This article installs Tanzu Application Platform 1.3 on Kind.
It was tested on an Intel Mac.
We install TAP and try the feature that deploys a "Hello World" application from source code ("Source to URL"). We also enable HTTPS.
Table of contents
- Creating the Kind cluster
- Installing the Pivnet CLI
- Accepting the EULAs
- Installing the Tanzu CLI
- Installing Cluster Essentials for VMware Tanzu
- Installing Tanzu Application Platform
- Deploying a Workload
- Deploying with GitOps
- Using pull requests with GitOps
- Using a Dockerfile via Kaniko
Creating the Kind cluster
Allocate at least 4 CPUs and 4 GB of memory to Docker.
cat <<EOF > kind-expose-port.yaml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  extraPortMappings:
  - containerPort: 31443 # expose port 31443 of the node to port 443 on the host for use later by Contour ingress (envoy)
    hostPort: 443
  - containerPort: 31080 # expose port 31080 of the node to port 80 on the host for use later by Contour ingress (envoy)
    hostPort: 80
EOF
kind create cluster --config kind-expose-port.yaml --image kindest/node:v1.23.12
Installing the Pivnet CLI
Here we use the pivnet CLI to download the required software.
The pivnet CLI can be installed with brew.
brew install pivotal/tap/pivnet-cli
Get an API token from VMware Tanzu Network and log in with the pivnet CLI.
pivnet login --api-token=<API Token>
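Accepting the EULAs
If this is your first installation, accept the EULAs of the following components.
⚠️ The usage period defined by the EULA is 30 days. That said, no restriction is actually enforced in the software.
Installing the Tanzu CLI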
# For Mac
pivnet download-product-files --product-slug='tanzu-application-platform' --release-version='1.3.2' --glob='tanzu-framework-darwin-amd64-*.tar'
# For Linux
pivnet download-product-files --product-slug='tanzu-application-platform' --release-version='1.3.2' --glob='tanzu-framework-linux-amd64-*.tar'
# For Windows
pivnet download-product-files --product-slug='tanzu-application-platform' --release-version='1.3.2' --glob='tanzu-framework-windows-amd64-*.zip'
tar xvf tanzu-framework-*-amd64-*.tar
install cli/core/v0.25.0/tanzu-core-*_amd64 /usr/local/bin/tanzu
export TANZU_CLI_NO_INIT=true
$ tanzu version
version: v0.25.0
buildDate: 2022-08-25
sha: 6288c751-dirty
Installing the plugins
tanzu plugin install --local cli all
Installing Cluster Essentials for VMware Tanzu
Install Cluster Essentials for VMware Tanzu to deploy the Kapp Controller and Secretgen Controller that the TAP installation requires.
# Mac
pivnet download-product-files --product-slug='tanzu-cluster-essentials' --release-version='1.3.0' --glob='tanzu-cluster-essentials-darwin-amd64-*'
# Linux
pivnet download-product-files --product-slug='tanzu-cluster-essentials' --release-version='1.3.0' --glob='tanzu-cluster-essentials-linux-amd64-*'
TANZUNET_USERNAME=...
TANZUNET_PASSWORD=...
mkdir tanzu-cluster-essentials
tar xzvf tanzu-cluster-essentials-*-amd64-*.tgz -C tanzu-cluster-essentials
export INSTALL_BUNDLE=registry.tanzu.vmware.com/tanzu-cluster-essentials/cluster-essentials-bundle:1.3.0
export INSTALL_REGISTRY_HOSTNAME=registry.tanzu.vmware.com
export INSTALL_REGISTRY_USERNAME=${TANZUNET_USERNAME}
export INSTALL_REGISTRY_PASSWORD=${TANZUNET_PASSWORD}
cd tanzu-cluster-essentials
./install.sh --yes
cd ..
$ kubectl get pod -n kapp-controller
NAME READY STATUS RESTARTS AGE
kapp-controller-77466557f5-tz6b8 2/2 Running 0 61s
$ kubectl get pod -n secretgen-controller
NAME READY STATUS RESTARTS AGE
secretgen-controller-7c88f487c-54tlb 1/1 Running 0 39s
Installing Tanzu Application Platform
Registering the Package Repository for TAP
TANZUNET_USERNAME=...
TANZUNET_PASSWORD=...
kubectl create ns tap-install
tanzu secret registry add tap-registry \
--username "${TANZUNET_USERNAME}" \
--password "${TANZUNET_PASSWORD}" \
--server registry.tanzu.vmware.com \
--export-to-all-namespaces \
--yes \
--namespace tap-install
tanzu package repository add tanzu-tap-repository \
--url registry.tanzu.vmware.com/tanzu-application-platform/tap-packages:1.3.2 \
--namespace tap-install
$ tanzu package available list --namespace tap-install
NAME DISPLAY-NAME SHORT-DESCRIPTION LATEST-VERSION
accelerator.apps.tanzu.vmware.com Application Accelerator for VMware Tanzu Used to create new projects and configurations. 1.3.2
api-portal.tanzu.vmware.com API portal A unified user interface for API discovery and exploration at scale. 1.2.5
apis.apps.tanzu.vmware.com API Auto Registration for VMware Tanzu A TAP component to automatically register API exposing workloads as API entities 0.1.2
in TAP GUI.
backend.appliveview.tanzu.vmware.com Application Live View for VMware Tanzu App for monitoring and troubleshooting running apps 1.3.1
buildservice.tanzu.vmware.com Tanzu Build Service Tanzu Build Service enables the building and automation of containerized 1.7.4
software workflows securely and at scale.
carbonblack.scanning.apps.tanzu.vmware.com VMware Carbon Black for Supply Chain Security Tools - Scan Default scan templates using VMware Carbon Black 1.0.0-beta.2
cartographer.tanzu.vmware.com Cartographer Kubernetes native Supply Chain Choreographer. 0.5.4
cnrs.tanzu.vmware.com Cloud Native Runtimes Cloud Native Runtimes is a serverless runtime based on Knative 2.0.2
connector.appliveview.tanzu.vmware.com Application Live View Connector for VMware Tanzu App for discovering and registering running apps 1.3.1
controller.conventions.apps.tanzu.vmware.com Convention Service for VMware Tanzu Convention Service enables app operators to consistently apply desired runtime 0.7.1
configurations to fleets of workloads.
controller.source.apps.tanzu.vmware.com Tanzu Source Controller Tanzu Source Controller enables workload create/update from source code. 0.5.1
conventions.appliveview.tanzu.vmware.com Application Live View Conventions for VMware Tanzu Application Live View convention server 1.3.1
developer-conventions.tanzu.vmware.com Tanzu App Platform Developer Conventions Developer Conventions 0.8.0
eventing.tanzu.vmware.com Eventing Eventing is an event-driven architecture platform based on Knative Eventing 2.0.2
fluxcd.source.controller.tanzu.vmware.com Flux Source Controller The source-controller is a Kubernetes operator, specialised in artifacts 0.27.0+tap.1
acquisition from external sources such as Git, Helm repositories and S3 buckets.
grype.scanning.apps.tanzu.vmware.com Grype for Supply Chain Security Tools - Scan Default scan templates using Anchore Grype 1.3.1
image-policy-webhook.signing.apps.tanzu.vmware.com Image Policy Webhook Image Policy Webhook enables defining of a policy to restrict unsigned container 1.1.9
images.
learningcenter.tanzu.vmware.com Learning Center for Tanzu Application Platform Guided technical workshops 0.2.4
metadata-store.apps.tanzu.vmware.com Supply Chain Security Tools - Store Post SBoMs and query for image, package, and vulnerability metadata. 1.3.4
ootb-delivery-basic.tanzu.vmware.com Tanzu App Platform Out of The Box Delivery Basic Out of The Box Delivery Basic. 0.10.5
ootb-supply-chain-basic.tanzu.vmware.com Tanzu App Platform Out of The Box Supply Chain Basic Out of The Box Supply Chain Basic. 0.10.5
ootb-supply-chain-testing-scanning.tanzu.vmware.com Tanzu App Platform Out of The Box Supply Chain with Testing and Scanning Out of The Box Supply Chain with Testing and Scanning. 0.10.5
ootb-supply-chain-testing.tanzu.vmware.com Tanzu App Platform Out of The Box Supply Chain with Testing Out of The Box Supply Chain with Testing. 0.10.5
ootb-templates.tanzu.vmware.com Tanzu App Platform Out of The Box Templates Out of The Box Templates. 0.10.5
policy.apps.tanzu.vmware.com Supply Chain Security Tools - Policy Controller Policy Controller enables defining of a policy to restrict unsigned container 1.1.3
images.
scanning.apps.tanzu.vmware.com Supply Chain Security Tools - Scan Scan for vulnerabilities and enforce policies directly within Kubernetes native 1.3.1
Supply Chains.
service-bindings.labs.vmware.com Service Bindings for Kubernetes Service Bindings for Kubernetes implements the Service Binding Specification. 0.8.1
services-toolkit.tanzu.vmware.com Services Toolkit The Services Toolkit enables the management, lifecycle, discoverability and 0.8.1
connectivity of Service Resources (databases, message queues, DNS records,
etc.).
snyk.scanning.apps.tanzu.vmware.com Snyk for Supply Chain Security Tools - Scan Default scan templates using Snyk 1.0.0-beta.5
spring-boot-conventions.tanzu.vmware.com Tanzu Spring Boot Conventions Server Default Spring Boot convention server. 0.5.0
sso.apps.tanzu.vmware.com AppSSO Application Single Sign-On for Tanzu 2.0.0
tap-auth.tanzu.vmware.com Default roles for Tanzu Application Platform Default roles for Tanzu Application Platform 1.1.0
tap-gui.tanzu.vmware.com Tanzu Application Platform GUI web app graphical user interface for Tanzu Application Platform 1.3.3
tap-telemetry.tanzu.vmware.com Telemetry Collector for Tanzu Application Platform Tanzu Application Plaform Telemetry 0.3.2
tap.tanzu.vmware.com Tanzu Application Platform Package to install a set of TAP components to get you started based on your use 1.3.2
case.
tekton.tanzu.vmware.com Tekton Pipelines Tekton Pipelines is a framework for creating CI/CD systems. 0.39.0+tap.2
workshops.learningcenter.tanzu.vmware.com Workshop Building Tutorial Workshop Building Tutorial 0.2.3
Creating a self-signed CA certificate
mkdir -p certs
rm -f certs/*
docker run --rm -v ${PWD}/certs:/certs hitch openssl req -new -nodes -out /certs/ca.csr -keyout /certs/ca.key -subj "/CN=default-ca/O=TAP/C=JP"
chmod og-rwx certs/ca.key
docker run --rm -v ${PWD}/certs:/certs hitch openssl x509 -req -in /certs/ca.csr -days 3650 -extfile /etc/ssl/openssl.cnf -extensions v3_ca -signkey /certs/ca.key -out /certs/ca.crt
Installing the Iterate profile
To install the iterate profile, create the following tap-values.yaml.
Unneeded packages are added to excluded_packages so that the installation also works with 4 CPUs.
GITHUB_USERNAME=...
GITHUB_API_TOKEN=...
cat <<EOF > tap-values.yaml
shared:
  ingress_domain: 127-0-0-1.sslip.io
  image_registry:
    project_path: ghcr.io/${GITHUB_USERNAME}
    username: ${GITHUB_USERNAME}
    password: ${GITHUB_API_TOKEN}
  ca_cert_data: |
$(cat certs/ca.crt | sed 's/^/    /g')
ceip_policy_disclosed: true
profile: iterate
supply_chain: basic
contour:
  contour:
    replicas: 1
  envoy:
    service:
      type: NodePort
      nodePorts:
        http: 31080
        https: 31443
    hostPorts:
      enable: true
cnrs:
  domain_template: "{{.Name}}-{{.Namespace}}.{{.Domain}}"
  default_tls_secret: tanzu-system-ingress/tap-default-tls
  provider: local
package_overlays:
- name: contour
  secrets:
  - name: contour-default-tls
- name: cnrs
  secrets:
  - name: cnrs-https
- name: tap-telemetry
  secrets:
  - name: tap-telemetry-remove
excluded_packages:
- policy.apps.tanzu.vmware.com
- image-policy-webhook.signing.apps.tanzu.vmware.com
- eventing.tanzu.vmware.com
- sso.apps.tanzu.vmware.com
EOF
*.127-0-0-1.sslip.io resolves to 127.0.0.1.
Create the following definitions as overlays to provide the default TLS certificate used by Contour/Knative.
mkdir -p overlays
cat <<EOF > overlays/contour-default-tls.yaml
#@ load("@ytt:data", "data")
#@ load("@ytt:overlay", "overlay")
#@ namespace = data.values.namespace
---
apiVersion: v1
kind: Secret
metadata:
  name: default-ca
  namespace: #@ namespace
type: kubernetes.io/tls
stringData:
  tls.crt: |
$(cat certs/ca.crt | sed 's/^/    /g')
  tls.key: |
$(cat certs/ca.key | sed 's/^/    /g')
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: default-ca-issuer
  namespace: #@ namespace
spec:
  ca:
    secretName: default-ca
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: tap-default-tls
  namespace: #@ namespace
spec:
  dnsNames:
  - #@ "*.127-0-0-1.sslip.io"
  issuerRef:
    kind: Issuer
    name: default-ca-issuer
  secretName: tap-default-tls
---
apiVersion: projectcontour.io/v1
kind: TLSCertificateDelegation
metadata:
  name: contour-delegation
  namespace: #@ namespace
spec:
  delegations:
  - secretName: tap-default-tls
    targetNamespaces:
    - "*"
EOF
cat <<EOF > overlays/cnrs-https.yaml
#@ load("@ytt:overlay", "overlay")
#@overlay/match by=overlay.subset({"metadata":{"name":"config-network"}, "kind": "ConfigMap"})
---
data:
  #@overlay/match missing_ok=True
  default-external-scheme: https
EOF
cat <<EOF > overlays/tap-telemetry-remove.yaml
#@ load("@ytt:overlay", "overlay")
#@overlay/match by=overlay.subset({"metadata":{"namespace":"tap-telemetry"}}), expects="1+"
#@overlay/remove
---
EOF
Create the overlay files as Secrets.
kubectl -n tap-install create secret generic contour-default-tls \
-o yaml \
--dry-run=client \
--from-file=overlays/contour-default-tls.yaml \
| kubectl apply -f-
kubectl -n tap-install create secret generic cnrs-https \
-o yaml \
--dry-run=client \
--from-file=overlays/cnrs-https.yaml \
| kubectl apply -f-
kubectl -n tap-install create secret generic tap-telemetry-remove \
-o yaml \
--dry-run=client \
--from-file=overlays/tap-telemetry-remove.yaml \
| kubectl apply -f-
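An added example, not part of the original article: at this point the registry token sits in tap-values.yaml and the CA private key has been copied into overlays/contour-default-tls.yaml, both created with whatever permissions the shell's umask allows. The script below lists secret-bearing files that are readable by group or others and restricts them to the owner; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article).

# find_exposed_secrets DIR: print (relative to DIR) every regular file that is
# readable by group or others AND contains a PEM private key or a non-empty
# "password:" value, the two kinds of secret this walkthrough writes to disk.
find_exposed_secrets() {
  find "$1" -type f \( -perm -040 -o -perm -004 \) -print |
  while IFS= read -r f; do
    if grep -Eq -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' \
                -e '^[[:space:]]*password:[[:space:]]*[^[:space:]]' "$f"; then
      printf '%s\n' "${f#"$1"/}"
    fi
  done | sort
}

# lock_down DIR: make every file reported above readable by its owner only.
lock_down() {
  find_exposed_secrets "$1" | while IFS= read -r rel; do
    chmod 600 "$1/$rel"
  done
}

# make_sample_tree DIR: constructed stand-ins for the files created so far.
make_sample_tree() {
  mkdir -p "$1/certs" "$1/overlays"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' > "$1/certs/ca.crt"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructed' > "$1/certs/ca.key"
  printf '%s\n' 'stringData:' '  tls.key: |' '    -----BEGIN PRIVATE KEY-----' \
    > "$1/overlays/contour-default-tls.yaml"
  printf '%s\n' 'data:' '  default-external-scheme: https' \
    > "$1/overlays/cnrs-https.yaml"
  printf '%s\n' 'shared:' '  image_registry:' '    password: constructed-token' \
    > "$1/tap-values.yaml"
  find "$1" -type f -exec chmod 644 {} +
  chmod 600 "$1/certs/ca.key"   # the only file the article's chmod protects
}

# Demo on the constructed tree; point find_exposed_secrets at "." for real use.
tmp=$(mktemp -d)
make_sample_tree "$tmp"
echo "exposed before lock_down:"
find_exposed_secrets "$tmp"
lock_down "$tmp"
echo "exposed after lock_down: $(find_exposed_secrets "$tmp" | wc -l)"
rm -rf "$tmp"
```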
Install TAP.
tanzu package install tap \
-p tap.tanzu.vmware.com \
-v 1.3.2 \
--values-file tap-values.yaml \
-n tap-install \
--wait=false
Check the installation progress with the following command.
while [ "$(kubectl -n tap-install get app tap -o=jsonpath='{.status.friendlyDescription}')" != "Reconcile succeeded" ];do
date
kubectl get app -n tap-install
echo "---------------------------------------------------------------------"
sleep 10
done
echo "✅ Install succeeded"
Wait until all apps show Reconcile succeeded. This takes about 10 minutes.
$ kubectl get app -n tap-install
NAME DESCRIPTION SINCE-DEPLOY AGE
api-auto-registration Reconcile succeeded 9m54s 10m
appliveview-connector Reconcile succeeded 9m54s 10m
appliveview-conventions Reconcile succeeded 5m50s 5m57s
buildservice Reconciling 9m51s 9m59s
cartographer Reconcile succeeded 8m2s 8m9s
cert-manager Reconcile succeeded 9m53s 10m
cnrs Reconcile succeeded 4m28s 4m35s
contour Reconcile succeeded 8m2s 8m9s
conventions-controller Reconcile succeeded 8m3s 8m9s
developer-conventions Reconcile succeeded 5m51s 5m58s
fluxcd-source-controller Reconcile succeeded 9m53s 10m
ootb-delivery-basic Reconcile succeeded 5m18s 5m25s
ootb-supply-chain-basic Reconcile succeeded 5m19s 5m25s
ootb-templates Reconcile succeeded 5m27s 5m33s
service-bindings Reconcile succeeded 9m54s 10m
services-toolkit Reconcile succeeded 9m43s 9m58s
source-controller Reconcile succeeded 8m2s 8m9s
spring-boot-conventions Reconcile succeeded 5m52s 5m58s
tap Reconciling 10m 10m
tap-auth Reconcile succeeded 9m54s 10m
tap-telemetry Reconcile succeeded 9m52s 9m59s
tekton-pipelines Reconcile succeeded 9m54s 10m
The installed packages are as follows.
$ tanzu package installed list -n tap-install
NAME PACKAGE-NAME PACKAGE-VERSION STATUS
api-auto-registration apis.apps.tanzu.vmware.com 0.1.2 Reconcile succeeded
appliveview-connector connector.appliveview.tanzu.vmware.com 1.3.1 Reconcile succeeded
appliveview-conventions conventions.appliveview.tanzu.vmware.com 1.3.1 Reconcile succeeded
buildservice buildservice.tanzu.vmware.com 1.7.4 Reconcile succeeded
cartographer cartographer.tanzu.vmware.com 0.5.4 Reconcile succeeded
cert-manager cert-manager.tanzu.vmware.com 1.7.2+tap.1 Reconcile succeeded
cnrs cnrs.tanzu.vmware.com 2.0.2 Reconcile succeeded
contour contour.tanzu.vmware.com 1.22.0+tap.5 Reconcile succeeded
conventions-controller controller.conventions.apps.tanzu.vmware.com 0.7.1 Reconcile succeeded
developer-conventions developer-conventions.tanzu.vmware.com 0.8.0 Reconcile succeeded
fluxcd-source-controller fluxcd.source.controller.tanzu.vmware.com 0.27.0+tap.1 Reconcile succeeded
ootb-delivery-basic ootb-delivery-basic.tanzu.vmware.com 0.10.5 Reconcile succeeded
ootb-supply-chain-basic ootb-supply-chain-basic.tanzu.vmware.com 0.10.5 Reconcile succeeded
ootb-templates ootb-templates.tanzu.vmware.com 0.10.5 Reconcile succeeded
service-bindings service-bindings.labs.vmware.com 0.8.1 Reconcile succeeded
services-toolkit services-toolkit.tanzu.vmware.com 0.8.1 Reconcile succeeded
source-controller controller.source.apps.tanzu.vmware.com 0.5.1 Reconcile succeeded
spring-boot-conventions spring-boot-conventions.tanzu.vmware.com 0.5.0 Reconcile succeeded
tap tap.tanzu.vmware.com 1.3.2 Reconcile succeeded
tap-auth tap-auth.tanzu.vmware.com 1.1.0 Reconcile succeeded
tap-telemetry tap-telemetry.tanzu.vmware.com 0.3.2 Reconcile succeeded
tekton-pipelines tekton.tanzu.vmware.com 0.39.0+tap.2 Reconcile succeeded
The deployed Pods are as follows.
$ kubectl get pod -A
NAMESPACE NAME READY STATUS RESTARTS AGE
api-auto-registration api-auto-registration-controller-675dcfbb6f-s79cx 1/1 Running 0 16m
app-live-view-connector application-live-view-connector-zvlw9 1/1 Running 0 16m
app-live-view-conventions appliveview-webhook-69f8765bff-lzzkb 1/1 Running 0 12m
build-service build-pod-image-fetcher-twsch 5/5 Running 0 16m
build-service dependency-updater-controller-789db96d9c-4s4dj 1/1 Running 0 16m
build-service secret-syncer-controller-5d4b99bb46-bvdtt 1/1 Running 0 16m
build-service smart-warmer-image-fetcher-dqn6v 3/3 Running 0 7m46s
build-service warmer-controller-5ddd8c9768-9hv4t 1/1 Running 0 16m
cartographer-system cartographer-controller-9498cf75-s2cw2 1/1 Running 0 14m
cartographer-system cartographer-conventions-controller-manager-75478d544b-rxvbm 1/1 Running 0 14m
cert-injection-webhook cert-injection-webhook-9b999bf6f-xqhtl 1/1 Running 0 16m
cert-manager cert-manager-687f5f56bf-kwlfd 1/1 Running 0 16m
cert-manager cert-manager-cainjector-69c87566b8-kvhxn 1/1 Running 0 16m
cert-manager cert-manager-webhook-656694bcf5-nznqt 1/1 Running 0 16m
conventions-system conventions-controller-manager-5b5db64df6-cbwsj 1/1 Running 0 14m
developer-conventions webhook-75596db5c4-b7cmc 1/1 Running 0 12m
flux-system fluxcd-source-controller-56f889f644-8vb75 1/1 Running 0 16m
kapp-controller kapp-controller-77466557f5-tz6b8 2/2 Running 0 49m
knative-serving activator-57f6877df6-dnmns 1/1 Running 0 10m
knative-serving autoscaler-8b477dff7-7ws6k 1/1 Running 0 10m
knative-serving autoscaler-hpa-76c95b69d8-kzz69 1/1 Running 0 10m
knative-serving controller-6f7d858bdc-65jjb 1/1 Running 0 10m
knative-serving domain-mapping-846b8744c6-sm6lj 1/1 Running 0 10m
knative-serving domainmapping-webhook-6cddd6644-vwpkk 1/1 Running 0 10m
knative-serving net-certmanager-controller-87d5885fc-6dcg5 1/1 Running 0 10m
knative-serving net-certmanager-webhook-78fb75fb59-56xtc 1/1 Running 0 10m
knative-serving net-contour-controller-85cfd8b599-5rzn4 1/1 Running 0 10m
knative-serving webhook-b55dc57d-wpmw2 1/1 Running 0 10m
kpack kpack-controller-8674b8df76-6vj76 1/1 Running 0 16m
kpack kpack-webhook-6d49b65755-2mrpc 1/1 Running 0 16m
kube-system coredns-64897985d-6znqq 1/1 Running 0 116m
kube-system coredns-64897985d-b4prw 1/1 Running 0 116m
kube-system etcd-kind-control-plane 1/1 Running 0 117m
kube-system kindnet-9prdc 1/1 Running 0 116m
kube-system kube-apiserver-kind-control-plane 1/1 Running 0 117m
kube-system kube-controller-manager-kind-control-plane 1/1 Running 0 117m
kube-system kube-proxy-w4tv7 1/1 Running 0 116m
kube-system kube-scheduler-kind-control-plane 1/1 Running 0 117m
local-path-storage local-path-provisioner-58dc9cd8d9-trltg 1/1 Running 0 116m
secretgen-controller secretgen-controller-7c88f487c-54tlb 1/1 Running 0 49m
service-bindings manager-b6c6d689c-9gpxf 1/1 Running 0 16m
services-toolkit resource-claims-apiserver-649b79fcd4-7q4qr 1/1 Running 0 16m
services-toolkit services-toolkit-controller-manager-6645b85b77-q74nq 1/1 Running 0 16m
source-system source-controller-manager-69dcffd958-t2qrp 1/1 Running 0 14m
spring-boot-convention spring-boot-webhook-6959dd9567-hcs6h 1/1 Running 0 12m
stacks-operator-system controller-manager-765f5c768d-gxqct 1/1 Running 0 16m
tanzu-system-ingress contour-769c5b87c7-b8qs9 1/1 Running 0 14m
tanzu-system-ingress envoy-c9kp4 2/2 Running 0 14m
tekton-pipelines tekton-pipelines-controller-66b8768b68-zj9rn 1/1 Running 0 16m
tekton-pipelines tekton-pipelines-webhook-74d6959b76-l9hg2 1/1 Running 0 16m
Confirm that the ClusterBuilders are READY.
$ kubectl get clusterbuilder
NAME LATESTIMAGE READY
base ghcr.io/making/buildservice:clusterbuilder-base@sha256:6f6f2178be677884e78353eb39bf37cc55b0f7483cc59740e50dbf958dec7f65 True
base-jammy ghcr.io/making/buildservice:clusterbuilder-base-jammy@sha256:064c5d5314dd9357a7978e41f62f8d44b6ffc2cf18fba78a73d85ebc25d8d51e True
default ghcr.io/making/buildservice:clusterbuilder-default@sha256:6f6f2178be677884e78353eb39bf37cc55b0f7483cc59740e50dbf958dec7f65 True
Deploying a Workload
Preparation for creating Workloads
https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.3/tap/GUID-set-up-namespaces.html (partially modified)
kubectl create ns demo
tanzu secret registry add registry-credentials \
--server ghcr.io \
--username ${GITHUB_USERNAME} \
--password ${GITHUB_API_TOKEN} \
--namespace demo
cat <<EOF > rbac.yaml
apiVersion: v1
kind: Secret
metadata:
  name: tap-registry
  annotations:
    secretgen.carvel.dev/image-pull-secret: ""
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: e30K
---
apiVersion: v1
kind: Secret
metadata:
  name: git-ssh
  annotations:
    tekton.dev/git-0: github.com
type: kubernetes.io/ssh-auth
data:
  ssh-privatekey: 8J+UkQ==
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
secrets:
- name: registry-credentials
- name: git-ssh
imagePullSecrets:
- name: registry-credentials
- name: tap-registry
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: default-permit-deliverable
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: deliverable
subjects:
- kind: ServiceAccount
  name: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: default-permit-workload
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: workload
subjects:
- kind: ServiceAccount
  name: default
EOF
kubectl -n demo apply -f rbac.yaml
Deploying a Node.js app
tanzu apps workload apply hello-nodejs \
--app hello-nodejs \
--git-repo https://github.com/making/hello-nodejs \
--git-branch master \
--type web \
-n demo \
-y
Logs are easy to follow with stern.
stern -n demo hello-nodejs
You can check the progress of the Supply Chain with the following command.
$ tanzu apps workload get -n demo hello-nodejs
📡 Overview
name: hello-nodejs
type: web
💾 Source
type: git
url: https://github.com/making/hello-nodejs
branch: master
📦 Supply Chain
name: source-to-url
RESOURCE READY HEALTHY TIME OUTPUT
source-provider True True 9s GitRepository/hello-nodejs
image-provider Unknown Unknown 9s Image/hello-nodejs
config-provider False Unknown 11s not found
app-config False True 11s not found
service-bindings False True 11s not found
api-descriptors False True 11s not found
config-writer False Unknown 11s not found
🚚 Delivery
name: delivery-basic
RESOURCE READY HEALTHY TIME OUTPUT
source-provider False False 7s ImageRepository/hello-nodejs-delivery
deployer False Unknown 9s not found
💬 Messages
Workload [MissingValueAtPath]: waiting to read value [.status.latestImage] from resource [image.kpack.io/hello-nodejs] in namespace [demo]
Deliverable [HealthyConditionRule]: unable to resolve image "ghcr.io/making/workloads/hello-nodejs-demo-bundle:519e7cea-20ad-4568-9b56-84002d42ba2c": GET https://ghcr.io/v2/making/workloads/hello-nodejs-demo-bundle/manifests/519e7cea-20ad-4568-9b56-84002d42ba2c: MANIFEST_UNKNOWN: manifest unknown
🛶 Pods
NAME READY STATUS RESTARTS AGE
hello-nodejs-build-1-build-pod 0/1 Init:1/6 0 8s
To see logs: "tanzu apps workload tail hello-nodejs --namespace demo"
Once the "Knative Services" section appears and shows "Ready", the app deployment is complete.
$ tanzu apps workload get -n demo hello-nodejs
📡 Overview
name: hello-nodejs
type: web
💾 Source
type: git
url: https://github.com/making/hello-nodejs
branch: master
📦 Supply Chain
name: source-to-url
RESOURCE READY HEALTHY TIME OUTPUT
source-provider True True 85s GitRepository/hello-nodejs
image-provider True True 38s Image/hello-nodejs
config-provider True True 31s PodIntent/hello-nodejs
app-config True True 31s ConfigMap/hello-nodejs
service-bindings True True 31s ConfigMap/hello-nodejs-with-claims
api-descriptors True True 31s ConfigMap/hello-nodejs-with-api-descriptors
config-writer True True 17s Runnable/hello-nodejs-config-writer
🚚 Delivery
name: delivery-basic
RESOURCE READY HEALTHY TIME OUTPUT
source-provider True True 11s ImageRepository/hello-nodejs-delivery
deployer True True 9s App/hello-nodejs
💬 Messages
No messages found.
🛶 Pods
NAME READY STATUS RESTARTS AGE
hello-nodejs-00001-deployment-5cfbcf8f56-bkwg9 2/2 Running 0 11s
hello-nodejs-build-1-build-pod 0/1 Completed 0 84s
hello-nodejs-config-writer-w6lmp-pod 0/1 Completed 0 29s
🚢 Knative Services
NAME READY URL
hello-nodejs Ready https://hello-nodejs-demo.127-0-0-1.sslip.io
To see logs: "tanzu apps workload tail hello-nodejs --namespace demo"
$ curl -k https://hello-nodejs-demo.127-0-0-1.sslip.io
Hello World!
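An added example, not part of the original article: instead of skipping verification with `curl -k`, a client can trust the CA created earlier (`curl --cacert certs/ca.crt https://hello-nodejs-demo.127-0-0-1.sslip.io`). The script below rebuilds the same kind of chain with throwaway keys (a constructed CA and a wildcard leaf; file and function names are assumptions) and shows which hostnames the wildcard certificate covers, including why the tap-values.yaml above sets domain_template to a single-label form.

```shell
#!/bin/sh
# Added example, not from the original article. All keys and certificates are
# throwaway values constructed in a temporary directory. Requires openssl.

# make_chain DIR: create a CA (like certs/ca.crt) and a leaf certificate for
# the wildcard name used by the tap-default-tls Certificate in this article.
make_chain() {
  d=$1
  cat > "$d/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:*.127-0-0-1.sslip.io
EOF
  openssl req -x509 -new -nodes -newkey rsa:2048 -config "$d/openssl.cnf" \
    -extensions v3_ca -subj "/CN=default-ca/O=TAP/C=JP" -days 1 \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
  openssl req -new -nodes -newkey rsa:2048 -config "$d/openssl.cnf" \
    -subj "/CN=tap-default-tls" -keyout "$d/leaf.key" -out "$d/leaf.csr" \
    2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -extfile "$d/openssl.cnf" -extensions leaf \
    -out "$d/leaf.crt" 2>/dev/null
}

# verify_host CAFILE CERT HOSTNAME: succeed only if CERT chains to CAFILE and
# its subjectAltName covers HOSTNAME (the checks that `curl -k` turns off).
verify_host() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Demo. The first name has the shape produced by this article's
# domain_template "{{.Name}}-{{.Namespace}}.{{.Domain}}". The second has the
# shape of Knative's default template "{{.Name}}.{{.Namespace}}.{{.Domain}}",
# which adds a label that a single "*." wildcard does not cover.
tmp=$(mktemp -d)
if make_chain "$tmp"; then
  for h in hello-nodejs-demo.127-0-0-1.sslip.io \
           hello-nodejs.demo.127-0-0-1.sslip.io; do
    if verify_host "$tmp/ca.crt" "$tmp/leaf.crt" "$h"; then
      echo "trusted:  $h"
    else
      echo "rejected: $h"
    fi
  done
fi
rm -rf "$tmp"
```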
When you are done checking, delete the Workload.
tanzu apps workload delete -n demo hello-nodejs -y
Deploying a Java app
tanzu apps workload apply spring-music \
--app spring-music \
--git-repo https://github.com/scottfrederick/spring-music \
--git-branch tanzu \
--type web \
--annotation autoscaling.knative.dev/minScale=1 \
-n demo \
-y
Logs are easy to follow with stern.
stern -n demo spring-music
Run the following command. Once the "Knative Services" section appears and shows "Ready", the app deployment is complete.
$ tanzu apps workload get -n demo spring-music
📡 Overview
name: spring-music
type: web
💾 Source
type: git
url: https://github.com/scottfrederick/spring-music
branch: tanzu
📦 Supply Chain
name: source-to-url
RESOURCE READY HEALTHY TIME OUTPUT
source-provider True True 5m28s GitRepository/spring-music
image-provider True True 102s Image/spring-music
config-provider True True 93s PodIntent/spring-music
app-config True True 93s ConfigMap/spring-music
service-bindings True True 93s ConfigMap/spring-music-with-claims
api-descriptors True True 93s ConfigMap/spring-music-with-api-descriptors
config-writer True True 79s Runnable/spring-music-config-writer
🚚 Delivery
name: delivery-basic
RESOURCE READY HEALTHY TIME OUTPUT
source-provider True True 21s ImageRepository/spring-music-delivery
deployer True True 19s App/spring-music
💬 Messages
No messages found.
🛶 Pods
NAME READY STATUS RESTARTS AGE
spring-music-00001-deployment-55fcc4c676-7dpdg 2/2 Running 0 21s
spring-music-build-1-build-pod 0/1 Completed 0 5m17s
spring-music-config-writer-lbnp7-pod 0/1 Completed 0 91s
🚢 Knative Services
NAME READY URL
spring-music Ready https://spring-music-demo.127-0-0-1.sslip.io
To see logs: "tanzu apps workload tail spring-music --namespace demo"

Enter "THIS IS UNSAFE"

When you are done checking, delete the Workload.
tanzu apps workload delete -n demo spring-music -y
Deploying with GitOps
First, create a git repository on GitHub to manage the manifests. I created https://github.com/making/hello-nodejs-manifests containing only a README.

Create a Secret for pushing to the Git repository. You can choose HTTP(S) Basic-auth or SSH. Here we use Basic-auth.
Generate a personal access token with access to repo at https://github.com/settings/tokens.

Create the Secret with the following commands.
GITHUB_USERNAME=making
GITHUB_API_TOKEN=ghp_******
kubectl create secret generic git-basic -n demo \
--type kubernetes.io/basic-auth \
--from-literal=username=${GITHUB_USERNAME} \
--from-literal=password=${GITHUB_API_TOKEN} \
--dry-run=client -oyaml \
| kubectl apply -f-
kubectl -n demo annotate secret git-basic tekton.dev/git-0=https://github.com --overwrite=true
kubectl patch -n demo serviceaccount default -p "{\"secrets\":[{\"name\":\"git-basic\"}]}"
Deploy with the following command.
tanzu apps workload apply hello-nodejs \
--app hello-nodejs \
--git-repo https://github.com/making/hello-nodejs \
--git-branch master \
--type web \
--param gitops_branch=main \
--param gitops_commit_message=Bump \
--param gitops_server_address=https://github.com \
--param gitops_repository_owner=making \
--param gitops_repository_name=tap-gitops-manifests \
--param gitops_user_email=makingx+bot@gmail.com \
--param gitops_user_name=making-bot \
--param gitops_ssh_secret=git-basic \
-n demo \
-y
Logs are easy to follow with stern.
stern -n demo hello-nodejs
Run the following command. Once the "Knative Services" section appears and shows "Ready", the app deployment is complete.
$ tanzu apps workload get hello-nodejs -n demo
When kpack finishes building the container image, Tekton commits and pushes the manifest using that image's digest. Looking at the git repository, you can see that the following commit was made automatically.

Access the URL.
$ curl -k https://hello-nodejs-demo.127-0-0-1.sslip.io
Hello World!
When you change the source code and git push, a new container image is built, and the manifest is committed and pushed again so that it uses the new image's digest. The commit looks like the following.

Using pull requests with GitOps
Since TAP 1.2, instead of committing and pushing manifest changes directly, you can send a pull request.
Add the following lines to tap-values.yaml. The default is direct.
# ...
ootb_supply_chain_basic:
  gitops:
    commit_strategy: pull_request
    pull_request:
      server_kind: github
      commit_branch: ""
      pull_request_title: "ready for review"
      pull_request_body: "generated by supply chain"
Update TAP with the following command.
tanzu package installed update -n tap-install tap -f tap-values.yaml
When you change the source code and git push, a Pull Request like the following is created after the container image is built.


Merging this Pull Request deploys the change.
When you are done checking, delete the Workload.
tanzu apps workload delete -n demo hello-nodejs -y
Using a Dockerfile via Kaniko
Since TAP 1.2, you can use a Dockerfile instead of Cloud Native Buildpacks when building the container image.
Internally, kaniko is used instead of kpack.
tanzu apps workload apply hello-nodejs \
--app hello-nodejs \
--git-repo https://github.com/making/hello-nodejs \
--git-branch master \
--param dockerfile=./Dockerfile \
--type web \
-n demo \
-y
tanzu apps workload tail hello-nodejs -n demo
When you are done checking, delete the Workload.
tanzu apps workload delete -n demo hello-nodejs -y
With TAP, it is convenient that a CI/CD flow can be created with just tanzu apps workload.