---
title: "Notes on installing Tanzu Application Platform 1.3 (Iterate Profile) on Kind and enabling HTTPS"
tags: ["Kubernetes", "Cartographer", "kind", "Tanzu", "TAP", "Knative"]
categories: ["Dev", "CaaS", "Kubernetes", "TAP"]
date: 2022-11-29T05:33:50Z
updated: 2022-11-29T15:39:54Z
---

This post installs [Tanzu Application Platform 1.3](https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.3/tap/GUID-overview.html) on Kind.
I am trying this on an Intel Mac.

In this article I install TAP and try the feature that deploys a "Hello World" application straight from source code ("Source to URL").
HTTPS is enabled as well.

### Creating the Kind cluster

Allocate at least 4 CPUs and 4 GB of memory to Docker.

```
cat <<EOF > kind-expose-port.yaml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  extraPortMappings:
  - containerPort: 31443 # expose port 31443 of the node to port 443 on the host for use later by Contour ingress (envoy)
    hostPort: 443
  - containerPort: 31080 # expose port 31080 of the node to port 80 on the host for use later by Contour ingress (envoy)
    hostPort: 80
EOF
kind create cluster --config kind-expose-port.yaml --image kindest/node:v1.23.12
```

### Installing the Pivnet CLI

The [`pivnet`](https://github.com/pivotal-cf/pivnet-cli) CLI is used here to download the required software.
`pivnet` can be installed with brew.

```
brew install pivotal/tap/pivnet-cli
```

Obtain an API token from [VMware Tanzu Network](https://network.tanzu.vmware.com/) and log in with the `pivnet` CLI.

```
pivnet login --api-token=
```

### Accepting the EULAs

If this is your first installation, accept the EULAs of the following components.

* [Tanzu Application Platform](https://network.tanzu.vmware.com/products/tanzu-application-platform/)
* [Cluster Essentials for VMware Tanzu](https://network.tanzu.vmware.com/products/tanzu-cluster-essentials/)

> ⚠️ The usage period defined by the EULA is 30 days. That said, there is no restriction enforced in the software itself.

### Installing the Tanzu CLI

```
# For Mac
pivnet download-product-files --product-slug='tanzu-application-platform' --release-version='1.3.2' --glob='tanzu-framework-darwin-amd64-*.tar'
# For Linux
pivnet download-product-files --product-slug='tanzu-application-platform' --release-version='1.3.2' --glob='tanzu-framework-linux-amd64-*.tar'
# For Windows
pivnet download-product-files --product-slug='tanzu-application-platform' --release-version='1.3.2' --glob='tanzu-framework-windows-amd64-*.zip'
```

```
tar xvf tanzu-framework-*-amd64-*.tar
install cli/core/v0.25.0/tanzu-core-*_amd64 /usr/local/bin/tanzu
export TANZU_CLI_NO_INIT=true
```

```
$ tanzu version
version: v0.25.0
buildDate: 2022-08-25
sha: 6288c751-dirty
```

Install the plugins.

```
tanzu plugin install --local cli all
```

### Installing Cluster Essentials for VMware Tanzu

Install [Cluster Essentials for VMware Tanzu](https://network.tanzu.vmware.com/products/tanzu-cluster-essentials) to deploy the Kapp Controller and Secretgen Controller that the TAP installation requires.

```
# Mac
pivnet download-product-files --product-slug='tanzu-cluster-essentials' --release-version='1.3.0' --glob='tanzu-cluster-essentials-darwin-amd64-*'
# Linux
pivnet download-product-files --product-slug='tanzu-cluster-essentials' --release-version='1.3.0' --glob='tanzu-cluster-essentials-linux-amd64-*'
```

```yaml
TANZUNET_USERNAME=...
TANZUNET_PASSWORD=...

mkdir tanzu-cluster-essentials
tar xzvf tanzu-cluster-essentials-*-amd64-*.tgz -C tanzu-cluster-essentials

export INSTALL_BUNDLE=registry.tanzu.vmware.com/tanzu-cluster-essentials/cluster-essentials-bundle:1.3.0
export INSTALL_REGISTRY_HOSTNAME=registry.tanzu.vmware.com
export INSTALL_REGISTRY_USERNAME=${TANZUNET_USERNAME}
export INSTALL_REGISTRY_PASSWORD=${TANZUNET_PASSWORD}
cd tanzu-cluster-essentials
./install.sh --yes
cd ..
```

```
$ kubectl get pod -n kapp-controller
NAME                               READY   STATUS    RESTARTS   AGE
kapp-controller-77466557f5-tz6b8   2/2     Running   0          61s

$ kubectl get pod -n secretgen-controller
NAME                                   READY   STATUS    RESTARTS   AGE
secretgen-controller-7c88f487c-54tlb   1/1     Running   0          39s
```

### Installing Tanzu Application Platform

#### Registering the Package Repository for TAP

```
TANZUNET_USERNAME=...
TANZUNET_PASSWORD=...

kubectl create ns tap-install
tanzu secret registry add tap-registry \
  --username "${TANZUNET_USERNAME}" \
  --password "${TANZUNET_PASSWORD}" \
  --server registry.tanzu.vmware.com \
  --export-to-all-namespaces \
  --yes \
  --namespace tap-install
tanzu package repository add tanzu-tap-repository \
  --url registry.tanzu.vmware.com/tanzu-application-platform/tap-packages:1.3.2 \
  --namespace tap-install
```

```
$ tanzu package available list --namespace tap-install
  NAME                                                 DISPLAY-NAME                                                              SHORT-DESCRIPTION                                                                                                                                        LATEST-VERSION
  accelerator.apps.tanzu.vmware.com                    Application Accelerator for VMware Tanzu                                  Used to create new projects and configurations.                                                                                                          1.3.2
  api-portal.tanzu.vmware.com                          API portal                                                                A unified user interface for API discovery and exploration at scale.                                                                                     1.2.5
  apis.apps.tanzu.vmware.com                           API Auto Registration for VMware Tanzu                                    A TAP component to automatically register API exposing workloads as API entities in TAP GUI.                                                             0.1.2
  backend.appliveview.tanzu.vmware.com                 Application Live View for VMware Tanzu                                    App for monitoring and troubleshooting running apps                                                                                                      1.3.1
  buildservice.tanzu.vmware.com                        Tanzu Build Service                                                       Tanzu Build Service enables the building and automation of containerized software workflows securely and at scale.                                       1.7.4
  carbonblack.scanning.apps.tanzu.vmware.com           VMware Carbon Black for Supply Chain Security Tools - Scan                Default scan templates using VMware Carbon Black                                                                                                         1.0.0-beta.2
  cartographer.tanzu.vmware.com                        Cartographer                                                              Kubernetes native Supply Chain Choreographer.                                                                                                            0.5.4
  cnrs.tanzu.vmware.com                                Cloud Native Runtimes                                                     Cloud Native Runtimes is a serverless runtime based on Knative                                                                                           2.0.2
  connector.appliveview.tanzu.vmware.com               Application Live View Connector for VMware Tanzu                          App for discovering and registering running apps                                                                                                         1.3.1
  controller.conventions.apps.tanzu.vmware.com         Convention Service for VMware Tanzu                                       Convention Service enables app operators to consistently apply desired runtime configurations to fleets of workloads.                                    0.7.1
  controller.source.apps.tanzu.vmware.com              Tanzu Source Controller                                                   Tanzu Source Controller enables workload create/update from source code.                                                                                 0.5.1
  conventions.appliveview.tanzu.vmware.com             Application Live View Conventions for VMware Tanzu                        Application Live View convention server                                                                                                                  1.3.1
  developer-conventions.tanzu.vmware.com               Tanzu App Platform Developer Conventions                                  Developer Conventions                                                                                                                                    0.8.0
  eventing.tanzu.vmware.com                            Eventing                                                                  Eventing is an event-driven architecture platform based on Knative Eventing                                                                              2.0.2
  fluxcd.source.controller.tanzu.vmware.com            Flux Source Controller                                                    The source-controller is a Kubernetes operator, specialised in artifacts acquisition from external sources such as Git, Helm repositories and S3 buckets.  0.27.0+tap.1
  grype.scanning.apps.tanzu.vmware.com                 Grype for Supply Chain Security Tools - Scan                              Default scan templates using Anchore Grype                                                                                                               1.3.1
  image-policy-webhook.signing.apps.tanzu.vmware.com   Image Policy Webhook                                                      Image Policy Webhook enables defining of a policy to restrict unsigned container images.                                                                 1.1.9
  learningcenter.tanzu.vmware.com                      Learning Center for Tanzu Application Platform                            Guided technical workshops                                                                                                                               0.2.4
  metadata-store.apps.tanzu.vmware.com                 Supply Chain Security Tools - Store                                       Post SBoMs and query for image, package, and vulnerability metadata.                                                                                     1.3.4
  ootb-delivery-basic.tanzu.vmware.com                 Tanzu App Platform Out of The Box Delivery Basic                          Out of The Box Delivery Basic.                                                                                                                           0.10.5
  ootb-supply-chain-basic.tanzu.vmware.com             Tanzu App Platform Out of The Box Supply Chain Basic                      Out of The Box Supply Chain Basic.                                                                                                                       0.10.5
  ootb-supply-chain-testing-scanning.tanzu.vmware.com  Tanzu App Platform Out of The Box Supply Chain with Testing and Scanning  Out of The Box Supply Chain with Testing and Scanning.                                                                                                   0.10.5
  ootb-supply-chain-testing.tanzu.vmware.com           Tanzu App Platform Out of The Box Supply Chain with Testing               Out of The Box Supply Chain with Testing.                                                                                                                0.10.5
  ootb-templates.tanzu.vmware.com                      Tanzu App Platform Out of The Box Templates                               Out of The Box Templates.                                                                                                                                0.10.5
  policy.apps.tanzu.vmware.com                         Supply Chain Security Tools - Policy Controller                           Policy Controller enables defining of a policy to restrict unsigned container images.                                                                    1.1.3
  scanning.apps.tanzu.vmware.com                       Supply Chain Security Tools - Scan                                        Scan for vulnerabilities and enforce policies directly within Kubernetes native Supply Chains.                                                           1.3.1
  service-bindings.labs.vmware.com                     Service Bindings for Kubernetes                                           Service Bindings for Kubernetes implements the Service Binding Specification.                                                                            0.8.1
  services-toolkit.tanzu.vmware.com                    Services Toolkit                                                          The Services Toolkit enables the management, lifecycle, discoverability and connectivity of Service Resources (databases, message queues, DNS records, etc.).  0.8.1
  snyk.scanning.apps.tanzu.vmware.com                  Snyk for Supply Chain Security Tools - Scan                               Default scan templates using Snyk                                                                                                                        1.0.0-beta.5
  spring-boot-conventions.tanzu.vmware.com             Tanzu Spring Boot Conventions Server                                      Default Spring Boot convention server.                                                                                                                   0.5.0
  sso.apps.tanzu.vmware.com                            AppSSO                                                                    Application Single Sign-On for Tanzu                                                                                                                     2.0.0
  tap-auth.tanzu.vmware.com                            Default roles for Tanzu Application Platform                              Default roles for Tanzu Application Platform                                                                                                             1.1.0
  tap-gui.tanzu.vmware.com                             Tanzu Application Platform GUI                                            web app graphical user interface for Tanzu Application Platform                                                                                          1.3.3
  tap-telemetry.tanzu.vmware.com                       Telemetry Collector for Tanzu Application Platform                        Tanzu Application Plaform Telemetry                                                                                                                      0.3.2
  tap.tanzu.vmware.com                                 Tanzu Application Platform                                                Package to install a set of TAP components to get you started based on your use case.                                                                    1.3.2
  tekton.tanzu.vmware.com                              Tekton Pipelines                                                          Tekton Pipelines is a framework for creating CI/CD systems.                                                                                              0.39.0+tap.2
  workshops.learningcenter.tanzu.vmware.com            Workshop Building Tutorial                                                Workshop Building Tutorial                                                                                                                               0.2.3
```

#### Creating a self-signed CA certificate

```
mkdir -p certs
rm -f certs/*
docker run --rm -v ${PWD}/certs:/certs hitch openssl req -new -nodes -out /certs/ca.csr -keyout /certs/ca.key -subj "/CN=default-ca/O=TAP/C=JP"
chmod og-rwx certs/ca.key
docker run --rm -v ${PWD}/certs:/certs hitch openssl x509 -req -in /certs/ca.csr -days 3650 -extfile /etc/ssl/openssl.cnf -extensions v3_ca -signkey /certs/ca.key -out /certs/ca.crt
```

#### Installing the Iterate Profile

Create the following `tap-values.yaml` to install the iterate profile.
Packages that are not needed are listed under `excluded_packages` so that the installation fits on 4 CPUs.

```yaml
GITHUB_USERNAME=...
GITHUB_API_TOKEN=...

cat <<EOF > tap-values.yaml
shared:
  ingress_domain: 127-0-0-1.sslip.io
  image_registry:
    project_path: ghcr.io/${GITHUB_USERNAME}
    username: ${GITHUB_USERNAME}
    password: ${GITHUB_API_TOKEN}
  ca_cert_data: |
$(cat certs/ca.crt | sed 's/^/    /g')

ceip_policy_disclosed: true

profile: iterate

supply_chain: basic

contour:
  contour:
    replicas: 1
  envoy:
    service:
      type: NodePort
      nodePorts:
        http: 31080
        https: 31443
    hostPorts:
      enable: true

cnrs:
  domain_template: "{{.Name}}-{{.Namespace}}.{{.Domain}}"
  default_tls_secret: tanzu-system-ingress/tap-default-tls
  provider: local

package_overlays:
- name: contour
  secrets:
  - name: contour-default-tls
- name: cnrs
  secrets:
  - name: cnrs-https
- name: tap-telemetry
  secrets:
  - name: tap-telemetry-remove

excluded_packages:
- policy.apps.tanzu.vmware.com
- image-policy-webhook.signing.apps.tanzu.vmware.com
- eventing.tanzu.vmware.com
- sso.apps.tanzu.vmware.com
EOF
```

> `*.127-0-0-1.sslip.io` resolves to `127.0.0.1`.

Create the following definitions as overlays to provide the default TLS certificate used by Contour/Knative.

```yaml
mkdir -p overlays

cat <<EOF > overlays/contour-default-tls.yaml
#@ load("@ytt:data", "data")
#@ load("@ytt:overlay", "overlay")
#@ namespace = data.values.namespace
---
apiVersion: v1
kind: Secret
metadata:
  name: default-ca
  namespace: #@ namespace
type: kubernetes.io/tls
stringData:
  tls.crt: |
$(cat certs/ca.crt | sed 's/^/    /g')
  tls.key: |
$(cat certs/ca.key | sed 's/^/    /g')
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: default-ca-issuer
  namespace: #@ namespace
spec:
  ca:
    secretName: default-ca
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: tap-default-tls
  namespace: #@ namespace
spec:
  dnsNames:
  - #@ "*.127-0-0-1.sslip.io"
  issuerRef:
    kind: Issuer
    name: default-ca-issuer
  secretName: tap-default-tls
---
apiVersion: projectcontour.io/v1
kind: TLSCertificateDelegation
metadata:
  name: contour-delegation
  namespace: #@ namespace
spec:
  delegations:
  - secretName: tap-default-tls
    targetNamespaces:
    - "*"
EOF

cat <<EOF > overlays/cnrs-https.yaml
#@ load("@ytt:overlay", "overlay")
#@overlay/match by=overlay.subset({"metadata":{"name":"config-network"}, "kind": "ConfigMap"})
---
data:
  #@overlay/match missing_ok=True
  default-external-scheme: https
EOF

cat <<EOF > overlays/tap-telemetry-remove.yaml
#@ load("@ytt:overlay", "overlay")
#@overlay/match by=overlay.subset({"metadata":{"namespace":"tap-telemetry"}}), expects="1+"
#@overlay/remove
---
EOF
```

Create the overlay files as Secrets.

```
kubectl -n tap-install create secret generic contour-default-tls \
  -o yaml \
  --dry-run=client \
  --from-file=overlays/contour-default-tls.yaml \
  | kubectl apply -f-
kubectl -n tap-install create secret generic cnrs-https \
  -o yaml \
  --dry-run=client \
  --from-file=overlays/cnrs-https.yaml \
  | kubectl apply -f-
kubectl -n tap-install create secret generic tap-telemetry-remove \
  -o yaml \
  --dry-run=client \
  --from-file=overlays/tap-telemetry-remove.yaml \
  | kubectl apply -f-
```

Install TAP.

```
tanzu package install tap \
  -p tap.tanzu.vmware.com \
  -v 1.3.2 \
  --values-file tap-values.yaml \
  -n tap-install \
  --wait=false
```

Check the installation progress with the following command.

```
while [ "$(kubectl -n tap-install get app tap -o=jsonpath='{.status.friendlyDescription}')" != "Reconcile succeeded" ];do
  date
  kubectl get app -n tap-install
  echo "---------------------------------------------------------------------"
  sleep 10
done
echo "✅ Install succeeded"
```

Wait until every app reaches `Reconcile succeeded`. It takes about 10 minutes.

```
$ kubectl get app -n tap-install
NAME                       DESCRIPTION           SINCE-DEPLOY   AGE
api-auto-registration      Reconcile succeeded   9m54s          10m
appliveview-connector      Reconcile succeeded   9m54s          10m
appliveview-conventions    Reconcile succeeded   5m50s          5m57s
buildservice               Reconciling           9m51s          9m59s
cartographer               Reconcile succeeded   8m2s           8m9s
cert-manager               Reconcile succeeded   9m53s          10m
cnrs                       Reconcile succeeded   4m28s          4m35s
contour                    Reconcile succeeded   8m2s           8m9s
conventions-controller     Reconcile succeeded   8m3s           8m9s
developer-conventions      Reconcile succeeded   5m51s          5m58s
fluxcd-source-controller   Reconcile succeeded   9m53s          10m
ootb-delivery-basic        Reconcile succeeded   5m18s          5m25s
ootb-supply-chain-basic    Reconcile succeeded   5m19s          5m25s
ootb-templates             Reconcile succeeded   5m27s          5m33s
service-bindings           Reconcile succeeded   9m54s          10m
services-toolkit           Reconcile succeeded   9m43s          9m58s
source-controller          Reconcile succeeded   8m2s           8m9s
spring-boot-conventions    Reconcile succeeded   5m52s          5m58s
tap                        Reconciling           10m            10m
tap-auth                   Reconcile succeeded   9m54s          10m
tap-telemetry              Reconcile succeeded   9m52s          9m59s
tekton-pipelines           Reconcile succeeded   9m54s          10m
```

The installed packages are as follows.

```
$ tanzu package installed list -n tap-install
  NAME                       PACKAGE-NAME                                   PACKAGE-VERSION   STATUS
  api-auto-registration      apis.apps.tanzu.vmware.com                     0.1.2             Reconcile succeeded
  appliveview-connector      connector.appliveview.tanzu.vmware.com         1.3.1             Reconcile succeeded
  appliveview-conventions    conventions.appliveview.tanzu.vmware.com       1.3.1             Reconcile succeeded
  buildservice               buildservice.tanzu.vmware.com                  1.7.4             Reconcile succeeded
  cartographer               cartographer.tanzu.vmware.com                  0.5.4             Reconcile succeeded
  cert-manager               cert-manager.tanzu.vmware.com                  1.7.2+tap.1       Reconcile succeeded
  cnrs                       cnrs.tanzu.vmware.com                          2.0.2             Reconcile succeeded
  contour                    contour.tanzu.vmware.com                       1.22.0+tap.5      Reconcile succeeded
  conventions-controller     controller.conventions.apps.tanzu.vmware.com   0.7.1             Reconcile succeeded
  developer-conventions      developer-conventions.tanzu.vmware.com         0.8.0             Reconcile succeeded
  fluxcd-source-controller   fluxcd.source.controller.tanzu.vmware.com      0.27.0+tap.1      Reconcile succeeded
  ootb-delivery-basic        ootb-delivery-basic.tanzu.vmware.com           0.10.5            Reconcile succeeded
  ootb-supply-chain-basic    ootb-supply-chain-basic.tanzu.vmware.com       0.10.5            Reconcile succeeded
  ootb-templates             ootb-templates.tanzu.vmware.com                0.10.5            Reconcile succeeded
  service-bindings           service-bindings.labs.vmware.com               0.8.1             Reconcile succeeded
  services-toolkit           services-toolkit.tanzu.vmware.com              0.8.1             Reconcile succeeded
  source-controller          controller.source.apps.tanzu.vmware.com        0.5.1             Reconcile succeeded
  spring-boot-conventions    spring-boot-conventions.tanzu.vmware.com       0.5.0             Reconcile succeeded
  tap                        tap.tanzu.vmware.com                           1.3.2             Reconcile succeeded
  tap-auth                   tap-auth.tanzu.vmware.com                      1.1.0             Reconcile succeeded
  tap-telemetry              tap-telemetry.tanzu.vmware.com                 0.3.2             Reconcile succeeded
  tekton-pipelines           tekton.tanzu.vmware.com                        0.39.0+tap.2      Reconcile succeeded
```

The deployed Pods are as follows.

```
$ kubectl get pod -A
NAMESPACE                  NAME                                                           READY   STATUS    RESTARTS   AGE
api-auto-registration      api-auto-registration-controller-675dcfbb6f-s79cx              1/1     Running   0          16m
app-live-view-connector    application-live-view-connector-zvlw9                           1/1     Running   0          16m
app-live-view-conventions  appliveview-webhook-69f8765bff-lzzkb                           1/1     Running   0          12m
build-service              build-pod-image-fetcher-twsch                                  5/5     Running   0          16m
build-service              dependency-updater-controller-789db96d9c-4s4dj                 1/1     Running   0          16m
build-service              secret-syncer-controller-5d4b99bb46-bvdtt                      1/1     Running   0          16m
build-service              smart-warmer-image-fetcher-dqn6v                               3/3     Running   0          7m46s
build-service              warmer-controller-5ddd8c9768-9hv4t                             1/1     Running   0          16m
cartographer-system        cartographer-controller-9498cf75-s2cw2                         1/1     Running   0          14m
cartographer-system        cartographer-conventions-controller-manager-75478d544b-rxvbm   1/1     Running   0          14m
cert-injection-webhook     cert-injection-webhook-9b999bf6f-xqhtl                         1/1     Running   0          16m
cert-manager               cert-manager-687f5f56bf-kwlfd                                  1/1     Running   0          16m
cert-manager               cert-manager-cainjector-69c87566b8-kvhxn                       1/1     Running   0          16m
cert-manager               cert-manager-webhook-656694bcf5-nznqt                          1/1     Running   0          16m
conventions-system         conventions-controller-manager-5b5db64df6-cbwsj                1/1     Running   0          14m
developer-conventions      webhook-75596db5c4-b7cmc                                       1/1     Running   0          12m
flux-system                fluxcd-source-controller-56f889f644-8vb75                      1/1     Running   0          16m
kapp-controller            kapp-controller-77466557f5-tz6b8                               2/2     Running   0          49m
knative-serving            activator-57f6877df6-dnmns                                     1/1     Running   0          10m
knative-serving            autoscaler-8b477dff7-7ws6k                                     1/1     Running   0          10m
knative-serving            autoscaler-hpa-76c95b69d8-kzz69                                1/1     Running   0          10m
knative-serving            controller-6f7d858bdc-65jjb                                    1/1     Running   0          10m
knative-serving            domain-mapping-846b8744c6-sm6lj                                1/1     Running   0          10m
knative-serving            domainmapping-webhook-6cddd6644-vwpkk                          1/1     Running   0          10m
knative-serving            net-certmanager-controller-87d5885fc-6dcg5                     1/1     Running   0          10m
knative-serving            net-certmanager-webhook-78fb75fb59-56xtc                       1/1     Running   0          10m
knative-serving            net-contour-controller-85cfd8b599-5rzn4                        1/1     Running   0          10m
knative-serving            webhook-b55dc57d-wpmw2                                         1/1     Running   0          10m
kpack                      kpack-controller-8674b8df76-6vj76                              1/1     Running   0          16m
kpack                      kpack-webhook-6d49b65755-2mrpc                                 1/1     Running   0          16m
kube-system                coredns-64897985d-6znqq                                        1/1     Running   0          116m
kube-system                coredns-64897985d-b4prw                                        1/1     Running   0          116m
kube-system                etcd-kind-control-plane                                        1/1     Running   0          117m
kube-system                kindnet-9prdc                                                  1/1     Running   0          116m
kube-system                kube-apiserver-kind-control-plane                              1/1     Running   0          117m
kube-system                kube-controller-manager-kind-control-plane                     1/1     Running   0          117m
kube-system                kube-proxy-w4tv7                                               1/1     Running   0          116m
kube-system                kube-scheduler-kind-control-plane                              1/1     Running   0          117m
local-path-storage         local-path-provisioner-58dc9cd8d9-trltg                        1/1     Running   0          116m
secretgen-controller       secretgen-controller-7c88f487c-54tlb                           1/1     Running   0          49m
service-bindings           manager-b6c6d689c-9gpxf                                        1/1     Running   0          16m
services-toolkit           resource-claims-apiserver-649b79fcd4-7q4qr                     1/1     Running   0          16m
services-toolkit           services-toolkit-controller-manager-6645b85b77-q74nq           1/1     Running   0          16m
source-system              source-controller-manager-69dcffd958-t2qrp                     1/1     Running   0          14m
spring-boot-convention     spring-boot-webhook-6959dd9567-hcs6h                           1/1     Running   0          12m
stacks-operator-system     controller-manager-765f5c768d-gxqct                            1/1     Running   0          16m
tanzu-system-ingress       contour-769c5b87c7-b8qs9                                       1/1     Running   0          14m
tanzu-system-ingress       envoy-c9kp4                                                    2/2     Running   0          14m
tekton-pipelines           tekton-pipelines-controller-66b8768b68-zj9rn                   1/1     Running   0          16m
tekton-pipelines           tekton-pipelines-webhook-74d6959b76-l9hg2                      1/1     Running   0          16m
```

Confirm that the ClusterBuilders are READY.

```
$ kubectl get clusterbuilder
NAME         LATESTIMAGE                                                                                                                 READY
base         ghcr.io/making/buildservice:clusterbuilder-base@sha256:6f6f2178be677884e78353eb39bf37cc55b0f7483cc59740e50dbf958dec7f65         True
base-jammy   ghcr.io/making/buildservice:clusterbuilder-base-jammy@sha256:064c5d5314dd9357a7978e41f62f8d44b6ffc2cf18fba78a73d85ebc25d8d51e   True
default      ghcr.io/making/buildservice:clusterbuilder-default@sha256:6f6f2178be677884e78353eb39bf37cc55b0f7483cc59740e50dbf958dec7f65      True
```

### Deploying a Workload

#### Preparation for creating Workloads

https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.3/tap/GUID-set-up-namespaces.html (partly modified)

```
kubectl create ns demo

tanzu secret registry add registry-credentials \
  --server ghcr.io \
  --username ${GITHUB_USERNAME} \
  --password ${GITHUB_API_TOKEN} \
  --namespace demo
```

```yaml
cat <<EOF > rbac.yaml
apiVersion: v1
kind: Secret
metadata:
  name: tap-registry
  annotations:
    secretgen.carvel.dev/image-pull-secret: ""
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: e30K
---
apiVersion: v1
kind: Secret
metadata:
  name: git-ssh
  annotations:
    tekton.dev/git-0: github.com
type: kubernetes.io/ssh-auth
data:
  ssh-privatekey: 8J+UkQ==
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
secrets:
- name: registry-credentials
- name: git-ssh
imagePullSecrets:
- name: registry-credentials
- name: tap-registry
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: default-permit-deliverable
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: deliverable
subjects:
- kind: ServiceAccount
  name: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: default-permit-workload
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: workload
subjects:
- kind: ServiceAccount
  name: default
EOF

kubectl -n demo apply -f rbac.yaml
```

#### Deploying a Node.js app

```
tanzu apps workload apply hello-nodejs \
  --app hello-nodejs \
  --git-repo https://github.com/making/hello-nodejs \
  --git-branch master \
  --type web \
  -n demo \
  -y
```

The logs are easier to follow with [`stern`](https://github.com/stern/stern).

```
stern -n demo hello-nodejs
```

The progress of the Supply Chain can be checked with the following command.

```
$ tanzu apps workload get -n demo hello-nodejs
📡 Overview
   name:   hello-nodejs
   type:   web

💾 Source
   type:     git
   url:      https://github.com/making/hello-nodejs
   branch:   master

📦 Supply Chain
   name:   source-to-url

   RESOURCE           READY     HEALTHY   TIME   OUTPUT
   source-provider    True      True      9s     GitRepository/hello-nodejs
   image-provider     Unknown   Unknown   9s     Image/hello-nodejs
   config-provider    False     Unknown   11s    not found
   app-config         False     True      11s    not found
   service-bindings   False     True      11s    not found
   api-descriptors    False     True      11s    not found
   config-writer      False     Unknown   11s    not found

🚚 Delivery
   name:   delivery-basic

   RESOURCE          READY   HEALTHY   TIME   OUTPUT
   source-provider   False   False     7s     ImageRepository/hello-nodejs-delivery
   deployer          False   Unknown   9s     not found

💬 Messages
   Workload [MissingValueAtPath]:   waiting to read value [.status.latestImage] from resource [image.kpack.io/hello-nodejs] in namespace [demo]
   Deliverable [HealthyConditionRule]:   unable to resolve image "ghcr.io/making/workloads/hello-nodejs-demo-bundle:519e7cea-20ad-4568-9b56-84002d42ba2c": GET https://ghcr.io/v2/making/workloads/hello-nodejs-demo-bundle/manifests/519e7cea-20ad-4568-9b56-84002d42ba2c: MANIFEST_UNKNOWN: manifest unknown

🛶 Pods
   NAME                             READY   STATUS     RESTARTS   AGE
   hello-nodejs-build-1-build-pod   0/1     Init:1/6   0          8s

To see logs: "tanzu apps workload tail hello-nodejs --namespace demo"
```

Once the "Knative Services" section is printed and shows "Ready", the deployment of the app is complete.

```
$ tanzu apps workload get -n demo hello-nodejs
📡 Overview
   name:   hello-nodejs
   type:   web

💾 Source
   type:     git
   url:      https://github.com/making/hello-nodejs
   branch:   master

📦 Supply Chain
   name:   source-to-url

   RESOURCE           READY   HEALTHY   TIME   OUTPUT
   source-provider    True    True      85s    GitRepository/hello-nodejs
   image-provider     True    True      38s    Image/hello-nodejs
   config-provider    True    True      31s    PodIntent/hello-nodejs
   app-config         True    True      31s    ConfigMap/hello-nodejs
   service-bindings   True    True      31s    ConfigMap/hello-nodejs-with-claims
   api-descriptors    True    True      31s    ConfigMap/hello-nodejs-with-api-descriptors
   config-writer      True    True      17s    Runnable/hello-nodejs-config-writer

🚚 Delivery
   name:   delivery-basic

   RESOURCE          READY   HEALTHY   TIME   OUTPUT
   source-provider   True    True      11s    ImageRepository/hello-nodejs-delivery
   deployer          True    True      9s     App/hello-nodejs

💬 Messages
   No messages found.

🛶 Pods
   NAME                                             READY   STATUS      RESTARTS   AGE
   hello-nodejs-00001-deployment-5cfbcf8f56-bkwg9   2/2     Running     0          11s
   hello-nodejs-build-1-build-pod                   0/1     Completed   0          84s
   hello-nodejs-config-writer-w6lmp-pod             0/1     Completed   0          29s

🚢 Knative Services
   NAME           READY   URL
   hello-nodejs   Ready   https://hello-nodejs-demo.127-0-0-1.sslip.io

To see logs: "tanzu apps workload tail hello-nodejs --namespace demo"
```

```
$ curl -k https://hello-nodejs-demo.127-0-0-1.sslip.io
Hello World!
```

Delete the Workload once you have confirmed it works.

```
tanzu apps workload delete -n demo hello-nodejs -y
```

#### Deploying a Java app

```
tanzu apps workload apply spring-music \
  --app spring-music \
  --git-repo https://github.com/scottfrederick/spring-music \
  --git-branch tanzu \
  --type web \
  --annotation autoscaling.knative.dev/minScale=1 \
  -n demo \
  -y
```

The logs are easier to follow with [`stern`](https://github.com/stern/stern).

```
stern -n demo spring-music
```

Run the following command; once the "Knative Services" section is printed and shows "Ready", the deployment of the app is complete.

```
$ tanzu apps workload get -n demo spring-music
📡 Overview
   name:   spring-music
   type:   web

💾 Source
   type:     git
   url:      https://github.com/scottfrederick/spring-music
   branch:   tanzu

📦 Supply Chain
   name:   source-to-url

   RESOURCE           READY   HEALTHY   TIME    OUTPUT
   source-provider    True    True      5m28s   GitRepository/spring-music
   image-provider     True    True      102s    Image/spring-music
   config-provider    True    True      93s     PodIntent/spring-music
   app-config         True    True      93s     ConfigMap/spring-music
   service-bindings   True    True      93s     ConfigMap/spring-music-with-claims
   api-descriptors    True    True      93s     ConfigMap/spring-music-with-api-descriptors
   config-writer      True    True      79s     Runnable/spring-music-config-writer

🚚 Delivery
   name:   delivery-basic

   RESOURCE          READY   HEALTHY   TIME   OUTPUT
   source-provider   True    True      21s    ImageRepository/spring-music-delivery
   deployer          True    True      19s    App/spring-music

💬 Messages
   No messages found.

🛶 Pods
   NAME                                             READY   STATUS      RESTARTS   AGE
   spring-music-00001-deployment-55fcc4c676-7dpdg   2/2     Running     0          21s
   spring-music-build-1-build-pod                   0/1     Completed   0          5m17s
   spring-music-config-writer-lbnp7-pod             0/1     Completed   0          91s

🚢 Knative Services
   NAME           READY   URL
   spring-music   Ready   https://spring-music-demo.127-0-0-1.sslip.io

To see logs: "tanzu apps workload tail spring-music --namespace demo"
```

When the browser shows a certificate warning (the self-signed CA is not trusted by the OS), type "THIS IS UNSAFE" to proceed. Alternatively, add `certs/ca.crt` to the OS or browser trust store so the chain validates normally.

Delete the Workload once you have confirmed it works.

```
tanzu apps workload delete -n demo spring-music -y
```

### Deploying with GitOps

https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.3/tap/GUID-scc-gitops-vs-regops.html#gitops-0

First, create a git repository on GitHub to manage the manifests. I created https://github.com/making/hello-nodejs-manifests containing only a README.

Create a Secret for pushing to the Git repository. You can choose between [HTTP(S) Basic-auth](https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.2/tap/GUID-scc-gitops-vs-regops.html#authentication-3) and [SSH](https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.2/tap/GUID-scc-gitops-vs-regops.html#ssh-4).
Basic-auth is used here. Generate a Personal access token with access to the repo at https://github.com/settings/tokens.

Create the Secret with the following commands.

```
GITHUB_USERNAME=making
GITHUB_API_TOKEN=ghp_******

kubectl create secret generic git-basic -n demo \
  --type kubernetes.io/basic-auth \
  --from-literal=username=${GITHUB_USERNAME} \
  --from-literal=password=${GITHUB_API_TOKEN} \
  --dry-run=client -oyaml \
  | kubectl apply -f-
kubectl -n demo annotate secret git-basic tekton.dev/git-0=https://github.com --overwrite=true
kubectl patch -n demo serviceaccount default -p "{\"secrets\":[{\"name\":\"git-basic\"}]}"
```

Deploy with the following command.

```
tanzu apps workload apply hello-nodejs \
  --app hello-nodejs \
  --git-repo https://github.com/making/hello-nodejs \
  --git-branch master \
  --type web \
  --param gitops_branch=main \
  --param gitops_commit_message=Bump \
  --param gitops_server_address=https://github.com \
  --param gitops_repository_owner=making \
  --param gitops_repository_name=tap-gitops-manifests \
  --param gitops_user_email=makingx+bot@gmail.com \
  --param gitops_user_name=making-bot \
  --param gitops_ssh_secret=git-basic \
  -n demo \
  -y
```

The logs are easier to follow with [`stern`](https://github.com/stern/stern).

```
stern -n demo hello-nodejs
```

Run the following command; once the "Knative Services" section is printed and shows "Ready", the deployment of the app is complete.

```
$ tanzu apps workload get hello-nodejs -n demo
```

When kpack finishes building the container image, Tekton commits and pushes a manifest that references that image by its digest.
Looking at the git repository, you can see that the commit was made automatically.

Access the URL.

```
$ curl -k https://hello-demo.127-0-0-1.sslip.io
Hello World!
```

When you change the source code and git push, a new container image is built and the manifest is committed and pushed so that it uses the digest of the new image.

### Using pull requests with GitOps

Since TAP 1.2, instead of committing and pushing manifest changes directly, a pull request can be opened.

https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.3/tap/GUID-scc-gitops-vs-regops.html#pull-requests-2

Add the following lines to `tap-values.yaml`. The default is `direct`.

```yaml
# ...
ootb_supply_chain_basic:
  gitops:
    commit_strategy: pull_request
    pull_request:
      server_kind: github
      commit_branch: ""
      pull_request_title: "ready for review"
      pull_request_body: "generated by supply chain"
```

Update TAP with the following command.

```
tanzu package installed update -n tap-install tap -f tap-values.yaml
```

When you change the source code and git push, a Pull Request like the following is created after the container image has been built.

Merging this Pull Request deploys the change.

Delete the Workload once you have confirmed it works.

```
tanzu apps workload delete -n demo hello-nodejs -y
```

### Using a Dockerfile via Kaniko

Since TAP 1.2, a Dockerfile can be used instead of Cloud Native Buildpacks to build the container image.
Internally, [kaniko](https://github.com/GoogleContainerTools/kaniko) is used rather than kpack.

```
tanzu apps workload apply hello-nodejs \
  --app hello-nodejs \
  --git-repo https://github.com/making/hello-nodejs \
  --git-branch master \
  --param dockerfile=./Dockerfile \
  --type web \
  -n demo \
  -y

tanzu apps workload tail hello-nodejs -n demo
```

Delete the Workload once you have confirmed it works.

```
tanzu apps workload delete -n demo hello-nodejs -y
```

---

With TAP it is convenient that the whole CI/CD flow can be created with nothing more than `tanzu apps workload`.
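The self-signed CA and the `contour-default-tls` overlay above make cert-manager issue a single wildcard certificate for `*.127-0-0-1.sslip.io`; that is also why `cnrs.domain_template` joins name and namespace with `-` instead of the Knative default `.`, since a wildcard covers exactly one DNS label. The script below is an added example (not part of the original post) that reproduces the issuance locally with `openssl` and verifies the leaf against the CA file rather than skipping verification as `curl -k` does: `hello-nodejs-demo.127-0-0-1.sslip.io` validates, while `hello-nodejs.demo.127-0-0-1.sslip.io` does not. It assumes `openssl` is on the PATH and writes into a temporary directory.

```shell
#!/usr/bin/env sh
# Added example, not from the original post. Reproduces locally what the
# default-ca Issuer and the tap-default-tls Certificate do in-cluster, then
# verifies the leaf against the CA file instead of skipping verification.
# Assumes: openssl on PATH; all files go to a throwaway directory.
set -eu

WORK="${WORK:-$(mktemp -d)}"
DOMAIN="127-0-0-1.sslip.io"   # shared.ingress_domain from tap-values.yaml

# Minimal req config so `openssl req` works even without a system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# CA key pair with the same subject the post uses, plus explicit CA extensions.
make_ca() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl req -new -nodes -newkey rsa:2048 -config "$WORK/req.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" \
    -subj "/CN=default-ca/O=TAP/C=JP" 2>/dev/null
  chmod og-rwx "$WORK/ca.key"
  openssl x509 -req -in "$WORK/ca.csr" -days 3650 -signkey "$WORK/ca.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a serving certificate whose SAN is the dnsNames entry of the
# Certificate resource. $1 is the DNS name, e.g. "*.127-0-0-1.sslip.io".
issue_leaf() {
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$1" \
    > "$WORK/leaf.ext"
  openssl req -new -nodes -newkey rsa:2048 -config "$WORK/req.cnf" \
    -keyout "$WORK/tls.key" -out "$WORK/tls.csr" -subj "/CN=tap-default-tls" 2>/dev/null
  openssl x509 -req -in "$WORK/tls.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 90 -extfile "$WORK/leaf.ext" -out "$WORK/tls.crt" 2>/dev/null
}

# What a TLS client checks: the leaf chains to the CA, and the requested host
# matches a SAN. Prints OK or FAIL so the result can be asserted on.
verify_chain() {
  host="$1"
  if openssl verify -CAfile "$WORK/ca.crt" "$WORK/tls.crt" >/dev/null 2>&1 \
    && openssl x509 -in "$WORK/tls.crt" -noout -checkhost "$host" | grep -q "does match"; then
    echo OK
  else
    echo FAIL
  fi
}

make_ca
issue_leaf "*.${DOMAIN}"
# Host produced by the post's domain_template "{{.Name}}-{{.Namespace}}.{{.Domain}}":
echo "hello-nodejs-demo.${DOMAIN}: $(verify_chain "hello-nodejs-demo.${DOMAIN}")"
# Host the Knative default "{{.Name}}.{{.Namespace}}.{{.Domain}}" would produce;
# the extra label is outside what a single-level wildcard covers:
echo "hello-nodejs.demo.${DOMAIN}: $(verify_chain "hello-nodejs.demo.${DOMAIN}")"
```

Against the real cluster the equivalent check is `curl --cacert certs/ca.crt https://hello-nodejs-demo.127-0-0-1.sslip.io`, which fails instead of silently succeeding if the served certificate does not chain to the generated CA.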