate of PostgreSQL. (Optional) |
APP_BROKER_URL | Specifies the Kyma Environment Broker URL. |
APP_BROKER_TOKEN_URL | Specifies the endpoint for the Kyma Environment Broker OAuth token. |
APP_BROKER_CLIENT_ID | Specifies the username for the OAuth2 authentication in KEB. |
APP_BROKER_CLIENT_SECRET | Specifies the password for the OAuth2 authentication in KEB. |
APP_BROKER_SCOPE | Specifies the scope of the OAuth2 authentication in KEB. |
For more details, see the resource definition file.