---
title: Notes on Installing Tanzu Application Platform 1.6 (Full Profile) on Kind on OrbStack
tags: ["Kubernetes", "Cartographer", "OrbStack", "Tanzu", "TAP"]
categories: ["Dev", "CaaS", "Kubernetes", "TAP"]
date: 2023-08-01T16:07:27Z
updated: 2023-08-01T16:07:27Z
---

### Creating the kind cluster

At least 6 vCPUs and 8 GB of RAM are required.

```
kind create cluster --image kindest/node:v1.27.3
```

### Installing MetalLB

Install MetalLB.

```
kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.13.10/config/manifests/metallb-native.yaml
kubectl wait --namespace metallb-system \
                --for=condition=ready pod \
                --selector=app=metallb \
                --timeout=90s
```

Check the IP range of the docker network in the output of the following command.

```
$ docker network inspect -f '{{.IPAM.Config}}' kind
[{192.168.228.0/24  192.168.228.1 map[]} {fc00:f853:ccd:e793::/64  fc00:f853:ccd:e793::1 map[]}]
```

The output shows `192.168.228.0/24`, so configure `192.168.228.200-192.168.228.250` as the IP range that MetalLB hands out.

```yaml
kubectl apply -f- << EOF
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: example
  namespace: metallb-system
spec:
  addresses:
  - 192.168.228.200-192.168.228.250
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: empty
  namespace: metallb-system
EOF
```

From here on, `192.168.228.200-192.168.228.250` is available for the External IP of services with type=LoadBalancer.

The following IP is used in the rest of this procedure.

* 192.168.228.200 ... TAP's Envoy

### Installing Tanzu Application Platform

#### Installing the Pivnet CLI

Here the [`pivnet`](https://github.com/pivotal-cf/pivnet-cli) CLI is used to download the required software.

The `pivnet` CLI can be installed with brew.

```
brew install pivotal/tap/pivnet-cli
```

Obtain an API token from [VMware Tanzu Network](https://network.tanzu.vmware.com/) and log in with the `pivnet` CLI.

```
pivnet login --api-token=
```

> 🍎 On Apple Silicon, the pivnet binary can be downloaded from https://github.com/anthonydahanne/pivnet-cli/releases/tag/anthony-dev-20230323.

#### Accepting the EULA

If this is your first installation, accept the EULA of the following components.

* [Tanzu Application Platform](https://network.tanzu.vmware.com/products/tanzu-application-platform/)
* [Cluster Essentials for VMware Tanzu](https://network.tanzu.vmware.com/products/tanzu-cluster-essentials/)

> ⚠️ The usage period defined in the EULA is 30 days. That said, no restriction is actually enforced in the software.

#### Installing the Tanzu CLI

As of TAP 1.6, the Tanzu CLI can simply be downloaded from [GitHub](https://github.com/vmware-tanzu/tanzu-cli/releases/tag/v0.90.1) or installed with the `brew` command.

> ℹ️ https://github.com/vmware-tanzu/tanzu-cli/blob/main/docs/quickstart/install.md

```
brew install vmware-tanzu/tanzu/tanzu-cli
```

```
$ tanzu version
version: v0.90.1
buildDate: 2023-06-29
sha: 8945351c
```

The way plugins are installed has changed in TAP 1.6.

```
tanzu plugin clean
tanzu plugin install --group vmware-tap/default:v1.6.1
```

```
$ tanzu plugin list
Standalone Plugins
  NAME  DESCRIPTION  TARGET  VERSION  STATUS
  accelerator  Manage accelerators in a Kubernetes cluster  kubernetes  v1.6.0  installed
  apps  Applications on Kubernetes  kubernetes  v0.12.1  installed
  build-service  plugin to interact with tanzu build service (tbs) crds  kubernetes  v1.0.0  installed
  external-secrets  interacts with external-secrets.io resources  kubernetes  v0.1.0-beta.7  installed
  insight  post & query image, package, source, and vulnerability data  kubernetes  v1.6.0  installed
  package  Tanzu package management  kubernetes  v0.29.0  installed
  secret  Tanzu secret management  kubernetes  v0.29.0  installed
  services  Commands for working with service instances, classes and claims  kubernetes  v0.7.0  installed
```

#### Installing Cluster Essentials for VMware Tanzu

Install [Cluster Essentials for VMware Tanzu](https://network.tanzu.vmware.com/products/tanzu-cluster-essentials) to deploy Kapp Controller and Secretgen Controller, which are required to install TAP.

```
# Mac
pivnet download-product-files --product-slug='tanzu-cluster-essentials' --release-version='1.6.0' --glob='tanzu-cluster-essentials-darwin-amd64-*'
# Linux
pivnet download-product-files --product-slug='tanzu-cluster-essentials' --release-version='1.6.0' --glob='tanzu-cluster-essentials-linux-amd64-*'
```

Install Cluster Essentials.

```
TANZUNET_USERNAME=...
TANZUNET_PASSWORD=...

mkdir tanzu-cluster-essentials
tar xzvf tanzu-cluster-essentials-*-amd64-*.tgz -C tanzu-cluster-essentials

export INSTALL_BUNDLE=registry.tanzu.vmware.com/tanzu-cluster-essentials/cluster-essentials-bundle:1.6.0
export INSTALL_REGISTRY_HOSTNAME=registry.tanzu.vmware.com
export INSTALL_REGISTRY_USERNAME=${TANZUNET_USERNAME}
export INSTALL_REGISTRY_PASSWORD=${TANZUNET_PASSWORD}
cd tanzu-cluster-essentials
./install.sh --yes
cd ..
```

Check the Pods.

```
$ kubectl get pod -n kapp-controller
NAME                               READY   STATUS    RESTARTS   AGE
kapp-controller-8557d45b9b-qjbsj   2/2     Running   0          37s

$ kubectl get pod -n secretgen-controller
NAME                                   READY   STATUS    RESTARTS   AGE
secretgen-controller-6b6bf7bb4-ngln4   1/1     Running   0          37s
```

#### Configuring the Package Repository

Create the TAP Package Repository.

```
TANZUNET_USERNAME=...
TANZUNET_PASSWORD=...

kubectl create ns tap-install

tanzu secret registry add tap-registry \
    --username "${TANZUNET_USERNAME}" \
    --password "${TANZUNET_PASSWORD}" \
    --server registry.tanzu.vmware.com \
    --export-to-all-namespaces \
    --yes \
    --namespace tap-install

tanzu package repository add tanzu-tap-repository \
    --url registry.tanzu.vmware.com/tanzu-application-platform/tap-packages:1.6.1 \
    --namespace tap-install

tanzu package repository add full-deps-repository \
    --url registry.tanzu.vmware.com/tanzu-application-platform/full-deps-package-repo:1.6.1 \
    --namespace tap-install
```

Check the list of available Packages.

```
$ kubectl get package -n tap-install
NAME  PACKAGEMETADATA NAME  VERSION  AGE
accelerator.apps.tanzu.vmware.com.1.6.1  accelerator.apps.tanzu.vmware.com  1.6.1  28s
amr-observer.apps.tanzu.vmware.com.0.1.0-alpha.8  amr-observer.apps.tanzu.vmware.com  0.1.0-alpha.8  28s
api-portal.tanzu.vmware.com.1.4.0  api-portal.tanzu.vmware.com  1.4.0  28s
apis.apps.tanzu.vmware.com.0.3.3  apis.apps.tanzu.vmware.com  0.3.3  26s
apiserver.appliveview.tanzu.vmware.com.1.6.1  apiserver.appliveview.tanzu.vmware.com  1.6.1  26s
app-scanning.apps.tanzu.vmware.com.0.1.0-beta.45  app-scanning.apps.tanzu.vmware.com  0.1.0-beta.45  27s
application-configuration-service.tanzu.vmware.com.2.1.0  application-configuration-service.tanzu.vmware.com  2.1.0  28s
backend.appliveview.tanzu.vmware.com.1.6.1  backend.appliveview.tanzu.vmware.com  1.6.1  28s
base-jammy-builder-lite.buildpacks.tanzu.vmware.com.0.1.0  base-jammy-builder-lite.buildpacks.tanzu.vmware.com  0.1.0  28s
base-jammy-builder.buildpacks.tanzu.vmware.com.0.1.0  base-jammy-builder.buildpacks.tanzu.vmware.com  0.1.0  8s
base-jammy-stack-lite.buildpacks.tanzu.vmware.com.0.1.41  base-jammy-stack-lite.buildpacks.tanzu.vmware.com  0.1.41  28s
base-jammy-stack.buildpacks.tanzu.vmware.com.0.1.41  base-jammy-stack.buildpacks.tanzu.vmware.com  0.1.41  8s
bitnami.services.tanzu.vmware.com.0.2.0  bitnami.services.tanzu.vmware.com  0.2.0  28s
buildservice.tanzu.vmware.com.1.11.10  buildservice.tanzu.vmware.com  1.11.10  28s
carbonblack.scanning.apps.tanzu.vmware.com.1.2.1-beta.1  carbonblack.scanning.apps.tanzu.vmware.com  1.2.1-beta.1  28s
cartographer.tanzu.vmware.com.0.7.3  cartographer.tanzu.vmware.com  0.7.3  28s
cert-manager.tanzu.vmware.com.2.3.1  cert-manager.tanzu.vmware.com  2.3.1  28s
cnrs.tanzu.vmware.com.2.3.1  cnrs.tanzu.vmware.com  2.3.1  28s
connector.appliveview.tanzu.vmware.com.1.6.1  connector.appliveview.tanzu.vmware.com  1.6.1  28s
contour.tanzu.vmware.com.1.24.4  contour.tanzu.vmware.com  1.24.4  28s
controller.source.apps.tanzu.vmware.com.0.8.0  controller.source.apps.tanzu.vmware.com  0.8.0  28s
conventions.appliveview.tanzu.vmware.com.1.6.1  conventions.appliveview.tanzu.vmware.com  1.6.1  28s
crossplane.tanzu.vmware.com.0.2.1  crossplane.tanzu.vmware.com  0.2.1  28s
developer-conventions.tanzu.vmware.com.0.11.0  developer-conventions.tanzu.vmware.com  0.11.0  28s
dotnet-core-lite.buildpacks.tanzu.vmware.com.2.6.2  dotnet-core-lite.buildpacks.tanzu.vmware.com  2.6.2  28s
dotnet-core.buildpacks.tanzu.vmware.com.2.6.2  dotnet-core.buildpacks.tanzu.vmware.com  2.6.2  8s
eventing.tanzu.vmware.com.2.2.3-build.36  eventing.tanzu.vmware.com  2.2.3-build.36  28s
external-secrets.apps.tanzu.vmware.com.0.6.1+tap.6  external-secrets.apps.tanzu.vmware.com  0.6.1+tap.6  28s
fluxcd.source.controller.tanzu.vmware.com.0.36.1-build.2  fluxcd.source.controller.tanzu.vmware.com  0.36.1-build.2  28s
full-deps.buildservice.tanzu.vmware.com.0.2.3  full-deps.buildservice.tanzu.vmware.com  0.2.3  8s
full-jammy-builder.buildpacks.tanzu.vmware.com.0.1.0  full-jammy-builder.buildpacks.tanzu.vmware.com  0.1.0  8s
full-jammy-stack.buildpacks.tanzu.vmware.com.0.1.79  full-jammy-stack.buildpacks.tanzu.vmware.com  0.1.79  8s
go-lite.buildpacks.tanzu.vmware.com.2.1.4  go-lite.buildpacks.tanzu.vmware.com  2.1.4  28s
go.buildpacks.tanzu.vmware.com.2.1.4  go.buildpacks.tanzu.vmware.com  2.1.4  8s
grype.scanning.apps.tanzu.vmware.com.1.6.66  grype.scanning.apps.tanzu.vmware.com  1.6.66  28s
java-lite.buildpacks.tanzu.vmware.com.9.0.4  java-lite.buildpacks.tanzu.vmware.com  9.0.4  27s
java-native-image-lite.buildpacks.tanzu.vmware.com.7.0.4  java-native-image-lite.buildpacks.tanzu.vmware.com  7.0.4  27s
java-native-image.buildpacks.tanzu.vmware.com.7.0.4  java-native-image.buildpacks.tanzu.vmware.com  7.0.4  8s
java.buildpacks.tanzu.vmware.com.9.0.4  java.buildpacks.tanzu.vmware.com  9.0.4  8s
learningcenter.tanzu.vmware.com.0.3.1  learningcenter.tanzu.vmware.com  0.3.1  27s
local-source-proxy.apps.tanzu.vmware.com.0.1.0  local-source-proxy.apps.tanzu.vmware.com  0.1.0  27s
metadata-store.apps.tanzu.vmware.com.1.6.2  metadata-store.apps.tanzu.vmware.com  1.6.2  28s
namespace-provisioner.apps.tanzu.vmware.com.0.4.0  namespace-provisioner.apps.tanzu.vmware.com  0.4.0  28s
nodejs-lite.buildpacks.tanzu.vmware.com.2.2.3  nodejs-lite.buildpacks.tanzu.vmware.com  2.2.3  28s
nodejs.buildpacks.tanzu.vmware.com.2.2.3  nodejs.buildpacks.tanzu.vmware.com  2.2.3  8s
ootb-delivery-basic.tanzu.vmware.com.0.13.6  ootb-delivery-basic.tanzu.vmware.com  0.13.6  28s
ootb-supply-chain-basic.tanzu.vmware.com.0.13.6  ootb-supply-chain-basic.tanzu.vmware.com  0.13.6  28s
ootb-supply-chain-testing-scanning.tanzu.vmware.com.0.13.6  ootb-supply-chain-testing-scanning.tanzu.vmware.com  0.13.6  28s
ootb-supply-chain-testing.tanzu.vmware.com.0.13.6  ootb-supply-chain-testing.tanzu.vmware.com  0.13.6  28s
ootb-templates.tanzu.vmware.com.0.13.6  ootb-templates.tanzu.vmware.com  0.13.6  28s
php.buildpacks.tanzu.vmware.com.2.3.3  php.buildpacks.tanzu.vmware.com  2.3.3  8s
policy.apps.tanzu.vmware.com.1.4.0  policy.apps.tanzu.vmware.com  1.4.0  28s
procfile.buildpacks.tanzu.vmware.com.5.6.1  procfile.buildpacks.tanzu.vmware.com  5.6.1  8s
python-lite.buildpacks.tanzu.vmware.com.2.3.8  python-lite.buildpacks.tanzu.vmware.com  2.3.8  28s
python.buildpacks.tanzu.vmware.com.2.3.8  python.buildpacks.tanzu.vmware.com  2.3.8  8s
ruby-lite.buildpacks.tanzu.vmware.com.2.5.2  ruby-lite.buildpacks.tanzu.vmware.com  2.5.2  28s
ruby.buildpacks.tanzu.vmware.com.2.5.2  ruby.buildpacks.tanzu.vmware.com  2.5.2  8s
scanning.apps.tanzu.vmware.com.1.6.67  scanning.apps.tanzu.vmware.com  1.6.67  28s
service-bindings.labs.vmware.com.0.9.1  service-bindings.labs.vmware.com  0.9.1  28s
services-toolkit.tanzu.vmware.com.0.11.0  services-toolkit.tanzu.vmware.com  0.11.0  28s
snyk.scanning.apps.tanzu.vmware.com.1.0.0-beta.71  snyk.scanning.apps.tanzu.vmware.com  1.0.0-beta.71  28s
spring-boot-conventions.tanzu.vmware.com.1.6.1  spring-boot-conventions.tanzu.vmware.com  1.6.1  26s
spring-cloud-gateway.tanzu.vmware.com.2.0.3  spring-cloud-gateway.tanzu.vmware.com  2.0.3  26s
sso.apps.tanzu.vmware.com.4.0.0  sso.apps.tanzu.vmware.com  4.0.0  26s
tap-auth.tanzu.vmware.com.1.1.0  tap-auth.tanzu.vmware.com  1.1.0  26s
tap-gui.tanzu.vmware.com.1.6.4  tap-gui.tanzu.vmware.com  1.6.4  28s
tap-telemetry.tanzu.vmware.com.0.6.1  tap-telemetry.tanzu.vmware.com  0.6.1  28s
tap.tanzu.vmware.com.1.6.1  tap.tanzu.vmware.com  1.6.1  28s
tekton.tanzu.vmware.com.0.41.0+tap.8  tekton.tanzu.vmware.com  0.41.0+tap.8  28s
tiny-jammy-builder.buildpacks.tanzu.vmware.com.0.1.0  tiny-jammy-builder.buildpacks.tanzu.vmware.com  0.1.0  8s
tiny-jammy-stack.buildpacks.tanzu.vmware.com.0.1.43  tiny-jammy-stack.buildpacks.tanzu.vmware.com  0.1.43  8s
tpb.tanzu.vmware.com.0.1.2  tpb.tanzu.vmware.com  0.1.2  27s
web-servers-lite.buildpacks.tanzu.vmware.com.0.13.1  web-servers-lite.buildpacks.tanzu.vmware.com  0.13.1  27s
web-servers.buildpacks.tanzu.vmware.com.0.13.1  web-servers.buildpacks.tanzu.vmware.com  0.13.1  8s
workshops.learningcenter.tanzu.vmware.com.0.3.0  workshops.learningcenter.tanzu.vmware.com  0.3.0  27s
```

#### Installing the Full profile

https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.6/tap/install-online-profile.html

Install the Full Profile.

Create the Secret for Buildservice, which is used for tasks such as creating Builders.

```
GITHUB_USERNAME=...
GITHUB_API_TOKEN=...

tanzu secret registry add buildservice-regcred \
    --username "${GITHUB_USERNAME}" \
    --password "${GITHUB_API_TOKEN}" \
    --server ghcr.io \
    --yes \
    --namespace tap-install
```

Prepare `tap-values.yaml`. Since we are installing the Full profile anyway, the Supply Chain is set to `testing_scanning`. The full dependencies are used for Buildservice.

```yaml
cat <<EOF > tap-values.yaml
shared:
  ingress_domain: tap.192-168-228-200.sslip.io
  ingress_issuer: tap-ingress-selfsigned
  image_registry:
    project_path: ghcr.io/${GITHUB_USERNAME}
    secret:
      name: buildservice-regcred
      namespace: tap-install
  kubernetes_version: "1.27"

ceip_policy_disclosed: true

profile: full

supply_chain: testing_scanning

contour:
  contour:
    replicas: 1
  envoy:
    service:
      type: LoadBalancer
      loadBalancerIP: 192.168.228.200

buildservice:
  exclude_dependencies: false

tap_gui:
  metadataStoreAutoconfiguration: true
  app_config:
    auth:
      allowGuestAccess: true

metadata_store:
  ns_for_export_app_cert: "*"
  app_service_type: ClusterIP
  pg_req_cpu: "200m"
  pg_req_memory: "200Mi"

scanning:
  metadataStore:
    url: "" # Configuration is moved, so set this string to empty.

# The settings below are for saving resources
cnrs:
  lite:
    enable: true
  pdb:
    enable: false

cartographer:
  cartographer:
    resources:
      requests:
        cpu: 100m
        memory: 200Mi

crossplane:
  resourcesCrossplane:
    requests:
      cpu: 100m
      memory: 200Mi
  resourcesRBACManager:
    requests:
      cpu: 100m
      memory: 200Mi

excluded_packages:
- policy.apps.tanzu.vmware.com
- image-policy-webhook.signing.apps.tanzu.vmware.com
- eventing.tanzu.vmware.com
- sso.apps.tanzu.vmware.com
- learningcenter.tanzu.vmware.com
- workshops.learningcenter.tanzu.vmware.com
- api-portal.tanzu.vmware.com
EOF
```

Install TAP.

```
tanzu package install tap \
      -p tap.tanzu.vmware.com \
      -v 1.6.1 \
      --values-file tap-values.yaml \
      -n tap-install
```

Check the installed PackageInstalls.

```
$ kubectl get pkgi -n tap-install
NAME  PACKAGE NAME  PACKAGE VERSION  DESCRIPTION  AGE
accelerator  accelerator.apps.tanzu.vmware.com  1.6.1  Reconcile succeeded  101s
api-auto-registration  apis.apps.tanzu.vmware.com  0.3.3  Reconcile succeeded  2m32s
appliveview  backend.appliveview.tanzu.vmware.com  1.6.1  Reconcile succeeded  101s
appliveview-apiserver  apiserver.appliveview.tanzu.vmware.com  1.6.1  Reconcile succeeded  2m32s
appliveview-connector  connector.appliveview.tanzu.vmware.com  1.6.1  Reconcile succeeded  4m13s
appliveview-conventions  conventions.appliveview.tanzu.vmware.com  1.6.1  Reconcile succeeded  2m
base-jammy-builder-lite  base-jammy-builder-lite.buildpacks.tanzu.vmware.com  0.1.0  Reconcile succeeded  3m18s
base-jammy-stack-lite  base-jammy-stack-lite.buildpacks.tanzu.vmware.com  0.1.41  Reconcile succeeded  3m34s
bitnami-services  bitnami.services.tanzu.vmware.com  0.2.0  Reconcile succeeded  2m7s
buildservice  buildservice.tanzu.vmware.com  1.11.10  Reconcile succeeded  4m13s
cartographer  cartographer.tanzu.vmware.com  0.7.3  Reconcile succeeded  2m32s
cert-manager  cert-manager.tanzu.vmware.com  2.3.1  Reconcile succeeded  4m13s
cnrs  cnrs.tanzu.vmware.com  2.3.1  Reconcile succeeded  101s
contour  contour.tanzu.vmware.com  1.24.4  Reconcile succeeded  2m32s
crossplane  crossplane.tanzu.vmware.com  0.2.1  Reconcile succeeded  4m13s
developer-conventions  developer-conventions.tanzu.vmware.com  0.11.0  Reconcile succeeded  2m
dotnet-core-lite-buildpack  dotnet-core-lite.buildpacks.tanzu.vmware.com  2.6.2  Reconcile succeeded  3m34s
fluxcd-source-controller  fluxcd.source.controller.tanzu.vmware.com  0.36.1-build.2  Reconcile succeeded  4m13s
go-lite-buildpack  go-lite.buildpacks.tanzu.vmware.com  2.1.4  Reconcile succeeded  3m34s
grype  grype.scanning.apps.tanzu.vmware.com  1.6.66  Reconcile succeeded  2m4s
java-lite-buildpack  java-lite.buildpacks.tanzu.vmware.com  9.0.4  Reconcile succeeded  3m34s
java-native-image-lite-buildpack  java-native-image-lite.buildpacks.tanzu.vmware.com  7.0.4  Reconcile succeeded  3m34s
local-source-proxy  local-source-proxy.apps.tanzu.vmware.com  0.1.0  Reconcile succeeded  4m13s
metadata-store  metadata-store.apps.tanzu.vmware.com  1.6.2  Reconcile succeeded  101s
namespace-provisioner  namespace-provisioner.apps.tanzu.vmware.com  0.4.0  Reconcile succeeded  4m13s
nodejs-lite-buildpack  nodejs-lite.buildpacks.tanzu.vmware.com  2.2.3  Reconcile succeeded  3m34s
ootb-delivery-basic  ootb-delivery-basic.tanzu.vmware.com  0.13.6  Reconcile succeeded  110s
ootb-supply-chain-testing-scanning  ootb-supply-chain-testing-scanning.tanzu.vmware.com  0.13.6  Reconcile succeeded  110s
ootb-templates  ootb-templates.tanzu.vmware.com  0.13.6  Reconcile succeeded  2m
python-lite-buildpack  python-lite.buildpacks.tanzu.vmware.com  2.3.8  Reconcile succeeded  3m34s
ruby-lite-buildpack  ruby-lite.buildpacks.tanzu.vmware.com  2.5.2  Reconcile succeeded  3m34s
scanning  scanning.apps.tanzu.vmware.com  1.6.67  Reconcile succeeded  2m32s
service-bindings  service-bindings.labs.vmware.com  0.9.1  Reconcile succeeded  4m13s
services-toolkit  services-toolkit.tanzu.vmware.com  0.11.0  Reconcile succeeded  2m32s
source-controller  controller.source.apps.tanzu.vmware.com  0.8.0  Reconcile succeeded  2m32s
spring-boot-conventions  spring-boot-conventions.tanzu.vmware.com  1.6.1  Reconcile succeeded  2m
tap  tap.tanzu.vmware.com  1.6.1  Reconcile succeeded  4m36s
tap-auth  tap-auth.tanzu.vmware.com  1.1.0  Reconcile succeeded  4m13s
tap-gui  tap-gui.tanzu.vmware.com  1.6.4  Reconcile succeeded  101s
tap-telemetry  tap-telemetry.tanzu.vmware.com  0.6.1  Reconcile succeeded  4m28s
tekton-pipelines  tekton.tanzu.vmware.com  0.41.0+tap.8  Reconcile succeeded  4m13s
web-servers-lite-buildpack  web-servers-lite.buildpacks.tanzu.vmware.com  0.13.1  Reconcile succeeded  3m34s
```

The deployed Pods are as follows.

```
$ kubectl get pod -A | grep -v kube-system | grep -v local-path-storage
NAMESPACE  NAME  READY  STATUS  RESTARTS  AGE
accelerator-system  acc-engine-6f8db684c5-vs82m  1/1  Running  0  117s
accelerator-system  acc-server-56c9d8bf45-tx9lk  1/1  Running  0  116s
accelerator-system  accelerator-controller-manager-6c7fd869b4-hsm2x  1/1  Running  0  117s
api-auto-registration  api-auto-registration-controller-6fbd78bd5c-vs24t  1/1  Running  0  2m48s
app-live-view-connector  application-live-view-connector-r8cdb  1/1  Running  0  4m26s
app-live-view-conventions  appliveview-webhook-586484d766-wnzws  1/1  Running  0  2m18s
app-live-view  application-live-view-server-f76d4df57-nv8pm  1/1  Running  0  117s
appliveview-tokens-system  appliveview-apiserver-7f69dc69b6-8blvp  1/1  Running  0  2m47s
build-service  build-pod-image-fetcher-2jgbd  5/5  Running  0  4m14s
build-service  dependency-updater-controller-64b8fb5569-gq6dw  1/1  Running  0  4m12s
build-service  secret-syncer-controller-b65996878-tt4qv  1/1  Running  0  4m14s
build-service  warmer-controller-7cb45c4b58-mhcq8  1/1  Running  0  4m14s
cartographer-system  cartographer-controller-79dc6d6479-8lktg  1/1  Running  0  2m46s
cartographer-system  cartographer-conventions-controller-manager-7748966c58-x99vk  1/1  Running  0  2m46s
cert-injection-webhook  cert-injection-webhook-6445c878b4-2nr74  1/1  Running  0  4m12s
cert-manager  cert-manager-7d668f9fd5-wj96p  1/1  Running  0  4m15s
cert-manager  cert-manager-cainjector-78bd945b49-p9z5x  1/1  Running  0  4m15s
cert-manager  cert-manager-webhook-bc7898c8c-fptx5  1/1  Running  0  4m15s
crossplane-system  crossplane-86cc7fd8f9-mqcsz  1/1  Running  0  4m22s
crossplane-system  crossplane-rbac-manager-59bfd8d56c-8fbp2  1/1  Running  0  4m22s
crossplane-system  provider-helm-114a45ad4a03-54bdbf6bbc-kz7zb  1/1  Running  0  87m
crossplane-system  provider-kubernetes-5c227ff2984d-5fbbcff7c4-9kd8t  1/1  Running  0  87m
developer-conventions  webhook-5cb5fbcf88-rlvn9  1/1  Running  0  2m17s
flux-system  fluxcd-source-controller-856b6f6754-4nq52  1/1  Running  0  4m28s
kapp-controller  kapp-controller-6bf98fb6c-6vdgm  2/2  Running  0  101m
knative-serving  activator-69596868b6-rj6pj  1/1  Running  0  112s
knative-serving  autoscaler-5fcccfff7c-rxjt8  1/1  Running  0  112s
knative-serving  autoscaler-hpa-b577465f6-mdmts  1/1  Running  0  111s
knative-serving  controller-6798d76cbd-2l4qn  1/1  Running  0  112s
knative-serving  domain-mapping-779f947495-pdxk4  1/1  Running  0  112s
knative-serving  domainmapping-webhook-67f67d86c9-fbmb6  1/1  Running  0  112s
knative-serving  net-certmanager-controller-594744568b-2wtmn  1/1  Running  0  111s
knative-serving  net-certmanager-webhook-6bd7b6d7b6-ph8qw  1/1  Running  0  111s
knative-serving  net-contour-controller-bbd9f7f7f-9vrsg  1/1  Running  0  111s
knative-serving  webhook-84794fbbc9-7bbds  1/1  Running  0  111s
kpack  kpack-controller-df9bb597-6r6sq  1/1  Running  0  4m14s
kpack  kpack-webhook-594df8bb87-8zgck  1/1  Running  0  4m14s
metadata-store  metadata-store-app-5c49c7c8c6-hvxtc  2/2  Running  0  117s
metadata-store  metadata-store-db-0  1/1  Running  0  117s
metallb-system  controller-595f88d88f-hv2qj  1/1  Running  0  115m
metallb-system  speaker-jqbr6  1/1  Running  0  115m
scan-link-system  scan-link-controller-manager-7cd99966b5-svkbp  2/2  Running  0  2m46s
secretgen-controller  secretgen-controller-76cd6cdcc5-zwv4k  1/1  Running  0  101m
service-bindings  manager-b4f74fb5c-9jwrd  1/1  Running  0  4m27s
services-toolkit  resource-claims-apiserver-59f4f56885-zrz25  1/1  Running  0  2m47s
services-toolkit  services-toolkit-controller-manager-7f4d899489-55h5w  1/1  Running  0  2m47s
source-system  source-controller-manager-767c5b4488-gfph6  1/1  Running  0  2m49s
spring-boot-convention  spring-boot-webhook-5f4bbccbdb-mw4gk  1/1  Running  0  2m17s
stacks-operator-system  controller-manager-5c548bbf49-wvpbc  1/1  Running  0  4m12s
tanzu-system-ingress  contour-7db987f649-c4769  1/1  Running  0  2m46s
tanzu-system-ingress  envoy-hfrql  2/2  Running  0  2m47s
tap-gui  server-757488cff8-dx8l4  1/1  Running  0  118s
tap-local-source-system  local-source-proxy-8476b8dc96-nvsl8  1/1  Running  0  4m29s
tap-namespace-provisioning  controller-manager-6c98988fb8-7rqx8  1/1  Running  0  4m29s
tap-telemetry  tap-telemetry-informer-65cfdcbb8b-b9hmt  1/1  Running  0  4m44s
tekton-pipelines-resolvers  tekton-pipelines-remote-resolvers-67f6b5bdd9-rbkmb  1/1  Running  0  4m27s
tekton-pipelines  tekton-pipelines-controller-549974c7f8-89d7c  1/1  Running  0  4m27s
tekton-pipelines  tekton-pipelines-webhook-765dddbbd6-gvdnj  1/1  Running  0  4m27s
```

The requested resources are as follows.

```
$ kubectl describe node
...
Allocated resources:
  (Total limits may be over 100 percent, i.e., overcommitted.)
  Resource           Requests           Limits
  --------           --------           ------
  cpu                5330m (44%)        19625m (163%)
  memory             6664380672 (80%)   27392631040 (329%)
  ephemeral-storage  0 (0%)             0 (0%)
Events:
...
```

Confirm that the LoadBalancer IP specified in `tap-values.yaml` has been assigned to Envoy.

```
$ kubectl get svc -n tanzu-system-ingress envoy
NAME    TYPE           CLUSTER-IP    EXTERNAL-IP       PORT(S)                      AGE
envoy   LoadBalancer   10.96.74.85   192.168.228.200   80:32585/TCP,443:30868/TCP   12m
```

Check the list of installed Builders.

```
$ kubectl get clusterbuilder
NAME  LATESTIMAGE  READY
base-jammy  ghcr.io/making/buildservice@sha256:e5178ac71369fe6162f135ec5e7566db83e40f0079a5019d74d5f95835bf3a6c  True
default  ghcr.io/making/buildservice@sha256:e5178ac71369fe6162f135ec5e7566db83e40f0079a5019d74d5f95835bf3a6c  True
```

Check the list of exposed endpoints.

```
$ kubectl get httpproxy -A
NAMESPACE  NAME  FQDN  TLS SECRET  STATUS  STATUS DESCRIPTION
metadata-store  metadata-store-ingress  metadata-store.tap.192-168-228-200.sslip.io  ingress-cert  valid  Valid HTTPProxy
tap-gui  tap-gui  tap-gui.tap.192-168-228-200.sslip.io  tap-gui-cert  valid  Valid HTTPProxy
```

Access TAP GUI at https://tap-gui.tap.192-168-228-200.sslip.io.

### Deploying a Workload

Create registry-credentials.

```
tanzu secret registry add registry-credentials \
    --server ghcr.io \
    --username "${GITHUB_USERNAME}" \
    --password "${GITHUB_API_TOKEN}" \
    --namespace tap-install \
    --export-to-all-namespaces \
    -y
```

Create the Namespace.

```
kubectl create ns demo
kubectl label namespaces demo apps.tanzu.vmware.com/tap-ns=""
```

Confirm that the `source-test-scan-to-url` Supply Chain is available.

```
$ tanzu apps cluster-supply-chain list
NAME                         READY   AGE
scanning-image-scan-to-url   Ready   15m
source-test-scan-to-url      Ready   15m

To view details: "tanzu apps cluster-supply-chain get "
```

Create a Tekton pipeline. A dummy pipeline is used here.

```yaml
kubectl apply -f - -n demo << 'EOF'
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: skip-test-pipeline
  labels:
    apps.tanzu.vmware.com/pipeline: test
    apps.tanzu.vmware.com/language: skip
spec:
  params:
  - name: source-url
  - name: source-revision
  tasks:
  - name: test
    params:
    - name: source-url
      value: $(params.source-url)
    - name: source-revision
      value: $(params.source-revision)
    taskSpec:
      params:
      - name: source-url
      - name: source-revision
      steps:
      - name: test
        image: alpine
        script: |-
          echo 'skip'
EOF
```

Create a ScanPolicy. Here the ScanPolicy allows everything except `UnknownSeverity`.

```yaml
kubectl apply -f - -n demo << 'EOF'
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: ScanPolicy
metadata:
  labels:
    app.kubernetes.io/part-of: enable-in-gui
  name: scan-policy
spec:
  regoFile: |
    package main

    # Accepted Values: "Critical", "High", "Medium", "Low", "Negligible", "UnknownSeverity"
    notAllowedSeverities := ["UnknownSeverity"]
    ignoreCves := []

    contains(array, elem) = true {
      array[_] = elem
    } else = false { true }

    isSafe(match) {
      severities := { e | e := match.ratings.rating.severity } | { e | e := match.ratings.rating[_].severity }
      some i
      fails := contains(notAllowedSeverities, severities[i])
      not fails
    }

    isSafe(match) {
      ignore := contains(ignoreCves, match.id)
      ignore
    }

    deny[msg] {
      comps := { e | e := input.bom.components.component } | { e | e := input.bom.components.component[_] }
      some i
      comp := comps[i]
      vulns := { e | e := comp.vulnerabilities.vulnerability } | { e | e := comp.vulnerabilities.vulnerability[_] }
      some j
      vuln := vulns[j]
      ratings := { e | e := vuln.ratings.rating.severity } | { e | e := vuln.ratings.rating[_].severity }
      not isSafe(vuln)
      msg = sprintf("CVE %s %s %s", [comp.name, vuln.id, ratings])
    }
EOF
```

Create the Workload.

```
tanzu apps workload apply hello-nodejs \
  --app hello-nodejs \
  --git-repo https://github.com/making/hello-nodejs \
  --git-branch master \
  --type web \
  --label apps.tanzu.vmware.com/has-tests=true \
  -n demo \
  -y
```

After a while, checking the state of the Workload gives output like the following.

```
$ tanzu apps workload get hello-nodejs --namespace demo
📡 Overview
   name:        hello-nodejs
   type:        web
   namespace:   demo

💾 Source
   type:       git
   url:        https://github.com/making/hello-nodejs
   branch:     master
   revision:   master@sha1:fde413c0fba0003c218a60bde69c8e254d3b15a6

📦 Supply Chain
   name:   source-test-scan-to-url

   NAME  READY  HEALTHY  UPDATED  RESOURCE
   source-provider  True  True  7m11s  gitrepositories.source.toolkit.fluxcd.io/hello-nodejs
   source-tester  True  True  6m51s  runnables.carto.run/hello-nodejs
   image-provider  True  True  5m20s  images.kpack.io/hello-nodejs
   image-scanner  True  True  3m46s  imagescans.scanning.apps.tanzu.vmware.com/hello-nodejs
   config-provider  True  True  3m31s  podintents.conventions.carto.run/hello-nodejs
   app-config  True  True  3m31s  configmaps/hello-nodejs
   service-bindings  True  True  3m30s  configmaps/hello-nodejs-with-claims
   api-descriptors  True  True  3m30s  configmaps/hello-nodejs-with-api-descriptors
   config-writer  True  True  2m59s  runnables.carto.run/hello-nodejs-config-writer

🚚 Delivery
   name:   delivery-basic

   NAME  READY  HEALTHY  UPDATED  RESOURCE
   source-provider  True  True  2m4s  imagerepositories.source.apps.tanzu.vmware.com/hello-nodejs-delivery
   deployer  True  True  2m1s  apps.kappctrl.k14s.io/hello-nodejs

💬 Messages
   No messages found.

🛶 Pods
   NAME  READY  STATUS  RESTARTS  AGE
   hello-nodejs-00001-deployment-5fbbdf78f4-zg47q  2/2  Running  0  19s
   hello-nodejs-9mlvf-test-pod  0/1  Completed  0  7m6s
   hello-nodejs-build-1-build-pod  0/1  Completed  0  6m49s
   hello-nodejs-config-writer-s7nh7-pod  0/1  Completed  0  3m28s
   scan-hello-nodejs-9szvs-pod  0/7  Completed  1  5m20s

🚢 Knative Services
   NAME           READY   URL
   hello-nodejs   Ready   https://hello-nodejs.demo.tap.192-168-228-200.sslip.io

To see logs: "tanzu apps workload tail hello-nodejs --namespace demo --timestamp --since 1h"
```

Access the app.

```
$ curl -k https://hello-nodejs.demo.tap.192-168-228-200.sslip.io/
Hello World!!
```

Check the Supply Chain list in TAP GUI.

https://tap-gui.tap.192-168-228-200.sslip.io/supply-chain

Click `hello-nodejs`.

https://tap-gui.tap.192-168-228-200.sslip.io/supply-chain/host/demo/hello-nodejs

The Workload is visualized.

You can view the list of vulnerabilities in the container image.

Clicking Delivery shows the app's URL.
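
What the ScanPolicy created above lets through can be checked offline with the following Python model of its two `isSafe` rules and its `deny` rule. This is an added example, not code from the original post or from TAP; the BOM, the `EXAMPLE-…` IDs, the component names and `STRICT_POLICY` are constructed assumptions.

```python
# Added example: a simplified Python model of the ScanPolicy's Rego rules (not TAP code).
# The BOM below is constructed sample data; IDs and component names are made up.


def as_list(node):
    """The converted BOM holds an object for one child and a list for several."""
    if node is None:
        return []
    return node if isinstance(node, list) else [node]


def severities(vuln):
    """Set of severity strings across all ratings of one vulnerability."""
    ratings = as_list((vuln.get("ratings") or {}).get("rating"))
    return {r["severity"] for r in ratings if isinstance(r, dict) and "severity" in r}


def is_safe(vuln, not_allowed, ignore_cves):
    # First isSafe rule: SOME rating carries a severity outside notAllowedSeverities.
    if any(sev not in not_allowed for sev in severities(vuln)):
        return True
    # Second isSafe rule: the ID is listed in ignoreCves.
    return vuln.get("id") in ignore_cves


def deny(bom, not_allowed, ignore_cves=()):
    """Return (component, vuln id, sorted severities) for each finding the policy rejects."""
    findings = []
    components = as_list((bom["bom"].get("components") or {}).get("component"))
    for comp in components:
        vulns = as_list((comp.get("vulnerabilities") or {}).get("vulnerability"))
        for vuln in vulns:
            if not is_safe(vuln, not_allowed, ignore_cves):
                findings.append((comp["name"], vuln["id"], sorted(severities(vuln))))
    return findings


SAMPLE_BOM = {"bom": {"components": {"component": [
    # Single vulnerability and single rating: both appear as objects, not lists.
    {"name": "libalpha", "vulnerabilities": {"vulnerability":
        {"id": "EXAMPLE-0001", "ratings": {"rating": {"severity": "Critical"}}}}},
    {"name": "libbeta", "vulnerabilities": {"vulnerability": [
        # Two sources disagree on severity.
        {"id": "EXAMPLE-0002", "ratings": {"rating": [
            {"severity": "Critical"}, {"severity": "Low"}]}},
        {"id": "EXAMPLE-0003", "ratings": {"rating": {"severity": "UnknownSeverity"}}},
        # No ratings at all: neither isSafe rule matches.
        {"id": "EXAMPLE-0004"},
    ]}},
    {"name": "libgamma"},  # component without findings
]}}}

PAGE_POLICY = ["UnknownSeverity"]                        # the list used on this page
STRICT_POLICY = ["Critical", "High", "UnknownSeverity"]  # assumption: a tighter list

if __name__ == "__main__":
    for label, policy in (("page policy", PAGE_POLICY), ("strict policy", STRICT_POLICY)):
        print(label)
        for finding in deny(SAMPLE_BOM, policy):
            print("  deny", finding)
```

With the page's list, the Critical-only finding passes and only the unknown-severity and unrated findings are rejected. A finding rated both Critical and Low passes even under the stricter list, because one allowed rating is enough to satisfy the first `isSafe` rule.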