---
title: Notes on installing Tanzu Application Platform 1.2 (Iterate Profile) on Kind and enabling HTTPS
tags: ["Kubernetes", "Cartographer", "kind", "Tanzu", "TAP", "Knative"]
categories: ["Dev", "CaaS", "Kubernetes", "TAP"]
date: 2022-07-13T01:47:24Z
updated: 2022-10-06T01:58:05Z
---

This post installs [Tanzu Application Platform 1.2](https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.2/tap/GUID-overview.html) on Kind.
I tried this on an Intel Mac. I don't think it works on Apple Silicon yet.

In this article we install TAP and try the "Source to URL" feature, which deploys a "Hello World" application from source code.
We also enable HTTPS.

### Creating the Kind cluster

```
cat <<EOF > kind-expose-port.yaml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  extraPortMappings:
  - containerPort: 31443 # expose port 31443 of the node to port 443 on the host for use later by Contour ingress (envoy)
    hostPort: 443
  - containerPort: 31080 # expose port 31080 of the node to port 80 on the host for use later by Contour ingress (envoy)
    hostPort: 80
EOF
kind create cluster --config kind-expose-port.yaml --image kindest/node:v1.23.6
```

### Installing the Pivnet CLI

Here we use the [`pivnet`](https://github.com/pivotal-cf/pivnet-cli) CLI to download the required software.

The `pivnet` CLI can be installed with brew.

```
brew install pivotal/tap/pivnet-cli
```

Obtain an API token from [VMware Tanzu Network](https://network.tanzu.vmware.com/) and log in with the `pivnet` CLI.

```
pivnet login --api-token=<your-api-token>
```

### Accepting the EULAs

If this is your first installation, accept the EULAs of the following components.

* [Tanzu Application Platform](https://network.tanzu.vmware.com/products/tanzu-application-platform/)
* [Cluster Essentials for VMware Tanzu](https://network.tanzu.vmware.com/products/tanzu-cluster-essentials/)

> ⚠️ The usage period defined in the EULA is 30 days. That said, no restriction is actually enforced in the software.

### Installing the Tanzu CLI

```
# For Mac
pivnet download-product-files --product-slug='tanzu-application-platform' --release-version='1.2.0' --glob='tanzu-framework-darwin-amd64.tar'
# For Linux
pivnet download-product-files --product-slug='tanzu-application-platform' --release-version='1.2.0' --glob='tanzu-framework-linux-amd64.tar'
# For Windows
pivnet download-product-files --product-slug='tanzu-application-platform' --release-version='1.2.0' --glob='tanzu-framework-windows-amd64.zip'
```

```
tar xvf tanzu-framework-*-amd64.tar
install cli/core/v0.11.6/tanzu-core-*_amd64 /usr/local/bin/tanzu
export TANZU_CLI_NO_INIT=true
```

```
$ tanzu version
version: v0.11.6
buildDate: 2022-05-20
sha: 90440e2b
```

Install the plugins.

```
tanzu plugin install --local cli all
```

### Installing Cluster Essentials for VMware Tanzu

Install [Cluster Essentials for VMware Tanzu](https://network.tanzu.vmware.com/products/tanzu-cluster-essentials/#/releases/1130414) to deploy the Kapp Controller and Secretgen Controller that are required to install TAP.

```
# Mac
pivnet download-product-files --product-slug='tanzu-cluster-essentials' --release-version='1.2.0' --glob='tanzu-cluster-essentials-darwin-amd64-*'
# Linux
pivnet download-product-files --product-slug='tanzu-cluster-essentials' --release-version='1.2.0' --glob='tanzu-cluster-essentials-linux-amd64-*'
```

```
TANZUNET_USERNAME=...
TANZUNET_PASSWORD=...

mkdir tanzu-cluster-essentials
tar xzvf tanzu-cluster-essentials-*-amd64-*.tgz -C tanzu-cluster-essentials

export INSTALL_BUNDLE=registry.tanzu.vmware.com/tanzu-cluster-essentials/cluster-essentials-bundle:1.2.0
export INSTALL_REGISTRY_HOSTNAME=registry.tanzu.vmware.com
export INSTALL_REGISTRY_USERNAME=${TANZUNET_USERNAME}
export INSTALL_REGISTRY_PASSWORD=${TANZUNET_PASSWORD}
cd tanzu-cluster-essentials
./install.sh --yes
cd ..
```

```
$ kubectl get pod -A
NAMESPACE              NAME                                         READY   STATUS    RESTARTS   AGE
kapp-controller        kapp-controller-bdd48d459-lcp7c              2/2     Running   0          5m58s
kube-system            coredns-64897985d-gldgr                      1/1     Running   0          21m
kube-system            coredns-64897985d-vkpg9                      1/1     Running   0          21m
kube-system            etcd-kind-control-plane                      1/1     Running   0          21m
kube-system            kindnet-c44cp                                1/1     Running   0          21m
kube-system            kube-apiserver-kind-control-plane            1/1     Running   0          21m
kube-system            kube-controller-manager-kind-control-plane   1/1     Running   0          21m
kube-system            kube-proxy-mp97k                             1/1     Running   0          21m
kube-system            kube-scheduler-kind-control-plane            1/1     Running   0          21m
local-path-storage     local-path-provisioner-66b445c94-45hs9       1/1     Running   0          21m
secretgen-controller   secretgen-controller-65b6454479-p6fsl        1/1     Running   0          80s
```

### Installing Tanzu Application Platform

#### Registering the Package Repository for TAP

```
TANZUNET_USERNAME=...
TANZUNET_PASSWORD=...

kubectl create ns tap-install

tanzu secret registry add tap-registry \
  --username "${TANZUNET_USERNAME}" \
  --password "${TANZUNET_PASSWORD}" \
  --server registry.tanzu.vmware.com \
  --export-to-all-namespaces \
  --yes \
  --namespace tap-install

tanzu package repository add tanzu-tap-repository \
  --url registry.tanzu.vmware.com/tanzu-application-platform/tap-packages:1.2.0 \
  --namespace tap-install
```

```
$ tanzu package available list --namespace tap-install
- Retrieving available packages...
NAME   DISPLAY-NAME   SHORT-DESCRIPTION   LATEST-VERSION
accelerator.apps.tanzu.vmware.com   Application Accelerator for VMware Tanzu   Used to create new projects and configurations.   1.2.1
api-portal.tanzu.vmware.com   API portal   A unified user interface to enable search, discovery and try-out of API endpoints at ease.   1.0.21
backend.appliveview.tanzu.vmware.com   Application Live View for VMware Tanzu   App for monitoring and troubleshooting running apps   1.2.0
build.appliveview.tanzu.vmware.com   Application Live View Conventions for VMware Tanzu   Application Live View convention server   1.0.2
buildservice.tanzu.vmware.com   Tanzu Build Service   Tanzu Build Service enables the building and automation of containerized software workflows securely and at scale.   1.6.0
cartographer.tanzu.vmware.com   Cartographer   Kubernetes native Supply Chain Choreographer.   0.4.2
cnrs.tanzu.vmware.com   Cloud Native Runtimes   Cloud Native Runtimes is a serverless runtime based on Knative   1.3.0
connector.appliveview.tanzu.vmware.com   Application Live View Connector for VMware Tanzu   App for discovering and registering running apps   1.2.0
controller.conventions.apps.tanzu.vmware.com   Convention Service for VMware Tanzu   Convention Service enables app operators to consistently apply desired runtime configurations to fleets of workloads.   0.7.0
controller.source.apps.tanzu.vmware.com   Tanzu Source Controller   Tanzu Source Controller enables workload create/update from source code.   0.4.1
conventions.appliveview.tanzu.vmware.com   Application Live View Conventions for VMware Tanzu   Application Live View convention server   1.2.0
developer-conventions.tanzu.vmware.com   Tanzu App Platform Developer Conventions   Developer Conventions   0.7.0
fluxcd.source.controller.tanzu.vmware.com   Flux Source Controller   The source-controller is a Kubernetes operator, specialised in artifacts acquisition from external sources such as Git, Helm repositories and S3 buckets.   0.16.4
grype.scanning.apps.tanzu.vmware.com   Grype for Supply Chain Security Tools - Scan   Default scan templates using Anchore Grype   1.2.2
image-policy-webhook.signing.apps.tanzu.vmware.com   Image Policy Webhook   Image Policy Webhook enables defining of a policy to restrict unsigned container images.   1.1.3
learningcenter.tanzu.vmware.com   Learning Center for Tanzu Application Platform   Guided technical workshops   0.2.1
metadata-store.apps.tanzu.vmware.com   Supply Chain Security Tools - Store   Post SBoMs and query for image, package, and vulnerability metadata.   1.2.2
ootb-delivery-basic.tanzu.vmware.com   Tanzu App Platform Out of The Box Delivery Basic   Out of The Box Delivery Basic.   0.8.0-build.4
ootb-supply-chain-basic.tanzu.vmware.com   Tanzu App Platform Out of The Box Supply Chain Basic   Out of The Box Supply Chain Basic.   0.8.0-build.4
ootb-supply-chain-testing-scanning.tanzu.vmware.com   Tanzu App Platform Out of The Box Supply Chain with Testing and Scanning   Out of The Box Supply Chain with Testing and Scanning.   0.8.0-build.4
ootb-supply-chain-testing.tanzu.vmware.com   Tanzu App Platform Out of The Box Supply Chain with Testing   Out of The Box Supply Chain with Testing.   0.8.0-build.4
ootb-templates.tanzu.vmware.com   Tanzu App Platform Out of The Box Templates   Out of The Box Templates.   0.8.0-build.4
policy.apps.tanzu.vmware.com   Supply Chain Security Tools - Policy Controller   Policy Controller enables defining of a policy to restrict unsigned container images.   1.0.1
scanning.apps.tanzu.vmware.com   Supply Chain Security Tools - Scan   Scan for vulnerabilities and enforce policies directly within Kubernetes native Supply Chains.   1.2.2
service-bindings.labs.vmware.com   Service Bindings for Kubernetes   Service Bindings for Kubernetes implements the Service Binding Specification.   0.7.2
services-toolkit.tanzu.vmware.com   Services Toolkit   The Services Toolkit enables the management, lifecycle, discoverability and connectivity of Service Resources (databases, message queues, DNS records, etc.).   0.7.1
snyk.scanning.apps.tanzu.vmware.com   Snyk for Supply Chain Security Tools - Scan   Default scan templates using Snyk   1.0.0-beta.2
spring-boot-conventions.tanzu.vmware.com   Tanzu Spring Boot Conventions Server   Default Spring Boot convention server.   0.4.1
sso.apps.tanzu.vmware.com   AppSSO   Application Single Sign-On for Tanzu   1.0.0
tap-auth.tanzu.vmware.com   Default roles for Tanzu Application Platform   Default roles for Tanzu Application Platform   1.0.1
tap-gui.tanzu.vmware.com   Tanzu Application Platform GUI   web app graphical user interface for Tanzu Application Platform   1.2.3
tap-telemetry.tanzu.vmware.com   Telemetry Collector for Tanzu Application Platform   Tanzu Application Plaform Telemetry   0.2.0
tap.tanzu.vmware.com   Tanzu Application Platform   Package to install a set of TAP components to get you started based on your use case.   1.2.0
tekton.tanzu.vmware.com   Tekton Pipelines   Tekton Pipelines is a framework for creating CI/CD systems.   0.33.5
workshops.learningcenter.tanzu.vmware.com   Workshop Building Tutorial   Workshop Building Tutorial   0.2.1
```

#### Installing the Iterate Profile

```yaml
GITHUB_USERNAME=...
GITHUB_API_TOKEN=...

cat <<EOF > tap-values.yml
profile: iterate

ceip_policy_disclosed: true

cnrs:
  domain_name: vcap.me
  domain_template: "{{.Name}}-{{.Namespace}}.{{.Domain}}"
  default_tls_secret: tanzu-system-ingress/cnrs-default-tls
  provider: local

buildservice:
  kp_default_repository: ghcr.io/${GITHUB_USERNAME}/build-service
  kp_default_repository_username: ${GITHUB_USERNAME}
  kp_default_repository_password: ${GITHUB_API_TOKEN}

supply_chain: basic

ootb_supply_chain_basic:
  registry:
    server: ghcr.io
    repository: ${GITHUB_USERNAME}
  gitops:
    ssh_secret: git-ssh

contour:
  envoy:
    service:
      nodePorts:
        http: 31080
        https: 31443

package_overlays:
- name: cnrs
  secrets:
  - name: cnrs-default-tls
EOF
```

> `*.vcap.me` resolves to `127.0.0.1`.

Create the following definition as an overlay to provide the default TLS certificate used by Cloud Native Runtimes (Knative). I referred to the following documents.

* https://docs.vmware.com/en/Cloud-Native-Runtimes-for-VMware-Tanzu/1.3/tanzu-cloud-native-runtimes/GUID-knative-default-tls.html
* https://knative.dev/docs/serving/using-a-tls-cert/#manually-adding-a-tls-certificate

```yaml
cat <<EOF > cnrs-default-tls.yml
#@ load("@ytt:data", "data")
#@ load("@ytt:overlay", "overlay")
#@ namespace = data.values.ingress.external.namespace
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: cnrs-selfsigned-issuer
  namespace: #@ namespace
spec:
  selfSigned: { }
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cnrs-ca
  namespace: #@ namespace
spec:
  commonName: cnrs-ca
  isCA: true
  issuerRef:
    kind: Issuer
    name: cnrs-selfsigned-issuer
  secretName: cnrs-ca
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: cnrs-ca-issuer
  namespace: #@ namespace
spec:
  ca:
    secretName: cnrs-ca
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cnrs-default-tls
  namespace: #@ namespace
spec:
  dnsNames:
  - #@ "*.{}".format(data.values.domain_name)
  issuerRef:
    kind: Issuer
    name: cnrs-ca-issuer
  secretName: cnrs-default-tls
---
apiVersion: projectcontour.io/v1
kind: TLSCertificateDelegation
metadata:
  name: contour-delegation
  namespace: #@ namespace
spec:
  delegations:
  - secretName: cnrs-default-tls
    targetNamespaces:
    - "*"

#@overlay/match by=overlay.subset({"metadata":{"name":"config-network"}, "kind": "ConfigMap"})
---
data:
  #@overlay/match missing_ok=True
  default-external-scheme: https
EOF
```

Create a Secret from the overlay file.

```
kubectl -n tap-install create secret generic cnrs-default-tls \
  -o yaml \
  --dry-run=client \
  --from-file=cnrs-default-tls.yml \
  | kubectl apply -f-
```

Install TAP.

```
tanzu package install tap -p tap.tanzu.vmware.com -v 1.2.0 --values-file tap-values.yml -n tap-install --poll-timeout 45m
```

Check the installation progress with the following command.

```
watch kubectl get app,pod -A
```

Wait until every app reports `Reconcile succeeded`. This takes about 15-20 minutes.

```
$ kubectl get app -n tap-install
NAME                       DESCRIPTION           SINCE-DEPLOY   AGE
appliveview                Reconcile succeeded   7m49s          7m56s
appliveview-connector      Reconcile succeeded   5m38s          16m
appliveview-conventions    Reconcile succeeded   10m            10m
appsso                     Reconcile succeeded   57s            11m
buildservice               Reconcile succeeded   17s            16m
cartographer               Reconcile succeeded   13s            11m
cert-manager               Reconcile succeeded   109s           16m
cnrs                       Reconcile succeeded   7m47s          7m57s
contour                    Reconcile succeeded   11m            11m
conventions-controller     Reconcile succeeded   11s            11m
developer-conventions      Reconcile succeeded   10m            10m
fluxcd-source-controller   Reconcile succeeded   16m            16m
image-policy-webhook       Reconcile succeeded   11m            11m
ootb-delivery-basic        Reconcile succeeded   10m            10m
ootb-supply-chain-basic    Reconcile succeeded   10m            10m
ootb-templates             Reconcile succeeded   1s             10m
policy-controller          Reconcile succeeded   11m            11m
service-bindings           Reconcile succeeded   5m22s          16m
services-toolkit           Reconcile succeeded   16m            16m
source-controller          Reconcile succeeded   76s            11m
spring-boot-conventions    Reconcile succeeded   10m            10m
tap                        Reconcile succeeded   88s            16m
tap-auth                   Reconcile succeeded   6m18s          16m
tap-telemetry              Reconcile succeeded   5m59s          16m
tekton-pipelines           Reconcile succeeded   4m53s          16m
```

The installed packages are as follows.

```
$ kubectl get packageinstall -n tap-install
NAME   PACKAGE NAME   PACKAGE VERSION   DESCRIPTION   AGE
appliveview   backend.appliveview.tanzu.vmware.com   1.2.0   Reconcile succeeded   8m14s
appliveview-connector   connector.appliveview.tanzu.vmware.com   1.2.0   Reconcile succeeded   16m
appliveview-conventions   conventions.appliveview.tanzu.vmware.com   1.2.0   Reconcile succeeded   10m
appsso   sso.apps.tanzu.vmware.com   1.0.0   Reconcile succeeded   12m
buildservice   buildservice.tanzu.vmware.com   1.6.0   Reconcile succeeded   16m
cartographer   cartographer.tanzu.vmware.com   0.4.2   Reconcile succeeded   12m
cert-manager   cert-manager.tanzu.vmware.com   1.5.3+tap.2   Reconcile succeeded   16m
cnrs   cnrs.tanzu.vmware.com   1.3.0   Reconcile succeeded   8m14s
contour   contour.tanzu.vmware.com   1.18.2+tap.2   Reconcile succeeded   12m
conventions-controller   controller.conventions.apps.tanzu.vmware.com   0.7.0   Reconcile succeeded   12m
developer-conventions   developer-conventions.tanzu.vmware.com   0.7.0   Reconcile succeeded   10m
fluxcd-source-controller   fluxcd.source.controller.tanzu.vmware.com   0.16.4   Reconcile succeeded   16m
image-policy-webhook   image-policy-webhook.signing.apps.tanzu.vmware.com   1.1.3   Reconcile succeeded   12m
ootb-delivery-basic   ootb-delivery-basic.tanzu.vmware.com   0.8.0-build.4   Reconcile succeeded   10m
ootb-supply-chain-basic   ootb-supply-chain-basic.tanzu.vmware.com   0.8.0-build.4   Reconcile succeeded   10m
ootb-templates   ootb-templates.tanzu.vmware.com   0.8.0-build.4   Reconcile succeeded   10m
policy-controller   policy.apps.tanzu.vmware.com   1.0.1   Reconcile succeeded   12m
service-bindings   service-bindings.labs.vmware.com   0.7.2   Reconcile succeeded   16m
services-toolkit   services-toolkit.tanzu.vmware.com   0.7.1   Reconcile succeeded   16m
source-controller   controller.source.apps.tanzu.vmware.com   0.4.1   Reconcile succeeded   12m
spring-boot-conventions   spring-boot-conventions.tanzu.vmware.com   0.4.1   Reconcile succeeded   10m
tap   tap.tanzu.vmware.com   1.2.0   Reconcile succeeded   17m
tap-auth   tap-auth.tanzu.vmware.com   1.0.1   Reconcile succeeded   16m
tap-telemetry   tap-telemetry.tanzu.vmware.com   0.2.0   Reconcile succeeded   16m
tekton-pipelines   tekton.tanzu.vmware.com   0.33.5   Reconcile succeeded   16m
```

The deployed Pods are as follows.

```
$ kubectl get pod -A
NAMESPACE   NAME   READY   STATUS   RESTARTS   AGE
app-live-view-connector   application-live-view-connector-zk9l9   1/1   Running   0   16m
app-live-view-conventions   appliveview-webhook-6864556779-6s4w6   1/1   Running   0   10m
app-live-view   application-live-view-server-66dd4fb89c-8vt4l   1/1   Running   0   8m21s
appsso   operator-c94b4dd9c-9gxh6   1/1   Running   0   12m
build-service   build-pod-image-fetcher-tghls   5/5   Running   0   16m
build-service   dependency-updater-controller-5c4d9fb46b-cpmbt   1/1   Running   0   16m
build-service   secret-syncer-controller-8b66cfb7f-6z2mh   1/1   Running   0   16m
build-service   smart-warmer-image-fetcher-5ngmj   2/2   Running   0   9m13s
build-service   warmer-controller-6c574744dc-wwxcl   1/1   Running   0   16m
cartographer-system   cartographer-controller-69fbc785b5-dkr72   1/1   Running   0   12m
cartographer-system   cartographer-conventions-controller-manager-5cb8666745-xwzzb   1/1   Running   0   12m
cert-injection-webhook   cert-injection-webhook-5f5d44ccb-xwmsx   1/1   Running   0   16m
cert-manager   cert-manager-5dd5d847cc-rkrzj   1/1   Running   0   16m
cert-manager   cert-manager-cainjector-7c6dcb76c-2h8jz   1/1   Running   0   16m
cert-manager   cert-manager-webhook-854fc7875b-fhx82   1/1   Running   0   16m
conventions-system   conventions-controller-manager-78f78dcc99-2xlvv   1/1   Running   0   12m
cosign-system   policy-webhook-78c8c8c8f5-c4689   1/1   Running   0   12m
cosign-system   webhook-6655b65b58-vxlng   1/1   Running   0   12m
developer-conventions   webhook-7785857b9-jfb7h   1/1   Running   0   10m
flux-system   source-controller-6bfb9b855-qthlh   1/1   Running   0   16m
image-policy-system   image-policy-controller-manager-6c4cdf8b-zskmg   2/2   Running   0   12m
kapp-controller   kapp-controller-bdd48d459-lcp7c   2/2   Running   0   7h34m
knative-eventing   eventing-controller-66b559bb98-2zrzz   1/1   Running   0   8m5s
knative-eventing   eventing-webhook-5b94b5fd87-wcvhm   1/1   Running   0   8m5s
knative-eventing   imc-controller-7788f45885-5t75h   1/1   Running   0   8m4s
knative-eventing   imc-dispatcher-5f7585d8bc-6n6cz   1/1   Running   0   8m4s
knative-eventing   mt-broker-controller-747888dd99-6pm4l   1/1   Running   0   8m5s
knative-eventing   mt-broker-filter-77b9b9668b-ctdmn   1/1   Running   0   8m4s
knative-eventing   mt-broker-ingress-8449fccd46-m66w6   1/1   Running   0   8m3s
knative-eventing   rabbitmq-broker-controller-6d5d564bc9-gnfn9   1/1   Running   0   8m3s
knative-eventing   rabbitmq-broker-webhook-68d67b96c-mnhz2   1/1   Running   0   8m3s
knative-eventing   sugar-controller-754fc986f6-rk28n   1/1   Running   0   8m2s
knative-serving   activator-75f797df99-frzhp   1/1   Running   0   8m2s
knative-serving   autoscaler-66796d4b-sq4gl   1/1   Running   0   8m2s
knative-serving   autoscaler-hpa-5b4b8b6c77-57ndx   1/1   Running   0   8m
knative-serving   controller-69ffc8ff5-jbvzd   1/1   Running   0   8m1s
knative-serving   domain-mapping-777c99b4d7-2rr4l   1/1   Running   0   8m2s
knative-serving   domainmapping-webhook-7c98699c6-v7xnp   1/1   Running   0   8m2s
knative-serving   net-certmanager-controller-54b94b9ccc-f9r5p   1/1   Running   0   8m
knative-serving   net-certmanager-webhook-74d4646c56-jwh8c   1/1   Running   0   8m
knative-serving   net-contour-controller-5868857dc9-5fvhv   1/1   Running   0   8m5s
knative-serving   webhook-8cc7b694-gx945   1/1   Running   0   8m1s
knative-sources   rabbitmq-controller-manager-7d4444b8b6-xfcsz   1/1   Running   0   8m3s
knative-sources   rabbitmq-webhook-6cb87c8fd5-xvb5h   1/1   Running   0   8m3s
kpack   kpack-controller-7f5b5d567-z6l2z   1/1   Running   0   16m
kpack   kpack-webhook-b564f8dc7-tgz2f   1/1   Running   0   16m
kube-system   coredns-64897985d-gldgr   1/1   Running   0   7h49m
kube-system   coredns-64897985d-vkpg9   1/1   Running   0   7h49m
kube-system   etcd-kind-control-plane   1/1   Running   0   7h50m
kube-system   kindnet-c44cp   1/1   Running   0   7h49m
kube-system   kube-apiserver-kind-control-plane   1/1   Running   0   7h50m
kube-system   kube-controller-manager-kind-control-plane   1/1   Running   1 (5h21m ago)   7h50m
kube-system   kube-proxy-mp97k   1/1   Running   0   7h49m
kube-system   kube-scheduler-kind-control-plane   1/1   Running   1 (5h21m ago)   7h50m
local-path-storage   local-path-provisioner-66b445c94-45hs9   1/1   Running   0   7h49m
secretgen-controller   secretgen-controller-65b6454479-p6fsl   1/1   Running   0   7h29m
service-bindings   manager-5b49fcc58f-hxtpm   1/1   Running   0   16m
services-toolkit   resource-claims-apiserver-d4474586c-hl4mx   1/1   Running   0   16m
services-toolkit   services-toolkit-controller-manager-77fd48c95d-4pmrv   1/1   Running   0   16m
source-system   source-controller-manager-f4c6b754b-rcw92   1/1   Running   0   12m
spring-boot-convention   spring-boot-webhook-5d7c855499-t469f   1/1   Running   0   10m
stacks-operator-system   controller-manager-58c4d5dd7c-bhmpq   1/1   Running   0   16m
tanzu-system-ingress   contour-85644f6f69-dc2gg   1/1   Running   0   12m
tanzu-system-ingress   contour-85644f6f69-hmcls   1/1   Running   0   12m
tanzu-system-ingress   envoy-8b7hp   2/2   Running   0   12m
tap-telemetry   tap-telemetry-informer-77cb67758f-ghh77   1/1   Running   3 (8m30s ago)   16m
tekton-pipelines   tekton-pipelines-controller-59756cd86b-pt872   1/1   Running   0   16m
tekton-pipelines   tekton-pipelines-webhook-64b4df8fb5-xl5mv   1/1   Running   0   16m
triggermesh   aws-event-sources-controller-6cd69d669b-crdp4   1/1   Running   0   8m
vmware-sources   webhook-59854f84cb-ddqks   1/1   Running   0   8m1s
```
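
The `domain_template` in `tap-values.yml` and the single `dnsNames` entry (`*.<domain_name>`) in the certificate overlay interact: a TLS wildcard covers exactly one left-most DNS label. The script below is an added example, not part of the original post, that renders the host name for each template and checks it against the wildcard. `render_host`, `wildcard_covers` and `report` are hypothetical helper names, the workload name `hello` and namespace `demo` are sample values, and the dotted template is Knative's default.

```sh
#!/bin/sh
# Added example, not from the original post.
# Checks whether the host name Knative generates from a domain template is
# covered by the wildcard certificate (*.<domain_name>) issued by the overlay.

# render_host TEMPLATE NAME NAMESPACE DOMAIN
# Hypothetical helper: substitutes only the three placeholders used in
# tap-values.yml; it is not Knative's real Go-template engine.
render_host() {
  printf '%s\n' "$1" | sed \
    -e "s/{{\.Name}}/$2/g" \
    -e "s/{{\.Namespace}}/$3/g" \
    -e "s/{{\.Domain}}/$4/g"
}

# wildcard_covers SAN HOST
# Returns 0 when the dNSName SAN covers HOST. A "*." SAN stands for exactly
# one non-empty left-most label, so it never matches nested subdomains or
# the bare domain.
wildcard_covers() {
  wc_san=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  wc_host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  case "$wc_san" in
    '*.'*)
      wc_suffix=${wc_san#?}            # "*.vcap.me" -> ".vcap.me"
      case "$wc_host" in
        *"$wc_suffix") wc_label=${wc_host%"$wc_suffix"} ;;
        *) return 1 ;;
      esac
      case "$wc_label" in
        ''|*.*) return 1 ;;            # empty or more than one label
      esac
      return 0
      ;;
    *)
      [ "$wc_san" = "$wc_host" ]       # non-wildcard SAN: exact match only
      ;;
  esac
}

# report TEMPLATE NAME NAMESPACE DOMAIN
# Prints the rendered host and whether *.DOMAIN covers it.
report() {
  r_host=$(render_host "$1" "$2" "$3" "$4")
  if wildcard_covers "*.$4" "$r_host"; then
    echo "$r_host covered by *.$4"
  else
    echo "$r_host NOT covered by *.$4"
  fi
}

# Sample values (constructed): workload "hello" in namespace "demo".
report '{{.Name}}-{{.Namespace}}.{{.Domain}}' hello demo vcap.me   # template from tap-values.yml
report '{{.Name}}.{{.Namespace}}.{{.Domain}}' hello demo vcap.me   # Knative's default template
```

With the default dotted template, clients would report a host name mismatch even after the CA in `cnrs-ca` is trusted, because `hello.demo.vcap.me` has two labels in front of `vcap.me`.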
Confirm that the ClusterBuilder is READY.

```
$ kubectl get clusterbuilder
NAME      LATESTIMAGE   READY
base      ghcr.io/making/build-service:clusterbuilder-base@sha256:8658a91787d152205096a59f1eaead7337e11e86deed87414fdd9c19b940b8ac   True
default   ghcr.io/making/build-service:clusterbuilder-default@sha256:8658a91787d152205096a59f1eaead7337e11e86deed87414fdd9c19b940b8ac   True
```

### Deploying a Workload

#### Preparation for creating a Workload

https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.2/tap/GUID-set-up-namespaces.html

(partially modified)

```
kubectl create ns demo
tanzu secret registry add registry-credentials --server ghcr.io --username ${GITHUB_USERNAME} --password ${GITHUB_API_TOKEN} --namespace demo
```

```yaml
cat <
pod/hello-build-1-build-pod   0/1   Completed   0   6m5s   10.244.0.68   kind-control-plane   <none>   <none>
pod/hello-config-writer-xttn4-pod   0/1   Completed   0   4m19s   10.244.0.69   kind-control-plane   <none>   <none>

NAME   URL   READY   STATUS   AGE
gitrepository.source.toolkit.fluxcd.io/hello   https://github.com/making/hello-nodejs   True   Fetched revision: master/2a6bd559580592beb51f4bf6d00bbb3f3fac6c9b   6m11s

NAME   LATESTIMAGE   READY
image.kpack.io/hello   ghcr.io/making/hello-demo@sha256:c99355fd11db011d7a08cd03b2ead8b6028358f20e95e01e99fa0835c4fea1a9   True

NAME   IMAGE   SUCCEEDED
build.kpack.io/hello-build-1   ghcr.io/making/hello-demo@sha256:c99355fd11db011d7a08cd03b2ead8b6028358f20e95e01e99fa0835c4fea1a9   True

NAME   READY   REASON   AGE
podintent.conventions.apps.tanzu.vmware.com/hello   True   ConventionsApplied   4m34s

NAME   SUCCEEDED   REASON   STARTTIME   COMPLETIONTIME
taskrun.tekton.dev/hello-config-writer-xttn4   True   Succeeded   4m19s   2m25s

NAME   SOURCE   DELIVERY   READY   REASON   AGE
deliverable.carto.run/hello   ghcr.io/making/hello-demo-bundle:db5304ea-862d-4548-9773-f44ec983da8f   delivery-basic   True   Ready   6m11s

NAME   IMAGE   URL   READY   REASON   AGE
imagerepository.source.apps.tanzu.vmware.com/hello-delivery   ghcr.io/making/hello-demo-bundle:db5304ea-862d-4548-9773-f44ec983da8f   http://source-controller-manager-artifact-service.source-system.svc.cluster.local./imagerepository/demo/hello-delivery/da37404afd44183935553746bb8e870772a950a034d9bb7a85da277587cff7b3.tar.gz   True   Ready   6m8s

NAME   DESCRIPTION   SINCE-DEPLOY   AGE
app.kappctrl.k14s.io/hello   Reconcile succeeded   112s   113s

NAME   URL   LATESTCREATED   LATESTREADY   READY   REASON
service.serving.knative.dev/hello   https://hello-demo.vcap.me   hello-00001   hello-00001   True
```

```
$ tanzu apps workload get -n demo hello
---
# hello: Ready
---
Source
type:     git
url:      https://github.com/making/hello-nodejs
branch:   master

Supply Chain
name:          source-to-url
last update:   2m29s
ready:         True

RESOURCE          READY   TIME
source-provider   True    6m19s
deliverable       True    6m22s
image-builder     True    4m45s
config-provider   True    4m33s
app-config        True    4m33s
config-writer     True    2m29s

Issues
No issues reported.

Pods
NAME                                      STATUS      RESTARTS   AGE
hello-00001-deployment-7979d95d87-jkgh2   Running     0          2m3s
hello-build-1-build-pod                   Succeeded   0          6m16s
hello-config-writer-xttn4-pod             Succeeded   0          4m30s

Knative Services
NAME    READY   URL
hello   Ready   https://hello-demo.vcap.me

To see logs: "tanzu apps workload tail hello --namespace demo"
```

```
$ curl -k https://hello-demo.vcap.me
Hello Tanzu!!
```

> ℹ️ The [kubectl tree plugin](https://github.com/ahmetb/kubectl-tree) makes the parent-child relationships between resources easy to see.
>
> ```
> $ kubectl tree -n demo workload hello
> NAMESPACE  NAME                                     READY  REASON               AGE
> demo       Workload/hello                           True   Ready                8m34s
> demo       ├─ConfigMap/hello                        -                           7m21s
> demo       ├─Deliverable/hello                      True   Ready                8m31s
> demo       │ ├─App/hello                            -                           6m22s
> demo       │ └─ImageRepository/hello-delivery       True   Ready                8m28s
> demo       ├─GitRepository/hello                    True   GitOperationSucceed  8m31s
> demo       ├─Image/hello                            True                        8m28s
> demo       │ ├─Build/hello-build-1                  -                           8m28s
> demo       │ │ └─Pod/hello-build-1-build-pod        False  PodCompleted         8m26s
> demo       │ ├─PersistentVolumeClaim/hello-cache    -                           8m28s
> demo       │ └─SourceResolver/hello-source          True                        8m28s
> demo       ├─PodIntent/hello                        True   ConventionsApplied   7m33s
> demo       │ └─PodIntent/hello                      True   ConventionsApplied   7m33s
> demo       └─Runnable/hello-config-writer           True   Ready                7m21s
> demo         └─TaskRun/hello-config-writer-bh2jc    -                           7m18s
> demo           └─Pod/hello-config-writer-bh2jc-pod  False  PodCompleted         7m18s
> ```

Once you have finished checking, delete the Workload.

```
tanzu apps workload delete -n demo hello -y
```

#### Deploying a Java app

```
tanzu apps workload apply spring-music \
  --app spring-music \
  --git-repo https://github.com/scottfrederick/spring-music \
  --git-branch tanzu \
  --type web \
  --annotation autoscaling.knative.dev/minScale=1 \
  -n demo \
  -y
tanzu apps workload tail spring-music -n demo
```

To see the resources being created, watch the following command.

```
watch kubectl get workload,pod,gitrepo,imgs,build,podintent,taskrun,deliverable,imagerepository,app,ksvc -n demo -owide
```

```
$ kubectl get workload,pod,gitrepo,imgs,build,podintent,taskrun,imagerepository,app,ksvc -n demo -owide
NAME   SOURCE   SUPPLYCHAIN   READY   REASON   AGE
workload.carto.run/spring-music   https://github.com/scottfrederick/spring-music   source-to-url   True   Ready   7m46s

NAME   READY   STATUS   RESTARTS   AGE   IP   NODE   NOMINATED NODE   READINESS GATES
pod/spring-music-00001-deployment-7db74f7946-c8hd2   2/2   Running   0   2m32s   10.244.0.76   kind-control-plane   <none>   <none>
pod/spring-music-build-1-build-pod   0/1   Completed   0   7m38s   10.244.0.74   kind-control-plane   <none>   <none>
pod/spring-music-config-writer-4tbjc-pod   0/1   Completed   0   3m7s   10.244.0.75   kind-control-plane   <none>   <none>

NAME   URL   READY   STATUS   AGE
gitrepository.source.toolkit.fluxcd.io/spring-music   https://github.com/scottfrederick/spring-music   True   Fetched revision: tanzu/922a509361d1345984899cafeb34622ef7dd2086   7m43s

NAME   LATESTIMAGE   READY
image.kpack.io/spring-music   ghcr.io/making/spring-music-demo@sha256:953b88e13550d875dc3723fc16b63f800631f4ad56d858d7bc7f858420296ceb   True

NAME   IMAGE   SUCCEEDED
build.kpack.io/spring-music-build-1   ghcr.io/making/spring-music-demo@sha256:953b88e13550d875dc3723fc16b63f800631f4ad56d858d7bc7f858420296ceb   True

NAME   READY   REASON   AGE
podintent.conventions.apps.tanzu.vmware.com/spring-music   True   ConventionsApplied   3m21s

NAME   SUCCEEDED   REASON   STARTTIME   COMPLETIONTIME
taskrun.tekton.dev/spring-music-config-writer-4tbjc   True   Succeeded   3m8s   2m58s

NAME   IMAGE   URL   READY   REASON   AGE
imagerepository.source.apps.tanzu.vmware.com/spring-music-delivery   ghcr.io/making/spring-music-demo-bundle:075dcd25-ffe1-4698-bdc5-e860f4a18ccf   http://source-controller-manager-artifact-service.source-system.svc.cluster.local./imagerepository/demo/spring-music-delivery/fdd1b7a69bc9525655ac7e67982fc151f80410800df8c1a36fbee5d41e554f8a.tar.gz   True   Ready   7m41s

NAME   DESCRIPTION   SINCE-DEPLOY   AGE
app.kappctrl.k14s.io/spring-music   Reconcile succeeded   2m33s   2m33s

NAME   URL   LATESTCREATED   LATESTREADY   READY   REASON
service.serving.knative.dev/spring-music   https://spring-music-demo.vcap.me   spring-music-00001   spring-music-00001   True
```

```
$ tanzu apps workload get -n demo spring-music
---
# spring-music: Ready
---
Source
type:     git
url:      https://github.com/scottfrederick/spring-music
branch:   tanzu

Supply Chain
name:          source-to-url
last update:   3m13s
ready:         True

RESOURCE          READY   TIME
source-provider   True    8m
deliverable       True    8m3s
image-builder     True    3m40s
config-provider   True    3m30s
app-config        True    3m30s
config-writer     True    3m13s

Issues
No issues reported.

Pods
NAME                                             STATUS      RESTARTS   AGE
spring-music-00001-deployment-7db74f7946-c8hd2   Running     0          2m52s
spring-music-build-1-build-pod                   Succeeded   0          7m58s
spring-music-config-writer-4tbjc-pod             Succeeded   0          3m27s

Knative Services
NAME           READY   URL
spring-music   Ready   https://spring-music-demo.vcap.me

To see logs: "tanzu apps workload tail spring-music --namespace demo"
```

[image]

Type "THIS IS UNSAFE".

[image]

Once you have finished checking, delete the Workload.

```
tanzu apps workload delete -n demo spring-music -y
```

### Deploying with GitOps

https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.2/tap/GUID-scc-gitops-vs-regops.html#gitops-0

First, create a git repository on GitHub to manage the manifests. I created https://github.com/making/hello-nodejs-manifests, containing only a README.

[image]

[image]

Create a Secret for pushing to the Git repository. You can choose either [HTTP(S) Basic-auth](https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.2/tap/GUID-scc-gitops-vs-regops.html#authentication-3) or [SSH](https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.2/tap/GUID-scc-gitops-vs-regops.html#ssh-4).
Here we use Basic-auth. Generate a Personal access token with access to repo at https://github.com/settings/tokens.

[image]

Create the Secret with the following commands.

```
GITHUB_USERNAME=making
GITHUB_API_TOKEN=ghp_******

kubectl create secret generic git-ssh -n demo \
  --type kubernetes.io/basic-auth \
  --from-literal=username=${GITHUB_USERNAME} \
  --from-literal=password=${GITHUB_API_TOKEN} \
  --dry-run=client -oyaml \
  | kubectl apply -f-
kubectl -n demo annotate secret git-ssh tekton.dev/git-0=https://github.com --overwrite=true
kubectl patch -n demo serviceaccount default -p "{\"secrets\":[{\"name\":\"git-ssh\"}]}"
```

Deploy with the following commands.

```
tanzu apps workload apply hello \
  --app hello \
  --git-repo https://github.com/making/hello-nodejs \
  --git-branch master \
  --type web \
  --param gitops_branch=main \
  --param gitops_commit_message=Bump \
  --param gitops_server_address=https://github.com \
  --param gitops_repository_owner=making \
  --param gitops_repository_name=tap-gitops-manifests \
  --param gitops_user_email=makingx+bot@gmail.com \
  --param gitops_user_name=making-bot \
  --param gitops_ssh_secret=git-ssh \
  -n demo \
  -y
tanzu apps workload tail hello -n demo
```

To see the resources being created, watch the following command.

```
watch kubectl get workload,pod,gitrepo,imgs,build,podintent,taskrun,deliverable,imagerepository,app,ksvc -n demo -owide
```

When kpack finishes building the container image, Tekton performs a git commit & push of the manifest using that image's digest.
Looking at the git repository, you can see that the following commit was made automatically.

[image]

The pushed manifest is as follows.

[image]

The created resources are as follows. You can see that a GitRepository resource (`hello-tap-delivery`) has been created to detect changes to the manifest.

```
$ kubectl get workload,pod,gitrepo,imgs,build,podintent,taskrun,imagerepository,app,ksvc -n demo -owide
NAME   SOURCE   SUPPLYCHAIN   READY   REASON   AGE
workload.carto.run/hello   https://github.com/making/hello-nodejs   source-to-url   True   Ready   2m38s

NAME   READY   STATUS   RESTARTS   AGE   IP   NODE   NOMINATED NODE   READINESS GATES
pod/hello-00001-deployment-7bdb4669fd-6fv9v   2/2   Running   0   18s   10.244.0.86   kind-control-plane   <none>   <none>
pod/hello-build-1-build-pod   0/1   Completed   0   2m29s   10.244.0.84   kind-control-plane   <none>   <none>
pod/hello-config-writer-csz5h-pod   0/1   Completed   0   72s   10.244.0.85   kind-control-plane   <none>   <none>

NAME   URL   READY   STATUS   AGE
gitrepository.source.toolkit.fluxcd.io/hello   https://github.com/making/hello-nodejs   True   Fetched revision: master/19610d1789fb30d571e0b27a65ed03a7bdec2922   2m35s
gitrepository.source.toolkit.fluxcd.io/hello-delivery   ssh://git@github.com/making/tap-gitops-manifests.git   True   Fetched revision: main/b1029f402e24be4cac5b8807c79ecb1e2ca6cf10   2m32s

NAME   LATESTIMAGE   READY
image.kpack.io/hello   ghcr.io/making/hello-demo@sha256:c9ed1990af739a56230eb8b8b5e45e50ec22901da6884daac969604e29791ace   True

NAME   IMAGE   SUCCEEDED
build.kpack.io/hello-build-1   ghcr.io/making/hello-demo@sha256:c9ed1990af739a56230eb8b8b5e45e50ec22901da6884daac969604e29791ace   True

NAME   READY   REASON   AGE
podintent.conventions.apps.tanzu.vmware.com/hello   True   ConventionsApplied   86s

NAME   SUCCEEDED   REASON   STARTTIME   COMPLETIONTIME
taskrun.tekton.dev/hello-config-writer-csz5h   True   Succeeded   72s   59s

NAME   DESCRIPTION   SINCE-DEPLOY   AGE
app.kappctrl.k14s.io/hello   Reconcile succeeded   19s   2m26s

NAME   URL   LATESTCREATED   LATESTREADY   READY   REASON
service.serving.knative.dev/hello   https://hello-demo.vcap.me   hello-00001   hello-00001   True
```

Access the URL.

```
$ curl -k https://hello-demo.vcap.me
Hello Tanzu!
```

When you change the source code and git push, a new container image is built, and the manifest is committed & pushed so that it uses the new image's digest.
The commit looks like the following.

[image]

### Using pull requests with GitOps

Starting with TAP 1.2, instead of committing & pushing manifest changes directly, you can send a pull request.

https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.2/tap/GUID-scc-gitops-vs-regops.html#pull-requests-2

Add the following lines to `tap-values.yml`. The default is `direct`.

```yaml
# ...
ootb_supply_chain_basic:
  # ...
  gitops:
    # ...
    commit_strategy: pull_request
    pull_request:
      server_kind: github
      commit_branch: ""
      pull_request_title: "ready for review"
      pull_request_body: "generated by supply chain"
```

Update TAP with the following command.

```
tanzu package installed update -n tap-install tap -v 1.2.0 -f tap-values.yml
```

> The Pull Request variant supports only HTTP(S) Basic-auth authentication, not SSH authentication, because an access token is needed to call the Pull Request API.

When you change the source code and git push, a Pull Request like the following is created after the container image is built.

[image]

[image]

Merging this Pull Request deploys the change.

Once you have finished checking, delete the Workload.

```
tanzu apps workload delete -n demo hello -y
```

### Using a Dockerfile via Kaniko

Starting with TAP 1.2, you can use a Dockerfile instead of Cloud Native Buildpacks when building the container image.
Internally, [kaniko](https://github.com/GoogleContainerTools/kaniko) is used instead of kpack.

```
tanzu apps workload apply hello \
  --app hello \
  --git-repo https://github.com/making/hello-nodejs \
  --git-branch master \
  --param dockerfile=./Dockerfile \
  --type web \
  -n demo \
  -y
tanzu apps workload tail hello -n demo
```

Once you have finished checking, delete the Workload.

```
tanzu apps workload delete -n demo hello -y
```

---

With TAP, it is handy that a CI/CD flow can be created with just `tanzu apps workload`.