Registration & SSO

2.5.1 Overview

The goal of Cloud18 registration in replication-manager is to connect your open source instance to free additional community resources, additional commercial services like support — turning a standalone monitoring tool into a fully supported on-premise solution — and cloud infrastructures for deploying database applications as a service.

Definition — Cloud18: the commercial infrastructure and services that extend the open source replication-manager. It has two dimensions:

  1. Signal18 commercial infrastructure — a set of hosted services that enrich the open source replication-manager experience with additional features and support
  2. DBaaS marketplace — a marketplace delivered by Signal18 and partner infrastructures where complex database applications can be consumed as a service via replication-manager, deployed on Docker or Podman containers and in some cases on virtual machines

Registering your replication-manager instance with Cloud18 just links your instance under a free plan to a Signal18 identity found at gitlab.signal18.io, and brings:

  • Config backup and restore — all replication-manager configurations versioned in a private GitLab repository, recoverable on any new instance in one command
  • Community security alert plugins and score — security auditing, CIS Benchmark checks, and scoring plugins kept up to date automatically
  • Community workload alert plugins and tags — workload anomaly detection, performance monitoring, and configuration tag plugins
  • Community resource documentation and blogs — access to community knowledge base, documentation, and blog content
  • Cluster role sharing — grant scoped access to any cluster to other registered SSO users without sharing credentials
  • Direct chat — real-time messaging with the Signal18 team and partners via the replication-manager GUI or Mattermost clients
  • Arbitration for monitoring HA — external arbitrator service for automatic split-brain resolution between active/standby replication-manager pairs
  • Enterprise advisory plugin updates — automatic daily refreshes of security CVE, replication bug, workload regression, and compliance advisory databases without waiting for a new release
  • Alert forwarding — cluster ALERT/ALERTOK notifications forwarded to the Signal18 operations team
  • Bug fixes and feature requests — direct engineering support for issues and feature development
  • Developer sponsorship — fund development of specific features or integrations
  • Professional service remote engagement — remote DBA consulting, troubleshooting sessions, and on-site services
  • Marketplace namespace — consume clusters provided by other participants or publish your own
  • Marketplace credit — free credit to get started on the cloud
  • Marketplace provider — expose your replication-manager infrastructure for sale

See Subscription Plans for the full plan comparison.


2.5.2 Concepts — Domain, Subdomain, Zone

Every registered instance is identified by three slugs that together form a unique identifier to your replication-manager running instance:

Field Role Example
domain Organisation or company namespace — maps to a GitLab group mycompany
subdomain Datacenter or environment label ovh
zone Cluster zone identifier fr-1

The three fields are combined as domain.subdomain.zone (the URI) when calling the API.

Inside GitLab the following objects are created:

Object Path
GitLab group gitlab.signal18.io/mycompany/
Main config repository gitlab.signal18.io/mycompany/mycompany-ovh-fr-1.git
Peer distribution repository gitlab.signal18.io/mycompany/mycompany-ovh-fr-1-pull.git

subdomain.zone must be unique within the same domain. domain.subdomain.zone is globally unique across all registered instances.


2.5.3 Registering via the API

Registration is a two-step process. The admin user calls both endpoints in sequence.

Step 1 — Create the GitLab account

# Obtain an admin token first
TOKEN=$(curl -s -X POST https://repman-host:10005/api/login \
  -H "Content-Type: application/json" \
  -d '{"username":"admin","password":"repman"}' | jq -r .token)

# Step 1: create the GitLab account — GitLab sends a confirmation email
curl -X POST https://repman-host:10005/api/register \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "email":    "[email protected]",
    "password": "gitlab_password",
    "uri":      "mycompany.ovh.fr-1"
  }'

This creates a GitLab account at gitlab.signal18.io and triggers GitLab's own email confirmation. No external mailer is needed — GitLab handles all email delivery through its built-in SMTP.

Step 1 request fields:

Field Required Description
email Yes Email address — used as the GitLab username
password Yes Password for the new GitLab account (min 8 chars)
uri Yes domain.subdomain.zone — all lowercase, alphanumeric and hyphens

Step 1 responses:

HTTP Meaning
202 Accepted GitLab account created — confirmation email sent by GitLab
400 Bad Request Invalid input (missing field, bad URI format, weak password)
401 Unauthorized No valid JWT provided
403 Forbidden Authenticated user is not admin
409 Conflict Email already confirmed or zone already registered
502 Bad Gateway CRM API unreachable

Step 2 — Confirm email and complete registration

Click the confirmation link in the GitLab email, then call:

# Step 2: confirm email and create group + projects
curl -X POST https://repman-host:10005/api/register/confirm \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "email":    "[email protected]",
    "password": "gitlab_password",
    "uri":      "mycompany.ovh.fr-1"
  }'

The CRM verifies that the GitLab account is confirmed (confirmed_at is set), then creates the domain group and both Git projects. On success, replication-manager automatically runs the connect flow — no restart required.

Step 2 responses:

HTTP Meaning
201 Created Registration complete — Cloud18 connect flow ran successfully
201 Created + connect_error field Projects created but connect failed — see 2.5.4
400 Bad Request Email not yet confirmed — click the GitLab confirmation link first
401 Unauthorized No valid JWT provided
403 Forbidden Authenticated user is not admin
404 Not Found GitLab account not found — complete step 1 first
409 Conflict Zone already registered
502 Bad Gateway CRM API unreachable

2.5.4 What Happens on Success

When the CRM API returns 201 on the confirm step, replication-manager automatically runs the connect flow without requiring a restart:

  1. Sets cloud18-domain, cloud18-sub-domain, cloud18-sub-domain-zone from the URI
  2. Stores the GitLab credentials (cloud18-gitlab-user, cloud18-gitlab-password)
  3. Authenticates to gitlab.signal18.io with basic auth and obtains an OAuth token
  4. Creates a personal access token named domain-subdomain-zone in GitLab
  5. Idempotently creates the main and pull Git projects under the domain group
  6. Sets git-url and git-url-pull in the running configuration
  7. Clones the config repository into the working directory (if monitoring-restore-config-on-start is set)

After this, replication-manager continuously pushes configuration changes to GitLab on every tick — no restart required.

If step 3–7 fail (e.g. GitLab is temporarily unreachable), the response still returns 201 but includes a connect_error field. In that case trigger connect manually by setting cloud18=true in global settings once GitLab is reachable.


2.5.5 Registering via the CLI

The replication-manager-cli register command drives the same two-step flow from the terminal. It prompts for the GitLab password interactively (hidden input) so the password never appears in shell history.

Default mode — register and wait

replication-manager-cli register \
  --host  repman-host \
  --port  10005 \
  --user  admin \
  --email [email protected] \
  --uri   mycompany.ovh.fr-1
GitLab password for [email protected]: ••••••••
GitLab account requested for [email protected].
A confirmation email will be sent by GitLab. Please click the link to confirm.
Waiting for confirmation (up to 5 minutes) …
Registration complete. Cloud18 is now active for mycompany.ovh.fr-1.

The CLI polls GET /api/register/status every 10 seconds for up to 5 minutes while you click the GitLab confirmation link. Once confirmed it exits with a success message.

Manual confirm mode

If the background poller already ran (or you want explicit control), pass --confirm after clicking the link:

replication-manager-cli register \
  --host  repman-host \
  --port  10005 \
  --user  admin \
  --email [email protected] \
  --uri   mycompany.ovh.fr-1 \
  --confirm

This calls POST /api/register/confirm once and exits immediately with the result.

Flags

Flag Required Description
--email Yes Email address for the GitLab account
--uri Yes Registration URI in domain.subdomain.zone format
--confirm No Skip polling — call confirm endpoint directly (use after clicking the email link)
--host Yes replication-manager server hostname or IP
--port No API port (default 10005)
--user No API user (default admin)

2.5.6 Subscription Plans

Every registered instance starts on the Free plan. Plans are per URI — a user with several repman instances can put each on a different tier.

Plan Value Description
Free free Default — community plugins (security, workload advisor), config backup & restore, cluster role sharing, marketplace access, direct chat
Support support All Free features plus arbitration for monitoring HA, automatic enterprise advisory updates, alert forwarding, bug fixes, developer sponsorship, feature requests
Support + Services support-services All Support features plus 12 days per year of DBA professional services and remote engagement
Partner partner All Support features plus marketplace provider — publish clusters for sale

What each plan unlocks

Feature Free Support Support + Services Partner
Community security alert plugins and score x x x x
Community workload alert plugins and tags x x x x
Community resource documentation and blogs x x x x
Configuration backup and restore via GitLab x x x x
Cluster role sharing with external SSO users x x x x
Marketplace namespace (consumer) x x x x
Marketplace free credit x x x x
Direct chat with Signal18 team and partners x x x x
Enterprise advisory plugins (embedded defaults) x x x x
Automatic enterprise advisory plugin updates (daily) x x x
Arbitration for monitoring HA (split-brain resolution) x x x
Alert forwarding to Signal18 operations team x x x
Bug fixes and feature requests x x x
Developer sponsorship x x x
12 days/year DBA professional services x x
Professional service remote engagement x x
Marketplace provider (publish clusters for sale) x
Per-database and per-application unit pricing x
Infrastructure description via Google Spreadsheet x
CRM invoicing for marketplace customers x
Partner-level collaboration and SLA coordination x

Plans can be changed at any time from Global Settings → Register → Marketplace in the GUI, or via the API:

TOKEN=$(curl -s -X POST https://repman-host:10005/api/login \
  -H "Content-Type: application/json" \
  -d '{"username":"admin","password":"repman"}' | jq -r .token)

# Get the current plan for your instance
curl -s "https://repman-host:10005/api/register/subscription?uri=mycompany.ovh.fr-1" \
  -H "Authorization: Bearer $TOKEN"

# Change to the Support plan
curl -s -X POST https://repman-host:10005/api/register/subscription \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"uri":"mycompany.ovh.fr-1","plan":"support"}'

2.5.7 Registering via the GUI

Open Global Settings → Register in the replication-manager dashboard. Click Register to open the two-step wizard:

  1. Step 1 — fill in email, GitLab password, domain, subdomain, and zone, then click Send Confirmation Email. GitLab sends a confirmation link to the provided address.
  2. Step 2 — click the link in the GitLab email to confirm your account, then return to the dashboard and click Complete Registration. The server verifies the confirmation and creates the group and projects automatically.

The Register button is disabled while Cloud18 is already connected. Disconnect first to re-register.


2.5.8 Starting Fresh from GitLab (Restore)

To bootstrap a new replication-manager host from an existing GitLab config repository:

# config.toml
cloud18                          = true
cloud18-domain                   = "mycompany"
cloud18-sub-domain               = "ovh"
cloud18-sub-domain-zone          = "fr-1"
cloud18-gitlab-user              = "[email protected]"
cloud18-gitlab-password          = "gitlab_password"
monitoring-restore-config-on-start = true

Or as command-line flags:

replication-manager monitor \
  --cloud18 \
  --monitoring-restore-config-on-start \
  --cloud18-domain          mycompany \
  --cloud18-sub-domain      ovh \
  --cloud18-sub-domain-zone fr-1 \
  --cloud18-gitlab-user     [email protected] \
  --cloud18-gitlab-password gitlab_password

When monitoring-restore-config-on-start is set, replication-manager:

  1. Authenticates to gitlab.signal18.io and obtains a personal access token
  2. Clones gitlab.signal18.io/mycompany/mycompany-ovh-fr-1.git into the working directory — replacing any existing local config
  3. Clones the pull mirror mycompany-ovh-fr-1-pull.git into <working-dir>/.pull
  4. Clears the flag so the restore does not repeat on the next restart
  5. Reads cloud18.toml and reconstructs all cluster definitions

2.5.9 Configuration Reference

Parameter Default Scope Description
cloud18 false server Enable GitLab config sync and SSO integration
cloud18-domain "" server Organisation namespace (maps to GitLab group)
cloud18-sub-domain "" server Datacenter or environment label
cloud18-sub-domain-zone "" server Geo-zone identifier
cloud18-gitlab-user "" server GitLab username or email used to authenticate
cloud18-gitlab-password "" server GitLab password (stored AES-encrypted)
cloud18-crm-api-url https://api.crm.ovh-fr-2.signal18.cloud18.io server CRM API base URL called by POST /api/register
monitoring-restore-config-on-start false server Clone config from GitLab on startup and wipe local working directory

2.5.10 GitLab Object Mapping

replication-manager concept GitLab object
Organisation (domain) GitLab group gitlab.signal18.io/<domain>/
Instance slot (subdomain-zone) GitLab project <domain>-<subdomain>-<zone> under the group
Peer distribution GitLab project <domain>-<subdomain>-<zone>-pull under the group
Config history Commits in the main project repository
Team access GitLab group and project membership with role assignments

2.5.11 Secret Storage

All secrets (passwords, encryption keys) are AES-encrypted at the replication-manager host before being written to GitLab. The encryption key is generated locally and never leaves the host.

replication-manager host
    └─ AES encryption key  (local only — never synced)
           │
           ▼
     encrypted value  →  GitLab repository  (ciphertext only)

See Security — Configuration Guide for key generation and rotation.