Creating the kind cluster
At least 6 vCPUs and 8 GB of RAM are required.
kind create cluster --image kindest/node:v1.27.3
Installing MetalLB
kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.13.10/config/manifests/metallb-native.yaml
kubectl wait --namespace metallb-system \
--for=condition=ready pod \
--selector=app=metallb \
--timeout=90s
Check the IP range of the docker network from the output of the following command.
$ docker network inspect -f '{{.IPAM.Config}}' kind
[{192.168.228.0/24 192.168.228.1 map[]} {fc00:f853:ccd:e793::/64 fc00:f853:ccd:e793::1 map[]}]
Since 192.168.228.0/24 was output, set 192.168.228.200-192.168.228.250 as the IP range that MetalLB allocates.
kubectl apply -f- << EOF
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: example
  namespace: metallb-system
spec:
  addresses:
  - 192.168.228.200-192.168.228.250
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: empty
  namespace: metallb-system
EOF
From here on, 192.168.228.200-192.168.228.250 is available as the External IP of type=LoadBalancer Services.
The following IP will be used in later steps.
- 192.168.228.200 ... TAP's Envoy
Installing Tanzu Application Platform
Installing the Pivnet CLI
Here, the pivnet CLI is used to download the required software.
The pivnet CLI can be installed with brew.
brew install pivotal/tap/pivnet-cli
Obtain an API token from VMware Tanzu Network and log in with the pivnet CLI.
pivnet login --api-token=<API Token>
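🍎 On Apple Silicon, you can download the pivnet binary from https://github.com/anthonydahanne/pivnet-cli/releases/tag/anthony-dev-20230323.
Accepting the EULAs
If you are installing for the first time, accept the EULAs of the following components.
⚠️ The usage period specified by the EULA is 30 days. That said, no limit is actually enforced by the software.
Installing the Tanzu CLI
From TAP 1.6, the Tanzu CLI can simply be downloaded from GitHub or installed with the brew command.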
ℹ️ https://github.com/vmware-tanzu/tanzu-cli/blob/main/docs/quickstart/install.md
brew install vmware-tanzu/tanzu/tanzu-cli
$ tanzu version
version: v0.90.1
buildDate: 2023-06-29
sha: 8945351c
The way plugins are installed has changed since TAP 1.6.
tanzu plugin clean
tanzu plugin install --group vmware-tap/default:v1.6.1
$ tanzu plugin list
Standalone Plugins
NAME DESCRIPTION TARGET VERSION STATUS
accelerator Manage accelerators in a Kubernetes cluster kubernetes v1.6.0 installed
apps Applications on Kubernetes kubernetes v0.12.1 installed
build-service plugin to interact with tanzu build service (tbs) crds kubernetes v1.0.0 installed
external-secrets interacts with external-secrets.io resources kubernetes v0.1.0-beta.7 installed
insight post & query image, package, source, and vulnerability data kubernetes v1.6.0 installed
package Tanzu package management kubernetes v0.29.0 installed
secret Tanzu secret management kubernetes v0.29.0 installed
services Commands for working with service instances, classes and claims kubernetes v0.7.0 installed
Installing Cluster Essentials for VMware Tanzu
Install Cluster Essentials for VMware Tanzu to deploy Kapp Controller and Secretgen Controller, which are required to install TAP.
# Mac
pivnet download-product-files --product-slug='tanzu-cluster-essentials' --release-version='1.6.0' --glob='tanzu-cluster-essentials-darwin-amd64-*'
# Linux
pivnet download-product-files --product-slug='tanzu-cluster-essentials' --release-version='1.6.0' --glob='tanzu-cluster-essentials-linux-amd64-*'
Install Cluster Essentials.
TANZUNET_USERNAME=...
TANZUNET_PASSWORD=...
mkdir tanzu-cluster-essentials
tar xzvf tanzu-cluster-essentials-*-amd64-*.tgz -C tanzu-cluster-essentials
export INSTALL_BUNDLE=registry.tanzu.vmware.com/tanzu-cluster-essentials/cluster-essentials-bundle:1.6.0
export INSTALL_REGISTRY_HOSTNAME=registry.tanzu.vmware.com
export INSTALL_REGISTRY_USERNAME=${TANZUNET_USERNAME}
export INSTALL_REGISTRY_PASSWORD=${TANZUNET_PASSWORD}
cd tanzu-cluster-essentials
./install.sh --yes
cd ..
Check the Pods.
$ kubectl get pod -n kapp-controller
NAME READY STATUS RESTARTS AGE
kapp-controller-8557d45b9b-qjbsj 2/2 Running 0 37s
$ kubectl get pod -n secretgen-controller
NAME READY STATUS RESTARTS AGE
secretgen-controller-6b6bf7bb4-ngln4 1/1 Running 0 37s
Configuring the Package Repository
Create the TAP Package Repository.
TANZUNET_USERNAME=...
TANZUNET_PASSWORD=...
kubectl create ns tap-install
tanzu secret registry add tap-registry \
--username "${TANZUNET_USERNAME}" \
--password "${TANZUNET_PASSWORD}" \
--server registry.tanzu.vmware.com \
--export-to-all-namespaces \
--yes \
--namespace tap-install
tanzu package repository add tanzu-tap-repository \
--url registry.tanzu.vmware.com/tanzu-application-platform/tap-packages:1.6.1 \
--namespace tap-install
tanzu package repository add full-deps-repository \
--url registry.tanzu.vmware.com/tanzu-application-platform/full-deps-package-repo:1.6.1 \
--namespace tap-install
Check the list of available Packages.
$ kubectl get package -n tap-install
NAME PACKAGEMETADATA NAME VERSION AGE
accelerator.apps.tanzu.vmware.com.1.6.1 accelerator.apps.tanzu.vmware.com 1.6.1 28s
amr-observer.apps.tanzu.vmware.com.0.1.0-alpha.8 amr-observer.apps.tanzu.vmware.com 0.1.0-alpha.8 28s
api-portal.tanzu.vmware.com.1.4.0 api-portal.tanzu.vmware.com 1.4.0 28s
apis.apps.tanzu.vmware.com.0.3.3 apis.apps.tanzu.vmware.com 0.3.3 26s
apiserver.appliveview.tanzu.vmware.com.1.6.1 apiserver.appliveview.tanzu.vmware.com 1.6.1 26s
app-scanning.apps.tanzu.vmware.com.0.1.0-beta.45 app-scanning.apps.tanzu.vmware.com 0.1.0-beta.45 27s
application-configuration-service.tanzu.vmware.com.2.1.0 application-configuration-service.tanzu.vmware.com 2.1.0 28s
backend.appliveview.tanzu.vmware.com.1.6.1 backend.appliveview.tanzu.vmware.com 1.6.1 28s
base-jammy-builder-lite.buildpacks.tanzu.vmware.com.0.1.0 base-jammy-builder-lite.buildpacks.tanzu.vmware.com 0.1.0 28s
base-jammy-builder.buildpacks.tanzu.vmware.com.0.1.0 base-jammy-builder.buildpacks.tanzu.vmware.com 0.1.0 8s
base-jammy-stack-lite.buildpacks.tanzu.vmware.com.0.1.41 base-jammy-stack-lite.buildpacks.tanzu.vmware.com 0.1.41 28s
base-jammy-stack.buildpacks.tanzu.vmware.com.0.1.41 base-jammy-stack.buildpacks.tanzu.vmware.com 0.1.41 8s
bitnami.services.tanzu.vmware.com.0.2.0 bitnami.services.tanzu.vmware.com 0.2.0 28s
buildservice.tanzu.vmware.com.1.11.10 buildservice.tanzu.vmware.com 1.11.10 28s
carbonblack.scanning.apps.tanzu.vmware.com.1.2.1-beta.1 carbonblack.scanning.apps.tanzu.vmware.com 1.2.1-beta.1 28s
cartographer.tanzu.vmware.com.0.7.3 cartographer.tanzu.vmware.com 0.7.3 28s
cert-manager.tanzu.vmware.com.2.3.1 cert-manager.tanzu.vmware.com 2.3.1 28s
cnrs.tanzu.vmware.com.2.3.1 cnrs.tanzu.vmware.com 2.3.1 28s
connector.appliveview.tanzu.vmware.com.1.6.1 connector.appliveview.tanzu.vmware.com 1.6.1 28s
contour.tanzu.vmware.com.1.24.4 contour.tanzu.vmware.com 1.24.4 28s
controller.source.apps.tanzu.vmware.com.0.8.0 controller.source.apps.tanzu.vmware.com 0.8.0 28s
conventions.appliveview.tanzu.vmware.com.1.6.1 conventions.appliveview.tanzu.vmware.com 1.6.1 28s
crossplane.tanzu.vmware.com.0.2.1 crossplane.tanzu.vmware.com 0.2.1 28s
developer-conventions.tanzu.vmware.com.0.11.0 developer-conventions.tanzu.vmware.com 0.11.0 28s
dotnet-core-lite.buildpacks.tanzu.vmware.com.2.6.2 dotnet-core-lite.buildpacks.tanzu.vmware.com 2.6.2 28s
dotnet-core.buildpacks.tanzu.vmware.com.2.6.2 dotnet-core.buildpacks.tanzu.vmware.com 2.6.2 8s
eventing.tanzu.vmware.com.2.2.3-build.36 eventing.tanzu.vmware.com 2.2.3-build.36 28s
external-secrets.apps.tanzu.vmware.com.0.6.1+tap.6 external-secrets.apps.tanzu.vmware.com 0.6.1+tap.6 28s
fluxcd.source.controller.tanzu.vmware.com.0.36.1-build.2 fluxcd.source.controller.tanzu.vmware.com 0.36.1-build.2 28s
full-deps.buildservice.tanzu.vmware.com.0.2.3 full-deps.buildservice.tanzu.vmware.com 0.2.3 8s
full-jammy-builder.buildpacks.tanzu.vmware.com.0.1.0 full-jammy-builder.buildpacks.tanzu.vmware.com 0.1.0 8s
full-jammy-stack.buildpacks.tanzu.vmware.com.0.1.79 full-jammy-stack.buildpacks.tanzu.vmware.com 0.1.79 8s
go-lite.buildpacks.tanzu.vmware.com.2.1.4 go-lite.buildpacks.tanzu.vmware.com 2.1.4 28s
go.buildpacks.tanzu.vmware.com.2.1.4 go.buildpacks.tanzu.vmware.com 2.1.4 8s
grype.scanning.apps.tanzu.vmware.com.1.6.66 grype.scanning.apps.tanzu.vmware.com 1.6.66 28s
java-lite.buildpacks.tanzu.vmware.com.9.0.4 java-lite.buildpacks.tanzu.vmware.com 9.0.4 27s
java-native-image-lite.buildpacks.tanzu.vmware.com.7.0.4 java-native-image-lite.buildpacks.tanzu.vmware.com 7.0.4 27s
java-native-image.buildpacks.tanzu.vmware.com.7.0.4 java-native-image.buildpacks.tanzu.vmware.com 7.0.4 8s
java.buildpacks.tanzu.vmware.com.9.0.4 java.buildpacks.tanzu.vmware.com 9.0.4 8s
learningcenter.tanzu.vmware.com.0.3.1 learningcenter.tanzu.vmware.com 0.3.1 27s
local-source-proxy.apps.tanzu.vmware.com.0.1.0 local-source-proxy.apps.tanzu.vmware.com 0.1.0 27s
metadata-store.apps.tanzu.vmware.com.1.6.2 metadata-store.apps.tanzu.vmware.com 1.6.2 28s
namespace-provisioner.apps.tanzu.vmware.com.0.4.0 namespace-provisioner.apps.tanzu.vmware.com 0.4.0 28s
nodejs-lite.buildpacks.tanzu.vmware.com.2.2.3 nodejs-lite.buildpacks.tanzu.vmware.com 2.2.3 28s
nodejs.buildpacks.tanzu.vmware.com.2.2.3 nodejs.buildpacks.tanzu.vmware.com 2.2.3 8s
ootb-delivery-basic.tanzu.vmware.com.0.13.6 ootb-delivery-basic.tanzu.vmware.com 0.13.6 28s
ootb-supply-chain-basic.tanzu.vmware.com.0.13.6 ootb-supply-chain-basic.tanzu.vmware.com 0.13.6 28s
ootb-supply-chain-testing-scanning.tanzu.vmware.com.0.13.6 ootb-supply-chain-testing-scanning.tanzu.vmware.com 0.13.6 28s
ootb-supply-chain-testing.tanzu.vmware.com.0.13.6 ootb-supply-chain-testing.tanzu.vmware.com 0.13.6 28s
ootb-templates.tanzu.vmware.com.0.13.6 ootb-templates.tanzu.vmware.com 0.13.6 28s
php.buildpacks.tanzu.vmware.com.2.3.3 php.buildpacks.tanzu.vmware.com 2.3.3 8s
policy.apps.tanzu.vmware.com.1.4.0 policy.apps.tanzu.vmware.com 1.4.0 28s
procfile.buildpacks.tanzu.vmware.com.5.6.1 procfile.buildpacks.tanzu.vmware.com 5.6.1 8s
python-lite.buildpacks.tanzu.vmware.com.2.3.8 python-lite.buildpacks.tanzu.vmware.com 2.3.8 28s
python.buildpacks.tanzu.vmware.com.2.3.8 python.buildpacks.tanzu.vmware.com 2.3.8 8s
ruby-lite.buildpacks.tanzu.vmware.com.2.5.2 ruby-lite.buildpacks.tanzu.vmware.com 2.5.2 28s
ruby.buildpacks.tanzu.vmware.com.2.5.2 ruby.buildpacks.tanzu.vmware.com 2.5.2 8s
scanning.apps.tanzu.vmware.com.1.6.67 scanning.apps.tanzu.vmware.com 1.6.67 28s
service-bindings.labs.vmware.com.0.9.1 service-bindings.labs.vmware.com 0.9.1 28s
services-toolkit.tanzu.vmware.com.0.11.0 services-toolkit.tanzu.vmware.com 0.11.0 28s
snyk.scanning.apps.tanzu.vmware.com.1.0.0-beta.71 snyk.scanning.apps.tanzu.vmware.com 1.0.0-beta.71 28s
spring-boot-conventions.tanzu.vmware.com.1.6.1 spring-boot-conventions.tanzu.vmware.com 1.6.1 26s
spring-cloud-gateway.tanzu.vmware.com.2.0.3 spring-cloud-gateway.tanzu.vmware.com 2.0.3 26s
sso.apps.tanzu.vmware.com.4.0.0 sso.apps.tanzu.vmware.com 4.0.0 26s
tap-auth.tanzu.vmware.com.1.1.0 tap-auth.tanzu.vmware.com 1.1.0 26s
tap-gui.tanzu.vmware.com.1.6.4 tap-gui.tanzu.vmware.com 1.6.4 28s
tap-telemetry.tanzu.vmware.com.0.6.1 tap-telemetry.tanzu.vmware.com 0.6.1 28s
tap.tanzu.vmware.com.1.6.1 tap.tanzu.vmware.com 1.6.1 28s
tekton.tanzu.vmware.com.0.41.0+tap.8 tekton.tanzu.vmware.com 0.41.0+tap.8 28s
tiny-jammy-builder.buildpacks.tanzu.vmware.com.0.1.0 tiny-jammy-builder.buildpacks.tanzu.vmware.com 0.1.0 8s
tiny-jammy-stack.buildpacks.tanzu.vmware.com.0.1.43 tiny-jammy-stack.buildpacks.tanzu.vmware.com 0.1.43 8s
tpb.tanzu.vmware.com.0.1.2 tpb.tanzu.vmware.com 0.1.2 27s
web-servers-lite.buildpacks.tanzu.vmware.com.0.13.1 web-servers-lite.buildpacks.tanzu.vmware.com 0.13.1 27s
web-servers.buildpacks.tanzu.vmware.com.0.13.1 web-servers.buildpacks.tanzu.vmware.com 0.13.1 8s
workshops.learningcenter.tanzu.vmware.com.0.3.0 workshops.learningcenter.tanzu.vmware.com 0.3.0 27s
Installing the Full profile
https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.6/tap/install-online-profile.html
Install the Full profile.
Create the Secret for Buildservice, which is used for tasks such as creating Builders.
GITHUB_USERNAME=...
GITHUB_API_TOKEN=...
tanzu secret registry add buildservice-regcred \
  --username "${GITHUB_USERNAME}" \
  --password "${GITHUB_API_TOKEN}" \
  --server ghcr.io \
  --yes \
  --namespace tap-install
Prepare tap-values.yaml. Since we are installing the Full profile anyway, set the Supply Chain to testing_scanning. Also, use the full dependencies for Buildservice.
cat <<EOF > tap-values.yaml
shared:
  ingress_domain: tap.192-168-228-200.sslip.io
  ingress_issuer: tap-ingress-selfsigned
  image_registry:
    project_path: ghcr.io/${GITHUB_USERNAME}
    secret:
      name: buildservice-regcred
      namespace: tap-install
  kubernetes_version: "1.27"
ceip_policy_disclosed: true
profile: full
supply_chain: testing_scanning
contour:
  contour:
    replicas: 1
  envoy:
    service:
      type: LoadBalancer
      loadBalancerIP: 192.168.228.200
buildservice:
  exclude_dependencies: false
tap_gui:
  metadataStoreAutoconfiguration: true
  app_config:
    auth:
      allowGuestAccess: true
metadata_store:
  ns_for_export_app_cert: "*"
  app_service_type: ClusterIP
  pg_req_cpu: "200m"
  pg_req_memory: "200Mi"
scanning:
  metadataStore:
    url: "" # Configuration is moved, so set this string to empty.
# The settings below are for saving resources
cnrs:
  lite:
    enable: true
  pdb:
    enable: false
cartographer:
  cartographer:
    resources:
      requests:
        cpu: 100m
        memory: 200Mi
crossplane:
  resourcesCrossplane:
    requests:
      cpu: 100m
      memory: 200Mi
  resourcesRBACManager:
    requests:
      cpu: 100m
      memory: 200Mi
excluded_packages:
- policy.apps.tanzu.vmware.com
- image-policy-webhook.signing.apps.tanzu.vmware.com
- eventing.tanzu.vmware.com
- sso.apps.tanzu.vmware.com
- learningcenter.tanzu.vmware.com
- workshops.learningcenter.tanzu.vmware.com
- api-portal.tanzu.vmware.com
EOF
Install TAP.
tanzu package install tap \
-p tap.tanzu.vmware.com \
-v 1.6.1 \
--values-file tap-values.yaml \
-n tap-install
Check the installed PackageInstalls.
$ kubectl get pkgi -n tap-install
NAME PACKAGE NAME PACKAGE VERSION DESCRIPTION AGE
accelerator accelerator.apps.tanzu.vmware.com 1.6.1 Reconcile succeeded 101s
api-auto-registration apis.apps.tanzu.vmware.com 0.3.3 Reconcile succeeded 2m32s
appliveview backend.appliveview.tanzu.vmware.com 1.6.1 Reconcile succeeded 101s
appliveview-apiserver apiserver.appliveview.tanzu.vmware.com 1.6.1 Reconcile succeeded 2m32s
appliveview-connector connector.appliveview.tanzu.vmware.com 1.6.1 Reconcile succeeded 4m13s
appliveview-conventions conventions.appliveview.tanzu.vmware.com 1.6.1 Reconcile succeeded 2m
base-jammy-builder-lite base-jammy-builder-lite.buildpacks.tanzu.vmware.com 0.1.0 Reconcile succeeded 3m18s
base-jammy-stack-lite base-jammy-stack-lite.buildpacks.tanzu.vmware.com 0.1.41 Reconcile succeeded 3m34s
bitnami-services bitnami.services.tanzu.vmware.com 0.2.0 Reconcile succeeded 2m7s
buildservice buildservice.tanzu.vmware.com 1.11.10 Reconcile succeeded 4m13s
cartographer cartographer.tanzu.vmware.com 0.7.3 Reconcile succeeded 2m32s
cert-manager cert-manager.tanzu.vmware.com 2.3.1 Reconcile succeeded 4m13s
cnrs cnrs.tanzu.vmware.com 2.3.1 Reconcile succeeded 101s
contour contour.tanzu.vmware.com 1.24.4 Reconcile succeeded 2m32s
crossplane crossplane.tanzu.vmware.com 0.2.1 Reconcile succeeded 4m13s
developer-conventions developer-conventions.tanzu.vmware.com 0.11.0 Reconcile succeeded 2m
dotnet-core-lite-buildpack dotnet-core-lite.buildpacks.tanzu.vmware.com 2.6.2 Reconcile succeeded 3m34s
fluxcd-source-controller fluxcd.source.controller.tanzu.vmware.com 0.36.1-build.2 Reconcile succeeded 4m13s
go-lite-buildpack go-lite.buildpacks.tanzu.vmware.com 2.1.4 Reconcile succeeded 3m34s
grype grype.scanning.apps.tanzu.vmware.com 1.6.66 Reconcile succeeded 2m4s
java-lite-buildpack java-lite.buildpacks.tanzu.vmware.com 9.0.4 Reconcile succeeded 3m34s
java-native-image-lite-buildpack java-native-image-lite.buildpacks.tanzu.vmware.com 7.0.4 Reconcile succeeded 3m34s
local-source-proxy local-source-proxy.apps.tanzu.vmware.com 0.1.0 Reconcile succeeded 4m13s
metadata-store metadata-store.apps.tanzu.vmware.com 1.6.2 Reconcile succeeded 101s
namespace-provisioner namespace-provisioner.apps.tanzu.vmware.com 0.4.0 Reconcile succeeded 4m13s
nodejs-lite-buildpack nodejs-lite.buildpacks.tanzu.vmware.com 2.2.3 Reconcile succeeded 3m34s
ootb-delivery-basic ootb-delivery-basic.tanzu.vmware.com 0.13.6 Reconcile succeeded 110s
ootb-supply-chain-testing-scanning ootb-supply-chain-testing-scanning.tanzu.vmware.com 0.13.6 Reconcile succeeded 110s
ootb-templates ootb-templates.tanzu.vmware.com 0.13.6 Reconcile succeeded 2m
python-lite-buildpack python-lite.buildpacks.tanzu.vmware.com 2.3.8 Reconcile succeeded 3m34s
ruby-lite-buildpack ruby-lite.buildpacks.tanzu.vmware.com 2.5.2 Reconcile succeeded 3m34s
scanning scanning.apps.tanzu.vmware.com 1.6.67 Reconcile succeeded 2m32s
service-bindings service-bindings.labs.vmware.com 0.9.1 Reconcile succeeded 4m13s
services-toolkit services-toolkit.tanzu.vmware.com 0.11.0 Reconcile succeeded 2m32s
source-controller controller.source.apps.tanzu.vmware.com 0.8.0 Reconcile succeeded 2m32s
spring-boot-conventions spring-boot-conventions.tanzu.vmware.com 1.6.1 Reconcile succeeded 2m
tap tap.tanzu.vmware.com 1.6.1 Reconcile succeeded 4m36s
tap-auth tap-auth.tanzu.vmware.com 1.1.0 Reconcile succeeded 4m13s
tap-gui tap-gui.tanzu.vmware.com 1.6.4 Reconcile succeeded 101s
tap-telemetry tap-telemetry.tanzu.vmware.com 0.6.1 Reconcile succeeded 4m28s
tekton-pipelines tekton.tanzu.vmware.com 0.41.0+tap.8 Reconcile succeeded 4m13s
web-servers-lite-buildpack web-servers-lite.buildpacks.tanzu.vmware.com 0.13.1 Reconcile succeeded 3m34s
The deployed Pods are as follows.
$ kubectl get pod -A | grep -v kube-system | grep -v local-path-storage
NAMESPACE NAME READY STATUS RESTARTS AGE
accelerator-system acc-engine-6f8db684c5-vs82m 1/1 Running 0 117s
accelerator-system acc-server-56c9d8bf45-tx9lk 1/1 Running 0 116s
accelerator-system accelerator-controller-manager-6c7fd869b4-hsm2x 1/1 Running 0 117s
api-auto-registration api-auto-registration-controller-6fbd78bd5c-vs24t 1/1 Running 0 2m48s
app-live-view-connector application-live-view-connector-r8cdb 1/1 Running 0 4m26s
app-live-view-conventions appliveview-webhook-586484d766-wnzws 1/1 Running 0 2m18s
app-live-view application-live-view-server-f76d4df57-nv8pm 1/1 Running 0 117s
appliveview-tokens-system appliveview-apiserver-7f69dc69b6-8blvp 1/1 Running 0 2m47s
build-service build-pod-image-fetcher-2jgbd 5/5 Running 0 4m14s
build-service dependency-updater-controller-64b8fb5569-gq6dw 1/1 Running 0 4m12s
build-service secret-syncer-controller-b65996878-tt4qv 1/1 Running 0 4m14s
build-service warmer-controller-7cb45c4b58-mhcq8 1/1 Running 0 4m14s
cartographer-system cartographer-controller-79dc6d6479-8lktg 1/1 Running 0 2m46s
cartographer-system cartographer-conventions-controller-manager-7748966c58-x99vk 1/1 Running 0 2m46s
cert-injection-webhook cert-injection-webhook-6445c878b4-2nr74 1/1 Running 0 4m12s
cert-manager cert-manager-7d668f9fd5-wj96p 1/1 Running 0 4m15s
cert-manager cert-manager-cainjector-78bd945b49-p9z5x 1/1 Running 0 4m15s
cert-manager cert-manager-webhook-bc7898c8c-fptx5 1/1 Running 0 4m15s
crossplane-system crossplane-86cc7fd8f9-mqcsz 1/1 Running 0 4m22s
crossplane-system crossplane-rbac-manager-59bfd8d56c-8fbp2 1/1 Running 0 4m22s
crossplane-system provider-helm-114a45ad4a03-54bdbf6bbc-kz7zb 1/1 Running 0 87m
crossplane-system provider-kubernetes-5c227ff2984d-5fbbcff7c4-9kd8t 1/1 Running 0 87m
developer-conventions webhook-5cb5fbcf88-rlvn9 1/1 Running 0 2m17s
flux-system fluxcd-source-controller-856b6f6754-4nq52 1/1 Running 0 4m28s
kapp-controller kapp-controller-6bf98fb6c-6vdgm 2/2 Running 0 101m
knative-serving activator-69596868b6-rj6pj 1/1 Running 0 112s
knative-serving autoscaler-5fcccfff7c-rxjt8 1/1 Running 0 112s
knative-serving autoscaler-hpa-b577465f6-mdmts 1/1 Running 0 111s
knative-serving controller-6798d76cbd-2l4qn 1/1 Running 0 112s
knative-serving domain-mapping-779f947495-pdxk4 1/1 Running 0 112s
knative-serving domainmapping-webhook-67f67d86c9-fbmb6 1/1 Running 0 112s
knative-serving net-certmanager-controller-594744568b-2wtmn 1/1 Running 0 111s
knative-serving net-certmanager-webhook-6bd7b6d7b6-ph8qw 1/1 Running 0 111s
knative-serving net-contour-controller-bbd9f7f7f-9vrsg 1/1 Running 0 111s
knative-serving webhook-84794fbbc9-7bbds 1/1 Running 0 111s
kpack kpack-controller-df9bb597-6r6sq 1/1 Running 0 4m14s
kpack kpack-webhook-594df8bb87-8zgck 1/1 Running 0 4m14s
metadata-store metadata-store-app-5c49c7c8c6-hvxtc 2/2 Running 0 117s
metadata-store metadata-store-db-0 1/1 Running 0 117s
metallb-system controller-595f88d88f-hv2qj 1/1 Running 0 115m
metallb-system speaker-jqbr6 1/1 Running 0 115m
scan-link-system scan-link-controller-manager-7cd99966b5-svkbp 2/2 Running 0 2m46s
secretgen-controller secretgen-controller-76cd6cdcc5-zwv4k 1/1 Running 0 101m
service-bindings manager-b4f74fb5c-9jwrd 1/1 Running 0 4m27s
services-toolkit resource-claims-apiserver-59f4f56885-zrz25 1/1 Running 0 2m47s
services-toolkit services-toolkit-controller-manager-7f4d899489-55h5w 1/1 Running 0 2m47s
source-system source-controller-manager-767c5b4488-gfph6 1/1 Running 0 2m49s
spring-boot-convention spring-boot-webhook-5f4bbccbdb-mw4gk 1/1 Running 0 2m17s
stacks-operator-system controller-manager-5c548bbf49-wvpbc 1/1 Running 0 4m12s
tanzu-system-ingress contour-7db987f649-c4769 1/1 Running 0 2m46s
tanzu-system-ingress envoy-hfrql 2/2 Running 0 2m47s
tap-gui server-757488cff8-dx8l4 1/1 Running 0 118s
tap-local-source-system local-source-proxy-8476b8dc96-nvsl8 1/1 Running 0 4m29s
tap-namespace-provisioning controller-manager-6c98988fb8-7rqx8 1/1 Running 0 4m29s
tap-telemetry tap-telemetry-informer-65cfdcbb8b-b9hmt 1/1 Running 0 4m44s
tekton-pipelines-resolvers tekton-pipelines-remote-resolvers-67f6b5bdd9-rbkmb 1/1 Running 0 4m27s
tekton-pipelines tekton-pipelines-controller-549974c7f8-89d7c 1/1 Running 0 4m27s
tekton-pipelines tekton-pipelines-webhook-765dddbbd6-gvdnj 1/1 Running 0 4m27s
The requested resources are as follows.
$ kubectl describe node
...
Allocated resources:
(Total limits may be over 100 percent, i.e., overcommitted.)
Resource Requests Limits
-------- -------- ------
cpu 5330m (44%) 19625m (163%)
memory 6664380672 (80%) 27392631040 (329%)
ephemeral-storage 0 (0%) 0 (0%)
Events:
...
Confirm that the LoadBalancer IP specified in tap-values.yaml has been assigned to Envoy.
$ kubectl get svc -n tanzu-system-ingress envoy
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
envoy LoadBalancer 10.96.74.85 192.168.228.200 80:32585/TCP,443:30868/TCP 12m
Check the list of installed Builders.
$ kubectl get clusterbuilder
NAME LATESTIMAGE READY
base-jammy ghcr.io/making/buildservice@sha256:e5178ac71369fe6162f135ec5e7566db83e40f0079a5019d74d5f95835bf3a6c True
default ghcr.io/making/buildservice@sha256:e5178ac71369fe6162f135ec5e7566db83e40f0079a5019d74d5f95835bf3a6c True
Check the list of exposed endpoints.
$ kubectl get httpproxy -A
NAMESPACE NAME FQDN TLS SECRET STATUS STATUS DESCRIPTION
metadata-store metadata-store-ingress metadata-store.tap.192-168-228-200.sslip.io ingress-cert valid Valid HTTPProxy
tap-gui tap-gui tap-gui.tap.192-168-228-200.sslip.io tap-gui-cert valid Valid HTTPProxy
Access TAP GUI at https://tap-gui.tap.192-168-228-200.sslip.io.
Deploying a Workload
Create registry-credentials.
tanzu secret registry add registry-credentials \
  --server ghcr.io \
  --username "${GITHUB_USERNAME}" \
  --password "${GITHUB_API_TOKEN}" \
  --namespace tap-install \
  --export-to-all-namespaces \
  -y
Create the Namespace.
kubectl create ns demo
kubectl label namespaces demo apps.tanzu.vmware.com/tap-ns=""
source-test-scan-to-url
Confirm that the Supply Chain is available.
$ tanzu apps cluster-supply-chain list
NAME READY AGE
scanning-image-scan-to-url Ready 15m
source-test-scan-to-url Ready 15m
To view details: "tanzu apps cluster-supply-chain get <name>"
Create the Tekton pipeline. A dummy pipeline is used here.
kubectl apply -f - -n demo << 'EOF'
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: skip-test-pipeline
  labels:
    apps.tanzu.vmware.com/pipeline: test
    apps.tanzu.vmware.com/language: skip
spec:
  params:
  - name: source-url
  - name: source-revision
  tasks:
  - name: test
    params:
    - name: source-url
      value: $(params.source-url)
    - name: source-revision
      value: $(params.source-revision)
    taskSpec:
      params:
      - name: source-url
      - name: source-revision
      steps:
      - name: test
        image: alpine
        script: |-
          echo 'skip'
EOF
Create the ScanPolicy. Here, the ScanPolicy allows everything other than UnknownSeverity.
kubectl apply -f - -n demo << 'EOF'
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: ScanPolicy
metadata:
  labels:
    app.kubernetes.io/part-of: enable-in-gui
  name: scan-policy
spec:
  regoFile: |
    package main
    # Accepted Values: "Critical", "High", "Medium", "Low", "Negligible", "UnknownSeverity"
    notAllowedSeverities := ["UnknownSeverity"]
    ignoreCves := []
    contains(array, elem) = true {
      array[_] = elem
    } else = false { true }
    isSafe(match) {
      severities := { e | e := match.ratings.rating.severity } | { e | e := match.ratings.rating[_].severity }
      some i
      fails := contains(notAllowedSeverities, severities[i])
      not fails
    }
    isSafe(match) {
      ignore := contains(ignoreCves, match.id)
      ignore
    }
    deny[msg] {
      comps := { e | e := input.bom.components.component } | { e | e := input.bom.components.component[_] }
      some i
      comp := comps[i]
      vulns := { e | e := comp.vulnerabilities.vulnerability } | { e | e := comp.vulnerabilities.vulnerability[_] }
      some j
      vuln := vulns[j]
      ratings := { e | e := vuln.ratings.rating.severity } | { e | e := vuln.ratings.rating[_].severity }
      not isSafe(vuln)
      msg = sprintf("CVE %s %s %s", [comp.name, vuln.id, ratings])
    }
EOF
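The following is an added example, not part of the original post or of TAP: a Python model of the Rego rules above, run on a constructed BOM, showing which findings the scan gate rejects with notAllowedSeverities set to only UnknownSeverity and with a stricter list. The function names, STRICT_POLICY, the component names and the placeholder CVE ids are assumptions made for illustration.

```python
"""Python model of the ScanPolicy Rego above (added example; the BOM is constructed)."""

# Severity list used by the page's ScanPolicy.
PAGE_POLICY = ["UnknownSeverity"]
# Assumption for comparison: a stricter list a team might choose instead.
STRICT_POLICY = ["Critical", "High", "UnknownSeverity"]


def as_list(value):
    """Mirror the Rego set unions: a field may hold one object or a list of objects."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def severities(vuln):
    """Collect every severity under vuln.ratings.rating (single object or list)."""
    ratings = as_list((vuln.get("ratings") or {}).get("rating"))
    return {r["severity"] for r in ratings if isinstance(r, dict) and "severity" in r}


def is_safe(vuln, not_allowed, ignore_cves):
    """isSafe: the id is ignored, or at least one rating is not in the deny list."""
    if vuln.get("id") in ignore_cves:
        return True
    # Existential check, as in the Rego: one allowed severity is enough.
    # A vulnerability with no rating at all has nothing to match and is rejected.
    return any(sev not in not_allowed for sev in severities(vuln))


def deny(bom, not_allowed, ignore_cves=()):
    """Return the sorted (component, vulnerability id) pairs the policy rejects."""
    rejected = []
    for comp in as_list(bom["bom"]["components"].get("component")):
        vulns = as_list((comp.get("vulnerabilities") or {}).get("vulnerability"))
        for vuln in vulns:
            if not is_safe(vuln, not_allowed, ignore_cves):
                rejected.append((comp["name"], vuln["id"]))
    return sorted(rejected)


# Constructed CycloneDX-style input; the CVE ids are placeholders, not real findings.
SAMPLE_BOM = {"bom": {"components": {"component": [
    {"name": "libexample", "vulnerabilities": {"vulnerability": [
        {"id": "CVE-0000-0001", "ratings": {"rating": {"severity": "Critical"}}},
        {"id": "CVE-0000-0002", "ratings": {"rating": [
            {"severity": "UnknownSeverity"}, {"severity": "Low"}]}},
    ]}},
    # Single object instead of a list, the other shape the Rego accepts.
    {"name": "libother", "vulnerabilities": {"vulnerability":
        {"id": "CVE-0000-0003", "ratings": {"rating": {"severity": "UnknownSeverity"}}}}},
    {"name": "libnorating", "vulnerabilities": {"vulnerability": [
        {"id": "CVE-0000-0004"}]}},
    {"name": "libclean"},
]}}}

if __name__ == "__main__":
    print("page policy  :", deny(SAMPLE_BOM, PAGE_POLICY))
    print("strict policy:", deny(SAMPLE_BOM, STRICT_POLICY))
    print("with ignore  :", deny(SAMPLE_BOM, STRICT_POLICY, ["CVE-0000-0001"]))
```

With the page's list the Critical finding is not rejected, and a vulnerability that carries both an UnknownSeverity and a Low rating passes under either list because one allowed rating is sufficient.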
Create the Workload.
tanzu apps workload apply hello-nodejs \
--app hello-nodejs \
--git-repo https://github.com/making/hello-nodejs \
--git-branch master \
--type web \
--label apps.tanzu.vmware.com/has-tests=true \
-n demo \
-y
After a while, checking the status of the Workload gives output like the following.
$ tanzu apps workload get hello-nodejs --namespace demo
📡 Overview
name: hello-nodejs
type: web
namespace: demo
💾 Source
type: git
url: https://github.com/making/hello-nodejs
branch: master
revision: master@sha1:fde413c0fba0003c218a60bde69c8e254d3b15a6
📦 Supply Chain
name: source-test-scan-to-url
NAME READY HEALTHY UPDATED RESOURCE
source-provider True True 7m11s gitrepositories.source.toolkit.fluxcd.io/hello-nodejs
source-tester True True 6m51s runnables.carto.run/hello-nodejs
image-provider True True 5m20s images.kpack.io/hello-nodejs
image-scanner True True 3m46s imagescans.scanning.apps.tanzu.vmware.com/hello-nodejs
config-provider True True 3m31s podintents.conventions.carto.run/hello-nodejs
app-config True True 3m31s configmaps/hello-nodejs
service-bindings True True 3m30s configmaps/hello-nodejs-with-claims
api-descriptors True True 3m30s configmaps/hello-nodejs-with-api-descriptors
config-writer True True 2m59s runnables.carto.run/hello-nodejs-config-writer
🚚 Delivery
name: delivery-basic
NAME READY HEALTHY UPDATED RESOURCE
source-provider True True 2m4s imagerepositories.source.apps.tanzu.vmware.com/hello-nodejs-delivery
deployer True True 2m1s apps.kappctrl.k14s.io/hello-nodejs
💬 Messages
No messages found.
🛶 Pods
NAME READY STATUS RESTARTS AGE
hello-nodejs-00001-deployment-5fbbdf78f4-zg47q 2/2 Running 0 19s
hello-nodejs-9mlvf-test-pod 0/1 Completed 0 7m6s
hello-nodejs-build-1-build-pod 0/1 Completed 0 6m49s
hello-nodejs-config-writer-s7nh7-pod 0/1 Completed 0 3m28s
scan-hello-nodejs-9szvs-pod 0/7 Completed 1 5m20s
🚢 Knative Services
NAME READY URL
hello-nodejs Ready https://hello-nodejs.demo.tap.192-168-228-200.sslip.io
To see logs: "tanzu apps workload tail hello-nodejs --namespace demo --timestamp --since 1h"
Access the app.
$ curl -k https://hello-nodejs.demo.tap.192-168-228-200.sslip.io/
Hello World!!
Check the Supply Chain list in TAP GUI.
https://tap-gui.tap.192-168-228-200.sslip.io/supply-chain
Click hello-nodejs.
https://tap-gui.tap.192-168-228-200.sslip.io/supply-chain/host/demo/hello-nodejs
The Workload is visualized.
You can check the list of vulnerabilities in the container image.
Clicking Delivery displays the app's URL.