IK.AM

@making's tech note


Notes on installing Tanzu Application Platform 1.6 (Full Profile) on Kind on OrbStack

🗃 {Dev/CaaS/Kubernetes/TAP}
🏷 Kubernetes 🏷 Cartographer 🏷 OrbStack 🏷 Tanzu 🏷 TAP 
🗓 Updated at 2023-08-01T16:07:27Z  🗓 Created at 2023-08-01T16:07:27Z   🌎 English Page

⚠️ The content of this article is not supported by VMware. Deal with any problems arising from it at your own risk and do not contact VMware support.


Creating the kind cluster

At least 6 vCPUs and 8 GB of RAM are required.

kind create cluster --image kindest/node:v1.27.3

Installing MetalLB

Install MetalLB.

kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.13.10/config/manifests/metallb-native.yaml
kubectl wait --namespace metallb-system \
             --for=condition=ready pod \
             --selector=app=metallb \
             --timeout=90s

Check the IP range of the kind docker network with the following command.

$ docker network inspect -f '{{.IPAM.Config}}' kind
[{192.168.228.0/24  192.168.228.1 map[]} {fc00:f853:ccd:e793::/64  fc00:f853:ccd:e793::1 map[]}]

Since 192.168.228.0/24 was returned, configure 192.168.228.200-192.168.228.250 as the IP range that MetalLB hands out.

kubectl apply -f- << EOF
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: example
  namespace: metallb-system
spec:
  addresses:
  - 192.168.228.200-192.168.228.250
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: empty
  namespace: metallb-system
EOF

From this point on, 192.168.228.200-192.168.228.250 can be used as the External IP of type=LoadBalancer services.

The following IP will be used in the subsequent steps.

  • 192.168.228.200 ... Envoy for TAP
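The addresses used throughout the rest of this note (the MetalLB pool, the Envoy loadBalancerIP, and the sslip.io ingress_domain in tap-values.yaml) are all derived from the kind docker network CIDR, and a mismatch between them is the usual reason the GUI endpoint does not resolve. The following script, an added example that is not part of the original note, derives those values from the `docker network inspect` output shown above and checks that they agree; it assumes the /24 network layout and the .200-.250 convention used here, and the function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not from the original note): derive the MetalLB address pool, the
# Envoy LoadBalancer IP and the sslip.io ingress_domain from the kind docker network
# CIDR, and check that the values placed in tap-values.yaml agree with each other.
set -eu

# Pull the IPv4 CIDR out of `docker network inspect -f '{{.IPAM.Config}}' kind` output.
# The IPv6 entry (fc00:...) contains colons and is skipped by the dotted-quad pattern.
ipv4_cidr_from_ipam() {
  printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+){3}/[0-9]+' | head -n 1
}

# First three octets of a /24 network, e.g. 192.168.228.0/24 -> 192.168.228.
# Other prefix lengths are rejected: the .200-.250 convention below assumes a /24.
ipv4_prefix24() {
  case "$1" in
    */24) printf '%s\n' "${1%/24}" | cut -d. -f1-3 ;;
    *) echo "only /24 networks are supported, got: $1" >&2; return 1 ;;
  esac
}

# MetalLB pool: the top of the /24, well clear of the gateway (.1) and the low
# addresses docker hands to the kind node containers.
metallb_pool_range() {
  p=$(ipv4_prefix24 "$1")
  printf '%s.200-%s.250\n' "$p" "$p"
}

# First address of the pool, pinned to Envoy via contour.envoy.service.loadBalancerIP.
envoy_lb_ip() {
  printf '%s.200\n' "$(ipv4_prefix24 "$1")"
}

# sslip.io resolves <name>.<a-b-c-d>.sslip.io to a.b.c.d, so the ingress domain is
# the IP with dots replaced by dashes, prefixed with "tap.".
sslip_domain() {
  printf 'tap.%s.sslip.io\n' "$(printf '%s' "$1" | tr . -)"
}

# Render the IPAddressPool / L2Advertisement manifests from the note for a given CIDR.
render_metallb_manifest() {
  range=$(metallb_pool_range "$1")
  cat <<EOF
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: example
  namespace: metallb-system
spec:
  addresses:
  - ${range}
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: empty
  namespace: metallb-system
EOF
}

# Consistency check for tap-values.yaml: shared.ingress_domain must encode the
# loadBalancerIP, and that IP must fall inside the MetalLB pool of the given CIDR.
# Returns 0 when consistent, 1 (with the reason on stderr) otherwise.
check_ingress_consistency() {
  domain="$1"; lb_ip="$2"; cidr="$3"
  if [ "$domain" != "$(sslip_domain "$lb_ip")" ]; then
    echo "ingress_domain $domain does not resolve to $lb_ip" >&2; return 1
  fi
  p=$(ipv4_prefix24 "$cidr")
  case "$lb_ip" in
    "$p".*) ;;
    *) echo "$lb_ip is not inside $cidr" >&2; return 1 ;;
  esac
  last=${lb_ip##*.}
  if [ "$last" -lt 200 ] || [ "$last" -gt 250 ]; then
    echo "$lb_ip is outside the MetalLB pool $(metallb_pool_range "$cidr")" >&2; return 1
  fi
}

# Demo on the IPAM output captured in the note (constructed input; docker is not called).
SAMPLE_IPAM='[{192.168.228.0/24  192.168.228.1 map[]} {fc00:f853:ccd:e793::/64  fc00:f853:ccd:e793::1 map[]}]'
CIDR=$(ipv4_cidr_from_ipam "$SAMPLE_IPAM")
LB_IP=$(envoy_lb_ip "$CIDR")
echo "MetalLB pool   : $(metallb_pool_range "$CIDR")"
echo "Envoy LB IP    : $LB_IP"
echo "ingress_domain : $(sslip_domain "$LB_IP")"
check_ingress_consistency "$(sslip_domain "$LB_IP")" "$LB_IP" "$CIDR" \
  && echo "tap-values.yaml ingress settings are consistent"
```

Piping `render_metallb_manifest "$(ipv4_cidr_from_ipam "$(docker network inspect -f '{{.IPAM.Config}}' kind)")"` into `kubectl apply -f-` replaces the hand-typed manifest above when the docker network gets a different subnet.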

Installing Tanzu Application Platform

Installing the Pivnet CLI

The pivnet CLI is used here to download the required software. The pivnet CLI can be installed with brew.

brew install pivotal/tap/pivnet-cli

Obtain an API Token from VMware Tanzu Network and log in with the pivnet CLI.

pivnet login --api-token=<API Token>

🍎 On Apple Silicon, a pivnet binary can be downloaded from https://github.com/anthonydahanne/pivnet-cli/releases/tag/anthony-dev-20230323.

Accepting the EULAs

If this is your first installation, accept the EULAs of the following components.

⚠️ The period of use stipulated by the EULA is 30 days. That said, no restriction is enforced in the software itself.

Installing the Tanzu CLI

Starting with TAP 1.6, the Tanzu CLI can simply be downloaded from GitHub or installed with the brew command.

ℹ️ https://github.com/vmware-tanzu/tanzu-cli/blob/main/docs/quickstart/install.md

brew install vmware-tanzu/tanzu/tanzu-cli
$ tanzu version
version: v0.90.1
buildDate: 2023-06-29
sha: 8945351c

The way plugins are installed changed in TAP 1.6.

tanzu plugin clean
tanzu plugin install --group vmware-tap/default:v1.6.1
$ tanzu plugin list
Standalone Plugins
  NAME              DESCRIPTION                                                      TARGET      VERSION        STATUS     
  accelerator       Manage accelerators in a Kubernetes cluster                      kubernetes  v1.6.0         installed  
  apps              Applications on Kubernetes                                       kubernetes  v0.12.1        installed  
  build-service     plugin to interact with tanzu build service (tbs) crds           kubernetes  v1.0.0         installed  
  external-secrets  interacts with external-secrets.io resources                     kubernetes  v0.1.0-beta.7  installed  
  insight           post & query image, package, source, and vulnerability data      kubernetes  v1.6.0         installed  
  package           Tanzu package management                                         kubernetes  v0.29.0        installed  
  secret            Tanzu secret management                                          kubernetes  v0.29.0        installed  
  services          Commands for working with service instances, classes and claims  kubernetes  v0.7.0         installed 

Installing Cluster Essentials for VMware Tanzu

Install Cluster Essentials for VMware Tanzu to deploy Kapp Controller and Secretgen Controller, which are required to install TAP.

# Mac
pivnet download-product-files --product-slug='tanzu-cluster-essentials' --release-version='1.6.0' --glob='tanzu-cluster-essentials-darwin-amd64-*'
# Linux
pivnet download-product-files --product-slug='tanzu-cluster-essentials' --release-version='1.6.0' --glob='tanzu-cluster-essentials-linux-amd64-*'

Install Cluster Essentials.

TANZUNET_USERNAME=...
TANZUNET_PASSWORD=...

mkdir tanzu-cluster-essentials
tar xzvf tanzu-cluster-essentials-*-amd64-*.tgz -C tanzu-cluster-essentials

export INSTALL_BUNDLE=registry.tanzu.vmware.com/tanzu-cluster-essentials/cluster-essentials-bundle:1.6.0
export INSTALL_REGISTRY_HOSTNAME=registry.tanzu.vmware.com
export INSTALL_REGISTRY_USERNAME=${TANZUNET_USERNAME}
export INSTALL_REGISTRY_PASSWORD=${TANZUNET_PASSWORD}
cd tanzu-cluster-essentials
./install.sh --yes
cd ..

Check the Pods.

$ kubectl get pod -n kapp-controller 
NAME                               READY   STATUS    RESTARTS   AGE
kapp-controller-8557d45b9b-qjbsj   2/2     Running   0          37s

$ kubectl get pod -n secretgen-controller 
NAME                                   READY   STATUS    RESTARTS   AGE
secretgen-controller-6b6bf7bb4-ngln4   1/1     Running   0          37s

Configuring the Package Repository

Create the TAP Package Repositories.

TANZUNET_USERNAME=...
TANZUNET_PASSWORD=...

kubectl create ns tap-install

tanzu secret registry add tap-registry \
  --username "${TANZUNET_USERNAME}" \
  --password "${TANZUNET_PASSWORD}" \
  --server registry.tanzu.vmware.com \
  --export-to-all-namespaces \
  --yes \
  --namespace tap-install

tanzu package repository add tanzu-tap-repository \
  --url registry.tanzu.vmware.com/tanzu-application-platform/tap-packages:1.6.1 \
  --namespace tap-install

tanzu package repository add full-deps-repository \
  --url registry.tanzu.vmware.com/tanzu-application-platform/full-deps-package-repo:1.6.1 \
  --namespace tap-install

Check the list of available Packages.

$ kubectl get package -n tap-install                     
NAME                                                         PACKAGEMETADATA NAME                                  VERSION          AGE
accelerator.apps.tanzu.vmware.com.1.6.1                      accelerator.apps.tanzu.vmware.com                     1.6.1            28s
amr-observer.apps.tanzu.vmware.com.0.1.0-alpha.8             amr-observer.apps.tanzu.vmware.com                    0.1.0-alpha.8    28s
api-portal.tanzu.vmware.com.1.4.0                            api-portal.tanzu.vmware.com                           1.4.0            28s
apis.apps.tanzu.vmware.com.0.3.3                             apis.apps.tanzu.vmware.com                            0.3.3            26s
apiserver.appliveview.tanzu.vmware.com.1.6.1                 apiserver.appliveview.tanzu.vmware.com                1.6.1            26s
app-scanning.apps.tanzu.vmware.com.0.1.0-beta.45             app-scanning.apps.tanzu.vmware.com                    0.1.0-beta.45    27s
application-configuration-service.tanzu.vmware.com.2.1.0     application-configuration-service.tanzu.vmware.com    2.1.0            28s
backend.appliveview.tanzu.vmware.com.1.6.1                   backend.appliveview.tanzu.vmware.com                  1.6.1            28s
base-jammy-builder-lite.buildpacks.tanzu.vmware.com.0.1.0    base-jammy-builder-lite.buildpacks.tanzu.vmware.com   0.1.0            28s
base-jammy-builder.buildpacks.tanzu.vmware.com.0.1.0         base-jammy-builder.buildpacks.tanzu.vmware.com        0.1.0            8s
base-jammy-stack-lite.buildpacks.tanzu.vmware.com.0.1.41     base-jammy-stack-lite.buildpacks.tanzu.vmware.com     0.1.41           28s
base-jammy-stack.buildpacks.tanzu.vmware.com.0.1.41          base-jammy-stack.buildpacks.tanzu.vmware.com          0.1.41           8s
bitnami.services.tanzu.vmware.com.0.2.0                      bitnami.services.tanzu.vmware.com                     0.2.0            28s
buildservice.tanzu.vmware.com.1.11.10                        buildservice.tanzu.vmware.com                         1.11.10          28s
carbonblack.scanning.apps.tanzu.vmware.com.1.2.1-beta.1      carbonblack.scanning.apps.tanzu.vmware.com            1.2.1-beta.1     28s
cartographer.tanzu.vmware.com.0.7.3                          cartographer.tanzu.vmware.com                         0.7.3            28s
cert-manager.tanzu.vmware.com.2.3.1                          cert-manager.tanzu.vmware.com                         2.3.1            28s
cnrs.tanzu.vmware.com.2.3.1                                  cnrs.tanzu.vmware.com                                 2.3.1            28s
connector.appliveview.tanzu.vmware.com.1.6.1                 connector.appliveview.tanzu.vmware.com                1.6.1            28s
contour.tanzu.vmware.com.1.24.4                              contour.tanzu.vmware.com                              1.24.4           28s
controller.source.apps.tanzu.vmware.com.0.8.0                controller.source.apps.tanzu.vmware.com               0.8.0            28s
conventions.appliveview.tanzu.vmware.com.1.6.1               conventions.appliveview.tanzu.vmware.com              1.6.1            28s
crossplane.tanzu.vmware.com.0.2.1                            crossplane.tanzu.vmware.com                           0.2.1            28s
developer-conventions.tanzu.vmware.com.0.11.0                developer-conventions.tanzu.vmware.com                0.11.0           28s
dotnet-core-lite.buildpacks.tanzu.vmware.com.2.6.2           dotnet-core-lite.buildpacks.tanzu.vmware.com          2.6.2            28s
dotnet-core.buildpacks.tanzu.vmware.com.2.6.2                dotnet-core.buildpacks.tanzu.vmware.com               2.6.2            8s
eventing.tanzu.vmware.com.2.2.3-build.36                     eventing.tanzu.vmware.com                             2.2.3-build.36   28s
external-secrets.apps.tanzu.vmware.com.0.6.1+tap.6           external-secrets.apps.tanzu.vmware.com                0.6.1+tap.6      28s
fluxcd.source.controller.tanzu.vmware.com.0.36.1-build.2     fluxcd.source.controller.tanzu.vmware.com             0.36.1-build.2   28s
full-deps.buildservice.tanzu.vmware.com.0.2.3                full-deps.buildservice.tanzu.vmware.com               0.2.3            8s
full-jammy-builder.buildpacks.tanzu.vmware.com.0.1.0         full-jammy-builder.buildpacks.tanzu.vmware.com        0.1.0            8s
full-jammy-stack.buildpacks.tanzu.vmware.com.0.1.79          full-jammy-stack.buildpacks.tanzu.vmware.com          0.1.79           8s
go-lite.buildpacks.tanzu.vmware.com.2.1.4                    go-lite.buildpacks.tanzu.vmware.com                   2.1.4            28s
go.buildpacks.tanzu.vmware.com.2.1.4                         go.buildpacks.tanzu.vmware.com                        2.1.4            8s
grype.scanning.apps.tanzu.vmware.com.1.6.66                  grype.scanning.apps.tanzu.vmware.com                  1.6.66           28s
java-lite.buildpacks.tanzu.vmware.com.9.0.4                  java-lite.buildpacks.tanzu.vmware.com                 9.0.4            27s
java-native-image-lite.buildpacks.tanzu.vmware.com.7.0.4     java-native-image-lite.buildpacks.tanzu.vmware.com    7.0.4            27s
java-native-image.buildpacks.tanzu.vmware.com.7.0.4          java-native-image.buildpacks.tanzu.vmware.com         7.0.4            8s
java.buildpacks.tanzu.vmware.com.9.0.4                       java.buildpacks.tanzu.vmware.com                      9.0.4            8s
learningcenter.tanzu.vmware.com.0.3.1                        learningcenter.tanzu.vmware.com                       0.3.1            27s
local-source-proxy.apps.tanzu.vmware.com.0.1.0               local-source-proxy.apps.tanzu.vmware.com              0.1.0            27s
metadata-store.apps.tanzu.vmware.com.1.6.2                   metadata-store.apps.tanzu.vmware.com                  1.6.2            28s
namespace-provisioner.apps.tanzu.vmware.com.0.4.0            namespace-provisioner.apps.tanzu.vmware.com           0.4.0            28s
nodejs-lite.buildpacks.tanzu.vmware.com.2.2.3                nodejs-lite.buildpacks.tanzu.vmware.com               2.2.3            28s
nodejs.buildpacks.tanzu.vmware.com.2.2.3                     nodejs.buildpacks.tanzu.vmware.com                    2.2.3            8s
ootb-delivery-basic.tanzu.vmware.com.0.13.6                  ootb-delivery-basic.tanzu.vmware.com                  0.13.6           28s
ootb-supply-chain-basic.tanzu.vmware.com.0.13.6              ootb-supply-chain-basic.tanzu.vmware.com              0.13.6           28s
ootb-supply-chain-testing-scanning.tanzu.vmware.com.0.13.6   ootb-supply-chain-testing-scanning.tanzu.vmware.com   0.13.6           28s
ootb-supply-chain-testing.tanzu.vmware.com.0.13.6            ootb-supply-chain-testing.tanzu.vmware.com            0.13.6           28s
ootb-templates.tanzu.vmware.com.0.13.6                       ootb-templates.tanzu.vmware.com                       0.13.6           28s
php.buildpacks.tanzu.vmware.com.2.3.3                        php.buildpacks.tanzu.vmware.com                       2.3.3            8s
policy.apps.tanzu.vmware.com.1.4.0                           policy.apps.tanzu.vmware.com                          1.4.0            28s
procfile.buildpacks.tanzu.vmware.com.5.6.1                   procfile.buildpacks.tanzu.vmware.com                  5.6.1            8s
python-lite.buildpacks.tanzu.vmware.com.2.3.8                python-lite.buildpacks.tanzu.vmware.com               2.3.8            28s
python.buildpacks.tanzu.vmware.com.2.3.8                     python.buildpacks.tanzu.vmware.com                    2.3.8            8s
ruby-lite.buildpacks.tanzu.vmware.com.2.5.2                  ruby-lite.buildpacks.tanzu.vmware.com                 2.5.2            28s
ruby.buildpacks.tanzu.vmware.com.2.5.2                       ruby.buildpacks.tanzu.vmware.com                      2.5.2            8s
scanning.apps.tanzu.vmware.com.1.6.67                        scanning.apps.tanzu.vmware.com                        1.6.67           28s
service-bindings.labs.vmware.com.0.9.1                       service-bindings.labs.vmware.com                      0.9.1            28s
services-toolkit.tanzu.vmware.com.0.11.0                     services-toolkit.tanzu.vmware.com                     0.11.0           28s
snyk.scanning.apps.tanzu.vmware.com.1.0.0-beta.71            snyk.scanning.apps.tanzu.vmware.com                   1.0.0-beta.71    28s
spring-boot-conventions.tanzu.vmware.com.1.6.1               spring-boot-conventions.tanzu.vmware.com              1.6.1            26s
spring-cloud-gateway.tanzu.vmware.com.2.0.3                  spring-cloud-gateway.tanzu.vmware.com                 2.0.3            26s
sso.apps.tanzu.vmware.com.4.0.0                              sso.apps.tanzu.vmware.com                             4.0.0            26s
tap-auth.tanzu.vmware.com.1.1.0                              tap-auth.tanzu.vmware.com                             1.1.0            26s
tap-gui.tanzu.vmware.com.1.6.4                               tap-gui.tanzu.vmware.com                              1.6.4            28s
tap-telemetry.tanzu.vmware.com.0.6.1                         tap-telemetry.tanzu.vmware.com                        0.6.1            28s
tap.tanzu.vmware.com.1.6.1                                   tap.tanzu.vmware.com                                  1.6.1            28s
tekton.tanzu.vmware.com.0.41.0+tap.8                         tekton.tanzu.vmware.com                               0.41.0+tap.8     28s
tiny-jammy-builder.buildpacks.tanzu.vmware.com.0.1.0         tiny-jammy-builder.buildpacks.tanzu.vmware.com        0.1.0            8s
tiny-jammy-stack.buildpacks.tanzu.vmware.com.0.1.43          tiny-jammy-stack.buildpacks.tanzu.vmware.com          0.1.43           8s
tpb.tanzu.vmware.com.0.1.2                                   tpb.tanzu.vmware.com                                  0.1.2            27s
web-servers-lite.buildpacks.tanzu.vmware.com.0.13.1          web-servers-lite.buildpacks.tanzu.vmware.com          0.13.1           27s
web-servers.buildpacks.tanzu.vmware.com.0.13.1               web-servers.buildpacks.tanzu.vmware.com               0.13.1           8s
workshops.learningcenter.tanzu.vmware.com.0.3.0              workshops.learningcenter.tanzu.vmware.com             0.3.0            27s

Installing the Full profile

https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.6/tap/install-online-profile.html

Install the Full Profile.

Create the Secret for Build Service, which is used for creating Builders and similar tasks.

GITHUB_USERNAME=...
GITHUB_API_TOKEN=...

tanzu secret registry add buildservice-regcred \
  --username ${GITHUB_USERNAME} \
  --password ${GITHUB_API_TOKEN} \
  --server ghcr.io \
  --yes \
  --namespace tap-install

Prepare tap-values.yaml. Since we are installing the Full profile anyway, set the Supply Chain to testing_scanning. Also, use the full dependencies for Build Service.

cat <<EOF > tap-values.yaml
shared:
  ingress_domain: tap.192-168-228-200.sslip.io
  ingress_issuer: tap-ingress-selfsigned

  image_registry:
    project_path: ghcr.io/${GITHUB_USERNAME}
    secret:
      name: buildservice-regcred
      namespace: tap-install
  kubernetes_version: "1.27"

ceip_policy_disclosed: true

profile: full
supply_chain: testing_scanning
contour:
  contour:
    replicas: 1
  envoy:
    service:
      type: LoadBalancer
      loadBalancerIP: 192.168.228.200
buildservice:
  exclude_dependencies: false
tap_gui:
  metadataStoreAutoconfiguration: true
  app_config:
    auth:
      allowGuestAccess: true
metadata_store:
  ns_for_export_app_cert: "*"
  app_service_type: ClusterIP
  pg_req_cpu: "200m"
  pg_req_memory: "200Mi"
scanning:
  metadataStore:
    url: "" # Configuration is moved, so set this string to empty.
# The settings below are for saving resources
cnrs:
  lite:
    enable: true
  pdb:
    enable: false
cartographer:
  cartographer:
    resources:
      requests:
        cpu: 100m
        memory: 200Mi
crossplane:
  resourcesCrossplane:
    requests:
      cpu: 100m
      memory: 200Mi
  resourcesRBACManager:
    requests:
      cpu: 100m
      memory: 200Mi

excluded_packages:
- policy.apps.tanzu.vmware.com
- image-policy-webhook.signing.apps.tanzu.vmware.com
- eventing.tanzu.vmware.com
- sso.apps.tanzu.vmware.com
- learningcenter.tanzu.vmware.com
- workshops.learningcenter.tanzu.vmware.com
- api-portal.tanzu.vmware.com
EOF

Install TAP.

tanzu package install tap \
  -p tap.tanzu.vmware.com \
  -v 1.6.1 \
  --values-file tap-values.yaml \
  -n tap-install

Check the installed PackageInstalls.

$ kubectl get pkgi -n tap-install 
NAME                                 PACKAGE NAME                                          PACKAGE VERSION   DESCRIPTION           AGE
accelerator                          accelerator.apps.tanzu.vmware.com                     1.6.1             Reconcile succeeded   101s
api-auto-registration                apis.apps.tanzu.vmware.com                            0.3.3             Reconcile succeeded   2m32s
appliveview                          backend.appliveview.tanzu.vmware.com                  1.6.1             Reconcile succeeded   101s
appliveview-apiserver                apiserver.appliveview.tanzu.vmware.com                1.6.1             Reconcile succeeded   2m32s
appliveview-connector                connector.appliveview.tanzu.vmware.com                1.6.1             Reconcile succeeded   4m13s
appliveview-conventions              conventions.appliveview.tanzu.vmware.com              1.6.1             Reconcile succeeded   2m
base-jammy-builder-lite              base-jammy-builder-lite.buildpacks.tanzu.vmware.com   0.1.0             Reconcile succeeded   3m18s
base-jammy-stack-lite                base-jammy-stack-lite.buildpacks.tanzu.vmware.com     0.1.41            Reconcile succeeded   3m34s
bitnami-services                     bitnami.services.tanzu.vmware.com                     0.2.0             Reconcile succeeded   2m7s
buildservice                         buildservice.tanzu.vmware.com                         1.11.10           Reconcile succeeded   4m13s
cartographer                         cartographer.tanzu.vmware.com                         0.7.3             Reconcile succeeded   2m32s
cert-manager                         cert-manager.tanzu.vmware.com                         2.3.1             Reconcile succeeded   4m13s
cnrs                                 cnrs.tanzu.vmware.com                                 2.3.1             Reconcile succeeded   101s
contour                              contour.tanzu.vmware.com                              1.24.4            Reconcile succeeded   2m32s
crossplane                           crossplane.tanzu.vmware.com                           0.2.1             Reconcile succeeded   4m13s
developer-conventions                developer-conventions.tanzu.vmware.com                0.11.0            Reconcile succeeded   2m
dotnet-core-lite-buildpack           dotnet-core-lite.buildpacks.tanzu.vmware.com          2.6.2             Reconcile succeeded   3m34s
fluxcd-source-controller             fluxcd.source.controller.tanzu.vmware.com             0.36.1-build.2    Reconcile succeeded   4m13s
go-lite-buildpack                    go-lite.buildpacks.tanzu.vmware.com                   2.1.4             Reconcile succeeded   3m34s
grype                                grype.scanning.apps.tanzu.vmware.com                  1.6.66            Reconcile succeeded   2m4s
java-lite-buildpack                  java-lite.buildpacks.tanzu.vmware.com                 9.0.4             Reconcile succeeded   3m34s
java-native-image-lite-buildpack     java-native-image-lite.buildpacks.tanzu.vmware.com    7.0.4             Reconcile succeeded   3m34s
local-source-proxy                   local-source-proxy.apps.tanzu.vmware.com              0.1.0             Reconcile succeeded   4m13s
metadata-store                       metadata-store.apps.tanzu.vmware.com                  1.6.2             Reconcile succeeded   101s
namespace-provisioner                namespace-provisioner.apps.tanzu.vmware.com           0.4.0             Reconcile succeeded   4m13s
nodejs-lite-buildpack                nodejs-lite.buildpacks.tanzu.vmware.com               2.2.3             Reconcile succeeded   3m34s
ootb-delivery-basic                  ootb-delivery-basic.tanzu.vmware.com                  0.13.6            Reconcile succeeded   110s
ootb-supply-chain-testing-scanning   ootb-supply-chain-testing-scanning.tanzu.vmware.com   0.13.6            Reconcile succeeded   110s
ootb-templates                       ootb-templates.tanzu.vmware.com                       0.13.6            Reconcile succeeded   2m
python-lite-buildpack                python-lite.buildpacks.tanzu.vmware.com               2.3.8             Reconcile succeeded   3m34s
ruby-lite-buildpack                  ruby-lite.buildpacks.tanzu.vmware.com                 2.5.2             Reconcile succeeded   3m34s
scanning                             scanning.apps.tanzu.vmware.com                        1.6.67            Reconcile succeeded   2m32s
service-bindings                     service-bindings.labs.vmware.com                      0.9.1             Reconcile succeeded   4m13s
services-toolkit                     services-toolkit.tanzu.vmware.com                     0.11.0            Reconcile succeeded   2m32s
source-controller                    controller.source.apps.tanzu.vmware.com               0.8.0             Reconcile succeeded   2m32s
spring-boot-conventions              spring-boot-conventions.tanzu.vmware.com              1.6.1             Reconcile succeeded   2m
tap                                  tap.tanzu.vmware.com                                  1.6.1             Reconcile succeeded   4m36s
tap-auth                             tap-auth.tanzu.vmware.com                             1.1.0             Reconcile succeeded   4m13s
tap-gui                              tap-gui.tanzu.vmware.com                              1.6.4             Reconcile succeeded   101s
tap-telemetry                        tap-telemetry.tanzu.vmware.com                        0.6.1             Reconcile succeeded   4m28s
tekton-pipelines                     tekton.tanzu.vmware.com                               0.41.0+tap.8      Reconcile succeeded   4m13s
web-servers-lite-buildpack           web-servers-lite.buildpacks.tanzu.vmware.com          0.13.1            Reconcile succeeded   3m34s

The deployed Pods are as follows.

$ kubectl get pod -A | grep -v kube-system  | grep -v local-path-storage
NAMESPACE                    NAME                                                           READY   STATUS    RESTARTS   AGE
accelerator-system           acc-engine-6f8db684c5-vs82m                                    1/1     Running   0          117s
accelerator-system           acc-server-56c9d8bf45-tx9lk                                    1/1     Running   0          116s
accelerator-system           accelerator-controller-manager-6c7fd869b4-hsm2x                1/1     Running   0          117s
api-auto-registration        api-auto-registration-controller-6fbd78bd5c-vs24t              1/1     Running   0          2m48s
app-live-view-connector      application-live-view-connector-r8cdb                          1/1     Running   0          4m26s
app-live-view-conventions    appliveview-webhook-586484d766-wnzws                           1/1     Running   0          2m18s
app-live-view                application-live-view-server-f76d4df57-nv8pm                   1/1     Running   0          117s
appliveview-tokens-system    appliveview-apiserver-7f69dc69b6-8blvp                         1/1     Running   0          2m47s
build-service                build-pod-image-fetcher-2jgbd                                  5/5     Running   0          4m14s
build-service                dependency-updater-controller-64b8fb5569-gq6dw                 1/1     Running   0          4m12s
build-service                secret-syncer-controller-b65996878-tt4qv                       1/1     Running   0          4m14s
build-service                warmer-controller-7cb45c4b58-mhcq8                             1/1     Running   0          4m14s
cartographer-system          cartographer-controller-79dc6d6479-8lktg                       1/1     Running   0          2m46s
cartographer-system          cartographer-conventions-controller-manager-7748966c58-x99vk   1/1     Running   0          2m46s
cert-injection-webhook       cert-injection-webhook-6445c878b4-2nr74                        1/1     Running   0          4m12s
cert-manager                 cert-manager-7d668f9fd5-wj96p                                  1/1     Running   0          4m15s
cert-manager                 cert-manager-cainjector-78bd945b49-p9z5x                       1/1     Running   0          4m15s
cert-manager                 cert-manager-webhook-bc7898c8c-fptx5                           1/1     Running   0          4m15s
crossplane-system            crossplane-86cc7fd8f9-mqcsz                                    1/1     Running   0          4m22s
crossplane-system            crossplane-rbac-manager-59bfd8d56c-8fbp2                       1/1     Running   0          4m22s
crossplane-system            provider-helm-114a45ad4a03-54bdbf6bbc-kz7zb                    1/1     Running   0          87m
crossplane-system            provider-kubernetes-5c227ff2984d-5fbbcff7c4-9kd8t              1/1     Running   0          87m
developer-conventions        webhook-5cb5fbcf88-rlvn9                                       1/1     Running   0          2m17s
flux-system                  fluxcd-source-controller-856b6f6754-4nq52                      1/1     Running   0          4m28s
kapp-controller              kapp-controller-6bf98fb6c-6vdgm                                2/2     Running   0          101m
knative-serving              activator-69596868b6-rj6pj                                     1/1     Running   0          112s
knative-serving              autoscaler-5fcccfff7c-rxjt8                                    1/1     Running   0          112s
knative-serving              autoscaler-hpa-b577465f6-mdmts                                 1/1     Running   0          111s
knative-serving              controller-6798d76cbd-2l4qn                                    1/1     Running   0          112s
knative-serving              domain-mapping-779f947495-pdxk4                                1/1     Running   0          112s
knative-serving              domainmapping-webhook-67f67d86c9-fbmb6                         1/1     Running   0          112s
knative-serving              net-certmanager-controller-594744568b-2wtmn                    1/1     Running   0          111s
knative-serving              net-certmanager-webhook-6bd7b6d7b6-ph8qw                       1/1     Running   0          111s
knative-serving              net-contour-controller-bbd9f7f7f-9vrsg                         1/1     Running   0          111s
knative-serving              webhook-84794fbbc9-7bbds                                       1/1     Running   0          111s
kpack                        kpack-controller-df9bb597-6r6sq                                1/1     Running   0          4m14s
kpack                        kpack-webhook-594df8bb87-8zgck                                 1/1     Running   0          4m14s
metadata-store               metadata-store-app-5c49c7c8c6-hvxtc                            2/2     Running   0          117s
metadata-store               metadata-store-db-0                                            1/1     Running   0          117s
metallb-system               controller-595f88d88f-hv2qj                                    1/1     Running   0          115m
metallb-system               speaker-jqbr6                                                  1/1     Running   0          115m
scan-link-system             scan-link-controller-manager-7cd99966b5-svkbp                  2/2     Running   0          2m46s
secretgen-controller         secretgen-controller-76cd6cdcc5-zwv4k                          1/1     Running   0          101m
service-bindings             manager-b4f74fb5c-9jwrd                                        1/1     Running   0          4m27s
services-toolkit             resource-claims-apiserver-59f4f56885-zrz25                     1/1     Running   0          2m47s
services-toolkit             services-toolkit-controller-manager-7f4d899489-55h5w           1/1     Running   0          2m47s
source-system                source-controller-manager-767c5b4488-gfph6                     1/1     Running   0          2m49s
spring-boot-convention       spring-boot-webhook-5f4bbccbdb-mw4gk                           1/1     Running   0          2m17s
stacks-operator-system       controller-manager-5c548bbf49-wvpbc                            1/1     Running   0          4m12s
tanzu-system-ingress         contour-7db987f649-c4769                                       1/1     Running   0          2m46s
tanzu-system-ingress         envoy-hfrql                                                    2/2     Running   0          2m47s
tap-gui                      server-757488cff8-dx8l4                                        1/1     Running   0          118s
tap-local-source-system      local-source-proxy-8476b8dc96-nvsl8                            1/1     Running   0          4m29s
tap-namespace-provisioning   controller-manager-6c98988fb8-7rqx8                            1/1     Running   0          4m29s
tap-telemetry                tap-telemetry-informer-65cfdcbb8b-b9hmt                        1/1     Running   0          4m44s
tekton-pipelines-resolvers   tekton-pipelines-remote-resolvers-67f6b5bdd9-rbkmb             1/1     Running   0          4m27s
tekton-pipelines             tekton-pipelines-controller-549974c7f8-89d7c                   1/1     Running   0          4m27s
tekton-pipelines             tekton-pipelines-webhook-765dddbbd6-gvdnj                      1/1     Running   0          4m27s 

The requested resources are as follows.

$ kubectl describe node
...
Allocated resources:
  (Total limits may be over 100 percent, i.e., overcommitted.)
  Resource           Requests          Limits
  --------           --------          ------
  cpu                5330m (44%)       19625m (163%)
  memory             6664380672 (80%)  27392631040 (329%)
  ephemeral-storage  0 (0%)            0 (0%)
Events:
...

Confirm that the LoadBalancer IP specified in tap-values.yaml has been assigned to Envoy.

$ kubectl get svc -n tanzu-system-ingress envoy 
NAME    TYPE           CLUSTER-IP    EXTERNAL-IP       PORT(S)                      AGE
envoy   LoadBalancer   10.96.74.85   192.168.228.200   80:32585/TCP,443:30868/TCP   12m

List the installed Builders.

$ kubectl get clusterbuilder 
NAME         LATESTIMAGE                                                                                           READY
base-jammy   ghcr.io/making/buildservice@sha256:e5178ac71369fe6162f135ec5e7566db83e40f0079a5019d74d5f95835bf3a6c   True
default      ghcr.io/making/buildservice@sha256:e5178ac71369fe6162f135ec5e7566db83e40f0079a5019d74d5f95835bf3a6c   True

List the published endpoints (HTTPProxy resources).

$ kubectl get httpproxy -A        
NAMESPACE        NAME                     FQDN                                          TLS SECRET     STATUS   STATUS DESCRIPTION
metadata-store   metadata-store-ingress   metadata-store.tap.192-168-228-200.sslip.io   ingress-cert   valid    Valid HTTPProxy
tap-gui          tap-gui                  tap-gui.tap.192-168-228-200.sslip.io          tap-gui-cert   valid    Valid HTTPProxy

Open https://tap-gui.tap.192-168-228-200.sslip.io to access the TAP GUI.


Deploying a Workload

Create the registry-credentials secret. Because of --export-to-all-namespaces the secret is exported so that it can be imported into any namespace, including the developer namespace created below, so scope ${GITHUB_API_TOKEN} to the package read/write permissions the build actually needs rather than using a broadly scoped token.

tanzu secret registry add registry-credentials \
  --server ghcr.io \
  --username ${GITHUB_USERNAME} \
  --password ${GITHUB_API_TOKEN} \
  --namespace tap-install \
  --export-to-all-namespaces \
  -y

Create the Namespace. The apps.tanzu.vmware.com/tap-ns label marks it for the Namespace Provisioner, which creates the service account, RBAC and secret imports that a Workload needs in that namespace.

kubectl create ns demo
kubectl label namespaces demo apps.tanzu.vmware.com/tap-ns=""

Confirm that the source-test-scan-to-url Supply Chain is available.

$ tanzu apps cluster-supply-chain list
NAME                         READY   AGE
scanning-image-scan-to-url   Ready   15m
source-test-scan-to-url      Ready   15m

To view details: "tanzu apps cluster-supply-chain get <name>"

Create a Tekton Pipeline. A dummy pipeline that only echoes 'skip' is used here, so the source-tester stage of the supply chain passes without running any tests; a real pipeline would fetch the source from $(params.source-url) and run the project's test suite, which is what makes that stage a meaningful gate.

kubectl apply -f - -n demo << 'EOF'
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: skip-test-pipeline
  labels:
    apps.tanzu.vmware.com/pipeline: test
    apps.tanzu.vmware.com/language: skip
spec:
  params:
  - name: source-url
  - name: source-revision
  tasks:
  - name: test
    params:
    - name: source-url
      value: $(params.source-url)
    - name: source-revision
      value: $(params.source-revision)
    taskSpec:
      params:
      - name: source-url
      - name: source-revision
      steps:
      - name: test
        image: alpine
        script: |-
          echo 'skip'
EOF

Create a ScanPolicy. Here the policy denies only findings rated UnknownSeverity and lets everything else through, including Critical and High. That is convenient for a local trial but is not a production gate; there, at least Critical and High belong in notAllowedSeverities.

kubectl apply -f - -n demo << 'EOF'
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: ScanPolicy
metadata:
  labels:
    app.kubernetes.io/part-of: enable-in-gui
  name: scan-policy
spec:
  regoFile: |
    package main
    
    # Accepted Values: "Critical", "High", "Medium", "Low", "Negligible", "UnknownSeverity"
    notAllowedSeverities := ["UnknownSeverity"]
    
    ignoreCves := []
    
    contains(array, elem) = true {
      array[_] = elem
    } else = false { true }
    
    isSafe(match) {
      severities := { e | e := match.ratings.rating.severity } | { e | e := match.ratings.rating[_].severity }
      some i
      fails := contains(notAllowedSeverities, severities[i])
      not fails
    }
    
    isSafe(match) {
      ignore := contains(ignoreCves, match.id)
      ignore
    }
    
    deny[msg] {
      comps := { e | e := input.bom.components.component } | { e | e := input.bom.components.component[_] }
      some i
      comp := comps[i]
      vulns := { e | e := comp.vulnerabilities.vulnerability } | { e | e := comp.vulnerabilities.vulnerability[_] }
      some j
      vuln := vulns[j]
      ratings := { e | e := vuln.ratings.rating.severity } | { e | e := vuln.ratings.rating[_].severity }
      not isSafe(vuln)
      msg = sprintf("CVE %s %s %s", [comp.name, vuln.id, ratings])
    }
EOF
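To see what this policy actually denies before committing it to the cluster, the following added example (my code, not TAP's or VMware's evaluator) re-implements the deny/isSafe rules above in Python and runs them over a constructed SBOM in the XML-derived layout the Rego reads (input.bom.components.component[*].vulnerabilities.vulnerability[*].ratings.rating[*], where each level may be a single object or a list). The CVE ids in the sample are placeholders, and the strict flag is an assumption of this example that shows a tighter reading of the first isSafe rule; it is not part of the page's policy.

```python
"""Offline model of the ScanPolicy Rego above (added example, not TAP's evaluator)."""
from __future__ import annotations

from collections.abc import Sequence
from typing import Any


def _as_list(node: Any) -> list:
    """The Rego `x.y | x.y[_]` idiom: accept a single object or a list."""
    if node is None:
        return []
    return node if isinstance(node, list) else [node]


def _severities(vuln: dict) -> set[str]:
    """Severity strings of all ratings on one vulnerability."""
    ratings = (vuln.get("ratings") or {}).get("rating")
    return {r["severity"] for r in _as_list(ratings) if "severity" in r}


def is_safe(vuln: dict, not_allowed: Sequence[str], ignore_cves: Sequence[str] = (),
            strict: bool = False) -> bool:
    """Mirror of the two isSafe rules.

    The first Rego rule is existential (`some i ... not fails`): a vulnerability
    is safe as soon as ONE of its ratings is outside not_allowed, even if another
    rating is Critical.  strict=True (an assumption of this example) shows the
    tighter reading where EVERY rating must be outside not_allowed.  The second
    rule accepts any id listed in ignore_cves.
    """
    if vuln.get("id") in ignore_cves:
        return True
    sevs = _severities(vuln)
    if strict:
        return bool(sevs) and all(s not in not_allowed for s in sevs)
    return any(s not in not_allowed for s in sevs)


def evaluate(bom: dict, not_allowed: Sequence[str], ignore_cves: Sequence[str] = (),
             strict: bool = False) -> list[str]:
    """Return the deny messages in the same shape as the Rego's sprintf."""
    msgs = []
    for comp in _as_list(bom["bom"]["components"]["component"]):
        vulns = (comp.get("vulnerabilities") or {}).get("vulnerability")
        for vuln in _as_list(vulns):
            if not is_safe(vuln, not_allowed, ignore_cves, strict):
                msgs.append(f"CVE {comp['name']} {vuln['id']} {sorted(_severities(vuln))}")
    return msgs


# Constructed SBOM in the XML-derived layout; the ids are placeholders, not real CVEs.
SAMPLE_BOM = {"bom": {"components": {"component": [
    {"name": "openssl", "vulnerabilities": {"vulnerability": [
        {"id": "CVE-0000-0001", "ratings": {"rating": {"severity": "Critical"}}},
        # one vulnerability with two ratings (CycloneDX allows several sources)
        {"id": "CVE-0000-0002", "ratings": {"rating": [{"severity": "Critical"},
                                                       {"severity": "Low"}]}},
    ]}},
    {"name": "zlib", "vulnerabilities": {"vulnerability":
        {"id": "CVE-0000-0003", "ratings": {"rating": {"severity": "UnknownSeverity"}}}}},
    {"name": "busybox"},  # component without any findings
]}}}

PAGE_POLICY = ["UnknownSeverity"]                      # the policy applied above
STRICT_POLICY = ["Critical", "High", "UnknownSeverity"]  # a production-style policy

if __name__ == "__main__":
    print("page policy:  ", evaluate(SAMPLE_BOM, PAGE_POLICY))
    print("strict policy:", evaluate(SAMPLE_BOM, STRICT_POLICY))
    print("strict, every rating checked:", evaluate(SAMPLE_BOM, STRICT_POLICY, strict=True))
```

With the page's policy only the UnknownSeverity finding is denied. With the production-style list, CVE-0000-0001 is denied but CVE-0000-0002 still passes, because its Low rating satisfies the existential first isSafe rule; only the strict reading denies it. If that behaviour matters to you, the first isSafe rule in the Rego needs to become a universal check (for example, a comprehension that collects the disallowed severities of the match and requires it to be empty) rather than the `some i ... not fails` form used here.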

Create the Workload. The apps.tanzu.vmware.com/has-tests=true label is what the source-test-scan-to-url supply chain's selector matches on; without it the Workload would not be picked up by that supply chain.

tanzu apps workload apply hello-nodejs \
  --app hello-nodejs \
  --git-repo https://github.com/making/hello-nodejs \
  --git-branch master \
  --type web \
  --label apps.tanzu.vmware.com/has-tests=true \
  -n demo \
  -y

After a while, checking the Workload status produces output like the following.

$ tanzu apps workload get hello-nodejs --namespace demo
📡 Overview
   name:        hello-nodejs
   type:        web
   namespace:   demo

💾 Source
   type:       git
   url:        https://github.com/making/hello-nodejs
   branch:     master
   revision:   master@sha1:fde413c0fba0003c218a60bde69c8e254d3b15a6

📦 Supply Chain
   name:   source-test-scan-to-url

   NAME               READY   HEALTHY   UPDATED   RESOURCE
   source-provider    True    True      7m11s     gitrepositories.source.toolkit.fluxcd.io/hello-nodejs
   source-tester      True    True      6m51s     runnables.carto.run/hello-nodejs
   image-provider     True    True      5m20s     images.kpack.io/hello-nodejs
   image-scanner      True    True      3m46s     imagescans.scanning.apps.tanzu.vmware.com/hello-nodejs
   config-provider    True    True      3m31s     podintents.conventions.carto.run/hello-nodejs
   app-config         True    True      3m31s     configmaps/hello-nodejs
   service-bindings   True    True      3m30s     configmaps/hello-nodejs-with-claims
   api-descriptors    True    True      3m30s     configmaps/hello-nodejs-with-api-descriptors
   config-writer      True    True      2m59s     runnables.carto.run/hello-nodejs-config-writer

🚚 Delivery
   name:   delivery-basic

   NAME              READY   HEALTHY   UPDATED   RESOURCE
   source-provider   True    True      2m4s      imagerepositories.source.apps.tanzu.vmware.com/hello-nodejs-delivery
   deployer          True    True      2m1s      apps.kappctrl.k14s.io/hello-nodejs

💬 Messages
   No messages found.

🛶 Pods
   NAME                                             READY   STATUS      RESTARTS   AGE
   hello-nodejs-00001-deployment-5fbbdf78f4-zg47q   2/2     Running     0          19s
   hello-nodejs-9mlvf-test-pod                      0/1     Completed   0          7m6s
   hello-nodejs-build-1-build-pod                   0/1     Completed   0          6m49s
   hello-nodejs-config-writer-s7nh7-pod             0/1     Completed   0          3m28s
   scan-hello-nodejs-9szvs-pod                      0/7     Completed   1          5m20s

🚢 Knative Services
   NAME           READY   URL
   hello-nodejs   Ready   https://hello-nodejs.demo.tap.192-168-228-200.sslip.io

To see logs: "tanzu apps workload tail hello-nodejs --namespace demo --timestamp --since 1h"

Access the application. The -k flag skips TLS verification; it is needed only because the host does not trust the issuer of the ingress certificate, and should be dropped once that issuer's CA is installed locally.

$ curl -k https://hello-nodejs.demo.tap.192-168-228-200.sslip.io/
Hello World!!

Check the Supply Chain list in the TAP GUI.

https://tap-gui.tap.192-168-228-200.sslip.io/supply-chain


Click hello-nodejs.

https://tap-gui.tap.192-168-228-200.sslip.io/supply-chain/host/demo/hello-nodejs

The Workload is visualized, stage by stage.


The vulnerabilities found in the container image by the image-scanner stage can be reviewed here.


Clicking Delivery shows the application's URL.

