From 35b97e1c25471ca92ce111db834783c962b6f5bb Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Wed, 29 Apr 2026 14:56:30 +0000 Subject: [PATCH] Update install instructions from guided-setup --- .../guided-setup/cloudscale-decommission.adoc | 31 ++++++++++++++----- .../partials/guided-setup/cloudscale.adoc | 22 ++++++++++--- .../guided-setup/exoscale-decommission.adoc | 24 +++++++++++--- .../ROOT/partials/guided-setup/exoscale.adoc | 22 ++++++++++--- 4 files changed, 77 insertions(+), 22 deletions(-) diff --git a/docs/modules/ROOT/partials/guided-setup/cloudscale-decommission.adoc b/docs/modules/ROOT/partials/guided-setup/cloudscale-decommission.adoc index 1695f66a..1b3a491b 100644 --- a/docs/modules/ROOT/partials/guided-setup/cloudscale-decommission.adoc +++ b/docs/modules/ROOT/partials/guided-setup/cloudscale-decommission.adoc @@ -124,6 +124,8 @@ You might use the WebUI at https://control.vshn.net/syn/lieutenantapiendpoints t ==== Outputs * `commodore_tenant_id` +* `vault_address` +* `vault_login_method` * `csp_region` ==== Script @@ -147,6 +149,12 @@ region=$(curl -sH "Authorization: Bearer $(commodore fetch-token)" ${COMMODORE_A if test -z "$region" && test "$region" != "null" ; then { echo "❌ Failed to retrieve CSP region for cluster ID '$INPUT_commodore_cluster_id'."; exit 1; } ; else { echo "✅ Retrieved CSP region '$region' for cluster ID '$INPUT_commodore_cluster_id'."; } ; fi env -i "csp_region=$region" >> "$OUTPUT" +echo "Retrieving Vault address and login method..." +vault_addr=$(curl -s "${COMMODORE_API_URL}" | jq -r '.vault.addr') +env -i "vault_address=${vault_addr}" >> "$OUTPUT" +vault_login_method=$(curl -s "${COMMODORE_API_URL}" | jq -r '.vault.loginMethod') +env -i "vault_login_method=${vault_login_method}" >> "$OUTPUT" + # echo "# Outputs" # cat "$OUTPUT" 
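Review bot: In the `@@ -147,6 +149,12 @@` hunk, the added `vault_addr=$(curl -s "${COMMODORE_API_URL}" | jq -r '.vault.addr')` and the matching `vault_login_method` line write whatever comes back into `$OUTPUT` unchecked: `curl -s` without `-f` does not fail on an HTTP error, and `jq -r` prints the literal `null` when the key is missing. Later steps export that value as `VAULT_ADDR` and run `vault login` and `vault kv put` against it, so an empty, `null` or non-HTTPS address should stop the step here rather than surface later as a confusing login failure or as secrets written to the wrong endpoint. I would fetch the document once instead of twice, use `curl -sf` and `jq -er`, and reject an address that does not start with `https://`. The start of this script is outside the hunk, so whether `set -euo pipefail` is active is not visible; the sketch below does not rely on it. The same lines are added in cloudscale.adoc (`@@ -206,6 +208,12 @@`), exoscale-decommission.adoc (`@@ -151,6 +153,12 @@`) and exoscale.adoc (`@@ -218,6 +220,12 @@`).

```shell
echo "Retrieving Vault address and login method..."
api_info=$(curl -sf "${COMMODORE_API_URL}") \
  || { echo "❌ Failed to query '${COMMODORE_API_URL}'."; exit 1; }
vault_addr=$(printf '%s' "$api_info" | jq -er '.vault.addr') \
  || { echo "❌ API response has no .vault.addr."; exit 1; }
vault_login_method=$(printf '%s' "$api_info" | jq -er '.vault.loginMethod') \
  || { echo "❌ API response has no .vault.loginMethod."; exit 1; }
case "$vault_addr" in
  https://*) ;;
  *) echo "❌ Unexpected Vault address '$vault_addr'."; exit 1 ;;
esac
# … unchanged: the two `env -i "…" >> "$OUTPUT"` lines …
```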
@@ -256,10 +264,8 @@ This step fetches the cluster's Cloudscale token and Floaty token from Vault. * `vault_address`: Address of the Vault server associated with the Lieutenant API to store cluster secrets. -https://vault-prod.syn.vshn.net/ for production clusters. -https://vault-int.syn.vshn.net/ for test clusters. - +* `vault_login_method` * `commodore_cluster_id` * `commodore_tenant_id` @@ -275,12 +281,13 @@ https://vault-int.syn.vshn.net/ for test clusters. OUTPUT=$(mktemp) # export INPUT_vault_address= +# export INPUT_vault_login_method= # export INPUT_commodore_cluster_id= # export INPUT_commodore_tenant_id= set -euo pipefail export VAULT_ADDR=${INPUT_vault_address} -vault login -method=oidc +vault login -method=${INPUT_vault_login_method} token=$(vault kv get -format=json \ "clusters/kv/${INPUT_commodore_tenant_id}/${INPUT_commodore_cluster_id}/cloudscale" | \ @@ -396,6 +403,7 @@ during decommissioning. ==== Inputs * `vault_address` +* `vault_login_method` * `commodore_cluster_id` ==== Script @@ -405,11 +413,12 @@ during decommissioning. OUTPUT=$(mktemp) # export INPUT_vault_address= +# export INPUT_vault_login_method= # export INPUT_commodore_cluster_id= set -euo pipefail export VAULT_ADDR=${INPUT_vault_address} -vault login -method=oidc +vault login -method=${INPUT_vault_login_method} OPSGENIE_KEY=$(vault kv get -format=json \ clusters/kv/__shared__/__shared__/opsgenie/aldebaran | \ jq -r '.data.data["heartbeat-password"]') @@ -943,6 +952,7 @@ This step deletes the cluster's associated backup bucket from Cloudscale. * `cloudscale_token` * `vault_address` +* `vault_login_method` * `commodore_cluster_id` * `commodore_api_url` * `backup_deletion_confirmation`: Really delete the cluster backup? @@ -962,6 +972,7 @@ OUTPUT=$(mktemp) # export INPUT_cloudscale_token= # export INPUT_vault_address= +# export INPUT_vault_login_method= # export INPUT_commodore_cluster_id= # export INPUT_commodore_api_url= # export INPUT_backup_deletion_confirmation= 
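Review bot: `vault login -method=${INPUT_vault_login_method}` in the `@@ -275,12 +281,13 @@` hunk leaves the expansion unquoted, and the value is no longer the fixed `oidc` but an input, presumably fed from the `vault_login_method` output that an earlier step reads from the API. An empty value yields a bare `-method=`, and a value containing whitespace is split into extra `vault login` arguments; the `set -euo pipefail` above only catches the unset case. I would write `vault login -method="${INPUT_vault_login_method:?}"`, which matches the quoted form the commit already uses in the `openshift-install` steps of cloudscale.adoc and exoscale.adoc and adds a non-empty check. The same unquoted form appears in the other `vault login` hunks of all four files.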
@@ -991,7 +1002,7 @@ mkdir catalog git archive --remote "${REPO_URL}" master | tar -xC catalog export VAULT_ADDR=${INPUT_vault_address} -vault login -method=oidc +vault login -method=${INPUT_vault_login_method} # extract restic credentials from catalog and vault restic_repo=s3:$(yq -o=json 'select(.kind == "Schedule")| .spec.backend.s3 | .endpoint + "/" + .bucket' catalog/manifests/cluster-backup/10_object.yaml | tr -d '"') @@ -1306,6 +1317,7 @@ This step cleans up all the cluster's Vault secrets. * `commodore_cluster_id` * `commodore_api_url` * `vault_address` +* `vault_login_method` * `backup_deletion_confirmation` ==== Script @@ -1317,6 +1329,7 @@ OUTPUT=$(mktemp) # export INPUT_commodore_cluster_id= # export INPUT_commodore_api_url= # export INPUT_vault_address= +# export INPUT_vault_login_method= # export INPUT_backup_deletion_confirmation= set -euo pipefail @@ -1338,7 +1351,7 @@ ID_KEY="$(yq -o=json 'select(.kind == "Secret" and .metadata.name == "objects-ba SECRET_KEY="$(yq -o=json 'select(.kind == "Secret" and .metadata.name == "objects-backup-s3-credentials") | .stringData.password' catalog/manifests/cluster-backup/10_object.yaml | cut -d: -f2)" export VAULT_ADDR=${INPUT_vault_address} -vault login -method=oidc +vault login -method=${INPUT_vault_login_method} for secret in $(find catalog/refs/ -type f \ | sed -r -e 's#catalog/refs#clusters/kv#' -e 's#(.*)/.*#\1#' \ @@ -1374,6 +1387,7 @@ This step deletes the cluster's OpsGenie heartbeat. ==== Inputs * `vault_address` +* `vault_login_method` * `commodore_cluster_id` ==== Script 
@@ -1383,11 +1397,12 @@ This step deletes the cluster's OpsGenie heartbeat. OUTPUT=$(mktemp) # export INPUT_vault_address= +# export INPUT_vault_login_method= # export INPUT_commodore_cluster_id= set -euo pipefail export VAULT_ADDR=${INPUT_vault_address} -vault login -method=oidc +vault login -method=${INPUT_vault_login_method} OPSGENIE_KEY=$(vault kv get -format=json \ clusters/kv/__shared__/__shared__/opsgenie/aldebaran | \ jq -r '.data.data["heartbeat-password"]') diff --git a/docs/modules/ROOT/partials/guided-setup/cloudscale.adoc b/docs/modules/ROOT/partials/guided-setup/cloudscale.adoc index 0c387e18..f6be7689 100644 --- a/docs/modules/ROOT/partials/guided-setup/cloudscale.adoc +++ b/docs/modules/ROOT/partials/guided-setup/cloudscale.adoc @@ -183,6 +183,8 @@ You might use the WebUI at https://control.vshn.net/syn/lieutenantapiendpoints t ==== Outputs * `commodore_tenant_id` +* `vault_address` +* `vault_login_method` * `csp_region` ==== Script @@ -206,6 +208,12 @@ region=$(curl -sH "Authorization: Bearer $(commodore fetch-token)" ${COMMODORE_A if test -z "$region" && test "$region" != "null" ; then { echo "❌ Failed to retrieve CSP region for cluster ID '$INPUT_commodore_cluster_id'."; exit 1; } ; else { echo "✅ Retrieved CSP region '$region' for cluster ID '$INPUT_commodore_cluster_id'."; } ; fi env -i "csp_region=$region" >> "$OUTPUT" +echo "Retrieving Vault address and login method..." +vault_addr=$(curl -s "${COMMODORE_API_URL}" | jq -r '.vault.addr') +env -i "vault_address=${vault_addr}" >> "$OUTPUT" +vault_login_method=$(curl -s "${COMMODORE_API_URL}" | jq -r '.vault.loginMethod') +env -i "vault_login_method=${vault_login_method}" >> "$OUTPUT" + # echo "# Outputs" # cat "$OUTPUT" 
@@ -679,9 +687,8 @@ This step stores the collected secrets and tokens in the ProjectSyn Vault. * `vault_address`: Address of the Vault server associated with the Lieutenant API to store cluster secrets. -https://vault-prod.syn.vshn.net/ for production clusters. - +* `vault_login_method` * `commodore_cluster_id` * `commodore_tenant_id` * `bucket_user` @@ -700,6 +707,7 @@ https://vault-prod.syn.vshn.net/ for production clusters. OUTPUT=$(mktemp) # export INPUT_vault_address= +# export INPUT_vault_login_method= # export INPUT_commodore_cluster_id= # export INPUT_commodore_tenant_id= # export INPUT_bucket_user= @@ -709,7 +717,7 @@ OUTPUT=$(mktemp) set -euo pipefail export VAULT_ADDR=${INPUT_vault_address} -vault login -method=oidc +vault login -method=${INPUT_vault_login_method} # Set the cloudscale.ch access secrets vault kv put clusters/kv/${INPUT_commodore_tenant_id}/${INPUT_commodore_cluster_id}/cloudscale \ @@ -887,6 +895,7 @@ the necessary installation files using Commodore. * `base_domain` * `cluster_domain` * `vault_address` +* `vault_login_method` * `redhat_pull_secret` * `csp_region` * `bucket_user` @@ -909,6 +918,7 @@ OUTPUT=$(mktemp) # export INPUT_base_domain= # export INPUT_cluster_domain= # export INPUT_vault_address= +# export INPUT_vault_login_method= # export INPUT_redhat_pull_secret= # export INPUT_csp_region= # export INPUT_bucket_user= @@ -922,7 +932,7 @@ openshift-install() { } export VAULT_ADDR="${INPUT_vault_address}" -vault login -method=oidc +vault login -method="${INPUT_vault_login_method}" ssh_private_key="$(pwd)/ssh_${INPUT_commodore_cluster_id}" ssh_public_key="${ssh_private_key}.pub" @@ -1764,6 +1774,7 @@ and ingress loadbalancer. * `commodore_api_url` * `vault_address` +* `vault_login_method` * `kubeconfig_path` ==== Script @@ -1774,6 +1785,7 @@ OUTPUT=$(mktemp) # export INPUT_commodore_api_url= # export INPUT_vault_address= +# export INPUT_vault_login_method= # export INPUT_kubeconfig_path= set -euo pipefail 
@@ -1781,7 +1793,7 @@ export COMMODORE_API_URL="${INPUT_commodore_api_url}" export KUBECONFIG="${INPUT_kubeconfig_path}" export VAULT_ADDR=${INPUT_vault_address} -vault login -method=oidc +vault login -method=${INPUT_vault_login_method} echo '# Applying cert-manager ... #' kubectl apply -f catalog/manifests/cert-manager/00_namespace.yaml diff --git a/docs/modules/ROOT/partials/guided-setup/exoscale-decommission.adoc b/docs/modules/ROOT/partials/guided-setup/exoscale-decommission.adoc index 8aa7fcb9..95fa30aa 100644 --- a/docs/modules/ROOT/partials/guided-setup/exoscale-decommission.adoc +++ b/docs/modules/ROOT/partials/guided-setup/exoscale-decommission.adoc @@ -128,6 +128,8 @@ You might use the WebUI at https://control.vshn.net/syn/lieutenantapiendpoints t ==== Outputs * `commodore_tenant_id` +* `vault_address` +* `vault_login_method` * `csp_region` ==== Script @@ -151,6 +153,12 @@ region=$(curl -sH "Authorization: Bearer $(commodore fetch-token)" ${COMMODORE_A if test -z "$region" && test "$region" != "null" ; then { echo "❌ Failed to retrieve CSP region for cluster ID '$INPUT_commodore_cluster_id'."; exit 1; } ; else { echo "✅ Retrieved CSP region '$region' for cluster ID '$INPUT_commodore_cluster_id'."; } ; fi env -i "csp_region=$region" >> "$OUTPUT" +echo "Retrieving Vault address and login method..." +vault_addr=$(curl -s "${COMMODORE_API_URL}" | jq -r '.vault.addr') +env -i "vault_address=${vault_addr}" >> "$OUTPUT" +vault_login_method=$(curl -s "${COMMODORE_API_URL}" | jq -r '.vault.loginMethod') +env -i "vault_login_method=${vault_login_method}" >> "$OUTPUT" + # echo "# Outputs" # cat "$OUTPUT" @@ -400,6 +408,7 @@ during decommissioning. ==== Inputs * `vault_address` +* `vault_login_method` * `commodore_cluster_id` ==== Script 
@@ -409,11 +418,12 @@ during decommissioning. OUTPUT=$(mktemp) # export INPUT_vault_address= +# export INPUT_vault_login_method= # export INPUT_commodore_cluster_id= set -euo pipefail export VAULT_ADDR=${INPUT_vault_address} -vault login -method=oidc +vault login -method=${INPUT_vault_login_method} OPSGENIE_KEY=$(vault kv get -format=json \ clusters/kv/__shared__/__shared__/opsgenie/aldebaran | \ jq -r '.data.data["heartbeat-password"]') @@ -808,6 +818,7 @@ This step deletes the cluster's associated backup bucket from Exoscale. * `exoscale_key` * `exoscale_secret` * `vault_address` +* `vault_login_method` * `commodore_cluster_id` * `commodore_api_url` * `backup_deletion_confirmation`: Really delete the cluster backup? @@ -828,6 +839,7 @@ OUTPUT=$(mktemp) # export INPUT_exoscale_key= # export INPUT_exoscale_secret= # export INPUT_vault_address= +# export INPUT_vault_login_method= # export INPUT_commodore_cluster_id= # export INPUT_commodore_api_url= # export INPUT_backup_deletion_confirmation= @@ -860,7 +872,7 @@ mkdir catalog git archive --remote "${REPO_URL}" master | tar -xC catalog export VAULT_ADDR=${INPUT_vault_address} -vault login -method=oidc +vault login -method=${INPUT_vault_login_method} # extract restic credentials from catalog and vault restic_repo=s3:$(yq -o=json 'select(.kind == "Schedule")| .spec.backend.s3 | .endpoint + "/" + .bucket' catalog/manifests/cluster-backup/10_object.yaml | tr -d '"') @@ -1150,6 +1162,7 @@ This step cleans up all the cluster's Vault secrets. * `commodore_cluster_id` * `commodore_api_url` * `vault_address` +* `vault_login_method` * `backup_deletion_confirmation` ==== Script @@ -1161,6 +1174,7 @@ OUTPUT=$(mktemp) # export INPUT_commodore_cluster_id= # export INPUT_commodore_api_url= # export INPUT_vault_address= +# export INPUT_vault_login_method= # export INPUT_backup_deletion_confirmation= set -euo pipefail 
@@ -1182,7 +1196,7 @@ ID_KEY="$(yq -o=json 'select(.kind == "Secret" and .metadata.name == "objects-ba SECRET_KEY="$(yq -o=json 'select(.kind == "Secret" and .metadata.name == "objects-backup-s3-credentials") | .stringData.password' catalog/manifests/cluster-backup/10_object.yaml | cut -d: -f2)" export VAULT_ADDR=${INPUT_vault_address} -vault login -method=oidc +vault login -method=${INPUT_vault_login_method} for secret in $(find catalog/refs/ -type f \ | sed -r -e 's#catalog/refs#clusters/kv#' -e 's#(.*)/.*#\1#' \ @@ -1218,6 +1232,7 @@ This step deletes the cluster's OpsGenie heartbeat. ==== Inputs * `vault_address` +* `vault_login_method` * `commodore_cluster_id` ==== Script @@ -1227,11 +1242,12 @@ This step deletes the cluster's OpsGenie heartbeat. OUTPUT=$(mktemp) # export INPUT_vault_address= +# export INPUT_vault_login_method= # export INPUT_commodore_cluster_id= set -euo pipefail export VAULT_ADDR=${INPUT_vault_address} -vault login -method=oidc +vault login -method=${INPUT_vault_login_method} OPSGENIE_KEY=$(vault kv get -format=json \ clusters/kv/__shared__/__shared__/opsgenie/aldebaran | \ jq -r '.data.data["heartbeat-password"]') diff --git a/docs/modules/ROOT/partials/guided-setup/exoscale.adoc b/docs/modules/ROOT/partials/guided-setup/exoscale.adoc index 2f5d078d..f2e9c88d 100644 --- a/docs/modules/ROOT/partials/guided-setup/exoscale.adoc +++ b/docs/modules/ROOT/partials/guided-setup/exoscale.adoc @@ -195,6 +195,8 @@ You might use the WebUI at https://control.vshn.net/syn/lieutenantapiendpoints t ==== Outputs * `commodore_tenant_id` +* `vault_address` +* `vault_login_method` * `csp_region` ==== Script 
@@ -218,6 +220,12 @@ region=$(curl -sH "Authorization: Bearer $(commodore fetch-token)" ${COMMODORE_A if test -z "$region" && test "$region" != "null" ; then { echo "❌ Failed to retrieve CSP region for cluster ID '$INPUT_commodore_cluster_id'."; exit 1; } ; else { echo "✅ Retrieved CSP region '$region' for cluster ID '$INPUT_commodore_cluster_id'."; } ; fi env -i "csp_region=$region" >> "$OUTPUT" +echo "Retrieving Vault address and login method..." +vault_addr=$(curl -s "${COMMODORE_API_URL}" | jq -r '.vault.addr') +env -i "vault_address=${vault_addr}" >> "$OUTPUT" +vault_login_method=$(curl -s "${COMMODORE_API_URL}" | jq -r '.vault.loginMethod') +env -i "vault_login_method=${vault_login_method}" >> "$OUTPUT" + # echo "# Outputs" # cat "$OUTPUT" @@ -876,9 +884,8 @@ This step stores the collected secrets and tokens in the ProjectSyn Vault. * `vault_address`: Address of the Vault server associated with the Lieutenant API to store cluster secrets. -https://vault-prod.syn.vshn.net/ for production clusters. - +* `vault_login_method` * `commodore_cluster_id` * `commodore_tenant_id` * `s3_key` @@ -900,6 +907,7 @@ https://vault-prod.syn.vshn.net/ for production clusters. OUTPUT=$(mktemp) # export INPUT_vault_address= +# export INPUT_vault_login_method= # export INPUT_commodore_cluster_id= # export INPUT_commodore_tenant_id= # export INPUT_s3_key= @@ -912,7 +920,7 @@ OUTPUT=$(mktemp) set -euo pipefail export VAULT_ADDR=${INPUT_vault_address} -vault login -method=oidc +vault login -method=${INPUT_vault_login_method} # Set the Exoscale object storage API key vault kv put clusters/kv/${INPUT_commodore_tenant_id}/${INPUT_commodore_cluster_id}/exoscale/storage_iam \ @@ -1085,6 +1093,7 @@ the necessary installation files using Commodore. * `base_domain` * `cluster_domain` * `vault_address` +* `vault_login_method` * `redhat_pull_secret` * `ccm_key` * `ccm_secret` 
@@ -1108,6 +1117,7 @@ OUTPUT=$(mktemp) # export INPUT_base_domain= # export INPUT_cluster_domain= # export INPUT_vault_address= +# export INPUT_vault_login_method= # export INPUT_redhat_pull_secret= # export INPUT_ccm_key= # export INPUT_ccm_secret= @@ -1122,7 +1132,7 @@ openshift-install() { } export VAULT_ADDR="${INPUT_vault_address}" -vault login -method=oidc +vault login -method="${INPUT_vault_login_method}" ssh_private_key="$(pwd)/ssh_${INPUT_commodore_cluster_id}" ssh_public_key="${ssh_private_key}.pub" @@ -1852,6 +1862,7 @@ and ingress loadbalancer. * `commodore_api_url` * `vault_address` +* `vault_login_method` * `kubeconfig_path` ==== Script @@ -1862,6 +1873,7 @@ OUTPUT=$(mktemp) # export INPUT_commodore_api_url= # export INPUT_vault_address= +# export INPUT_vault_login_method= # export INPUT_kubeconfig_path= set -euo pipefail @@ -1870,7 +1882,7 @@ export COMMODORE_API_URL="${INPUT_commodore_api_url}" export KUBECONFIG="${INPUT_kubeconfig_path}" export VAULT_ADDR=${INPUT_vault_address} -vault login -method=oidc +vault login -method=${INPUT_vault_login_method} echo '# Applying cert-manager ... #' kubectl apply -f catalog/manifests/cert-manager/00_namespace.yaml