Install Tanzu Application Platform 1.2 on Kind.
I am trying this on an Intel Mac. I don't think the Apple Silicon version works yet.
In this article we install TAP and try the feature that deploys a "Hello World" application from source code ("Source to URL"). We also enable HTTPS.
Table of contents
- Creating the Kind cluster
- Installing the Pivnet CLI
- Accepting the EULA
- Installing the Tanzu CLI
- Installing Cluster Essentials for VMware Tanzu
- Installing Tanzu Application Platform
- Deploying a Workload
- Deploying with GitOps
- Using pull requests with GitOps
- Using a Dockerfile via Kaniko
Creating the Kind cluster
cat <<EOF > kind-expose-port.yaml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  extraPortMappings:
  - containerPort: 31443 # expose port 31443 of the node to port 443 on the host for use later by Contour ingress (envoy)
    hostPort: 443
  - containerPort: 31080 # expose port 31080 of the node to port 80 on the host for use later by Contour ingress (envoy)
    hostPort: 80
EOF
kind create cluster --config kind-expose-port.yaml --image kindest/node:v1.23.6
Installing the Pivnet CLI
Here we use the pivnet CLI to download the required software. The pivnet CLI can be installed with brew.
brew install pivotal/tap/pivnet-cli
Obtain an API Token from VMware Tanzu Network and log in with the pivnet CLI.
pivnet login --api-token=<API Token>
Accepting the EULA
If this is your first installation, accept the EULAs for the following components.
⚠️ The usage period set out in the EULA is 30 days. That said, no restriction is actually enforced by the software itself.
Installing the Tanzu CLI
# For Mac
pivnet download-product-files --product-slug='tanzu-application-platform' --release-version='1.2.0' --glob='tanzu-framework-darwin-amd64.tar'
# For Linux
pivnet download-product-files --product-slug='tanzu-application-platform' --release-version='1.2.0' --glob='tanzu-framework-linux-amd64.tar'
# For Windows
pivnet download-product-files --product-slug='tanzu-application-platform' --release-version='1.2.0' --glob='tanzu-framework-windows-amd64.zip'
tar xvf tanzu-framework-*-amd64.tar
install cli/core/v0.11.6/tanzu-core-*_amd64 /usr/local/bin/tanzu
export TANZU_CLI_NO_INIT=true
$ tanzu version
version: v0.11.6
buildDate: 2022-05-20
sha: 90440e2b
Installing the plugins
tanzu plugin install --local cli all
Installing Cluster Essentials for VMware Tanzu
Install Cluster Essentials for VMware Tanzu to deploy the Kapp Controller and Secretgen Controller that the TAP installation requires.
# Mac
pivnet download-product-files --product-slug='tanzu-cluster-essentials' --release-version='1.2.0' --glob='tanzu-cluster-essentials-darwin-amd64-*'
# Linux
pivnet download-product-files --product-slug='tanzu-cluster-essentials' --release-version='1.2.0' --glob='tanzu-cluster-essentials-linux-amd64-*'
TANZUNET_USERNAME=...
TANZUNET_PASSWORD=...
mkdir tanzu-cluster-essentials
tar xzvf tanzu-cluster-essentials-*-amd64-*.tgz -C tanzu-cluster-essentials
export INSTALL_BUNDLE=registry.tanzu.vmware.com/tanzu-cluster-essentials/cluster-essentials-bundle:1.2.0
export INSTALL_REGISTRY_HOSTNAME=registry.tanzu.vmware.com
export INSTALL_REGISTRY_USERNAME=${TANZUNET_USERNAME}
export INSTALL_REGISTRY_PASSWORD=${TANZUNET_PASSWORD}
cd tanzu-cluster-essentials
./install.sh --yes
cd ..
$ kubectl get pod -A
NAMESPACE NAME READY STATUS RESTARTS AGE
kapp-controller kapp-controller-bdd48d459-lcp7c 2/2 Running 0 5m58s
kube-system coredns-64897985d-gldgr 1/1 Running 0 21m
kube-system coredns-64897985d-vkpg9 1/1 Running 0 21m
kube-system etcd-kind-control-plane 1/1 Running 0 21m
kube-system kindnet-c44cp 1/1 Running 0 21m
kube-system kube-apiserver-kind-control-plane 1/1 Running 0 21m
kube-system kube-controller-manager-kind-control-plane 1/1 Running 0 21m
kube-system kube-proxy-mp97k 1/1 Running 0 21m
kube-system kube-scheduler-kind-control-plane 1/1 Running 0 21m
local-path-storage local-path-provisioner-66b445c94-45hs9 1/1 Running 0 21m
secretgen-controller secretgen-controller-65b6454479-p6fsl 1/1 Running 0 80s
Installing Tanzu Application Platform
Registering the Package Repository for TAP
TANZUNET_USERNAME=...
TANZUNET_PASSWORD=...
kubectl create ns tap-install
tanzu secret registry add tap-registry \
--username "${TANZUNET_USERNAME}" \
--password "${TANZUNET_PASSWORD}" \
--server registry.tanzu.vmware.com \
--export-to-all-namespaces \
--yes \
--namespace tap-install
tanzu package repository add tanzu-tap-repository \
--url registry.tanzu.vmware.com/tanzu-application-platform/tap-packages:1.2.0 \
--namespace tap-install
$ tanzu package available list --namespace tap-install
- Retrieving available packages...
NAME DISPLAY-NAME SHORT-DESCRIPTION LATEST-VERSION
accelerator.apps.tanzu.vmware.com Application Accelerator for VMware Tanzu Used to create new projects and configurations. 1.2.1
api-portal.tanzu.vmware.com API portal A unified user interface to enable search, discovery and try-out of API endpoints at ease. 1.0.21
backend.appliveview.tanzu.vmware.com Application Live View for VMware Tanzu App for monitoring and troubleshooting running apps 1.2.0
build.appliveview.tanzu.vmware.com Application Live View Conventions for VMware Tanzu Application Live View convention server 1.0.2
buildservice.tanzu.vmware.com Tanzu Build Service Tanzu Build Service enables the building and automation of containerized software workflows securely and at scale. 1.6.0
cartographer.tanzu.vmware.com Cartographer Kubernetes native Supply Chain Choreographer. 0.4.2
cnrs.tanzu.vmware.com Cloud Native Runtimes Cloud Native Runtimes is a serverless runtime based on Knative 1.3.0
connector.appliveview.tanzu.vmware.com Application Live View Connector for VMware Tanzu App for discovering and registering running apps 1.2.0
controller.conventions.apps.tanzu.vmware.com Convention Service for VMware Tanzu Convention Service enables app operators to consistently apply desired runtime configurations to fleets of workloads. 0.7.0
controller.source.apps.tanzu.vmware.com Tanzu Source Controller Tanzu Source Controller enables workload create/update from source code. 0.4.1
conventions.appliveview.tanzu.vmware.com Application Live View Conventions for VMware Tanzu Application Live View convention server 1.2.0
developer-conventions.tanzu.vmware.com Tanzu App Platform Developer Conventions Developer Conventions 0.7.0
fluxcd.source.controller.tanzu.vmware.com Flux Source Controller The source-controller is a Kubernetes operator, specialised in artifacts acquisition from external sources such as Git, Helm repositories and S3 buckets. 0.16.4
grype.scanning.apps.tanzu.vmware.com Grype for Supply Chain Security Tools - Scan Default scan templates using Anchore Grype 1.2.2
image-policy-webhook.signing.apps.tanzu.vmware.com Image Policy Webhook Image Policy Webhook enables defining of a policy to restrict unsigned container images. 1.1.3
learningcenter.tanzu.vmware.com Learning Center for Tanzu Application Platform Guided technical workshops 0.2.1
metadata-store.apps.tanzu.vmware.com Supply Chain Security Tools - Store Post SBoMs and query for image, package, and vulnerability metadata. 1.2.2
ootb-delivery-basic.tanzu.vmware.com Tanzu App Platform Out of The Box Delivery Basic Out of The Box Delivery Basic. 0.8.0-build.4
ootb-supply-chain-basic.tanzu.vmware.com Tanzu App Platform Out of The Box Supply Chain Basic Out of The Box Supply Chain Basic. 0.8.0-build.4
ootb-supply-chain-testing-scanning.tanzu.vmware.com Tanzu App Platform Out of The Box Supply Chain with Testing and Scanning Out of The Box Supply Chain with Testing and Scanning. 0.8.0-build.4
ootb-supply-chain-testing.tanzu.vmware.com Tanzu App Platform Out of The Box Supply Chain with Testing Out of The Box Supply Chain with Testing. 0.8.0-build.4
ootb-templates.tanzu.vmware.com Tanzu App Platform Out of The Box Templates Out of The Box Templates. 0.8.0-build.4
policy.apps.tanzu.vmware.com Supply Chain Security Tools - Policy Controller Policy Controller enables defining of a policy to restrict unsigned container images. 1.0.1
scanning.apps.tanzu.vmware.com Supply Chain Security Tools - Scan Scan for vulnerabilities and enforce policies directly within Kubernetes native Supply Chains. 1.2.2
service-bindings.labs.vmware.com Service Bindings for Kubernetes Service Bindings for Kubernetes implements the Service Binding Specification. 0.7.2
services-toolkit.tanzu.vmware.com Services Toolkit The Services Toolkit enables the management, lifecycle, discoverability and connectivity of Service Resources (databases, message queues, DNS records, etc.). 0.7.1
snyk.scanning.apps.tanzu.vmware.com Snyk for Supply Chain Security Tools - Scan Default scan templates using Snyk 1.0.0-beta.2
spring-boot-conventions.tanzu.vmware.com Tanzu Spring Boot Conventions Server Default Spring Boot convention server. 0.4.1
sso.apps.tanzu.vmware.com AppSSO Application Single Sign-On for Tanzu 1.0.0
tap-auth.tanzu.vmware.com Default roles for Tanzu Application Platform Default roles for Tanzu Application Platform 1.0.1
tap-gui.tanzu.vmware.com Tanzu Application Platform GUI web app graphical user interface for Tanzu Application Platform 1.2.3
tap-telemetry.tanzu.vmware.com Telemetry Collector for Tanzu Application Platform Tanzu Application Plaform Telemetry 0.2.0
tap.tanzu.vmware.com Tanzu Application Platform Package to install a set of TAP components to get you started based on your use case. 1.2.0
tekton.tanzu.vmware.com Tekton Pipelines Tekton Pipelines is a framework for creating CI/CD systems. 0.33.5
workshops.learningcenter.tanzu.vmware.com Workshop Building Tutorial Workshop Building Tutorial 0.2.1
Installing the Iterate Profile
GITHUB_USERNAME=...
GITHUB_API_TOKEN=...
cat <<EOF > tap-values.yml
profile: iterate
ceip_policy_disclosed: true
cnrs:
  domain_name: vcap.me
  domain_template: "{{.Name}}-{{.Namespace}}.{{.Domain}}"
  default_tls_secret: tanzu-system-ingress/cnrs-default-tls
  provider: local
buildservice:
  kp_default_repository: ghcr.io/${GITHUB_USERNAME}/build-service
  kp_default_repository_username: ${GITHUB_USERNAME}
  kp_default_repository_password: ${GITHUB_API_TOKEN}
supply_chain: basic
ootb_supply_chain_basic:
  registry:
    server: ghcr.io
    repository: ${GITHUB_USERNAME}
  gitops:
    ssh_secret: git-ssh
contour:
  envoy:
    service:
      nodePorts:
        http: 31080
        https: 31443
package_overlays:
- name: cnrs
  secrets:
  - name: cnrs-default-tls
EOF
*.vcap.me resolves to 127.0.0.1.
Create the following definitions as an overlay to provide the default TLS certificate used by Cloud Native Runtimes (Knative). I referred to the documents below.
- https://docs.vmware.com/en/Cloud-Native-Runtimes-for-VMware-Tanzu/1.3/tanzu-cloud-native-runtimes/GUID-knative-default-tls.html
- https://knative.dev/docs/serving/using-a-tls-cert/#manually-adding-a-tls-certificate
cat <<EOF > cnrs-default-tls.yml
#@ load("@ytt:data", "data")
#@ load("@ytt:overlay", "overlay")
#@ namespace = data.values.ingress.external.namespace
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: cnrs-selfsigned-issuer
  namespace: #@ namespace
spec:
  selfSigned: { }
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cnrs-ca
  namespace: #@ namespace
spec:
  commonName: cnrs-ca
  isCA: true
  issuerRef:
    kind: Issuer
    name: cnrs-selfsigned-issuer
  secretName: cnrs-ca
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: cnrs-ca-issuer
  namespace: #@ namespace
spec:
  ca:
    secretName: cnrs-ca
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cnrs-default-tls
  namespace: #@ namespace
spec:
  dnsNames:
  - #@ "*.{}".format(data.values.domain_name)
  issuerRef:
    kind: Issuer
    name: cnrs-ca-issuer
  secretName: cnrs-default-tls
---
apiVersion: projectcontour.io/v1
kind: TLSCertificateDelegation
metadata:
  name: contour-delegation
  namespace: #@ namespace
spec:
  delegations:
  - secretName: cnrs-default-tls
    targetNamespaces:
    - "*"
#@overlay/match by=overlay.subset({"metadata":{"name":"config-network"}, "kind": "ConfigMap"})
---
data:
  #@overlay/match missing_ok=True
  default-external-scheme: https
EOF
Create the overlay file as a Secret.
kubectl -n tap-install create secret generic cnrs-default-tls \
-o yaml \
--dry-run=client \
--from-file=cnrs-default-tls.yml \
| kubectl apply -f-
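The overlay above asks cert-manager for a self-signed CA (cnrs-ca), a CA issuer, and a wildcard certificate for *.vcap.me that Contour delegates to every namespace. As an added example (not from the original post), the script below reproduces that chain locally with openssl and verifies a leaf the way a client that trusts the CA would, which is what lets a client verify the Knative URLs instead of skipping verification with curl -k. The file names and the WORK directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild the certificate chain the
# cnrs-default-tls overlay requests from cert-manager (self-signed CA -> CA
# issuer -> wildcard leaf) with openssl, then verify the leaf against the CA
# and a hostname. File names and the WORK directory are assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"

# make_chain <domain>: issue a self-signed CA (cnrs-ca) and a wildcard leaf
# for *.<domain> signed by it (cnrs-default-tls).
make_chain() {
  domain="$1"
  # Self-signed CA, like the Certificate with isCA: true from cnrs-selfsigned-issuer.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=cnrs-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  # Leaf CSR for the wildcard name; the SAN is what clients actually match on.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=*.$domain" \
    -keyout "$WORK/tls.key" -out "$WORK/tls.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:*.%s\n' "$domain" > "$WORK/san.ext"
  # Sign the leaf with the CA, like cnrs-ca-issuer does.
  openssl x509 -req -days 30 -in "$WORK/tls.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/san.ext" \
    -out "$WORK/tls.crt" >/dev/null 2>&1
}

# check_host <hostname>: 0 if tls.crt chains to ca.crt and matches <hostname>.
# Trusting ca.crt this way (e.g. curl --cacert ca.crt) replaces curl -k.
check_host() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" "$WORK/tls.crt" >/dev/null 2>&1
}

# Stand-alone run: the Knative URLs in the post have the form <name>-<namespace>.vcap.me.
if [ "${1:-}" = "run" ]; then
  make_chain vcap.me
  for h in hello-demo.vcap.me spring-music-demo.vcap.me evil.example.com; do
    if check_host "$h"; then echo "$h: OK"; else echo "$h: REJECTED"; fi
  done
fi
```

In the cluster the same chain is verified by extracting ca.crt from the cnrs-ca Secret in the ingress namespace and passing it to the client's trust store.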
Install TAP.
tanzu package install tap -p tap.tanzu.vmware.com -v 1.2.0 --values-file tap-values.yml -n tap-install --poll-timeout 45m
Check the installation progress with the following command.
watch kubectl get app,pod -A
Wait until every app shows Reconcile succeeded. It takes about 15-20 minutes.
$ kubectl get app -n tap-install
NAME DESCRIPTION SINCE-DEPLOY AGE
appliveview Reconcile succeeded 7m49s 7m56s
appliveview-connector Reconcile succeeded 5m38s 16m
appliveview-conventions Reconcile succeeded 10m 10m
appsso Reconcile succeeded 57s 11m
buildservice Reconcile succeeded 17s 16m
cartographer Reconcile succeeded 13s 11m
cert-manager Reconcile succeeded 109s 16m
cnrs Reconcile succeeded 7m47s 7m57s
contour Reconcile succeeded 11m 11m
conventions-controller Reconcile succeeded 11s 11m
developer-conventions Reconcile succeeded 10m 10m
fluxcd-source-controller Reconcile succeeded 16m 16m
image-policy-webhook Reconcile succeeded 11m 11m
ootb-delivery-basic Reconcile succeeded 10m 10m
ootb-supply-chain-basic Reconcile succeeded 10m 10m
ootb-templates Reconcile succeeded 1s 10m
policy-controller Reconcile succeeded 11m 11m
service-bindings Reconcile succeeded 5m22s 16m
services-toolkit Reconcile succeeded 16m 16m
source-controller Reconcile succeeded 76s 11m
spring-boot-conventions Reconcile succeeded 10m 10m
tap Reconcile succeeded 88s 16m
tap-auth Reconcile succeeded 6m18s 16m
tap-telemetry Reconcile succeeded 5m59s 16m
tekton-pipelines Reconcile succeeded 4m53s 16m
The installed packages are as follows.
$ kubectl get packageinstall -n tap-install
NAME PACKAGE NAME PACKAGE VERSION DESCRIPTION AGE
appliveview backend.appliveview.tanzu.vmware.com 1.2.0 Reconcile succeeded 8m14s
appliveview-connector connector.appliveview.tanzu.vmware.com 1.2.0 Reconcile succeeded 16m
appliveview-conventions conventions.appliveview.tanzu.vmware.com 1.2.0 Reconcile succeeded 10m
appsso sso.apps.tanzu.vmware.com 1.0.0 Reconcile succeeded 12m
buildservice buildservice.tanzu.vmware.com 1.6.0 Reconcile succeeded 16m
cartographer cartographer.tanzu.vmware.com 0.4.2 Reconcile succeeded 12m
cert-manager cert-manager.tanzu.vmware.com 1.5.3+tap.2 Reconcile succeeded 16m
cnrs cnrs.tanzu.vmware.com 1.3.0 Reconcile succeeded 8m14s
contour contour.tanzu.vmware.com 1.18.2+tap.2 Reconcile succeeded 12m
conventions-controller controller.conventions.apps.tanzu.vmware.com 0.7.0 Reconcile succeeded 12m
developer-conventions developer-conventions.tanzu.vmware.com 0.7.0 Reconcile succeeded 10m
fluxcd-source-controller fluxcd.source.controller.tanzu.vmware.com 0.16.4 Reconcile succeeded 16m
image-policy-webhook image-policy-webhook.signing.apps.tanzu.vmware.com 1.1.3 Reconcile succeeded 12m
ootb-delivery-basic ootb-delivery-basic.tanzu.vmware.com 0.8.0-build.4 Reconcile succeeded 10m
ootb-supply-chain-basic ootb-supply-chain-basic.tanzu.vmware.com 0.8.0-build.4 Reconcile succeeded 10m
ootb-templates ootb-templates.tanzu.vmware.com 0.8.0-build.4 Reconcile succeeded 10m
policy-controller policy.apps.tanzu.vmware.com 1.0.1 Reconcile succeeded 12m
service-bindings service-bindings.labs.vmware.com 0.7.2 Reconcile succeeded 16m
services-toolkit services-toolkit.tanzu.vmware.com 0.7.1 Reconcile succeeded 16m
source-controller controller.source.apps.tanzu.vmware.com 0.4.1 Reconcile succeeded 12m
spring-boot-conventions spring-boot-conventions.tanzu.vmware.com 0.4.1 Reconcile succeeded 10m
tap tap.tanzu.vmware.com 1.2.0 Reconcile succeeded 17m
tap-auth tap-auth.tanzu.vmware.com 1.0.1 Reconcile succeeded 16m
tap-telemetry tap-telemetry.tanzu.vmware.com 0.2.0 Reconcile succeeded 16m
tekton-pipelines tekton.tanzu.vmware.com 0.33.5 Reconcile succeeded 16m
The deployed Pods are as follows.
$ kubectl get pod -A
NAMESPACE NAME READY STATUS RESTARTS AGE
app-live-view-connector application-live-view-connector-zk9l9 1/1 Running 0 16m
app-live-view-conventions appliveview-webhook-6864556779-6s4w6 1/1 Running 0 10m
app-live-view application-live-view-server-66dd4fb89c-8vt4l 1/1 Running 0 8m21s
appsso operator-c94b4dd9c-9gxh6 1/1 Running 0 12m
build-service build-pod-image-fetcher-tghls 5/5 Running 0 16m
build-service dependency-updater-controller-5c4d9fb46b-cpmbt 1/1 Running 0 16m
build-service secret-syncer-controller-8b66cfb7f-6z2mh 1/1 Running 0 16m
build-service smart-warmer-image-fetcher-5ngmj 2/2 Running 0 9m13s
build-service warmer-controller-6c574744dc-wwxcl 1/1 Running 0 16m
cartographer-system cartographer-controller-69fbc785b5-dkr72 1/1 Running 0 12m
cartographer-system cartographer-conventions-controller-manager-5cb8666745-xwzzb 1/1 Running 0 12m
cert-injection-webhook cert-injection-webhook-5f5d44ccb-xwmsx 1/1 Running 0 16m
cert-manager cert-manager-5dd5d847cc-rkrzj 1/1 Running 0 16m
cert-manager cert-manager-cainjector-7c6dcb76c-2h8jz 1/1 Running 0 16m
cert-manager cert-manager-webhook-854fc7875b-fhx82 1/1 Running 0 16m
conventions-system conventions-controller-manager-78f78dcc99-2xlvv 1/1 Running 0 12m
cosign-system policy-webhook-78c8c8c8f5-c4689 1/1 Running 0 12m
cosign-system webhook-6655b65b58-vxlng 1/1 Running 0 12m
developer-conventions webhook-7785857b9-jfb7h 1/1 Running 0 10m
flux-system source-controller-6bfb9b855-qthlh 1/1 Running 0 16m
image-policy-system image-policy-controller-manager-6c4cdf8b-zskmg 2/2 Running 0 12m
kapp-controller kapp-controller-bdd48d459-lcp7c 2/2 Running 0 7h34m
knative-eventing eventing-controller-66b559bb98-2zrzz 1/1 Running 0 8m5s
knative-eventing eventing-webhook-5b94b5fd87-wcvhm 1/1 Running 0 8m5s
knative-eventing imc-controller-7788f45885-5t75h 1/1 Running 0 8m4s
knative-eventing imc-dispatcher-5f7585d8bc-6n6cz 1/1 Running 0 8m4s
knative-eventing mt-broker-controller-747888dd99-6pm4l 1/1 Running 0 8m5s
knative-eventing mt-broker-filter-77b9b9668b-ctdmn 1/1 Running 0 8m4s
knative-eventing mt-broker-ingress-8449fccd46-m66w6 1/1 Running 0 8m3s
knative-eventing rabbitmq-broker-controller-6d5d564bc9-gnfn9 1/1 Running 0 8m3s
knative-eventing rabbitmq-broker-webhook-68d67b96c-mnhz2 1/1 Running 0 8m3s
knative-eventing sugar-controller-754fc986f6-rk28n 1/1 Running 0 8m2s
knative-serving activator-75f797df99-frzhp 1/1 Running 0 8m2s
knative-serving autoscaler-66796d4b-sq4gl 1/1 Running 0 8m2s
knative-serving autoscaler-hpa-5b4b8b6c77-57ndx 1/1 Running 0 8m
knative-serving controller-69ffc8ff5-jbvzd 1/1 Running 0 8m1s
knative-serving domain-mapping-777c99b4d7-2rr4l 1/1 Running 0 8m2s
knative-serving domainmapping-webhook-7c98699c6-v7xnp 1/1 Running 0 8m2s
knative-serving net-certmanager-controller-54b94b9ccc-f9r5p 1/1 Running 0 8m
knative-serving net-certmanager-webhook-74d4646c56-jwh8c 1/1 Running 0 8m
knative-serving net-contour-controller-5868857dc9-5fvhv 1/1 Running 0 8m5s
knative-serving webhook-8cc7b694-gx945 1/1 Running 0 8m1s
knative-sources rabbitmq-controller-manager-7d4444b8b6-xfcsz 1/1 Running 0 8m3s
knative-sources rabbitmq-webhook-6cb87c8fd5-xvb5h 1/1 Running 0 8m3s
kpack kpack-controller-7f5b5d567-z6l2z 1/1 Running 0 16m
kpack kpack-webhook-b564f8dc7-tgz2f 1/1 Running 0 16m
kube-system coredns-64897985d-gldgr 1/1 Running 0 7h49m
kube-system coredns-64897985d-vkpg9 1/1 Running 0 7h49m
kube-system etcd-kind-control-plane 1/1 Running 0 7h50m
kube-system kindnet-c44cp 1/1 Running 0 7h49m
kube-system kube-apiserver-kind-control-plane 1/1 Running 0 7h50m
kube-system kube-controller-manager-kind-control-plane 1/1 Running 1 (5h21m ago) 7h50m
kube-system kube-proxy-mp97k 1/1 Running 0 7h49m
kube-system kube-scheduler-kind-control-plane 1/1 Running 1 (5h21m ago) 7h50m
local-path-storage local-path-provisioner-66b445c94-45hs9 1/1 Running 0 7h49m
secretgen-controller secretgen-controller-65b6454479-p6fsl 1/1 Running 0 7h29m
service-bindings manager-5b49fcc58f-hxtpm 1/1 Running 0 16m
services-toolkit resource-claims-apiserver-d4474586c-hl4mx 1/1 Running 0 16m
services-toolkit services-toolkit-controller-manager-77fd48c95d-4pmrv 1/1 Running 0 16m
source-system source-controller-manager-f4c6b754b-rcw92 1/1 Running 0 12m
spring-boot-convention spring-boot-webhook-5d7c855499-t469f 1/1 Running 0 10m
stacks-operator-system controller-manager-58c4d5dd7c-bhmpq 1/1 Running 0 16m
tanzu-system-ingress contour-85644f6f69-dc2gg 1/1 Running 0 12m
tanzu-system-ingress contour-85644f6f69-hmcls 1/1 Running 0 12m
tanzu-system-ingress envoy-8b7hp 2/2 Running 0 12m
tap-telemetry tap-telemetry-informer-77cb67758f-ghh77 1/1 Running 3 (8m30s ago) 16m
tekton-pipelines tekton-pipelines-controller-59756cd86b-pt872 1/1 Running 0 16m
tekton-pipelines tekton-pipelines-webhook-64b4df8fb5-xl5mv 1/1 Running 0 16m
triggermesh aws-event-sources-controller-6cd69d669b-crdp4 1/1 Running 0 8m
vmware-sources webhook-59854f84cb-ddqks 1/1 Running 0 8m1s
Confirm that the ClusterBuilders are READY.
$ kubectl get clusterbuilder
NAME LATESTIMAGE READY
base ghcr.io/making/build-service:clusterbuilder-base@sha256:8658a91787d152205096a59f1eaead7337e11e86deed87414fdd9c19b940b8ac True
default ghcr.io/making/build-service:clusterbuilder-default@sha256:8658a91787d152205096a59f1eaead7337e11e86deed87414fdd9c19b940b8ac True
Deploying a Workload
Preparation for creating a Workload
https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.2/tap/GUID-set-up-namespaces.html (partially modified)
kubectl create ns demo
tanzu secret registry add registry-credentials --server ghcr.io --username ${GITHUB_USERNAME} --password ${GITHUB_API_TOKEN} --namespace demo
cat <<EOF | kubectl -n demo apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: tap-registry
  annotations:
    secretgen.carvel.dev/image-pull-secret: ""
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: e30K
---
apiVersion: v1
kind: Secret
metadata:
  name: git-ssh
  annotations:
    tekton.dev/git-0: github.com
type: kubernetes.io/ssh-auth
data:
  ssh-privatekey: 8J+UkQ==
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
secrets:
- name: registry-credentials
- name: git-ssh
imagePullSecrets:
- name: registry-credentials
- name: tap-registry
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: default-permit-deliverable
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: deliverable
subjects:
- kind: ServiceAccount
  name: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: default-permit-workload
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: workload
subjects:
- kind: ServiceAccount
  name: default
EOF
Deploying a Node.js app
tanzu apps workload apply hello \
--app hello \
--git-repo https://github.com/making/hello-nodejs \
--git-branch master \
--type web \
-n demo \
-y
tanzu apps workload tail hello -n demo
If you want to check the resources being created, watch the following command.
watch kubectl get workload,pod,gitrepo,imgs,build,podintent,taskrun,deliverable,imagerepository,app,ksvc -n demo -owide
$ kubectl get workload,pod,gitrepo,imgs,build,podintent,taskrun,imagerepository,app,ksvc -n demo -owide
NAME SOURCE SUPPLYCHAIN READY REASON AGE
workload.carto.run/hello https://github.com/making/hello-nodejs source-to-url True Ready 6m14s
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
pod/hello-00001-deployment-7979d95d87-jkgh2 2/2 Running 0 112s 10.244.0.70 kind-control-plane <none> <none>
pod/hello-build-1-build-pod 0/1 Completed 0 6m5s 10.244.0.68 kind-control-plane <none> <none>
pod/hello-config-writer-xttn4-pod 0/1 Completed 0 4m19s 10.244.0.69 kind-control-plane <none> <none>
NAME URL READY STATUS AGE
gitrepository.source.toolkit.fluxcd.io/hello https://github.com/making/hello-nodejs True Fetched revision: master/2a6bd559580592beb51f4bf6d00bbb3f3fac6c9b 6m11s
NAME LATESTIMAGE READY
image.kpack.io/hello ghcr.io/making/hello-demo@sha256:c99355fd11db011d7a08cd03b2ead8b6028358f20e95e01e99fa0835c4fea1a9 True
NAME IMAGE SUCCEEDED
build.kpack.io/hello-build-1 ghcr.io/making/hello-demo@sha256:c99355fd11db011d7a08cd03b2ead8b6028358f20e95e01e99fa0835c4fea1a9 True
NAME READY REASON AGE
podintent.conventions.apps.tanzu.vmware.com/hello True ConventionsApplied 4m34s
NAME SUCCEEDED REASON STARTTIME COMPLETIONTIME
taskrun.tekton.dev/hello-config-writer-xttn4 True Succeeded 4m19s 2m25s
NAME SOURCE DELIVERY READY REASON AGE
deliverable.carto.run/hello ghcr.io/making/hello-demo-bundle:db5304ea-862d-4548-9773-f44ec983da8f delivery-basic True Ready 6m11s
NAME IMAGE URL READY REASON AGE
imagerepository.source.apps.tanzu.vmware.com/hello-delivery ghcr.io/making/hello-demo-bundle:db5304ea-862d-4548-9773-f44ec983da8f http://source-controller-manager-artifact-service.source-system.svc.cluster.local./imagerepository/demo/hello-delivery/da37404afd44183935553746bb8e870772a950a034d9bb7a85da277587cff7b3.tar.gz True Ready 6m8s
NAME DESCRIPTION SINCE-DEPLOY AGE
app.kappctrl.k14s.io/hello Reconcile succeeded 112s 113s
NAME URL LATESTCREATED LATESTREADY READY REASON
service.serving.knative.dev/hello https://hello-demo.vcap.me hello-00001 hello-00001 True
$ tanzu apps workload get -n demo hello
---
# hello: Ready
---
Source
type: git
url: https://github.com/making/hello-nodejs
branch: master
Supply Chain
name: source-to-url
last update: 2m29s
ready: True
RESOURCE READY TIME
source-provider True 6m19s
deliverable True 6m22s
image-builder True 4m45s
config-provider True 4m33s
app-config True 4m33s
config-writer True 2m29s
Issues
No issues reported.
Pods
NAME STATUS RESTARTS AGE
hello-00001-deployment-7979d95d87-jkgh2 Running 0 2m3s
hello-build-1-build-pod Succeeded 0 6m16s
hello-config-writer-xttn4-pod Succeeded 0 4m30s
Knative Services
NAME READY URL
hello Ready https://hello-demo.vcap.me
To see logs: "tanzu apps workload tail hello --namespace demo"
$ curl -k https://hello-demo.vcap.me
Hello Tanzu!!
ℹ️ The kubectl tree plugin makes the parent-child relationships between resources easy to see.
$ kubectl tree -n demo workload hello
NAMESPACE NAME READY REASON AGE
demo Workload/hello True Ready 8m34s
demo ├─ConfigMap/hello - 7m21s
demo ├─Deliverable/hello True Ready 8m31s
demo │ ├─App/hello - 6m22s
demo │ └─ImageRepository/hello-delivery True Ready 8m28s
demo ├─GitRepository/hello True GitOperationSucceed 8m31s
demo ├─Image/hello True 8m28s
demo │ ├─Build/hello-build-1 - 8m28s
demo │ │ └─Pod/hello-build-1-build-pod False PodCompleted 8m26s
demo │ ├─PersistentVolumeClaim/hello-cache - 8m28s
demo │ └─SourceResolver/hello-source True 8m28s
demo ├─PodIntent/hello True ConventionsApplied 7m33s
demo │ └─PodIntent/hello True ConventionsApplied 7m33s
demo └─Runnable/hello-config-writer True Ready 7m21s
demo   └─TaskRun/hello-config-writer-bh2jc - 7m18s
demo     └─Pod/hello-config-writer-bh2jc-pod False PodCompleted 7m18s
Once you have finished checking, delete the Workload.
tanzu apps workload delete -n demo hello -y
Deploying a Java app
tanzu apps workload apply spring-music \
--app spring-music \
--git-repo https://github.com/scottfrederick/spring-music \
--git-branch tanzu \
--type web \
--annotation autoscaling.knative.dev/minScale=1 \
-n demo \
-y
tanzu apps workload tail spring-music -n demo
If you want to check the resources being created, watch the following command.
watch kubectl get workload,pod,gitrepo,imgs,build,podintent,taskrun,deliverable,imagerepository,app,ksvc -n demo -owide
$ kubectl get workload,pod,gitrepo,imgs,build,podintent,taskrun,imagerepository,app,ksvc -n demo -owide
NAME SOURCE SUPPLYCHAIN READY REASON AGE
workload.carto.run/spring-music https://github.com/scottfrederick/spring-music source-to-url True Ready 7m46s
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
pod/spring-music-00001-deployment-7db74f7946-c8hd2 2/2 Running 0 2m32s 10.244.0.76 kind-control-plane <none> <none>
pod/spring-music-build-1-build-pod 0/1 Completed 0 7m38s 10.244.0.74 kind-control-plane <none> <none>
pod/spring-music-config-writer-4tbjc-pod 0/1 Completed 0 3m7s 10.244.0.75 kind-control-plane <none> <none>
NAME URL READY STATUS AGE
gitrepository.source.toolkit.fluxcd.io/spring-music https://github.com/scottfrederick/spring-music True Fetched revision: tanzu/922a509361d1345984899cafeb34622ef7dd2086 7m43s
NAME LATESTIMAGE READY
image.kpack.io/spring-music ghcr.io/making/spring-music-demo@sha256:953b88e13550d875dc3723fc16b63f800631f4ad56d858d7bc7f858420296ceb True
NAME IMAGE SUCCEEDED
build.kpack.io/spring-music-build-1 ghcr.io/making/spring-music-demo@sha256:953b88e13550d875dc3723fc16b63f800631f4ad56d858d7bc7f858420296ceb True
NAME READY REASON AGE
podintent.conventions.apps.tanzu.vmware.com/spring-music True ConventionsApplied 3m21s
NAME SUCCEEDED REASON STARTTIME COMPLETIONTIME
taskrun.tekton.dev/spring-music-config-writer-4tbjc True Succeeded 3m8s 2m58s
NAME IMAGE URL READY REASON AGE
imagerepository.source.apps.tanzu.vmware.com/spring-music-delivery ghcr.io/making/spring-music-demo-bundle:075dcd25-ffe1-4698-bdc5-e860f4a18ccf http://source-controller-manager-artifact-service.source-system.svc.cluster.local./imagerepository/demo/spring-music-delivery/fdd1b7a69bc9525655ac7e67982fc151f80410800df8c1a36fbee5d41e554f8a.tar.gz True Ready 7m41s
NAME DESCRIPTION SINCE-DEPLOY AGE
app.kappctrl.k14s.io/spring-music Reconcile succeeded 2m33s 2m33s
NAME URL LATESTCREATED LATESTREADY READY REASON
service.serving.knative.dev/spring-music https://spring-music-demo.vcap.me spring-music-00001 spring-music-00001 True
$ tanzu apps workload get -n demo spring-music
---
# spring-music: Ready
---
Source
type: git
url: https://github.com/scottfrederick/spring-music
branch: tanzu
Supply Chain
name: source-to-url
last update: 3m13s
ready: True
RESOURCE READY TIME
source-provider True 8m
deliverable True 8m3s
image-builder True 3m40s
config-provider True 3m30s
app-config True 3m30s
config-writer True 3m13s
Issues
No issues reported.
Pods
NAME STATUS RESTARTS AGE
spring-music-00001-deployment-7db74f7946-c8hd2 Running 0 2m52s
spring-music-build-1-build-pod Succeeded 0 7m58s
spring-music-config-writer-4tbjc-pod Succeeded 0 3m27s
Knative Services
NAME READY URL
spring-music Ready https://spring-music-demo.vcap.me
To see logs: "tanzu apps workload tail spring-music --namespace demo"

Type "THIS IS UNSAFE" on the browser's certificate warning page.

Once you have finished checking, delete the Workload.
tanzu apps workload delete -n demo spring-music -y
Deploying with GitOps
First, create a git repository on GitHub to manage the manifests. I created https://github.com/making/hello-nodejs-manifests, containing only a README.

Create a Secret for pushing to the git repository. You can choose between HTTP(S) Basic-auth and SSH. Here we use Basic-auth.
Generate a Personal access token with access to repo at https://github.com/settings/tokens.

Create the Secret with the following command.
GITHUB_USERNAME=making
GITHUB_API_TOKEN=ghp_******
kubectl create secret generic git-ssh -n demo \
--type kubernetes.io/basic-auth \
--from-literal=username=${GITHUB_USERNAME} \
--from-literal=password=${GITHUB_API_TOKEN} \
--dry-run=client -oyaml \
| kubectl apply -f-
kubectl -n demo annotate secret git-ssh tekton.dev/git-0=https://github.com --overwrite=true
kubectl patch -n demo serviceaccount default -p "{\"secrets\":[{\"name\":\"git-ssh\"}]}"
You can deploy with the following command.
tanzu apps workload apply hello \
--app hello \
--git-repo https://github.com/making/hello-nodejs \
--git-branch master \
--type web \
--param gitops_branch=main \
--param gitops_commit_message=Bump \
--param gitops_server_address=https://github.com \
--param gitops_repository_owner=making \
--param gitops_repository_name=tap-gitops-manifests \
--param gitops_user_email=makingx+bot@gmail.com \
--param gitops_user_name=making-bot \
--param gitops_ssh_secret=git-ssh \
-n demo \
-y
tanzu apps workload tail hello -n demo
If you want to check the resources being created, watch the following command.
watch kubectl get workload,pod,gitrepo,imgs,build,podintent,taskrun,deliverable,imagerepository,app,ksvc -n demo -owide
Once kpack has finished building the container image, Tekton commits and pushes a manifest that uses that image's digest to git. Looking at the git repository, you can see that the following commit was made automatically.

The pushed manifest is as follows.

The created resources are as follows. You can see that a GitRepository resource (hello-tap-delivery) for detecting manifest changes has been created.
$ kubectl get workload,pod,gitrepo,imgs,build,podintent,taskrun,imagerepository,app,ksvc -n demo -owide
NAME SOURCE SUPPLYCHAIN READY REASON AGE
workload.carto.run/hello https://github.com/making/hello-nodejs source-to-url True Ready 2m38s
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
pod/hello-00001-deployment-7bdb4669fd-6fv9v 2/2 Running 0 18s 10.244.0.86 kind-control-plane <none> <none>
pod/hello-build-1-build-pod 0/1 Completed 0 2m29s 10.244.0.84 kind-control-plane <none> <none>
pod/hello-config-writer-csz5h-pod 0/1 Completed 0 72s 10.244.0.85 kind-control-plane <none> <none>
NAME URL READY STATUS AGE
gitrepository.source.toolkit.fluxcd.io/hello https://github.com/making/hello-nodejs True Fetched revision: master/19610d1789fb30d571e0b27a65ed03a7bdec2922 2m35s
gitrepository.source.toolkit.fluxcd.io/hello-delivery ssh://git@github.com/making/tap-gitops-manifests.git True Fetched revision: main/b1029f402e24be4cac5b8807c79ecb1e2ca6cf10 2m32s
NAME LATESTIMAGE READY
image.kpack.io/hello ghcr.io/making/hello-demo@sha256:c9ed1990af739a56230eb8b8b5e45e50ec22901da6884daac969604e29791ace True
NAME IMAGE SUCCEEDED
build.kpack.io/hello-build-1 ghcr.io/making/hello-demo@sha256:c9ed1990af739a56230eb8b8b5e45e50ec22901da6884daac969604e29791ace True
NAME READY REASON AGE
podintent.conventions.apps.tanzu.vmware.com/hello True ConventionsApplied 86s
NAME SUCCEEDED REASON STARTTIME COMPLETIONTIME
taskrun.tekton.dev/hello-config-writer-csz5h True Succeeded 72s 59s
NAME DESCRIPTION SINCE-DEPLOY AGE
app.kappctrl.k14s.io/hello Reconcile succeeded 19s 2m26s
NAME URL LATESTCREATED LATESTREADY READY REASON
service.serving.knative.dev/hello https://hello-demo.vcap.me hello-00001 hello-00001 True
Access the URL.
$ curl -k https://hello-demo.vcap.me
Hello Tanzu!
When you change the source code and git push, a new container image is built, and the manifest is committed and pushed so that it uses the new image's digest. The commit looks like the following.

Using pull requests with GitOps
Starting with TAP 1.2, instead of committing and pushing manifest changes directly, a pull request can be opened.
Add the following lines to tap-values.yml. The default is direct.
# ...
ootb_supply_chain_basic:
  # ...
  gitops:
    # ...
    commit_strategy: pull_request
    pull_request:
      server_kind: github
      commit_branch: ""
      pull_request_title: "ready for review"
      pull_request_body: "generated by supply chain"
Update TAP with the following command.
tanzu package installed update -n tap-install tap -v 1.2.0 -f tap-values.yml
The pull request variant supports only HTTP(S) Basic-auth, not SSH authentication, because an access token is required to call the pull request API.
When you change the source code and git push, a pull request like the following is created after the container image has been built.


Merging this pull request deploys the change.
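Because the manifest in the pull request is what gets deployed once merged, the check a reviewer (or a CI job on the pull request) wants is that every image is one the supply chain produced: under the registry and repository configured in ootb_supply_chain_basic, and pinned by digest rather than a mutable tag. The script below is an added example, not part of the original post; check_manifest and write_samples are hypothetical names, and the sample manifests are constructed (the digest is the one kpack printed for hello above).

```shell
#!/bin/sh
# Added example, not from the original post: a pre-merge check for the manifest
# the config-writer commits (or opens a pull request for). Every image must sit
# under the configured registry/repository and be pinned by a sha256 digest.
# check_manifest and write_samples are hypothetical names; samples are constructed.
set -e

# check_manifest <manifest.yml> <allowed-image-prefix>
# Returns 0 when every "image:" value is <prefix>...@sha256:<64 hex>, else 1.
check_manifest() {
  file="$1"; prefix="$2"; rc=0
  # Pull the value of every image: key, whether or not it starts a list item.
  images=$(sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*image:[[:space:]]*//p' "$file" | tr -d '"')
  if [ -z "$images" ]; then
    echo "REJECT: $file has no image: entries" >&2
    return 1
  fi
  for img in $images; do
    case "$img" in
      "$prefix"*@sha256:*) ;;   # expected registry/repo and digest-pinned
      "$prefix"*) echo "REJECT: $img is referenced by tag, not digest" >&2; rc=1; continue ;;
      *)          echo "REJECT: $img is outside $prefix" >&2; rc=1; continue ;;
    esac
    digest=${img#*@sha256:}
    if ! printf '%s\n' "$digest" | grep -Eq '^[0-9a-f]{64}$'; then
      echo "REJECT: $img has a malformed digest" >&2; rc=1
    fi
  done
  return $rc
}

# Constructed sample: the shape of the Knative Service the supply chain writes,
# using the hello image digest shown earlier in the post.
write_samples() {
  dir="$1"
  cat <<'EOF' > "$dir/good.yml"
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: hello
  namespace: demo
spec:
  template:
    spec:
      containers:
      - image: ghcr.io/making/hello-demo@sha256:c9ed1990af739a56230eb8b8b5e45e50ec22901da6884daac969604e29791ace
        name: workload
EOF
  # Same manifest, but edited in the PR to a mutable tag from another repository.
  sed 's#ghcr.io/making/hello-demo@sha256:[0-9a-f]*#docker.io/someone/hello:latest#' \
    "$dir/good.yml" > "$dir/bad.yml"
}

if [ "${1:-}" = "run" ]; then
  d=$(mktemp -d); write_samples "$d"
  check_manifest "$d/good.yml" ghcr.io/making/ && echo "good.yml: OK"
  check_manifest "$d/bad.yml" ghcr.io/making/ || echo "bad.yml: REJECTED"
fi
```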
Once you have finished checking, delete the Workload.
tanzu apps workload delete -n demo hello -y
Using a Dockerfile via Kaniko
Starting with TAP 1.2, you can use a Dockerfile instead of Cloud Native Buildpacks when building container images.
Internally, kaniko is used instead of kpack.
tanzu apps workload apply hello \
--app hello \
--git-repo https://github.com/making/hello-nodejs \
--git-branch master \
--param dockerfile=./Dockerfile \
--type web \
-n demo \
-y
tanzu apps workload tail hello -n demo
Once you have finished checking, delete the Workload.
tanzu apps workload delete -n demo hello -y
With TAP, it is convenient that a CI/CD flow can be created with nothing but tanzu apps workload.