IK.AM

@making's tech note


Notes on installing Tanzu Application Platform 1.2 (Iterate Profile) on Kind and enabling HTTPS

🗃 {Dev/CaaS/Kubernetes/TAP}
🏷 Kubernetes 🏷 Cartographer 🏷 kind 🏷 Tanzu 🏷 TAP 🏷 Knative 
🗓 Updated at 2022-07-20T14:22:52+09:00  🗓 Created at 2022-07-13T10:47:24+09:00

This note installs Tanzu Application Platform 1.2 on Kind.

I am testing on an Intel Mac. I don't think it works on Apple Silicon yet.

In this article I install TAP and try the feature that deploys a "Hello World" application from source code ("Source to URL"). HTTPS is enabled as well.


Creating the Kind cluster

cat <<EOF > kind-expose-port.yaml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
 - role: control-plane
   extraPortMappings:
   - containerPort: 31443 # expose port 31443 of the node to port 443 on the host for use later by Contour ingress (envoy)
     hostPort: 443
   - containerPort: 31080 # expose port 31080 of the node to port 80 on the host for use later by Contour ingress (envoy)
     hostPort: 80
EOF
kind create cluster --config kind-expose-port.yaml --image kindest/node:v1.23.6

Installing the Pivnet CLI

The pivnet CLI is used here to download the required software. It can be installed with brew.

brew install pivotal/tap/pivnet-cli

Get an API token from VMware Tanzu Network and log in with the pivnet CLI.

pivnet login --api-token=<API Token>

Accepting the EULAs

If this is your first installation, accept the EULAs for the following components.

⚠️ The usage period stipulated in the EULA is 30 days. That said, no restriction is enforced at the software level.

Installing the Tanzu CLI

# For Mac
pivnet download-product-files --product-slug='tanzu-application-platform' --release-version='1.2.0' --glob='tanzu-framework-darwin-amd64.tar'
# For Linux
pivnet download-product-files --product-slug='tanzu-application-platform' --release-version='1.2.0' --glob='tanzu-framework-linux-amd64.tar'
# For Windows
pivnet download-product-files --product-slug='tanzu-application-platform' --release-version='1.2.0' --glob='tanzu-framework-windows-amd64.zip'
tar xvf tanzu-framework-*-amd64.tar
install cli/core/v0.11.6/tanzu-core-*_amd64 /usr/local/bin/tanzu
export TANZU_CLI_NO_INIT=true
$ tanzu version
version: v0.11.6
buildDate: 2022-05-20
sha: 90440e2b

Installing the plugins

tanzu plugin install --local cli all

Installing Cluster Essentials for VMware Tanzu

Install Cluster Essentials for VMware Tanzu to deploy the Kapp Controller and Secretgen Controller that the TAP installation requires.

# Mac
pivnet download-product-files --product-slug='tanzu-cluster-essentials' --release-version='1.2.0' --glob='tanzu-cluster-essentials-darwin-amd64-*'
# Linux
pivnet download-product-files --product-slug='tanzu-cluster-essentials' --release-version='1.2.0' --glob='tanzu-cluster-essentials-linux-amd64-*'
TANZUNET_USERNAME=...
TANZUNET_PASSWORD=...

mkdir tanzu-cluster-essentials
tar xzvf tanzu-cluster-essentials-*-amd64-*.tgz -C tanzu-cluster-essentials

export INSTALL_BUNDLE=registry.tanzu.vmware.com/tanzu-cluster-essentials/cluster-essentials-bundle:1.2.0
export INSTALL_REGISTRY_HOSTNAME=registry.tanzu.vmware.com
export INSTALL_REGISTRY_USERNAME=${TANZUNET_USERNAME}
export INSTALL_REGISTRY_PASSWORD=${TANZUNET_PASSWORD}
cd tanzu-cluster-essentials
./install.sh --yes
cd ..
$ kubectl get pod -A
NAMESPACE              NAME                                         READY   STATUS    RESTARTS   AGE
kapp-controller        kapp-controller-bdd48d459-lcp7c              2/2     Running   0          5m58s
kube-system            coredns-64897985d-gldgr                      1/1     Running   0          21m
kube-system            coredns-64897985d-vkpg9                      1/1     Running   0          21m
kube-system            etcd-kind-control-plane                      1/1     Running   0          21m
kube-system            kindnet-c44cp                                1/1     Running   0          21m
kube-system            kube-apiserver-kind-control-plane            1/1     Running   0          21m
kube-system            kube-controller-manager-kind-control-plane   1/1     Running   0          21m
kube-system            kube-proxy-mp97k                             1/1     Running   0          21m
kube-system            kube-scheduler-kind-control-plane            1/1     Running   0          21m
local-path-storage     local-path-provisioner-66b445c94-45hs9       1/1     Running   0          21m
secretgen-controller   secretgen-controller-65b6454479-p6fsl        1/1     Running   0          80s

Installing Tanzu Application Platform

Registering the Package Repository for TAP

TANZUNET_USERNAME=...
TANZUNET_PASSWORD=...

kubectl create ns tap-install

tanzu secret registry add tap-registry \
  --username "${TANZUNET_USERNAME}" \
  --password "${TANZUNET_PASSWORD}" \
  --server registry.tanzu.vmware.com \
  --export-to-all-namespaces \
  --yes \
  --namespace tap-install

tanzu package repository add tanzu-tap-repository \
  --url registry.tanzu.vmware.com/tanzu-application-platform/tap-packages:1.2.0 \
  --namespace tap-install
$ tanzu package available list --namespace tap-install
- Retrieving available packages... 
  NAME                                                 DISPLAY-NAME                                                              SHORT-DESCRIPTION                                                                                                                                              LATEST-VERSION  
  accelerator.apps.tanzu.vmware.com                    Application Accelerator for VMware Tanzu                                  Used to create new projects and configurations.                                                                                                                1.2.1           
  api-portal.tanzu.vmware.com                          API portal                                                                A unified user interface to enable search, discovery and try-out of API endpoints at ease.                                                                     1.0.21          
  backend.appliveview.tanzu.vmware.com                 Application Live View for VMware Tanzu                                    App for monitoring and troubleshooting running apps                                                                                                            1.2.0           
  build.appliveview.tanzu.vmware.com                   Application Live View Conventions for VMware Tanzu                        Application Live View convention server                                                                                                                        1.0.2           
  buildservice.tanzu.vmware.com                        Tanzu Build Service                                                       Tanzu Build Service enables the building and automation of containerized software workflows securely and at scale.                                             1.6.0           
  cartographer.tanzu.vmware.com                        Cartographer                                                              Kubernetes native Supply Chain Choreographer.                                                                                                                  0.4.2           
  cnrs.tanzu.vmware.com                                Cloud Native Runtimes                                                     Cloud Native Runtimes is a serverless runtime based on Knative                                                                                                 1.3.0           
  connector.appliveview.tanzu.vmware.com               Application Live View Connector for VMware Tanzu                          App for discovering and registering running apps                                                                                                               1.2.0           
  controller.conventions.apps.tanzu.vmware.com         Convention Service for VMware Tanzu                                       Convention Service enables app operators to consistently apply desired runtime configurations to fleets of workloads.                                          0.7.0           
  controller.source.apps.tanzu.vmware.com              Tanzu Source Controller                                                   Tanzu Source Controller enables workload create/update from source code.                                                                                       0.4.1           
  conventions.appliveview.tanzu.vmware.com             Application Live View Conventions for VMware Tanzu                        Application Live View convention server                                                                                                                        1.2.0           
  developer-conventions.tanzu.vmware.com               Tanzu App Platform Developer Conventions                                  Developer Conventions                                                                                                                                          0.7.0           
  fluxcd.source.controller.tanzu.vmware.com            Flux Source Controller                                                    The source-controller is a Kubernetes operator, specialised in artifacts acquisition from external sources such as Git, Helm repositories and S3 buckets.      0.16.4          
  grype.scanning.apps.tanzu.vmware.com                 Grype for Supply Chain Security Tools - Scan                              Default scan templates using Anchore Grype                                                                                                                     1.2.2           
  image-policy-webhook.signing.apps.tanzu.vmware.com   Image Policy Webhook                                                      Image Policy Webhook enables defining of a policy to restrict unsigned container images.                                                                       1.1.3           
  learningcenter.tanzu.vmware.com                      Learning Center for Tanzu Application Platform                            Guided technical workshops                                                                                                                                     0.2.1           
  metadata-store.apps.tanzu.vmware.com                 Supply Chain Security Tools - Store                                       Post SBoMs and query for image, package, and vulnerability metadata.                                                                                           1.2.2           
  ootb-delivery-basic.tanzu.vmware.com                 Tanzu App Platform Out of The Box Delivery Basic                          Out of The Box Delivery Basic.                                                                                                                                 0.8.0-build.4   
  ootb-supply-chain-basic.tanzu.vmware.com             Tanzu App Platform Out of The Box Supply Chain Basic                      Out of The Box Supply Chain Basic.                                                                                                                             0.8.0-build.4   
  ootb-supply-chain-testing-scanning.tanzu.vmware.com  Tanzu App Platform Out of The Box Supply Chain with Testing and Scanning  Out of The Box Supply Chain with Testing and Scanning.                                                                                                         0.8.0-build.4   
  ootb-supply-chain-testing.tanzu.vmware.com           Tanzu App Platform Out of The Box Supply Chain with Testing               Out of The Box Supply Chain with Testing.                                                                                                                      0.8.0-build.4   
  ootb-templates.tanzu.vmware.com                      Tanzu App Platform Out of The Box Templates                               Out of The Box Templates.                                                                                                                                      0.8.0-build.4   
  policy.apps.tanzu.vmware.com                         Supply Chain Security Tools - Policy Controller                           Policy Controller enables defining of a policy to restrict unsigned container images.                                                                          1.0.1           
  scanning.apps.tanzu.vmware.com                       Supply Chain Security Tools - Scan                                        Scan for vulnerabilities and enforce policies directly within Kubernetes native Supply Chains.                                                                 1.2.2           
  service-bindings.labs.vmware.com                     Service Bindings for Kubernetes                                           Service Bindings for Kubernetes implements the Service Binding Specification.                                                                                  0.7.2           
  services-toolkit.tanzu.vmware.com                    Services Toolkit                                                          The Services Toolkit enables the management, lifecycle, discoverability and connectivity of Service Resources (databases, message queues, DNS records, etc.).  0.7.1           
  snyk.scanning.apps.tanzu.vmware.com                  Snyk for Supply Chain Security Tools - Scan                               Default scan templates using Snyk                                                                                                                              1.0.0-beta.2    
  spring-boot-conventions.tanzu.vmware.com             Tanzu Spring Boot Conventions Server                                      Default Spring Boot convention server.                                                                                                                         0.4.1           
  sso.apps.tanzu.vmware.com                            AppSSO                                                                    Application Single Sign-On for Tanzu                                                                                                                           1.0.0           
  tap-auth.tanzu.vmware.com                            Default roles for Tanzu Application Platform                              Default roles for Tanzu Application Platform                                                                                                                   1.0.1           
  tap-gui.tanzu.vmware.com                             Tanzu Application Platform GUI                                            web app graphical user interface for Tanzu Application Platform                                                                                                1.2.3           
  tap-telemetry.tanzu.vmware.com                       Telemetry Collector for Tanzu Application Platform                        Tanzu Application Plaform Telemetry                                                                                                                            0.2.0           
  tap.tanzu.vmware.com                                 Tanzu Application Platform                                                Package to install a set of TAP components to get you started based on your use case.                                                                          1.2.0           
  tekton.tanzu.vmware.com                              Tekton Pipelines                                                          Tekton Pipelines is a framework for creating CI/CD systems.                                                                                                    0.33.5          
  workshops.learningcenter.tanzu.vmware.com            Workshop Building Tutorial                                                Workshop Building Tutorial                                                                                                                                     0.2.1 

Installing the Iterate Profile

GITHUB_USERNAME=...
GITHUB_API_TOKEN=...

cat <<EOF > tap-values.yml
profile: iterate

ceip_policy_disclosed: true

cnrs:
  domain_name: vcap.me
  domain_template: "{{.Name}}-{{.Namespace}}.{{.Domain}}"
  default_tls_secret: tanzu-system-ingress/cnrs-default-tls
  provider: local

buildservice:
  kp_default_repository: ghcr.io/${GITHUB_USERNAME}/build-service
  kp_default_repository_username: ${GITHUB_USERNAME}
  kp_default_repository_password: ${GITHUB_API_TOKEN}

supply_chain: basic

ootb_supply_chain_basic:
  registry:
    server: ghcr.io
    repository: ${GITHUB_USERNAME}
  gitops:
    ssh_secret: git-ssh

contour:
  envoy:
    service:
      nodePorts:
        http: 31080
        https: 31443

package_overlays:
- name: cnrs
  secrets:
  - name: cnrs-default-tls
EOF

*.vcap.me resolves to 127.0.0.1.

Create the following definitions as an overlay to provision the default TLS certificate used by Cloud Native Runtimes (Knative). I referred to the following documentation.

cat <<EOF > cnrs-default-tls.yml
#@ load("@ytt:data", "data")
#@ load("@ytt:overlay", "overlay")
#@ namespace = data.values.ingress.external.namespace
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: cnrs-selfsigned-issuer
  namespace: #@ namespace
spec:
  selfSigned: { }
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cnrs-ca
  namespace: #@ namespace
spec:
  commonName: cnrs-ca
  isCA: true
  issuerRef:
    kind: Issuer
    name: cnrs-selfsigned-issuer
  secretName: cnrs-ca
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: cnrs-ca-issuer
  namespace: #@ namespace
spec:
  ca:
    secretName: cnrs-ca
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cnrs-default-tls
  namespace: #@ namespace
spec:
  dnsNames:
  - #@ "*.{}".format(data.values.domain_name)
  issuerRef:
    kind: Issuer
    name: cnrs-ca-issuer
  secretName: cnrs-default-tls
---
apiVersion: projectcontour.io/v1
kind: TLSCertificateDelegation
metadata:
  name: contour-delegation
  namespace: #@ namespace
spec:
  delegations:
  - secretName: cnrs-default-tls
    targetNamespaces:
    - "*"
#@overlay/match by=overlay.subset({"metadata":{"name":"config-network"}, "kind": "ConfigMap"})
---
data:
  #@overlay/match missing_ok=True
  default-external-scheme: https
EOF

Create the overlay file as a Secret.

kubectl -n tap-install create secret generic cnrs-default-tls \
  -o yaml \
  --dry-run=client \
  --from-file=cnrs-default-tls.yml \
  | kubectl apply -f-
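A note on why the domain_template in tap-values.yml is paired with a certificate whose only SAN is the wildcard *.vcap.me: a wildcard in a TLS certificate covers exactly one DNS label, so Knative's default template {{.Name}}.{{.Namespace}}.{{.Domain}} would produce hello.demo.vcap.me, which *.vcap.me does not cover, whereas the template used above produces hello-demo.vcap.me, which it does. The shell check below is an added example for this note, not code from the original post or from TAP. The helper names, the sample workload name hello and the namespace demo are my own; verify_live assumes the ingress namespace is tanzu-system-ingress (as implied by default_tls_secret above) and needs kubectl and curl against a running cluster.

```shell
#!/bin/sh
# Added example for this note, not code from the original post or from TAP.
# A TLS wildcard SAN such as "*.vcap.me" covers exactly one DNS label, so the
# hostname Knative derives from domain_template must keep workload name and
# namespace in a single label. The sample name "hello", namespace "demo" and
# the helper names below are my own.

# Expand a Knative domain template for a workload name, namespace and domain.
# Usage: render_host NAME NAMESPACE DOMAIN TEMPLATE
render_host() {
  printf '%s\n' "$4" | sed \
    -e "s/{{\.Name}}/$1/g" \
    -e "s/{{\.Namespace}}/$2/g" \
    -e "s/{{\.Domain}}/$3/g"
}

# Return 0 when HOSTNAME is covered by the single-label wildcard SAN PATTERN
# (RFC 6125 section 6.4.3: "*" matches one label and never spans a dot).
# Usage: wildcard_matches PATTERN HOSTNAME
wildcard_matches() {
  suffix="${1#\*.}"
  case "$2" in
    *."$suffix")
      label="${2%."$suffix"}"
      case "$label" in
        ""|*.*) return 1 ;;   # empty label, or "*" would have to span a dot
        *)      return 0 ;;
      esac ;;
    *) return 1 ;;
  esac
}

# Does a workload end up with a hostname the wildcard certificate covers?
# Usage: covered NAME NAMESPACE DOMAIN TEMPLATE SAN
covered() {
  wildcard_matches "$5" "$(render_host "$1" "$2" "$3" "$4")"
}

# Live check against the cluster (needs kubectl and curl; not run offline).
# Trust the CA created by the overlay explicitly instead of passing -k to curl,
# so a certificate that is not the delegated one still fails the check.
# Assumes the ingress namespace is tanzu-system-ingress, as in default_tls_secret.
verify_live() {
  kubectl -n tanzu-system-ingress get secret cnrs-ca -o jsonpath='{.data.tls\.crt}' \
    | base64 -d > cnrs-ca.crt
  curl --silent --show-error --fail --cacert cnrs-ca.crt "https://$1/" > /dev/null \
    && echo "https://$1/ served a certificate chained to cnrs-ca"
}

TAP_TEMPLATE='{{.Name}}-{{.Namespace}}.{{.Domain}}'      # template used in tap-values.yml
KNATIVE_DEFAULT_TEMPLATE='{{.Name}}.{{.Namespace}}.{{.Domain}}'

for tpl in "$TAP_TEMPLATE" "$KNATIVE_DEFAULT_TEMPLATE"; do
  host="$(render_host hello demo vcap.me "$tpl")"
  if wildcard_matches '*.vcap.me' "$host"; then
    echo "$host: covered by *.vcap.me"
  else
    echo "$host: NOT covered by *.vcap.me (clients would reject the certificate)"
  fi
done
```

Once a workload is up, `verify_live hello-demo.vcap.me` fetches the CA from the cnrs-ca secret and lets curl validate the served chain against it, which is a stricter check than the usual `curl -k`.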

Install TAP.

tanzu package install tap -p tap.tanzu.vmware.com -v 1.2.0 --values-file tap-values.yml -n tap-install --poll-timeout 45m

Check the installation progress with the following command.

watch kubectl get app,pod -A

Wait until every app shows Reconcile succeeded. This takes about 15 to 20 minutes.

$ kubectl get app -n tap-install 
NAME                       DESCRIPTION           SINCE-DEPLOY   AGE
appliveview                Reconcile succeeded   7m49s          7m56s
appliveview-connector      Reconcile succeeded   5m38s          16m
appliveview-conventions    Reconcile succeeded   10m            10m
appsso                     Reconcile succeeded   57s            11m
buildservice               Reconcile succeeded   17s            16m
cartographer               Reconcile succeeded   13s            11m
cert-manager               Reconcile succeeded   109s           16m
cnrs                       Reconcile succeeded   7m47s          7m57s
contour                    Reconcile succeeded   11m            11m
conventions-controller     Reconcile succeeded   11s            11m
developer-conventions      Reconcile succeeded   10m            10m
fluxcd-source-controller   Reconcile succeeded   16m            16m
image-policy-webhook       Reconcile succeeded   11m            11m
ootb-delivery-basic        Reconcile succeeded   10m            10m
ootb-supply-chain-basic    Reconcile succeeded   10m            10m
ootb-templates             Reconcile succeeded   1s             10m
policy-controller          Reconcile succeeded   11m            11m
service-bindings           Reconcile succeeded   5m22s          16m
services-toolkit           Reconcile succeeded   16m            16m
source-controller          Reconcile succeeded   76s            11m
spring-boot-conventions    Reconcile succeeded   10m            10m
tap                        Reconcile succeeded   88s            16m
tap-auth                   Reconcile succeeded   6m18s          16m
tap-telemetry              Reconcile succeeded   5m59s          16m
tekton-pipelines           Reconcile succeeded   4m53s          16m
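Instead of watching the list by eye, the gate below reads the output of `kubectl get app -n tap-install` and succeeds only when every App reports Reconcile succeeded, printing the ones that are still Reconciling or have failed. It is an added example for this note, not code from the original post or from TAP; the helper names are my own, and SAMPLE_OUTPUT is constructed from the listing above with two rows edited to show non-ready states.

```shell
#!/bin/sh
# Added example for this note, not code from the original post or from TAP.
# Reads `kubectl get app` output and treats any DESCRIPTION other than
# "Reconcile succeeded" (Reconciling, Reconcile failed: ...) as pending.
# Helper names are my own; SAMPLE_OUTPUT is constructed from the post's
# listing with two rows edited to show non-ready states.

# Print the NAME of every App on stdin whose DESCRIPTION is not "Reconcile succeeded".
not_ready_apps() {
  awk 'NR > 1 && ($2 " " $3) != "Reconcile succeeded" { print $1 }'
}

# Return 0 only when the stdin listing has at least one App and none is pending
# (an empty listing, e.g. from a failed kubectl call, must not count as success).
all_reconciled() {
  listing="$(cat)"
  rows="$(printf '%s\n' "$listing" | awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }')"
  [ "$rows" -gt 0 ] || return 1
  [ -z "$(printf '%s\n' "$listing" | not_ready_apps)" ]
}

# Poll the live cluster until every App is reconciled or the timeout passes
# (needs kubectl; not run offline).
# Usage: wait_for_apps [NAMESPACE] [TIMEOUT_SECONDS]
wait_for_apps() {
  ns="${1:-tap-install}"; timeout="${2:-1800}"; waited=0
  while :; do
    listing="$(kubectl get app -n "$ns" 2>/dev/null)"
    if printf '%s\n' "$listing" | all_reconciled; then
      echo "all apps in $ns reconciled"; return 0
    fi
    if [ "$waited" -ge "$timeout" ]; then
      echo "timed out after ${timeout}s; still pending:"
      printf '%s\n' "$listing" | not_ready_apps
      return 1
    fi
    sleep 30; waited=$((waited + 30))
  done
}

# Constructed sample: the post's listing with buildservice and cnrs edited.
SAMPLE_OUTPUT='NAME                       DESCRIPTION           SINCE-DEPLOY   AGE
appliveview                Reconcile succeeded   7m49s          7m56s
buildservice               Reconciling           17s            16m
cnrs                       Reconcile failed: Error (see .status.usefulErrorMessage for details)   8s   7m57s
tap                        Reconcile succeeded   88s            16m'

echo "pending apps in the constructed sample:"
printf '%s\n' "$SAMPLE_OUTPUT" | not_ready_apps
```

`wait_for_apps tap-install 2700` mirrors the 45 minute poll timeout given to `tanzu package install`; when it times out, the names it prints are the Apps whose `.status.usefulErrorMessage` to look at first.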

The installed packages are as follows.

$ kubectl get packageinstall -n tap-install 
NAME                       PACKAGE NAME                                         PACKAGE VERSION   DESCRIPTION           AGE
appliveview                backend.appliveview.tanzu.vmware.com                 1.2.0             Reconcile succeeded   8m14s
appliveview-connector      connector.appliveview.tanzu.vmware.com               1.2.0             Reconcile succeeded   16m
appliveview-conventions    conventions.appliveview.tanzu.vmware.com             1.2.0             Reconcile succeeded   10m
appsso                     sso.apps.tanzu.vmware.com                            1.0.0             Reconcile succeeded   12m
buildservice               buildservice.tanzu.vmware.com                        1.6.0             Reconcile succeeded   16m
cartographer               cartographer.tanzu.vmware.com                        0.4.2             Reconcile succeeded   12m
cert-manager               cert-manager.tanzu.vmware.com                        1.5.3+tap.2       Reconcile succeeded   16m
cnrs                       cnrs.tanzu.vmware.com                                1.3.0             Reconcile succeeded   8m14s
contour                    contour.tanzu.vmware.com                             1.18.2+tap.2      Reconcile succeeded   12m
conventions-controller     controller.conventions.apps.tanzu.vmware.com         0.7.0             Reconcile succeeded   12m
developer-conventions      developer-conventions.tanzu.vmware.com               0.7.0             Reconcile succeeded   10m
fluxcd-source-controller   fluxcd.source.controller.tanzu.vmware.com            0.16.4            Reconcile succeeded   16m
image-policy-webhook       image-policy-webhook.signing.apps.tanzu.vmware.com   1.1.3             Reconcile succeeded   12m
ootb-delivery-basic        ootb-delivery-basic.tanzu.vmware.com                 0.8.0-build.4     Reconcile succeeded   10m
ootb-supply-chain-basic    ootb-supply-chain-basic.tanzu.vmware.com             0.8.0-build.4     Reconcile succeeded   10m
ootb-templates             ootb-templates.tanzu.vmware.com                      0.8.0-build.4     Reconcile succeeded   10m
policy-controller          policy.apps.tanzu.vmware.com                         1.0.1             Reconcile succeeded   12m
service-bindings           service-bindings.labs.vmware.com                     0.7.2             Reconcile succeeded   16m
services-toolkit           services-toolkit.tanzu.vmware.com                    0.7.1             Reconcile succeeded   16m
source-controller          controller.source.apps.tanzu.vmware.com              0.4.1             Reconcile succeeded   12m
spring-boot-conventions    spring-boot-conventions.tanzu.vmware.com             0.4.1             Reconcile succeeded   10m
tap                        tap.tanzu.vmware.com                                 1.2.0             Reconcile succeeded   17m
tap-auth                   tap-auth.tanzu.vmware.com                            1.0.1             Reconcile succeeded   16m
tap-telemetry              tap-telemetry.tanzu.vmware.com                       0.2.0             Reconcile succeeded   16m
tekton-pipelines           tekton.tanzu.vmware.com                              0.33.5            Reconcile succeeded   16m

The deployed Pods are as follows.

$ kubectl get pod -A
NAMESPACE                   NAME                                                           READY   STATUS    RESTARTS        AGE
app-live-view-connector     application-live-view-connector-zk9l9                          1/1     Running   0               16m
app-live-view-conventions   appliveview-webhook-6864556779-6s4w6                           1/1     Running   0               10m
app-live-view               application-live-view-server-66dd4fb89c-8vt4l                  1/1     Running   0               8m21s
appsso                      operator-c94b4dd9c-9gxh6                                       1/1     Running   0               12m
build-service               build-pod-image-fetcher-tghls                                  5/5     Running   0               16m
build-service               dependency-updater-controller-5c4d9fb46b-cpmbt                 1/1     Running   0               16m
build-service               secret-syncer-controller-8b66cfb7f-6z2mh                       1/1     Running   0               16m
build-service               smart-warmer-image-fetcher-5ngmj                               2/2     Running   0               9m13s
build-service               warmer-controller-6c574744dc-wwxcl                             1/1     Running   0               16m
cartographer-system         cartographer-controller-69fbc785b5-dkr72                       1/1     Running   0               12m
cartographer-system         cartographer-conventions-controller-manager-5cb8666745-xwzzb   1/1     Running   0               12m
cert-injection-webhook      cert-injection-webhook-5f5d44ccb-xwmsx                         1/1     Running   0               16m
cert-manager                cert-manager-5dd5d847cc-rkrzj                                  1/1     Running   0               16m
cert-manager                cert-manager-cainjector-7c6dcb76c-2h8jz                        1/1     Running   0               16m
cert-manager                cert-manager-webhook-854fc7875b-fhx82                          1/1     Running   0               16m
conventions-system          conventions-controller-manager-78f78dcc99-2xlvv                1/1     Running   0               12m
cosign-system               policy-webhook-78c8c8c8f5-c4689                                1/1     Running   0               12m
cosign-system               webhook-6655b65b58-vxlng                                       1/1     Running   0               12m
developer-conventions       webhook-7785857b9-jfb7h                                        1/1     Running   0               10m
flux-system                 source-controller-6bfb9b855-qthlh                              1/1     Running   0               16m
image-policy-system         image-policy-controller-manager-6c4cdf8b-zskmg                 2/2     Running   0               12m
kapp-controller             kapp-controller-bdd48d459-lcp7c                                2/2     Running   0               7h34m
knative-eventing            eventing-controller-66b559bb98-2zrzz                           1/1     Running   0               8m5s
knative-eventing            eventing-webhook-5b94b5fd87-wcvhm                              1/1     Running   0               8m5s
knative-eventing            imc-controller-7788f45885-5t75h                                1/1     Running   0               8m4s
knative-eventing            imc-dispatcher-5f7585d8bc-6n6cz                                1/1     Running   0               8m4s
knative-eventing            mt-broker-controller-747888dd99-6pm4l                          1/1     Running   0               8m5s
knative-eventing            mt-broker-filter-77b9b9668b-ctdmn                              1/1     Running   0               8m4s
knative-eventing            mt-broker-ingress-8449fccd46-m66w6                             1/1     Running   0               8m3s
knative-eventing            rabbitmq-broker-controller-6d5d564bc9-gnfn9                    1/1     Running   0               8m3s
knative-eventing            rabbitmq-broker-webhook-68d67b96c-mnhz2                        1/1     Running   0               8m3s
knative-eventing            sugar-controller-754fc986f6-rk28n                              1/1     Running   0               8m2s
knative-serving             activator-75f797df99-frzhp                                     1/1     Running   0               8m2s
knative-serving             autoscaler-66796d4b-sq4gl                                      1/1     Running   0               8m2s
knative-serving             autoscaler-hpa-5b4b8b6c77-57ndx                                1/1     Running   0               8m
knative-serving             controller-69ffc8ff5-jbvzd                                     1/1     Running   0               8m1s
knative-serving             domain-mapping-777c99b4d7-2rr4l                                1/1     Running   0               8m2s
knative-serving             domainmapping-webhook-7c98699c6-v7xnp                          1/1     Running   0               8m2s
knative-serving             net-certmanager-controller-54b94b9ccc-f9r5p                    1/1     Running   0               8m
knative-serving             net-certmanager-webhook-74d4646c56-jwh8c                       1/1     Running   0               8m
knative-serving             net-contour-controller-5868857dc9-5fvhv                        1/1     Running   0               8m5s
knative-serving             webhook-8cc7b694-gx945                                         1/1     Running   0               8m1s
knative-sources             rabbitmq-controller-manager-7d4444b8b6-xfcsz                   1/1     Running   0               8m3s
knative-sources             rabbitmq-webhook-6cb87c8fd5-xvb5h                              1/1     Running   0               8m3s
kpack                       kpack-controller-7f5b5d567-z6l2z                               1/1     Running   0               16m
kpack                       kpack-webhook-b564f8dc7-tgz2f                                  1/1     Running   0               16m
kube-system                 coredns-64897985d-gldgr                                        1/1     Running   0               7h49m
kube-system                 coredns-64897985d-vkpg9                                        1/1     Running   0               7h49m
kube-system                 etcd-kind-control-plane                                        1/1     Running   0               7h50m
kube-system                 kindnet-c44cp                                                  1/1     Running   0               7h49m
kube-system                 kube-apiserver-kind-control-plane                              1/1     Running   0               7h50m
kube-system                 kube-controller-manager-kind-control-plane                     1/1     Running   1 (5h21m ago)   7h50m
kube-system                 kube-proxy-mp97k                                               1/1     Running   0               7h49m
kube-system                 kube-scheduler-kind-control-plane                              1/1     Running   1 (5h21m ago)   7h50m
local-path-storage          local-path-provisioner-66b445c94-45hs9                         1/1     Running   0               7h49m
secretgen-controller        secretgen-controller-65b6454479-p6fsl                          1/1     Running   0               7h29m
service-bindings            manager-5b49fcc58f-hxtpm                                       1/1     Running   0               16m
services-toolkit            resource-claims-apiserver-d4474586c-hl4mx                      1/1     Running   0               16m
services-toolkit            services-toolkit-controller-manager-77fd48c95d-4pmrv           1/1     Running   0               16m
source-system               source-controller-manager-f4c6b754b-rcw92                      1/1     Running   0               12m
spring-boot-convention      spring-boot-webhook-5d7c855499-t469f                           1/1     Running   0               10m
stacks-operator-system      controller-manager-58c4d5dd7c-bhmpq                            1/1     Running   0               16m
tanzu-system-ingress        contour-85644f6f69-dc2gg                                       1/1     Running   0               12m
tanzu-system-ingress        contour-85644f6f69-hmcls                                       1/1     Running   0               12m
tanzu-system-ingress        envoy-8b7hp                                                    2/2     Running   0               12m
tap-telemetry               tap-telemetry-informer-77cb67758f-ghh77                        1/1     Running   3 (8m30s ago)   16m
tekton-pipelines            tekton-pipelines-controller-59756cd86b-pt872                   1/1     Running   0               16m
tekton-pipelines            tekton-pipelines-webhook-64b4df8fb5-xl5mv                      1/1     Running   0               16m
triggermesh                 aws-event-sources-controller-6cd69d669b-crdp4                  1/1     Running   0               8m
vmware-sources              webhook-59854f84cb-ddqks                                       1/1     Running   0               8m1s

Confirm that the ClusterBuilders are READY.

$ kubectl get clusterbuilder
NAME      LATESTIMAGE                                                                                                                   READY
base      ghcr.io/making/build-service:clusterbuilder-base@sha256:8658a91787d152205096a59f1eaead7337e11e86deed87414fdd9c19b940b8ac      True
default   ghcr.io/making/build-service:clusterbuilder-default@sha256:8658a91787d152205096a59f1eaead7337e11e86deed87414fdd9c19b940b8ac   True

Deploying a Workload

Preparation for creating a Workload

https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.2/tap/GUID-set-up-namespaces.html (partially modified)

kubectl create ns demo
tanzu secret registry add registry-credentials --server ghcr.io --username ${GITHUB_USERNAME} --password ${GITHUB_API_TOKEN} --namespace demo
cat <<EOF | kubectl -n demo apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: tap-registry
  annotations:
    secretgen.carvel.dev/image-pull-secret: ""
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: e30K
---
apiVersion: v1
kind: Secret
metadata:
  name: git-ssh
  annotations:
    tekton.dev/git-0: github.com
type: kubernetes.io/ssh-auth
data:
  ssh-privatekey: 8J+UkQ==
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
secrets:
- name: registry-credentials
- name: git-ssh
imagePullSecrets:
- name: registry-credentials
- name: tap-registry
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: default-permit-deliverable
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: deliverable
subjects:
  - kind: ServiceAccount
    name: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: default-permit-workload
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: workload
subjects:
- kind: ServiceAccount
  name: default
EOF

Deploying a Node.js app

tanzu apps workload apply hello \
  --app hello \
  --git-repo https://github.com/making/hello-nodejs \
  --git-branch master \
  --type web \
  -n demo \
  -y
tanzu apps workload tail hello -n demo

If you want to watch the resources being created, run the following command under watch.

watch kubectl get workload,pod,gitrepo,imgs,build,podintent,taskrun,deliverable,imagerepository,app,ksvc -n demo -owide
$ kubectl get workload,pod,gitrepo,imgs,build,podintent,taskrun,imagerepository,app,ksvc -n demo -owide

NAME                       SOURCE                                   SUPPLYCHAIN     READY   REASON   AGE
workload.carto.run/hello   https://github.com/making/hello-nodejs   source-to-url   True    Ready    6m14s

NAME                                          READY   STATUS      RESTARTS   AGE     IP            NODE                 NOMINATED NODE   READINESS GATES
pod/hello-00001-deployment-7979d95d87-jkgh2   2/2     Running     0          112s    10.244.0.70   kind-control-plane   <none>           <none>
pod/hello-build-1-build-pod                   0/1     Completed   0          6m5s    10.244.0.68   kind-control-plane   <none>           <none>
pod/hello-config-writer-xttn4-pod             0/1     Completed   0          4m19s   10.244.0.69   kind-control-plane   <none>           <none>

NAME                                           URL                                      READY   STATUS                                                              AGE
gitrepository.source.toolkit.fluxcd.io/hello   https://github.com/making/hello-nodejs   True    Fetched revision: master/2a6bd559580592beb51f4bf6d00bbb3f3fac6c9b   6m11s

NAME                   LATESTIMAGE                                                                                         READY
image.kpack.io/hello   ghcr.io/making/hello-demo@sha256:c99355fd11db011d7a08cd03b2ead8b6028358f20e95e01e99fa0835c4fea1a9   True

NAME                           IMAGE                                                                                               SUCCEEDED
build.kpack.io/hello-build-1   ghcr.io/making/hello-demo@sha256:c99355fd11db011d7a08cd03b2ead8b6028358f20e95e01e99fa0835c4fea1a9   True

NAME                                                READY   REASON               AGE
podintent.conventions.apps.tanzu.vmware.com/hello   True    ConventionsApplied   4m34s

NAME                                           SUCCEEDED   REASON      STARTTIME   COMPLETIONTIME
taskrun.tekton.dev/hello-config-writer-xttn4   True        Succeeded   4m19s       2m25s

NAME                          SOURCE                                                                  DELIVERY         READY   REASON   AGE
deliverable.carto.run/hello   ghcr.io/making/hello-demo-bundle:db5304ea-862d-4548-9773-f44ec983da8f   delivery-basic   True    Ready    6m11s

NAME                                                          IMAGE                                                                   URL                                                                                                                                                                                              READY   REASON   AGE
imagerepository.source.apps.tanzu.vmware.com/hello-delivery   ghcr.io/making/hello-demo-bundle:db5304ea-862d-4548-9773-f44ec983da8f   http://source-controller-manager-artifact-service.source-system.svc.cluster.local./imagerepository/demo/hello-delivery/da37404afd44183935553746bb8e870772a950a034d9bb7a85da277587cff7b3.tar.gz   True    Ready    6m8s

NAME                         DESCRIPTION           SINCE-DEPLOY   AGE
app.kappctrl.k14s.io/hello   Reconcile succeeded   112s           113s

NAME                                URL                          LATESTCREATED   LATESTREADY   READY   REASON
service.serving.knative.dev/hello   https://hello-demo.vcap.me   hello-00001     hello-00001   True  
$ tanzu apps workload get -n demo hello
---
# hello: Ready
---
Source
type:     git
url:      https://github.com/making/hello-nodejs
branch:   master

Supply Chain
name:          source-to-url
last update:   2m29s
ready:         True

RESOURCE          READY   TIME
source-provider   True    6m19s
deliverable       True    6m22s
image-builder     True    4m45s
config-provider   True    4m33s
app-config        True    4m33s
config-writer     True    2m29s

Issues
No issues reported.

Pods
NAME                                      STATUS      RESTARTS   AGE
hello-00001-deployment-7979d95d87-jkgh2   Running     0          2m3s
hello-build-1-build-pod                   Succeeded   0          6m16s
hello-config-writer-xttn4-pod             Succeeded   0          4m30s

Knative Services
NAME    READY   URL
hello   Ready   https://hello-demo.vcap.me

To see logs: "tanzu apps workload tail hello --namespace demo"
$ curl -k https://hello-demo.vcap.me  
Hello Tanzu!!

ℹ️ The kubectl tree plugin makes the parent-child relationships between the resources easy to see.

$ kubectl tree -n demo workload hello
NAMESPACE  NAME                                     READY  REASON               AGE  
demo       Workload/hello                           True   Ready                8m34s
demo       ├─ConfigMap/hello                        -                           7m21s
demo       ├─Deliverable/hello                      True   Ready                8m31s
demo       │ ├─App/hello                            -                           6m22s
demo       │ └─ImageRepository/hello-delivery       True   Ready                8m28s
demo       ├─GitRepository/hello                    True   GitOperationSucceed  8m31s
demo       ├─Image/hello                            True                        8m28s
demo       │ ├─Build/hello-build-1                  -                           8m28s
demo       │ │ └─Pod/hello-build-1-build-pod        False  PodCompleted         8m26s
demo       │ ├─PersistentVolumeClaim/hello-cache    -                           8m28s
demo       │ └─SourceResolver/hello-source          True                        8m28s
demo       ├─PodIntent/hello                        True   ConventionsApplied   7m33s
demo       │ └─PodIntent/hello                      True   ConventionsApplied   7m33s
demo       └─Runnable/hello-config-writer           True   Ready                7m21s
demo         └─TaskRun/hello-config-writer-bh2jc    -                           7m18s
demo           └─Pod/hello-config-writer-bh2jc-pod  False  PodCompleted         7m18s

Once you have finished checking, delete the Workload.

tanzu apps workload delete -n demo hello -y

Deploying a Java app

tanzu apps workload apply spring-music \
  --app spring-music \
  --git-repo https://github.com/scottfrederick/spring-music \
  --git-branch tanzu \
  --type web \
  --annotation autoscaling.knative.dev/minScale=1 \
  -n demo \
  -y
tanzu apps workload tail spring-music -n demo   

If you want to watch the resources being created, run the following command under watch.

watch kubectl get workload,pod,gitrepo,imgs,build,podintent,taskrun,deliverable,imagerepository,app,ksvc -n demo -owide
$ kubectl get workload,pod,gitrepo,imgs,build,podintent,taskrun,imagerepository,app,ksvc -n demo -owide
NAME                              SOURCE                                           SUPPLYCHAIN     READY   REASON   AGE
workload.carto.run/spring-music   https://github.com/scottfrederick/spring-music   source-to-url   True    Ready    7m46s

NAME                                                 READY   STATUS      RESTARTS   AGE     IP            NODE                 NOMINATED NODE   READINESS GATES
pod/spring-music-00001-deployment-7db74f7946-c8hd2   2/2     Running     0          2m32s   10.244.0.76   kind-control-plane   <none>           <none>
pod/spring-music-build-1-build-pod                   0/1     Completed   0          7m38s   10.244.0.74   kind-control-plane   <none>           <none>
pod/spring-music-config-writer-4tbjc-pod             0/1     Completed   0          3m7s    10.244.0.75   kind-control-plane   <none>           <none>

NAME                                                  URL                                              READY   STATUS                                                             AGE
gitrepository.source.toolkit.fluxcd.io/spring-music   https://github.com/scottfrederick/spring-music   True    Fetched revision: tanzu/922a509361d1345984899cafeb34622ef7dd2086   7m43s

NAME                          LATESTIMAGE                                                                                                READY
image.kpack.io/spring-music   ghcr.io/making/spring-music-demo@sha256:953b88e13550d875dc3723fc16b63f800631f4ad56d858d7bc7f858420296ceb   True

NAME                                  IMAGE                                                                                                      SUCCEEDED
build.kpack.io/spring-music-build-1   ghcr.io/making/spring-music-demo@sha256:953b88e13550d875dc3723fc16b63f800631f4ad56d858d7bc7f858420296ceb   True

NAME                                                       READY   REASON               AGE
podintent.conventions.apps.tanzu.vmware.com/spring-music   True    ConventionsApplied   3m21s

NAME                                                  SUCCEEDED   REASON      STARTTIME   COMPLETIONTIME
taskrun.tekton.dev/spring-music-config-writer-4tbjc   True        Succeeded   3m8s        2m58s

NAME                                                                 IMAGE                                                                          URL                                                                                                                                                                                                     READY   REASON   AGE
imagerepository.source.apps.tanzu.vmware.com/spring-music-delivery   ghcr.io/making/spring-music-demo-bundle:075dcd25-ffe1-4698-bdc5-e860f4a18ccf   http://source-controller-manager-artifact-service.source-system.svc.cluster.local./imagerepository/demo/spring-music-delivery/fdd1b7a69bc9525655ac7e67982fc151f80410800df8c1a36fbee5d41e554f8a.tar.gz   True    Ready    7m41s

NAME                                DESCRIPTION           SINCE-DEPLOY   AGE
app.kappctrl.k14s.io/spring-music   Reconcile succeeded   2m33s          2m33s

NAME                                       URL                                 LATESTCREATED        LATESTREADY          READY   REASON
service.serving.knative.dev/spring-music   https://spring-music-demo.vcap.me   spring-music-00001   spring-music-00001   True    
$ tanzu apps workload get -n demo spring-music
---
# spring-music: Ready
---
Source
type:     git
url:      https://github.com/scottfrederick/spring-music
branch:   tanzu

Supply Chain
name:          source-to-url
last update:   3m13s
ready:         True

RESOURCE          READY   TIME
source-provider   True    8m
deliverable       True    8m3s
image-builder     True    3m40s
config-provider   True    3m30s
app-config        True    3m30s
config-writer     True    3m13s

Issues
No issues reported.

Pods
NAME                                             STATUS      RESTARTS   AGE
spring-music-00001-deployment-7db74f7946-c8hd2   Running     0          2m52s
spring-music-build-1-build-pod                   Succeeded   0          7m58s
spring-music-config-writer-4tbjc-pod             Succeeded   0          3m27s

Knative Services
NAME           READY   URL
spring-music   Ready   https://spring-music-demo.vcap.me

To see logs: "tanzu apps workload tail spring-music --namespace demo"
When the browser shows a certificate warning, type "THIS IS UNSAFE" to proceed.

Once you have finished checking, delete the Workload.

tanzu apps workload delete -n demo spring-music -y

Deploying with GitOps

https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.2/tap/GUID-scc-gitops-vs-regops.html#gitops-0

First, create a git repository on GitHub to manage the manifests. I created https://github.com/making/hello-nodejs-manifests containing only a README.

Create a Secret for pushing to the git repository. You can choose between HTTP(S) Basic-auth and SSH. Here we use SSH.

⚠️ I noticed later that when using Pull Request mode you have to use HTTP(S) Basic-auth rather than SSH.
The Basic-auth setup is explained in the Pull Request section below, but it would have been better to use Basic-auth from the start.

Create an SSH key with the following commands.

mkdir -p $HOME/tap
cd $HOME/tap
ssh-keygen -t ssh-ed25519 -q -b 4096 -f "identity" -N "" -C ""
ssh-keyscan github.com > ./known_hosts

Register identity.pub as a Deploy Key. Do not forget to check "Allow write access".

Create the Secret with the following commands.

kubectl create secret generic git-ssh -n demo \
    --type kubernetes.io/ssh-auth \
    --from-file=./known_hosts \
    --from-file=./identity \
    --from-file=./identity.pub \
    --from-file=ssh-privatekey=./identity \
    --dry-run=client -oyaml \
 | kubectl apply -f- 
kubectl -n demo annotate secret git-ssh tekton.dev/git-0=github.com --overwrite=true   
kubectl patch -n demo serviceaccount default -p "{\"secrets\":[{\"name\":\"git-ssh\"}]}"

Deploy with the following command.

tanzu apps workload apply hello \
  --app hello \
  --git-repo https://github.com/making/hello-nodejs \
  --git-branch master \
  --type web \
  --param gitops_branch=main \
  --param gitops_commit_message=Bump \
  --param gitops_server_address=ssh://git@github.com \
  --param gitops_repository_owner=making \
  --param gitops_repository_name=tap-gitops-manifests \
  --param gitops_user_email=makingx+bot@gmail.com \
  --param gitops_user_name=making-bot \
  --param gitops_ssh_secret=git-ssh \
  -n demo \
  -y
tanzu apps workload tail hello -n demo

If you want to watch the resources being created, run the following command under watch.

watch kubectl get workload,pod,gitrepo,imgs,build,podintent,taskrun,deliverable,imagerepository,app,ksvc -n demo -owide

When kpack finishes building the container image, Tekton commits and pushes a manifest that references that image by its digest. Looking at the git repository, you can see that the following commit was made automatically.

The pushed manifest can be viewed in the repository.

The created resources are as follows. You can see that a GitRepository resource (hello-delivery) for detecting changes to the manifest has been created.

$ kubectl get workload,pod,gitrepo,imgs,build,podintent,taskrun,imagerepository,app,ksvc -n demo -owide 

NAME                       SOURCE                                   SUPPLYCHAIN     READY   REASON   AGE
workload.carto.run/hello   https://github.com/making/hello-nodejs   source-to-url   True    Ready    2m38s

NAME                                          READY   STATUS      RESTARTS   AGE     IP            NODE                 NOMINATED NODE   READINESS GATES
pod/hello-00001-deployment-7bdb4669fd-6fv9v   2/2     Running     0          18s     10.244.0.86   kind-control-plane   <none>           <none>
pod/hello-build-1-build-pod                   0/1     Completed   0          2m29s   10.244.0.84   kind-control-plane   <none>           <none>
pod/hello-config-writer-csz5h-pod             0/1     Completed   0          72s     10.244.0.85   kind-control-plane   <none>           <none>

NAME                                                    URL                                                    READY   STATUS                                                              AGE
gitrepository.source.toolkit.fluxcd.io/hello            https://github.com/making/hello-nodejs                 True    Fetched revision: master/19610d1789fb30d571e0b27a65ed03a7bdec2922   2m35s
gitrepository.source.toolkit.fluxcd.io/hello-delivery   ssh://git@github.com/making/tap-gitops-manifests.git   True    Fetched revision: main/b1029f402e24be4cac5b8807c79ecb1e2ca6cf10     2m32s

NAME                   LATESTIMAGE                                                                                         READY
image.kpack.io/hello   ghcr.io/making/hello-demo@sha256:c9ed1990af739a56230eb8b8b5e45e50ec22901da6884daac969604e29791ace   True

NAME                           IMAGE                                                                                               SUCCEEDED
build.kpack.io/hello-build-1   ghcr.io/making/hello-demo@sha256:c9ed1990af739a56230eb8b8b5e45e50ec22901da6884daac969604e29791ace   True

NAME                                                READY   REASON               AGE
podintent.conventions.apps.tanzu.vmware.com/hello   True    ConventionsApplied   86s

NAME                                           SUCCEEDED   REASON      STARTTIME   COMPLETIONTIME
taskrun.tekton.dev/hello-config-writer-csz5h   True        Succeeded   72s         59s

NAME                         DESCRIPTION           SINCE-DEPLOY   AGE
app.kappctrl.k14s.io/hello   Reconcile succeeded   19s            2m26s

NAME                                URL                          LATESTCREATED   LATESTREADY   READY   REASON
service.serving.knative.dev/hello   https://hello-demo.vcap.me   hello-00001     hello-00001   True 

Access the URL.

$ curl -k https://hello-demo.vcap.me
Hello Tanzu!

When you change the source code and git push, a new container image is built and the manifest is committed and pushed so that it uses the new image's digest. The commit looks like this.

Using pull requests with GitOps

Starting with TAP 1.2, instead of committing and pushing manifest changes directly, the supply chain can open a pull request.

https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.2/tap/GUID-scc-gitops-vs-regops.html#pull-requests-2

Add the following lines to tap-values.yml. The default is direct.

# ...
ootb_supply_chain_basic:
  # ...
  gitops:
    # ...
    commit_strategy: pull_request  
    pull_request:
      server_kind: github
      commit_branch: ""
      pull_request_title: "ready for review"
      pull_request_body: "generated by supply chain"

Update TAP with the following command.

tanzu package installed update -n tap-install tap -v 1.2.0 -f tap-values.yml

The Pull Request mode supports only HTTP(S) Basic-auth, not SSH authentication, so recreate the secret.

Generate a Personal access token with access to repo at https://github.com/settings/tokens.

Create the Secret with the following commands.

GITHUB_USERNAME=making
GITHUB_API_TOKEN=ghp_******

kubectl delete secret git-ssh -n demo
kubectl create secret generic git-ssh -n demo \
    --type kubernetes.io/basic-auth \
    --from-literal=username=${GITHUB_USERNAME} \
    --from-literal=password=${GITHUB_API_TOKEN} \
    --dry-run=client -oyaml \
 | kubectl apply -f- 
kubectl -n demo annotate secret git-ssh tekton.dev/git-0=https://github.com --overwrite=true   
kubectl patch -n demo serviceaccount default -p "{\"secrets\":[{\"name\":\"git-ssh\"}]}"
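As an added example (not part of the original post or of TAP itself), the following checker verifies that the developer namespace matches the setup from the "Preparation for creating a Workload" section and that the git secret matches the chosen commit_strategy: SSH or Basic-auth for direct, only Basic-auth for pull_request, with the tekton.dev/git-0 annotation in the form each type expects (github.com vs https://github.com). It reads the JSON that `kubectl get sa,secret,rolebinding -n demo -o json` returns; SAMPLE_LIST is a constructed stand-in for that output and `with_git_secret` is a hypothetical helper used to model the SSH-to-Basic-auth switch.

```python
import json

# Constructed sample (not real cluster output): the shape that
# `kubectl get sa,secret,rolebinding -n demo -o json` returns, holding the objects
# created in the namespace setup section of this post.
SAMPLE_LIST = json.loads("""
{"kind": "List", "items": [
 {"kind": "ServiceAccount", "metadata": {"name": "default"},
  "secrets": [{"name": "registry-credentials"}, {"name": "git-ssh"}],
  "imagePullSecrets": [{"name": "registry-credentials"}, {"name": "tap-registry"}]},
 {"kind": "Secret", "type": "kubernetes.io/dockerconfigjson", "metadata": {"name":
  "tap-registry", "annotations": {"secretgen.carvel.dev/image-pull-secret": ""}}},
 {"kind": "Secret", "type": "kubernetes.io/ssh-auth", "metadata": {"name": "git-ssh",
  "annotations": {"tekton.dev/git-0": "github.com"}}},
 {"kind": "RoleBinding", "metadata": {"name": "default-permit-workload"}, "roleRef":
  {"kind": "ClusterRole", "name": "workload"}, "subjects": [{"kind": "ServiceAccount", "name": "default"}]},
 {"kind": "RoleBinding", "metadata": {"name": "default-permit-deliverable"}, "roleRef":
  {"kind": "ClusterRole", "name": "deliverable"}, "subjects": [{"kind": "ServiceAccount", "name": "default"}]}
]}""")


def with_git_secret(obj: dict, secret_type: str, target: str, name: str = "git-ssh") -> dict:
    # Hypothetical helper: copy obj and swap the git secret's type and tekton.dev/git-0 annotation.
    clone = json.loads(json.dumps(obj))
    for item in clone["items"]:
        if item["kind"] == "Secret" and item["metadata"]["name"] == name:
            item["type"] = secret_type
            item["metadata"]["annotations"]["tekton.dev/git-0"] = target
    return clone


def check_namespace(obj: dict, git_secret: str = "git-ssh",
                    commit_strategy: str = "direct") -> list:
    """Return the problems found; an empty list means the namespace matches this post's setup."""
    problems = []
    by_kind = {}
    for item in obj.get("items", []):
        by_kind.setdefault(item["kind"], {})[item["metadata"]["name"]] = item
    sa = by_kind.get("ServiceAccount", {}).get("default", {})
    listed = {s["name"] for s in sa.get("secrets", [])}
    pull = {s["name"] for s in sa.get("imagePullSecrets", [])}
    for name in ("registry-credentials", git_secret):
        if name not in listed:
            problems.append(f"ServiceAccount default does not reference secret {name}")
    for name in ("registry-credentials", "tap-registry"):
        if name not in pull:
            problems.append(f"ServiceAccount default lacks imagePullSecret {name}")
    tap_reg = by_kind.get("Secret", {}).get("tap-registry", {}).get("metadata", {})
    if "secretgen.carvel.dev/image-pull-secret" not in tap_reg.get("annotations", {}):
        problems.append("Secret tap-registry lacks the secretgen.carvel.dev/image-pull-secret annotation")
    git = by_kind.get("Secret", {}).get(git_secret)
    if git is None:
        problems.append(f"git secret {git_secret} not found")
    else:
        gtype = git.get("type", "")
        target = git.get("metadata", {}).get("annotations", {}).get("tekton.dev/git-0", "")
        # Tekton matches this annotation against the repo URL: bare host for SSH, URL with scheme for basic-auth.
        if not target:
            problems.append(f"git secret {git_secret} lacks the tekton.dev/git-0 annotation")
        elif gtype == "kubernetes.io/basic-auth" and not target.startswith(("https://", "http://")):
            problems.append(f"tekton.dev/git-0={target} needs a scheme (https://...) for a basic-auth secret")
        # Pull-request mode only supports HTTP(S) basic-auth, not SSH.
        if commit_strategy == "pull_request" and gtype != "kubernetes.io/basic-auth":
            problems.append(f"commit_strategy pull_request needs a kubernetes.io/basic-auth git secret, found {gtype}")
    for role in ("workload", "deliverable"):
        bound = any(rb.get("roleRef", {}).get("name") == role and any(
            s.get("kind") == "ServiceAccount" and s.get("name") == "default" for s in rb.get("subjects", []))
            for rb in by_kind.get("RoleBinding", {}).values())
        if not bound:
            problems.append(f"no RoleBinding grants ClusterRole {role} to ServiceAccount default")
    return problems
```

To check a real namespace, pipe the kubectl JSON in and call `check_namespace(json.load(sys.stdin), commit_strategy="pull_request")` after switching tap-values.yml to pull_request mode.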

Update the Workload with the following command.

tanzu apps workload apply hello \
  --app hello \
  --git-repo https://github.com/making/hello-nodejs \
  --git-branch master \
  --type web \
  --param gitops_branch=main \
  --param gitops_commit_message=Bump \
  --param gitops_server_address=https://github.com \
  --param gitops_repository_owner=making \
  --param gitops_repository_name=tap-gitops-manifests \
  --param gitops_user_email=makingx+bot@gmail.com \
  --param gitops_user_name=making-bot \
  --param gitops_ssh_secret=git-ssh \
  -n demo \
  -y
tanzu apps workload tail hello -n demo

When you change the source code and git push, a Pull Request like the following is created after the container image has been built.

Merging this Pull Request deploys the change.

Once you have finished checking, delete the Workload.

tanzu apps workload delete -n demo hello -y

Using a Dockerfile via Kaniko

Starting with TAP 1.2, a Dockerfile can be used instead of Cloud Native Buildpacks to build the container image.
Internally, kaniko is used instead of kpack.

tanzu apps workload apply hello \
  --app hello \
  --git-repo https://github.com/making/hello-nodejs \
  --git-branch master \
  --param dockerfile=./Dockerfile \
  --type web \
  -n demo \
  -y
tanzu apps workload tail hello -n demo

Once you have finished checking, delete the Workload.

tanzu apps workload delete -n demo hello -y

It is convenient that with TAP the whole CI/CD flow can be created with just tanzu apps workload.