IK.AM

@making's tech note


Notes on installing Tanzu Application Platform 1.3 (Iterate Profile) on Kind and enabling HTTPS

🗃 {Dev/CaaS/Kubernetes/TAP}
🏷 Kubernetes 🏷 Cartographer 🏷 kind 🏷 Tanzu 🏷 TAP 🏷 Knative 
🗓 Updated at 2022-11-29T15:39:54Z  🗓 Created at 2022-11-29T05:33:50Z

⚠️ The content of this article is not supported by VMware. Handle any problems caused by following it at your own risk, and do not contact VMware support about them.

This note installs Tanzu Application Platform 1.3 on Kind.

Tested on an Intel Mac.

It installs TAP, tries the feature that deploys a "Hello World" application from source code ("Source to URL"), and enables HTTPS.


Creating the Kind cluster

Give Docker at least 4 CPUs and 4 GB of memory.

cat <<EOF > kind-expose-port.yaml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
 - role: control-plane
   extraPortMappings:
   - containerPort: 31443 # expose port 31443 of the node as port 443 on the host, for use later by Contour ingress (envoy)
     hostPort: 443
   - containerPort: 31080 # expose port 31080 of the node as port 80 on the host, for use later by Contour ingress (envoy)
     hostPort: 80
EOF
kind create cluster --config kind-expose-port.yaml --image kindest/node:v1.23.12

Installing the pivnet CLI

The pivnet CLI is used here to download the required software. It can be installed with brew.

brew install pivotal/tap/pivnet-cli

Obtain an API token from VMware Tanzu Network and log in with the pivnet CLI.

pivnet login --api-token=<API Token>

Accepting the EULAs

If this is your first install, accept the EULA of each product downloaded below (Tanzu Application Platform and Cluster Essentials for VMware Tanzu) on VMware Tanzu Network beforehand; the pivnet downloads fail otherwise.

⚠️ The EULA sets a 30-day usage period. That said, nothing in the software itself enforces it.

Installing the Tanzu CLI

# For Mac
pivnet download-product-files --product-slug='tanzu-application-platform' --release-version='1.3.2' --glob='tanzu-framework-darwin-amd64-*.tar'
# For Linux
pivnet download-product-files --product-slug='tanzu-application-platform' --release-version='1.3.2' --glob='tanzu-framework-linux-amd64-*.tar'
# For Windows
pivnet download-product-files --product-slug='tanzu-application-platform' --release-version='1.3.2' --glob='tanzu-framework-windows-amd64-*.zip'
tar xvf tanzu-framework-*-amd64-*.tar
install cli/core/v0.25.0/tanzu-core-*_amd64 /usr/local/bin/tanzu
export TANZU_CLI_NO_INIT=true
$ tanzu version
version: v0.25.0
buildDate: 2022-08-25
sha: 6288c751-dirty

Installing the plugins

tanzu plugin install --local cli all

Installing Cluster Essentials for VMware Tanzu

Install Cluster Essentials for VMware Tanzu to deploy the Kapp Controller and Secretgen Controller that the TAP install depends on.

# Mac
pivnet download-product-files --product-slug='tanzu-cluster-essentials' --release-version='1.3.0' --glob='tanzu-cluster-essentials-darwin-amd64-*'
# Linux
pivnet download-product-files --product-slug='tanzu-cluster-essentials' --release-version='1.3.0' --glob='tanzu-cluster-essentials-linux-amd64-*'
TANZUNET_USERNAME=...
TANZUNET_PASSWORD=...

mkdir tanzu-cluster-essentials
tar xzvf tanzu-cluster-essentials-*-amd64-*.tgz -C tanzu-cluster-essentials

export INSTALL_BUNDLE=registry.tanzu.vmware.com/tanzu-cluster-essentials/cluster-essentials-bundle:1.3.0
export INSTALL_REGISTRY_HOSTNAME=registry.tanzu.vmware.com
export INSTALL_REGISTRY_USERNAME=${TANZUNET_USERNAME}
export INSTALL_REGISTRY_PASSWORD=${TANZUNET_PASSWORD}
cd tanzu-cluster-essentials
./install.sh --yes
cd ..
$ kubectl get pod -n kapp-controller
NAME                               READY   STATUS    RESTARTS   AGE
kapp-controller-77466557f5-tz6b8   2/2     Running   0          61s

$ kubectl get pod -n secretgen-controller 
NAME                                   READY   STATUS    RESTARTS   AGE
secretgen-controller-7c88f487c-54tlb   1/1     Running   0          39s

Installing Tanzu Application Platform

Registering the TAP package repository

TANZUNET_USERNAME=...
TANZUNET_PASSWORD=...

kubectl create ns tap-install

tanzu secret registry add tap-registry \
  --username "${TANZUNET_USERNAME}" \
  --password "${TANZUNET_PASSWORD}" \
  --server registry.tanzu.vmware.com \
  --export-to-all-namespaces \
  --yes \
  --namespace tap-install

tanzu package repository add tanzu-tap-repository \
  --url registry.tanzu.vmware.com/tanzu-application-platform/tap-packages:1.3.2 \
  --namespace tap-install
$ tanzu package available list --namespace tap-install
  NAME                                                 DISPLAY-NAME                                                              SHORT-DESCRIPTION                                                                 LATEST-VERSION  
  accelerator.apps.tanzu.vmware.com                    Application Accelerator for VMware Tanzu                                  Used to create new projects and configurations.                                   1.3.2           
  api-portal.tanzu.vmware.com                          API portal                                                                A unified user interface for API discovery and exploration at scale.              1.2.5           
  apis.apps.tanzu.vmware.com                           API Auto Registration for VMware Tanzu                                    A TAP component to automatically register API exposing workloads as API entities  0.1.2           
                                                                                                                                 in TAP GUI.                                                                                       
  backend.appliveview.tanzu.vmware.com                 Application Live View for VMware Tanzu                                    App for monitoring and troubleshooting running apps                               1.3.1           
  buildservice.tanzu.vmware.com                        Tanzu Build Service                                                       Tanzu Build Service enables the building and automation of containerized          1.7.4           
                                                                                                                                 software workflows securely and at scale.                                                         
  carbonblack.scanning.apps.tanzu.vmware.com           VMware Carbon Black for Supply Chain Security Tools - Scan                Default scan templates using VMware Carbon Black                                  1.0.0-beta.2    
  cartographer.tanzu.vmware.com                        Cartographer                                                              Kubernetes native Supply Chain Choreographer.                                     0.5.4           
  cnrs.tanzu.vmware.com                                Cloud Native Runtimes                                                     Cloud Native Runtimes is a serverless runtime based on Knative                    2.0.2           
  connector.appliveview.tanzu.vmware.com               Application Live View Connector for VMware Tanzu                          App for discovering and registering running apps                                  1.3.1           
  controller.conventions.apps.tanzu.vmware.com         Convention Service for VMware Tanzu                                       Convention Service enables app operators to consistently apply desired runtime    0.7.1           
                                                                                                                                 configurations to fleets of workloads.                                                            
  controller.source.apps.tanzu.vmware.com              Tanzu Source Controller                                                   Tanzu Source Controller enables workload create/update from source code.          0.5.1           
  conventions.appliveview.tanzu.vmware.com             Application Live View Conventions for VMware Tanzu                        Application Live View convention server                                           1.3.1           
  developer-conventions.tanzu.vmware.com               Tanzu App Platform Developer Conventions                                  Developer Conventions                                                             0.8.0           
  eventing.tanzu.vmware.com                            Eventing                                                                  Eventing is an event-driven architecture platform based on Knative Eventing       2.0.2           
  fluxcd.source.controller.tanzu.vmware.com            Flux Source Controller                                                    The source-controller is a Kubernetes operator, specialised in artifacts          0.27.0+tap.1    
                                                                                                                                 acquisition from external sources such as Git, Helm repositories and S3 buckets.                  
  grype.scanning.apps.tanzu.vmware.com                 Grype for Supply Chain Security Tools - Scan                              Default scan templates using Anchore Grype                                        1.3.1           
  image-policy-webhook.signing.apps.tanzu.vmware.com   Image Policy Webhook                                                      Image Policy Webhook enables defining of a policy to restrict unsigned container  1.1.9           
                                                                                                                                 images.                                                                                           
  learningcenter.tanzu.vmware.com                      Learning Center for Tanzu Application Platform                            Guided technical workshops                                                        0.2.4           
  metadata-store.apps.tanzu.vmware.com                 Supply Chain Security Tools - Store                                       Post SBoMs and query for image, package, and vulnerability metadata.              1.3.4           
  ootb-delivery-basic.tanzu.vmware.com                 Tanzu App Platform Out of The Box Delivery Basic                          Out of The Box Delivery Basic.                                                    0.10.5          
  ootb-supply-chain-basic.tanzu.vmware.com             Tanzu App Platform Out of The Box Supply Chain Basic                      Out of The Box Supply Chain Basic.                                                0.10.5          
  ootb-supply-chain-testing-scanning.tanzu.vmware.com  Tanzu App Platform Out of The Box Supply Chain with Testing and Scanning  Out of The Box Supply Chain with Testing and Scanning.                            0.10.5          
  ootb-supply-chain-testing.tanzu.vmware.com           Tanzu App Platform Out of The Box Supply Chain with Testing               Out of The Box Supply Chain with Testing.                                         0.10.5          
  ootb-templates.tanzu.vmware.com                      Tanzu App Platform Out of The Box Templates                               Out of The Box Templates.                                                         0.10.5          
  policy.apps.tanzu.vmware.com                         Supply Chain Security Tools - Policy Controller                           Policy Controller enables defining of a policy to restrict unsigned container     1.1.3           
                                                                                                                                 images.                                                                                           
  scanning.apps.tanzu.vmware.com                       Supply Chain Security Tools - Scan                                        Scan for vulnerabilities and enforce policies directly within Kubernetes native   1.3.1           
                                                                                                                                 Supply Chains.                                                                                    
  service-bindings.labs.vmware.com                     Service Bindings for Kubernetes                                           Service Bindings for Kubernetes implements the Service Binding Specification.     0.8.1           
  services-toolkit.tanzu.vmware.com                    Services Toolkit                                                          The Services Toolkit enables the management, lifecycle, discoverability and       0.8.1           
                                                                                                                                 connectivity of Service Resources (databases, message queues, DNS records,                        
                                                                                                                                 etc.).                                                                                            
  snyk.scanning.apps.tanzu.vmware.com                  Snyk for Supply Chain Security Tools - Scan                               Default scan templates using Snyk                                                 1.0.0-beta.5    
  spring-boot-conventions.tanzu.vmware.com             Tanzu Spring Boot Conventions Server                                      Default Spring Boot convention server.                                            0.5.0           
  sso.apps.tanzu.vmware.com                            AppSSO                                                                    Application Single Sign-On for Tanzu                                              2.0.0           
  tap-auth.tanzu.vmware.com                            Default roles for Tanzu Application Platform                              Default roles for Tanzu Application Platform                                      1.1.0           
  tap-gui.tanzu.vmware.com                             Tanzu Application Platform GUI                                            web app graphical user interface for Tanzu Application Platform                   1.3.3           
  tap-telemetry.tanzu.vmware.com                       Telemetry Collector for Tanzu Application Platform                        Tanzu Application Plaform Telemetry                                               0.3.2           
  tap.tanzu.vmware.com                                 Tanzu Application Platform                                                Package to install a set of TAP components to get you started based on your use   1.3.2           
                                                                                                                                 case.                                                                                             
  tekton.tanzu.vmware.com                              Tekton Pipelines                                                          Tekton Pipelines is a framework for creating CI/CD systems.                       0.39.0+tap.2    
  workshops.learningcenter.tanzu.vmware.com            Workshop Building Tutorial                                                Workshop Building Tutorial                                                        0.2.3           

Creating a self-signed CA certificate

mkdir -p certs
rm -f certs/*
# openssl is run from the hitch image so nothing has to be installed locally; the key and CSR land in ./certs
docker run --rm -v ${PWD}/certs:/certs hitch openssl req -new -nodes -out /certs/ca.csr -keyout /certs/ca.key -subj "/CN=default-ca/O=TAP/C=JP"
# the private key is in certs/, so restrict it there
chmod og-rwx certs/ca.key
# self-sign with the v3_ca extensions so the certificate carries basicConstraints CA:TRUE; without it clients will not accept it as an issuer
docker run --rm -v ${PWD}/certs:/certs hitch openssl x509 -req -in /certs/ca.csr -days 3650 -extfile /etc/ssl/openssl.cnf -extensions v3_ca -signkey /certs/ca.key -out /certs/ca.crt

Installing the Iterate profile

Create the following tap-values.yaml to install the iterate profile. Packages that are not needed are listed under excluded_packages so that the install fits in 4 CPUs. The file embeds the registry password (GITHUB_API_TOKEN) in plain text, so keep it out of version control.

GITHUB_USERNAME=...
GITHUB_API_TOKEN=...

cat <<EOF > tap-values.yaml
shared:
  ingress_domain: 127-0-0-1.sslip.io
  image_registry:
    project_path: ghcr.io/${GITHUB_USERNAME}
    username: ${GITHUB_USERNAME}
    password: ${GITHUB_API_TOKEN}
  ca_cert_data: |
$(cat certs/ca.crt | sed 's/^/    /g')

ceip_policy_disclosed: true
profile: iterate

supply_chain: basic

contour:
  contour:
    replicas: 1
  envoy:
    service:
      type: NodePort
      nodePorts:
        http: 31080
        https: 31443
    hostPorts:
      enable: true

cnrs:
  domain_template: "{{.Name}}-{{.Namespace}}.{{.Domain}}"
  default_tls_secret: tanzu-system-ingress/tap-default-tls
  provider: local

package_overlays:
- name: contour
  secrets:
  - name: contour-default-tls
- name: cnrs
  secrets:
  - name: cnrs-https
- name: tap-telemetry
  secrets:
  - name: tap-telemetry-remove

excluded_packages:
- policy.apps.tanzu.vmware.com
- image-policy-webhook.signing.apps.tanzu.vmware.com
- eventing.tanzu.vmware.com
- sso.apps.tanzu.vmware.com
EOF

*.127-0-0-1.sslip.io resolves to 127.0.0.1.
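The containerPort values in kind-expose-port.yaml (31080/31443) and contour.envoy.service.nodePorts in tap-values.yaml have to agree, otherwise host ports 80/443 are forwarded to a NodePort that Envoy never listens on and every request to *.127-0-0-1.sslip.io simply times out. The following shell check is added here and is not part of the original note: it pulls both sets of ports out of the two files with grep/awk and compares them. The files it writes to a temp dir are constructed stand-ins for the real kind-expose-port.yaml and tap-values.yaml; point check_port_mapping at the real files to use it.

```shell
#!/bin/sh
# Added example (not from the original note): verify that the Kind
# extraPortMappings and the Envoy NodePorts in tap-values.yaml agree.

# Print the containerPort numbers from a Kind cluster config, sorted.
kind_container_ports() {
  grep -oE 'containerPort:[ \t]*[0-9]+' "$1" | grep -oE '[0-9]+' | sort -n
}

# Print the http/https NodePorts listed directly under "nodePorts:", sorted.
# Only the lines immediately below that key are read, so an "http:" key
# elsewhere in the values file is ignored.
envoy_nodeports() {
  awk '/^[ \t]*nodePorts:/ { inblock = 1; next }
       inblock && /^[ \t]+https?:[ \t]*[0-9]+[ \t]*$/ { print $2; next }
       inblock { inblock = 0 }' "$1" | sort -n
}

# Exit 0 when both files name the same set of ports, 1 otherwise.
check_port_mapping() {
  kind_ports=$(kind_container_ports "$1")
  node_ports=$(envoy_nodeports "$2")
  [ -n "$kind_ports" ] && [ "$kind_ports" = "$node_ports" ]
}

# Usage against the real files created in this note:
#   check_port_mapping kind-expose-port.yaml tap-values.yaml && echo OK

# Constructed sample files (stand-ins for the real ones) to show the check.
tmp=$(mktemp -d)
cat <<'EOF' > "$tmp/kind.yaml"
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
 - role: control-plane
   extraPortMappings:
   - containerPort: 31443
     hostPort: 443
   - containerPort: 31080
     hostPort: 80
EOF
cat <<'EOF' > "$tmp/values-ok.yaml"
contour:
  envoy:
    service:
      type: NodePort
      nodePorts:
        http: 31080
        https: 31443
    hostPorts:
      enable: true
EOF
# The same values file with one digit mistyped in the https NodePort.
sed 's/31443/31434/' "$tmp/values-ok.yaml" > "$tmp/values-bad.yaml"

if check_port_mapping "$tmp/kind.yaml" "$tmp/values-ok.yaml"; then
  echo "values-ok.yaml: ports match"
fi
if ! check_port_mapping "$tmp/kind.yaml" "$tmp/values-bad.yaml"; then
  echo "values-bad.yaml: MISMATCH kind=$(kind_container_ports "$tmp/kind.yaml" | tr '\n' ' ')envoy=$(envoy_nodeports "$tmp/values-bad.yaml" | tr '\n' ' ')"
fi
```

The check is deliberately line-oriented rather than a YAML parser: it only needs the two numbers, and it runs before any cluster exists.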

Create the following overlay to provide the default TLS certificate used by Contour and Knative. Note that it stores the CA private key in the default-ca Secret of the Contour namespace (tanzu-system-ingress) so that cert-manager can issue the wildcard certificate from it; anyone who can read Secrets in that namespace can therefore mint a certificate for any name, which is acceptable for a local Kind lab but not for a shared cluster.

mkdir -p overlays
cat <<EOF > overlays/contour-default-tls.yaml
#@ load("@ytt:data", "data")
#@ load("@ytt:overlay", "overlay")
#@ namespace = data.values.namespace
---
apiVersion: v1
kind: Secret
metadata:
  name: default-ca
  namespace: #@ namespace
type: kubernetes.io/tls
stringData:
  tls.crt: |
$(cat certs/ca.crt | sed 's/^/    /g')
  tls.key: |
$(cat certs/ca.key | sed 's/^/    /g')
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: default-ca-issuer
  namespace: #@ namespace
spec:
  ca:
    secretName: default-ca
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: tap-default-tls
  namespace: #@ namespace
spec:
  dnsNames:
  - #@ "*.127-0-0-1.sslip.io"
  issuerRef:
    kind: Issuer
    name: default-ca-issuer
  secretName: tap-default-tls
---
apiVersion: projectcontour.io/v1
kind: TLSCertificateDelegation
metadata:
  name: contour-delegation
  namespace: #@ namespace
spec:
  delegations:
  - secretName: tap-default-tls
    targetNamespaces:
    - "*"
EOF

cat <<EOF > overlays/cnrs-https.yaml
#@ load("@ytt:overlay", "overlay")
#@overlay/match by=overlay.subset({"metadata":{"name":"config-network"}, "kind": "ConfigMap"})
---
data:
  #@overlay/match missing_ok=True
  default-external-scheme: https
EOF

cat <<EOF > overlays/tap-telemetry-remove.yaml
#@ load("@ytt:overlay", "overlay")
#@overlay/match by=overlay.subset({"metadata":{"namespace":"tap-telemetry"}}), expects="1+"
#@overlay/remove
---
EOF

Create the overlay files as Secrets.

kubectl -n tap-install create secret generic contour-default-tls \
  -o yaml \
  --dry-run=client \
  --from-file=overlays/contour-default-tls.yaml \
  | kubectl apply -f-

kubectl -n tap-install create secret generic cnrs-https \
  -o yaml \
  --dry-run=client \
  --from-file=overlays/cnrs-https.yaml \
  | kubectl apply -f-

kubectl -n tap-install create secret generic tap-telemetry-remove \
  -o yaml \
  --dry-run=client \
  --from-file=overlays/tap-telemetry-remove.yaml \
  | kubectl apply -f-

Install TAP.

tanzu package install tap \
  -p tap.tanzu.vmware.com \
  -v 1.3.2 \
  --values-file tap-values.yaml \
  -n tap-install \
  --wait=false

Check the progress of the install with the following command.

while [ "$(kubectl -n tap-install get app tap -o=jsonpath='{.status.friendlyDescription}')" != "Reconcile succeeded" ];do
  date
  kubectl get app -n tap-install
  echo "---------------------------------------------------------------------"
  sleep 10
done
echo "✅ Install succeeded"
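The loop above polls only the top-level tap App and runs forever if one of its child packages is stuck. The following variant is an added example, not from the original note: it reads the friendlyDescription of every App in tap-install via kubectl's custom-columns output, lists the apps still pending, flags those reporting Reconcile failed, and gives up after a timeout. The status lines it parses at the bottom are a constructed sample, not real cluster output; wait_for_tap is the function to call against the cluster.

```shell
#!/bin/sh
# Added example (not from the original note): a bounded wait for the TAP
# install that lists the apps still reconciling instead of polling only the
# top-level "tap" App.
#
# Both parsers read lines of the form "<name> <friendlyDescription>", as printed by
#   kubectl get app -n tap-install --no-headers \
#     -o custom-columns=NAME:.metadata.name,DESC:.status.friendlyDescription

# Print the names of apps whose description is not "Reconcile succeeded".
pending_apps() {
  awk '{ desc = $0
         sub(/^[^ \t]+[ \t]+/, "", desc)
         sub(/[ \t]+$/, "", desc)
         if (desc != "Reconcile succeeded") print $1 }'
}

# Print the names of apps currently reporting "Reconcile failed".
# kapp-controller retries, so a failure in the first minutes is often
# transient (for example a package waiting for a CRD another package installs).
failed_apps() {
  awk '{ desc = $0
         sub(/^[^ \t]+[ \t]+/, "", desc)
         if (desc ~ /^Reconcile failed/) print $1 }'
}

# Poll until every App in tap-install has reconciled, or give up after
# $1 seconds (default 900). Failed apps are reported but not treated as fatal
# before the timeout, because kapp-controller keeps retrying them.
wait_for_tap() {
  timeout=${1:-900}
  elapsed=0
  pending=""
  while [ "$elapsed" -lt "$timeout" ]; do
    status=$(kubectl get app -n tap-install --no-headers \
      -o custom-columns=NAME:.metadata.name,DESC:.status.friendlyDescription)
    pending=$(printf '%s\n' "$status" | pending_apps)
    if [ -z "$pending" ]; then
      echo "✅ Install succeeded"
      return 0
    fi
    failed=$(printf '%s\n' "$status" | failed_apps)
    echo "$(date) pending: $(printf '%s' "$pending" | tr '\n' ' ')"
    if [ -n "$failed" ]; then
      # .status.usefulErrorMessage on the App holds the actual error text.
      echo "   failing (see kubectl -n tap-install get app <name> -o jsonpath='{.status.usefulErrorMessage}'): $(printf '%s' "$failed" | tr '\n' ' ')"
    fi
    sleep 10
    elapsed=$((elapsed + 10))
  done
  echo "⏰ gave up after ${timeout}s; still pending: $(printf '%s' "$pending" | tr '\n' ' ')"
  return 1
}

# Usage against the cluster:  wait_for_tap 900

# Constructed sample (not real cluster output) showing how lines are classified.
SAMPLE='tap Reconciling
buildservice Reconcile failed: Error (see .status.usefulErrorMessage for details)
cnrs Reconcile succeeded
contour Reconcile succeeded'
echo "pending: $(printf '%s\n' "$SAMPLE" | pending_apps | tr '\n' ' ')"
echo "failed:  $(printf '%s\n' "$SAMPLE" | failed_apps | tr '\n' ' ')"
```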

Wait until every app reaches Reconcile succeeded. It takes about 10 minutes.

$ kubectl get app -n tap-install 
NAME                       DESCRIPTION           SINCE-DEPLOY   AGE
api-auto-registration      Reconcile succeeded   9m54s          10m
appliveview-connector      Reconcile succeeded   9m54s          10m
appliveview-conventions    Reconcile succeeded   5m50s          5m57s
buildservice               Reconciling           9m51s          9m59s
cartographer               Reconcile succeeded   8m2s           8m9s
cert-manager               Reconcile succeeded   9m53s          10m
cnrs                       Reconcile succeeded   4m28s          4m35s
contour                    Reconcile succeeded   8m2s           8m9s
conventions-controller     Reconcile succeeded   8m3s           8m9s
developer-conventions      Reconcile succeeded   5m51s          5m58s
fluxcd-source-controller   Reconcile succeeded   9m53s          10m
ootb-delivery-basic        Reconcile succeeded   5m18s          5m25s
ootb-supply-chain-basic    Reconcile succeeded   5m19s          5m25s
ootb-templates             Reconcile succeeded   5m27s          5m33s
service-bindings           Reconcile succeeded   9m54s          10m
services-toolkit           Reconcile succeeded   9m43s          9m58s
source-controller          Reconcile succeeded   8m2s           8m9s
spring-boot-conventions    Reconcile succeeded   5m52s          5m58s
tap                        Reconciling           10m            10m
tap-auth                   Reconcile succeeded   9m54s          10m
tap-telemetry              Reconcile succeeded   9m52s          9m59s
tekton-pipelines           Reconcile succeeded   9m54s          10m

The installed packages are as follows.

$ tanzu package installed list -n tap-install

  NAME                      PACKAGE-NAME                                  PACKAGE-VERSION  STATUS               
  api-auto-registration     apis.apps.tanzu.vmware.com                    0.1.2            Reconcile succeeded  
  appliveview-connector     connector.appliveview.tanzu.vmware.com        1.3.1            Reconcile succeeded  
  appliveview-conventions   conventions.appliveview.tanzu.vmware.com      1.3.1            Reconcile succeeded  
  buildservice              buildservice.tanzu.vmware.com                 1.7.4            Reconcile succeeded  
  cartographer              cartographer.tanzu.vmware.com                 0.5.4            Reconcile succeeded  
  cert-manager              cert-manager.tanzu.vmware.com                 1.7.2+tap.1      Reconcile succeeded  
  cnrs                      cnrs.tanzu.vmware.com                         2.0.2            Reconcile succeeded  
  contour                   contour.tanzu.vmware.com                      1.22.0+tap.5     Reconcile succeeded  
  conventions-controller    controller.conventions.apps.tanzu.vmware.com  0.7.1            Reconcile succeeded  
  developer-conventions     developer-conventions.tanzu.vmware.com        0.8.0            Reconcile succeeded  
  fluxcd-source-controller  fluxcd.source.controller.tanzu.vmware.com     0.27.0+tap.1     Reconcile succeeded  
  ootb-delivery-basic       ootb-delivery-basic.tanzu.vmware.com          0.10.5           Reconcile succeeded  
  ootb-supply-chain-basic   ootb-supply-chain-basic.tanzu.vmware.com      0.10.5           Reconcile succeeded  
  ootb-templates            ootb-templates.tanzu.vmware.com               0.10.5           Reconcile succeeded  
  service-bindings          service-bindings.labs.vmware.com              0.8.1            Reconcile succeeded  
  services-toolkit          services-toolkit.tanzu.vmware.com             0.8.1            Reconcile succeeded  
  source-controller         controller.source.apps.tanzu.vmware.com       0.5.1            Reconcile succeeded  
  spring-boot-conventions   spring-boot-conventions.tanzu.vmware.com      0.5.0            Reconcile succeeded  
  tap                       tap.tanzu.vmware.com                          1.3.2            Reconcile succeeded  
  tap-auth                  tap-auth.tanzu.vmware.com                     1.1.0            Reconcile succeeded  
  tap-telemetry             tap-telemetry.tanzu.vmware.com                0.3.2            Reconcile succeeded  
  tekton-pipelines          tekton.tanzu.vmware.com                       0.39.0+tap.2     Reconcile succeeded 

The deployed Pods are as follows.

$ kubectl get pod -A
NAMESPACE                   NAME                                                           READY   STATUS    RESTARTS   AGE
api-auto-registration       api-auto-registration-controller-675dcfbb6f-s79cx              1/1     Running   0          16m
app-live-view-connector     application-live-view-connector-zvlw9                          1/1     Running   0          16m
app-live-view-conventions   appliveview-webhook-69f8765bff-lzzkb                           1/1     Running   0          12m
build-service               build-pod-image-fetcher-twsch                                  5/5     Running   0          16m
build-service               dependency-updater-controller-789db96d9c-4s4dj                 1/1     Running   0          16m
build-service               secret-syncer-controller-5d4b99bb46-bvdtt                      1/1     Running   0          16m
build-service               smart-warmer-image-fetcher-dqn6v                               3/3     Running   0          7m46s
build-service               warmer-controller-5ddd8c9768-9hv4t                             1/1     Running   0          16m
cartographer-system         cartographer-controller-9498cf75-s2cw2                         1/1     Running   0          14m
cartographer-system         cartographer-conventions-controller-manager-75478d544b-rxvbm   1/1     Running   0          14m
cert-injection-webhook      cert-injection-webhook-9b999bf6f-xqhtl                         1/1     Running   0          16m
cert-manager                cert-manager-687f5f56bf-kwlfd                                  1/1     Running   0          16m
cert-manager                cert-manager-cainjector-69c87566b8-kvhxn                       1/1     Running   0          16m
cert-manager                cert-manager-webhook-656694bcf5-nznqt                          1/1     Running   0          16m
conventions-system          conventions-controller-manager-5b5db64df6-cbwsj                1/1     Running   0          14m
developer-conventions       webhook-75596db5c4-b7cmc                                       1/1     Running   0          12m
flux-system                 fluxcd-source-controller-56f889f644-8vb75                      1/1     Running   0          16m
kapp-controller             kapp-controller-77466557f5-tz6b8                               2/2     Running   0          49m
knative-serving             activator-57f6877df6-dnmns                                     1/1     Running   0          10m
knative-serving             autoscaler-8b477dff7-7ws6k                                     1/1     Running   0          10m
knative-serving             autoscaler-hpa-76c95b69d8-kzz69                                1/1     Running   0          10m
knative-serving             controller-6f7d858bdc-65jjb                                    1/1     Running   0          10m
knative-serving             domain-mapping-846b8744c6-sm6lj                                1/1     Running   0          10m
knative-serving             domainmapping-webhook-6cddd6644-vwpkk                          1/1     Running   0          10m
knative-serving             net-certmanager-controller-87d5885fc-6dcg5                     1/1     Running   0          10m
knative-serving             net-certmanager-webhook-78fb75fb59-56xtc                       1/1     Running   0          10m
knative-serving             net-contour-controller-85cfd8b599-5rzn4                        1/1     Running   0          10m
knative-serving             webhook-b55dc57d-wpmw2                                         1/1     Running   0          10m
kpack                       kpack-controller-8674b8df76-6vj76                              1/1     Running   0          16m
kpack                       kpack-webhook-6d49b65755-2mrpc                                 1/1     Running   0          16m
kube-system                 coredns-64897985d-6znqq                                        1/1     Running   0          116m
kube-system                 coredns-64897985d-b4prw                                        1/1     Running   0          116m
kube-system                 etcd-kind-control-plane                                        1/1     Running   0          117m
kube-system                 kindnet-9prdc                                                  1/1     Running   0          116m
kube-system                 kube-apiserver-kind-control-plane                              1/1     Running   0          117m
kube-system                 kube-controller-manager-kind-control-plane                     1/1     Running   0          117m
kube-system                 kube-proxy-w4tv7                                               1/1     Running   0          116m
kube-system                 kube-scheduler-kind-control-plane                              1/1     Running   0          117m
local-path-storage          local-path-provisioner-58dc9cd8d9-trltg                        1/1     Running   0          116m
secretgen-controller        secretgen-controller-7c88f487c-54tlb                           1/1     Running   0          49m
service-bindings            manager-b6c6d689c-9gpxf                                        1/1     Running   0          16m
services-toolkit            resource-claims-apiserver-649b79fcd4-7q4qr                     1/1     Running   0          16m
services-toolkit            services-toolkit-controller-manager-6645b85b77-q74nq           1/1     Running   0          16m
source-system               source-controller-manager-69dcffd958-t2qrp                     1/1     Running   0          14m
spring-boot-convention      spring-boot-webhook-6959dd9567-hcs6h                           1/1     Running   0          12m
stacks-operator-system      controller-manager-765f5c768d-gxqct                            1/1     Running   0          16m
tanzu-system-ingress        contour-769c5b87c7-b8qs9                                       1/1     Running   0          14m
tanzu-system-ingress        envoy-c9kp4                                                    2/2     Running   0          14m
tekton-pipelines            tekton-pipelines-controller-66b8768b68-zj9rn                   1/1     Running   0          16m
tekton-pipelines            tekton-pipelines-webhook-74d6959b76-l9hg2                      1/1     Running   0          16m

Confirm that the ClusterBuilders are READY.

$ kubectl get clusterbuilder
NAME         LATESTIMAGE                                                                                                                     READY
base         ghcr.io/making/buildservice:clusterbuilder-base@sha256:6f6f2178be677884e78353eb39bf37cc55b0f7483cc59740e50dbf958dec7f65         True
base-jammy   ghcr.io/making/buildservice:clusterbuilder-base-jammy@sha256:064c5d5314dd9357a7978e41f62f8d44b6ffc2cf18fba78a73d85ebc25d8d51e   True
default      ghcr.io/making/buildservice:clusterbuilder-default@sha256:6f6f2178be677884e78353eb39bf37cc55b0f7483cc59740e50dbf958dec7f65      True

Deploying a Workload

Preparation for creating a Workload

https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.3/tap/GUID-set-up-namespaces.html (modified in part)

kubectl create ns demo
tanzu secret registry add registry-credentials \
  --server ghcr.io \
  --username ${GITHUB_USERNAME} \
  --password ${GITHUB_API_TOKEN} \
  --namespace demo
cat <<EOF > rbac.yaml
apiVersion: v1
kind: Secret
metadata:
  name: tap-registry
  annotations:
    # secretgen-controller fills in .dockerconfigjson from the tap-registry secret exported from tap-install
    secretgen.carvel.dev/image-pull-secret: ""
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: e30K  # "{}" placeholder; populated by secretgen-controller
---
apiVersion: v1
kind: Secret
metadata:
  name: git-ssh
  annotations:
    tekton.dev/git-0: github.com
type: kubernetes.io/ssh-auth
data:
  ssh-privatekey: 8J+UkQ==  # dummy value, not a real key; fine here because the public repository is fetched over HTTPS
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
secrets:
- name: registry-credentials
- name: git-ssh
imagePullSecrets:
- name: registry-credentials
- name: tap-registry
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: default-permit-deliverable
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: deliverable
subjects:
  - kind: ServiceAccount
    name: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: default-permit-workload
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: workload
subjects:
- kind: ServiceAccount
  name: default
EOF

kubectl -n demo apply -f rbac.yaml

Deploying a Node.js app

tanzu apps workload apply hello-nodejs \
  --app hello-nodejs \
  --git-repo https://github.com/making/hello-nodejs \
  --git-branch master \
  --type web \
  -n demo \
  -y

Logs are easier to follow with stern.

stern -n demo hello-nodejs

You can check the progress of the Supply Chain with the following command.

$ tanzu apps workload get -n demo hello-nodejs

📡 Overview
   name:   hello-nodejs
   type:   web

💾 Source
   type:     git
   url:      https://github.com/making/hello-nodejs
   branch:   master

📦 Supply Chain
   name:   source-to-url

   RESOURCE           READY     HEALTHY   TIME   OUTPUT
   source-provider    True      True      9s     GitRepository/hello-nodejs
   image-provider     Unknown   Unknown   9s     Image/hello-nodejs
   config-provider    False     Unknown   11s    not found
   app-config         False     True      11s    not found
   service-bindings   False     True      11s    not found
   api-descriptors    False     True      11s    not found
   config-writer      False     Unknown   11s    not found

🚚 Delivery
   name:   delivery-basic

   RESOURCE          READY   HEALTHY   TIME   OUTPUT
   source-provider   False   False     7s     ImageRepository/hello-nodejs-delivery
   deployer          False   Unknown   9s     not found

💬 Messages
   Workload [MissingValueAtPath]:   waiting to read value [.status.latestImage] from resource [image.kpack.io/hello-nodejs] in namespace [demo]
   Deliverable [HealthyConditionRule]:   unable to resolve image "ghcr.io/making/workloads/hello-nodejs-demo-bundle:519e7cea-20ad-4568-9b56-84002d42ba2c": GET https://ghcr.io/v2/making/workloads/hello-nodejs-demo-bundle/manifests/519e7cea-20ad-4568-9b56-84002d42ba2c: MANIFEST_UNKNOWN: manifest unknown

🛶 Pods
   NAME                             READY   STATUS     RESTARTS   AGE
   hello-nodejs-build-1-build-pod   0/1     Init:1/6   0          8s

To see logs: "tanzu apps workload tail hello-nodejs --namespace demo"

When the "Knative Services" section appears and shows "Ready", the app deployment is complete.

$ tanzu apps workload get -n demo hello-nodejs

📡 Overview
   name:   hello-nodejs
   type:   web

💾 Source
   type:     git
   url:      https://github.com/making/hello-nodejs
   branch:   master

📦 Supply Chain
   name:   source-to-url

   RESOURCE           READY   HEALTHY   TIME   OUTPUT
   source-provider    True    True      85s    GitRepository/hello-nodejs
   image-provider     True    True      38s    Image/hello-nodejs
   config-provider    True    True      31s    PodIntent/hello-nodejs
   app-config         True    True      31s    ConfigMap/hello-nodejs
   service-bindings   True    True      31s    ConfigMap/hello-nodejs-with-claims
   api-descriptors    True    True      31s    ConfigMap/hello-nodejs-with-api-descriptors
   config-writer      True    True      17s    Runnable/hello-nodejs-config-writer

🚚 Delivery
   name:   delivery-basic

   RESOURCE          READY   HEALTHY   TIME   OUTPUT
   source-provider   True    True      11s    ImageRepository/hello-nodejs-delivery
   deployer          True    True      9s     App/hello-nodejs

💬 Messages
   No messages found.

🛶 Pods
   NAME                                             READY   STATUS      RESTARTS   AGE
   hello-nodejs-00001-deployment-5cfbcf8f56-bkwg9   2/2     Running     0          11s
   hello-nodejs-build-1-build-pod                   0/1     Completed   0          84s
   hello-nodejs-config-writer-w6lmp-pod             0/1     Completed   0          29s

🚢 Knative Services
   NAME           READY   URL
   hello-nodejs   Ready   https://hello-nodejs-demo.127-0-0-1.sslip.io

To see logs: "tanzu apps workload tail hello-nodejs --namespace demo"

$ curl -k https://hello-nodejs-demo.127-0-0-1.sslip.io
Hello World!

Once you have confirmed it works, delete the Workload.

tanzu apps workload delete -n demo hello-nodejs -y

Deploying a Java app

tanzu apps workload apply spring-music \
  --app spring-music \
  --git-repo https://github.com/scottfrederick/spring-music \
  --git-branch tanzu \
  --type web \
  --annotation autoscaling.knative.dev/minScale=1 \
  -n demo \
  -y

Logs are easier to follow with stern.

stern -n demo spring-music

Run the following command; when the "Knative Services" section appears and shows "Ready", the app deployment is complete.

$ tanzu apps workload get -n demo spring-music

📡 Overview
   name:   spring-music
   type:   web

💾 Source
   type:     git
   url:      https://github.com/scottfrederick/spring-music
   branch:   tanzu

📦 Supply Chain
   name:   source-to-url

   RESOURCE           READY   HEALTHY   TIME    OUTPUT
   source-provider    True    True      5m28s   GitRepository/spring-music
   image-provider     True    True      102s    Image/spring-music
   config-provider    True    True      93s     PodIntent/spring-music
   app-config         True    True      93s     ConfigMap/spring-music
   service-bindings   True    True      93s     ConfigMap/spring-music-with-claims
   api-descriptors    True    True      93s     ConfigMap/spring-music-with-api-descriptors
   config-writer      True    True      79s     Runnable/spring-music-config-writer

🚚 Delivery
   name:   delivery-basic

   RESOURCE          READY   HEALTHY   TIME   OUTPUT
   source-provider   True    True      21s    ImageRepository/spring-music-delivery
   deployer          True    True      19s    App/spring-music

💬 Messages
   No messages found.

🛶 Pods
   NAME                                             READY   STATUS      RESTARTS   AGE
   spring-music-00001-deployment-55fcc4c676-7dpdg   2/2     Running     0          21s
   spring-music-build-1-build-pod                   0/1     Completed   0          5m17s
   spring-music-config-writer-lbnp7-pod             0/1     Completed   0          91s

🚢 Knative Services
   NAME           READY   URL
   spring-music   Ready   https://spring-music-demo.127-0-0-1.sslip.io

To see logs: "tanzu apps workload tail spring-music --namespace demo"

Type "THIS IS UNSAFE" on the certificate warning page.

Once you have confirmed it works, delete the Workload.

tanzu apps workload delete -n demo spring-music -y

Deploying with GitOps

https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.3/tap/GUID-scc-gitops-vs-regops.html#gitops-0

First, create a git repository on GitHub to manage the manifests. I created https://github.com/making/hello-nodejs-manifests, containing only a README.

Create a Secret for pushing to the git repository. You can choose between HTTP(S) Basic-auth and SSH. Basic-auth is used here.

Generate a Personal access token with access to the repo scope at https://github.com/settings/tokens.

Create the Secret with the following commands.

GITHUB_USERNAME=making
GITHUB_API_TOKEN=ghp_******

kubectl create secret generic git-basic -n demo \
    --type kubernetes.io/basic-auth \
    --from-literal=username=${GITHUB_USERNAME} \
    --from-literal=password=${GITHUB_API_TOKEN} \
    --dry-run=client -oyaml \
 | kubectl apply -f-
kubectl -n demo annotate secret git-basic tekton.dev/git-0=https://github.com --overwrite=true
kubectl patch -n demo serviceaccount default -p "{\"secrets\":[{\"name\":\"git-basic\"}]}"
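The two kubectl commands above put a GitHub token into a kubernetes.io/basic-auth Secret and hand it to the default ServiceAccount. The following is an added example, not code from the original post or from TAP: it renders the same Secret and the same ServiceAccount patch as JSON (which kubectl apply -f - and kubectl patch accept), and adds the checks a practitioner wants before a token lands in the cluster: the tekton.dev/git-0 annotation must be a bare https origin (Tekton matches it against the scheme and host of the repository URL, so a path would silently break credential matching), and the password must at least look like a GitHub personal access token. The username, token and Secret name in the demo are constructed placeholders.

```python
"""Added example (not from the original post): build the `git-basic` Secret
and the ServiceAccount patch that the kubectl commands above produce, as JSON
for `kubectl apply -f -` / `kubectl patch`, with input validation."""
import base64
import json
import re
import sys
from urllib.parse import urlsplit

# GitHub classic tokens are prefixed ghp_, fine-grained tokens github_pat_.
# This is only a sanity check against pasting the wrong value; it does not
# prove the token is valid or correctly scoped.
GITHUB_TOKEN_RE = re.compile(r"^(ghp_[A-Za-z0-9]{20,}|github_pat_[A-Za-z0-9_]{20,})$")


def b64(value: str) -> str:
    """Secret `data` fields are base64 of the raw bytes."""
    return base64.b64encode(value.encode()).decode()


def git_basic_auth_secret(name, namespace, username, token, server="https://github.com"):
    """Render a kubernetes.io/basic-auth Secret annotated for Tekton.

    `server` becomes the tekton.dev/git-0 annotation and must be an https
    origin with no path, e.g. https://github.com (the value used on the page).
    """
    parts = urlsplit(server)
    if parts.scheme != "https" or not parts.netloc or parts.path not in ("", "/"):
        raise ValueError(f"tekton.dev/git-0 must be an https origin without a path, got {server!r}")
    if not GITHUB_TOKEN_RE.match(token):
        raise ValueError("password does not look like a GitHub personal access token")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {
            "name": name,
            "namespace": namespace,
            "annotations": {"tekton.dev/git-0": server.rstrip("/")},
        },
        "type": "kubernetes.io/basic-auth",
        "data": {"username": b64(username), "password": b64(token)},
    }


def service_account_patch(secret_name):
    """Strategic-merge patch body adding the Secret to the SA's `secrets` list
    (same JSON as the `kubectl patch ... -p` argument on the page)."""
    return {"secrets": [{"name": secret_name}]}


def decode_secret_field(secret, key):
    """Read a data field back, as `kubectl get secret -o jsonpath` + base64 -d would."""
    return base64.b64decode(secret["data"][key]).decode()


if __name__ == "__main__":
    # Constructed placeholders; in practice read GITHUB_USERNAME / GITHUB_API_TOKEN
    # from the environment as the page does, never hard-code a real token.
    secret = git_basic_auth_secret("git-basic", "demo", "making", "ghp_" + "x" * 36)
    json.dump(secret, sys.stdout, indent=2)          # pipe to: kubectl apply -f -
    print()
    print(json.dumps(service_account_patch("git-basic")))  # use as: kubectl patch ... -p '<this>'
```

Running the script prints the Secret JSON followed by the patch body; the validation raises before anything is emitted if the annotation or token is malformed.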

You can deploy with the following command.

tanzu apps workload apply hello-nodejs \
  --app hello-nodejs \
  --git-repo https://github.com/making/hello-nodejs \
  --git-branch master \
  --type web \
  --param gitops_branch=main \
  --param gitops_commit_message=Bump \
  --param gitops_server_address=https://github.com \
  --param gitops_repository_owner=making \
  --param gitops_repository_name=tap-gitops-manifests \
  --param gitops_user_email=makingx+bot@gmail.com \
  --param gitops_user_name=making-bot \
  --param gitops_ssh_secret=git-basic \
  -n demo \
  -y

Logs are easier to follow with stern.

stern -n demo hello-nodejs

Run the following command; when the "Knative Services" section appears and shows "Ready", the app deployment is complete.

$ tanzu apps workload get hello-nodejs -n demo

Once kpack finishes building the container image, Tekton commits and pushes a manifest that references that image by its digest. Looking at the git repository, you can see that the following commit was made automatically.
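Because the supply chain writes the manifest with the image digest rather than a tag, the GitOps repository is the place to verify that what gets deployed is an immutable reference from the registry you expect. The following is an added example, not code from the original post or from TAP: it scans a manifest for image: values and checks each one is pinned by a sha256 digest and comes from an allowlisted registry. The sample manifest is constructed for this example in the shape of a Knative Service, with a made-up digest; the helper names are this example's own.

```python
"""Added example (not from the original post): check that a manifest from the
GitOps repository references images by digest and from an allowed registry."""
import re

# Matches `image: <ref>` lines, with or without a leading list dash or quotes.
IMAGE_LINE_RE = re.compile(r"^\s*-?\s*image:\s*['\"]?([^'\"\s]+)['\"]?\s*$")
# registry/path[:tag]@sha256:<64 hex>
DIGEST_REF_RE = re.compile(
    r"^(?P<registry>[^/]+)/(?P<path>[^@:]+)(?::(?P<tag>[^@]+))?@sha256:(?P<digest>[0-9a-f]{64})$"
)

# Constructed sample in the shape of a Knative Service; the digest is fake.
SAMPLE_MANIFEST = """\
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: hello-nodejs
  namespace: demo
spec:
  template:
    spec:
      containers:
      - image: ghcr.io/making/workloads/hello-nodejs-demo@sha256:""" + "0" * 64 + """
        name: workload
"""


def image_refs(manifest_text):
    """Return every `image:` value in the YAML text (line-based scan)."""
    return [m.group(1) for line in manifest_text.splitlines() if (m := IMAGE_LINE_RE.match(line))]


def check_image_ref(ref, allowed_registries):
    """Return (ok, reason) for one image reference."""
    m = DIGEST_REF_RE.match(ref)
    if not m:
        return False, "not pinned by sha256 digest"
    if m.group("registry") not in allowed_registries:
        return False, f"registry {m.group('registry')} not in allowlist"
    return True, "ok"


def check_manifest(manifest_text, allowed_registries=("ghcr.io",)):
    """Check every image reference; returns {ref: (ok, reason)}."""
    return {ref: check_image_ref(ref, allowed_registries) for ref in image_refs(manifest_text)}


def manifest_is_pinned(manifest_text, allowed_registries=("ghcr.io",)):
    """True only if the manifest has at least one image and all of them pass."""
    results = check_manifest(manifest_text, allowed_registries)
    return bool(results) and all(ok for ok, _ in results.values())


if __name__ == "__main__":
    for ref, (ok, reason) in check_manifest(SAMPLE_MANIFEST).items():
        print(("PASS" if ok else "FAIL"), ref, reason)
```

A tag-only reference such as ghcr.io/making/hello-nodejs:latest fails the digest check, and a digest-pinned image from a registry outside the allowlist fails the registry check; either makes manifest_is_pinned return False.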

Access the URL.

$ curl -k https://hello-demo.127-0-0-1.sslip.io
Hello World!

If you change the source code and git push, a new container image is built, and the manifest is committed and pushed so that it uses the new image's digest. The commit looks like the following.

Using pull requests with GitOps

Since TAP 1.2, instead of committing and pushing manifest changes directly, the supply chain can open a pull request.

https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.3/tap/GUID-scc-gitops-vs-regops.html#pull-requests-2

Add the following lines to tap-values.yaml. The default is direct.

# ...
ootb_supply_chain_basic:
  gitops:
    commit_strategy: pull_request
    pull_request:
      server_kind: github
      commit_branch: ""
      pull_request_title: "ready for review"
      pull_request_body: "generated by supply chain"

Update TAP with the following command.

tanzu package installed update -n tap-install tap -f tap-values.yaml

If you change the source code and git push, a pull request like the following is created once the container image has been built.

Merging this pull request deploys the changes.

Once you have confirmed it works, delete the Workload.

tanzu apps workload delete -n demo hello-nodejs -y

Using a Dockerfile via Kaniko

Since TAP 1.2, you can build container images from a Dockerfile instead of with Cloud Native Buildpacks.
Internally, kaniko is used instead of kpack.

tanzu apps workload apply hello-nodejs \
  --app hello-nodejs \
  --git-repo https://github.com/making/hello-nodejs \
  --git-branch master \
  --param dockerfile=./Dockerfile \
  --type web \
  -n demo \
  -y
tanzu apps workload tail hello-nodejs -n demo

Once you have confirmed it works, delete the Workload.

tanzu apps workload delete -n demo hello-nodejs -y

With TAP, it is convenient that you can build a CI/CD flow using nothing but tanzu apps workload.

