Installing & Configuring Tanzu Application Platform (TAP) v0.2 on an EKS Cluster with Azure Container Registry, and Creating Software Supply Chain
What is Tanzu Application Platform (TAP)?
I wrote an earlier blog post introducing TAP v0.1 and its setup on an AKS cluster; refer to that post to learn about TAP.
What’s New in TAP v0.2?
TAP v0.2 introduced several new components that help set up a secure software supply chain. For the list of components and their purposes, refer to the link below.
See the v0.2 release notes as well to learn what has changed from the earlier version.
In this blog post, I describe how to set up the TAP v0.2 components on an EKS cluster with Azure Container Registry and take a Java-based application from source code to URL.
Installation Prerequisites
- Tanzu Network account access: validate your access by logging in at https://login.run.pivotal.io/login
- Container Image Registry: I am using ACR, but you can use another registry.
- Kubernetes Cluster (v1.19 or later): I have an EKS cluster here.
- kubectl
- Accept the required EULAs. Follow this URL to accept them: https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/0.2/tap-0-2/GUID-install-general.html#eulas
Deploying Prerequisite Components
- Deploy kapp controller
$ kapp deploy -a kc -f https://github.com/vmware-tanzu/carvel-kapp-controller/releases/download/v0.27.0/release.yml
Target cluster 'https://A67EC78FE0A3A2ADBB99CE0BDF234AB2.gr7.us-east-2.eks.amazonaws.com' (nodes: ip-10-0-72-61.us-east-2.compute.internal, 1+)
Changes
Namespace  Name  Kind  Conds.  Age  Op  Op st.  Wait to  Rs  Ri
(cluster)  apps.kappctrl.k14s.io  CustomResourceDefinition  -  -  create  -  reconcile  -  -
^  internalpackagemetadatas.internal.packaging.carvel.dev  CustomResourceDefinition  -  -  create  -  reconcile  -  -
^  internalpackages.internal.packaging.carvel.dev  CustomResourceDefinition  -  -  create  -  reconcile  -  -
^  kapp-controller  Namespace  -  -  create  -  reconcile  -  -
^  kapp-controller-cluster-role  ClusterRole  -  -  create  -  reconcile  -  -
^  kapp-controller-cluster-role-binding  ClusterRoleBinding  -  -  create  -  reconcile  -  -
^  kapp-controller-packaging-global  Namespace  -  -  create  -  reconcile  -  -
^  packageinstalls.packaging.carvel.dev  CustomResourceDefinition  -  -  create  -  reconcile  -  -
^  packagerepositories.packaging.carvel.dev  CustomResourceDefinition  -  -  create  -  reconcile  -  -
^  pkg-apiserver:system:auth-delegator  ClusterRoleBinding  -  -  create  -  reconcile  -  -
^  v1alpha1.data.packaging.carvel.dev  APIService  -  -  create  -  reconcile  -  -
kapp-controller  kapp-controller  Deployment  -  -  create  -  reconcile  -  -
^  kapp-controller-sa  ServiceAccount  -  -  create  -  reconcile  -  -
^  packaging-api  Service  -  -  create  -  reconcile  -  -
kube-system  pkgserver-auth-reader  RoleBinding  -  -  create  -  reconcile  -  -
Op: 15 create, 0 delete, 0 update, 0 noop
Wait to: 15 reconcile, 0 delete, 0 noop
Continue? [yN]: y
7:58:11AM: ---- applying 12 changes [0/15 done] ----
7:58:11AM: create namespace/kapp-controller (v1) cluster
7:58:11AM: create namespace/kapp-controller-packaging-global (v1) cluster
7:58:11AM: create rolebinding/pkgserver-auth-reader (rbac.authorization.k8s.io/v1) namespace: kube-system
7:58:12AM: create customresourcedefinition/internalpackagemetadatas.internal.packaging.carvel.dev (apiextensions.k8s.io/v1) cluster
7:58:12AM: create apiservice/v1alpha1.data.packaging.carvel.dev (apiregistration.k8s.io/v1) cluster
7:58:13AM: create clusterrole/kapp-controller-cluster-role (rbac.authorization.k8s.io/v1) cluster
7:58:13AM: create customresourcedefinition/internalpackages.internal.packaging.carvel.dev (apiextensions.k8s.io/v1) cluster
7:58:13AM: create clusterrolebinding/kapp-controller-cluster-role-binding (rbac.authorization.k8s.io/v1) cluster
7:58:13AM: create customresourcedefinition/apps.kappctrl.k14s.io (apiextensions.k8s.io/v1) cluster
7:58:13AM: create clusterrolebinding/pkg-apiserver:system:auth-delegator (rbac.authorization.k8s.io/v1) cluster
7:58:13AM: create customresourcedefinition/packageinstalls.packaging.carvel.dev (apiextensions.k8s.io/v1) cluster
7:58:14AM: create customresourcedefinition/packagerepositories.packaging.carvel.dev (apiextensions.k8s.io/v1) cluster
7:58:14AM: ---- waiting on 12 changes [0/15 done] ----
7:58:14AM: ok: reconcile customresourcedefinition/packagerepositories.packaging.carvel.dev (apiextensions.k8s.io/v1) cluster
7:58:14AM: ok: reconcile namespace/kapp-controller (v1) cluster
7:58:14AM: ok: reconcile clusterrole/kapp-controller-cluster-role (rbac.authorization.k8s.io/v1) cluster
7:58:14AM: ok: reconcile namespace/kapp-controller-packaging-global (v1) cluster
7:58:14AM: ok: reconcile rolebinding/pkgserver-auth-reader (rbac.authorization.k8s.io/v1) namespace: kube-system
7:58:14AM: ok: reconcile customresourcedefinition/apps.kappctrl.k14s.io (apiextensions.k8s.io/v1) cluster
7:58:14AM: ok: reconcile clusterrolebinding/kapp-controller-cluster-role-binding (rbac.authorization.k8s.io/v1) cluster
7:58:14AM: ok: reconcile customresourcedefinition/internalpackages.internal.packaging.carvel.dev (apiextensions.k8s.io/v1) cluster
7:58:14AM: ok: reconcile clusterrolebinding/pkg-apiserver:system:auth-delegator (rbac.authorization.k8s.io/v1) cluster
7:58:14AM: ok: reconcile customresourcedefinition/packageinstalls.packaging.carvel.dev (apiextensions.k8s.io/v1) cluster
7:58:14AM: ongoing: reconcile apiservice/v1alpha1.data.packaging.carvel.dev (apiregistration.k8s.io/v1) cluster
7:58:14AM: ^ Condition Available is not True (False)
7:58:14AM: ok: reconcile customresourcedefinition/internalpackagemetadatas.internal.packaging.carvel.dev (apiextensions.k8s.io/v1) cluster
7:58:14AM: ---- applying 1 changes [12/15 done] ----
7:58:14AM: create serviceaccount/kapp-controller-sa (v1) namespace: kapp-controller
7:58:14AM: ---- waiting on 2 changes [11/15 done] ----
7:58:14AM: ok: reconcile serviceaccount/kapp-controller-sa (v1) namespace: kapp-controller
7:58:14AM: ---- applying 2 changes [13/15 done] ----
7:58:14AM: create service/packaging-api (v1) namespace: kapp-controller
7:58:15AM: create deployment/kapp-controller (apps/v1) namespace: kapp-controller
7:58:15AM: ---- waiting on 3 changes [12/15 done] ----
7:58:15AM: ok: reconcile service/packaging-api (v1) namespace: kapp-controller
7:58:15AM: ongoing: reconcile deployment/kapp-controller (apps/v1) namespace: kapp-controller
7:58:15AM: ^ Waiting for generation 2 to be observed
7:58:15AM: L ok: waiting on replicaset/kapp-controller-84f7cfcb59 (apps/v1) namespace: kapp-controller
7:58:15AM: L ongoing: waiting on pod/kapp-controller-84f7cfcb59-ktkcr (v1) namespace: kapp-controller
7:58:15AM: ^ Pending: ContainerCreating
7:58:15AM: ---- waiting on 2 changes [13/15 done] ----
7:58:15AM: ongoing: reconcile deployment/kapp-controller (apps/v1) namespace: kapp-controller
7:58:15AM: ^ Waiting for 1 unavailable replicas
7:58:15AM: L ok: waiting on replicaset/kapp-controller-84f7cfcb59 (apps/v1) namespace: kapp-controller
7:58:15AM: L ongoing: waiting on pod/kapp-controller-84f7cfcb59-ktkcr (v1) namespace: kapp-controller
7:58:15AM: ^ Pending: ContainerCreating
7:58:28AM: ok: reconcile deployment/kapp-controller (apps/v1) namespace: kapp-controller
7:58:28AM: ---- waiting on 1 changes [14/15 done] ----
7:58:34AM: ok: reconcile apiservice/v1alpha1.data.packaging.carvel.dev (apiregistration.k8s.io/v1) cluster
7:58:34AM: ---- applying complete [15/15 done] ----
7:58:34AM: ---- waiting complete [15/15 done] ----
Succeeded
- Validate kapp controller deployment and version
$ kubectl get pods -A | grep kapp-controller
kapp-controller   kapp-controller-84f7cfcb59-ktkcr   1/1   Running   0   61s
$ kubectl get deployment kapp-controller -n kapp-controller -o yaml | grep kapp-controller.carvel.dev/version
kapp-controller.carvel.dev/version: v0.27.0
kapp.k14s.io/original: '{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{"kapp-controller.carvel.dev/version":"v0.27.0","kbld.k14s.io/images":"-
f:kapp-controller.carvel.dev/version: {}
- Deploy secretgen-controller
$ kapp deploy -a sg -f https://github.com/vmware-tanzu/carvel-secretgen-controller/releases/download/v0.5.0/release.yml
Target cluster 'https://A67EC78FE0A3A2ADBB99CE0BDF234AB2.gr7.us-east-2.eks.amazonaws.com' (nodes: ip-10-0-72-61.us-east-2.compute.internal, 1+)
Changes
Namespace  Name  Kind  Conds.  Age  Op  Op st.  Wait to  Rs  Ri
(cluster)  certificates.secretgen.k14s.io  CustomResourceDefinition  -  -  create  -  reconcile  -  -
^  passwords.secretgen.k14s.io  CustomResourceDefinition  -  -  create  -  reconcile  -  -
^  rsakeys.secretgen.k14s.io  CustomResourceDefinition  -  -  create  -  reconcile  -  -
^  secretexports.secretgen.carvel.dev  CustomResourceDefinition  -  -  create  -  reconcile  -  -
^  secretgen-controller  Namespace  -  -  create  -  reconcile  -  -
^  secretgen-controller-cluster-role  ClusterRole  -  -  create  -  reconcile  -  -
^  secretgen-controller-cluster-role-binding  ClusterRoleBinding  -  -  create  -  reconcile  -  -
^  secretimports.secretgen.carvel.dev  CustomResourceDefinition  -  -  create  -  reconcile  -  -
^  sshkeys.secretgen.k14s.io  CustomResourceDefinition  -  -  create  -  reconcile  -  -
secretgen-controller  secretgen-controller  Deployment  -  -  create  -  reconcile  -  -
^  secretgen-controller-sa  ServiceAccount  -  -  create  -  reconcile  -  -
Op: 11 create, 0 delete, 0 update, 0 noop
Wait to: 11 reconcile, 0 delete, 0 noop
Continue? [yN]: y
8:00:42AM: ---- applying 9 changes [0/11 done] ----
8:00:42AM: create clusterrolebinding/secretgen-controller-cluster-role-binding (rbac.authorization.k8s.io/v1) cluster
8:00:42AM: create customresourcedefinition/secretexports.secretgen.carvel.dev (apiextensions.k8s.io/v1) cluster
8:00:42AM: create customresourcedefinition/secretimports.secretgen.carvel.dev (apiextensions.k8s.io/v1) cluster
8:00:42AM: create customresourcedefinition/sshkeys.secretgen.k14s.io (apiextensions.k8s.io/v1) cluster
8:00:42AM: create namespace/secretgen-controller (v1) cluster
8:00:42AM: create clusterrole/secretgen-controller-cluster-role (rbac.authorization.k8s.io/v1) cluster
8:00:43AM: create customresourcedefinition/rsakeys.secretgen.k14s.io (apiextensions.k8s.io/v1) cluster
8:00:43AM: create customresourcedefinition/passwords.secretgen.k14s.io (apiextensions.k8s.io/v1) cluster
8:00:43AM: create customresourcedefinition/certificates.secretgen.k14s.io (apiextensions.k8s.io/v1) cluster
8:00:43AM: ---- waiting on 9 changes [0/11 done] ----
8:00:43AM: ok: reconcile customresourcedefinition/certificates.secretgen.k14s.io (apiextensions.k8s.io/v1) cluster
8:00:43AM: ok: reconcile customresourcedefinition/secretexports.secretgen.carvel.dev (apiextensions.k8s.io/v1) cluster
8:00:43AM: ok: reconcile customresourcedefinition/secretimports.secretgen.carvel.dev (apiextensions.k8s.io/v1) cluster
8:00:43AM: ok: reconcile customresourcedefinition/sshkeys.secretgen.k14s.io (apiextensions.k8s.io/v1) cluster
8:00:43AM: ok: reconcile clusterrolebinding/secretgen-controller-cluster-role-binding (rbac.authorization.k8s.io/v1) cluster
8:00:43AM: ok: reconcile clusterrole/secretgen-controller-cluster-role (rbac.authorization.k8s.io/v1) cluster
8:00:43AM: ok: reconcile namespace/secretgen-controller (v1) cluster
8:00:43AM: ok: reconcile customresourcedefinition/passwords.secretgen.k14s.io (apiextensions.k8s.io/v1) cluster
8:00:43AM: ok: reconcile customresourcedefinition/rsakeys.secretgen.k14s.io (apiextensions.k8s.io/v1) cluster
8:00:43AM: ---- applying 1 changes [9/11 done] ----
8:00:43AM: create serviceaccount/secretgen-controller-sa (v1) namespace: secretgen-controller
8:00:43AM: ---- waiting on 1 changes [9/11 done] ----
8:00:43AM: ok: reconcile serviceaccount/secretgen-controller-sa (v1) namespace: secretgen-controller
8:00:43AM: ---- applying 1 changes [10/11 done] ----
8:00:44AM: create deployment/secretgen-controller (apps/v1) namespace: secretgen-controller
8:00:44AM: ---- waiting on 1 changes [10/11 done] ----
8:00:45AM: ongoing: reconcile deployment/secretgen-controller (apps/v1) namespace: secretgen-controller
8:00:45AM: ^ Waiting for generation 2 to be observed
8:00:45AM: L ok: waiting on replicaset/secretgen-controller-799d77f67d (apps/v1) namespace: secretgen-controller
8:00:45AM: L ongoing: waiting on pod/secretgen-controller-799d77f67d-ccfmh (v1) namespace: secretgen-controller
8:00:45AM: ^ Pending
8:00:46AM: ongoing: reconcile deployment/secretgen-controller (apps/v1) namespace: secretgen-controller
8:00:46AM: ^ Waiting for 1 unavailable replicas
8:00:46AM: L ok: waiting on replicaset/secretgen-controller-799d77f67d (apps/v1) namespace: secretgen-controller
8:00:46AM: L ongoing: waiting on pod/secretgen-controller-799d77f67d-ccfmh (v1) namespace: secretgen-controller
8:00:46AM: ^ Pending: ContainerCreating
8:00:51AM: ok: reconcile deployment/secretgen-controller (apps/v1) namespace: secretgen-controller
8:00:51AM: ---- applying complete [11/11 done] ----
8:00:51AM: ---- waiting complete [11/11 done] ----
Succeeded
- Validate secretgen-controller deployment and version
$ kubectl get pods -A | grep secretgen-controller
secretgen-controller   secretgen-controller-799d77f67d-ccfmh   1/1   Running   0   51s
$ kubectl get deployment secretgen-controller -n secretgen-controller -oyaml | grep secretgen-controller.carvel.dev/version
git\n URL: index.docker.io/k14s/secretgen-controller@sha256:bc346ab665f8106d7d232d798d2f75bbbca4557aae1268fd7dba946c1a8d027d\n","secretgen-controller.carvel.dev/version":"v0.5.0"},"labels":{"kapp.k14s.io/app":"1635321639588670249","kapp.k14s.io/association":"v1.1a0485fb29b825f0bdc2567860b4b9f4"},"name":"secretgen-controller","namespace":"secretgen-controller"},"spec":{"replicas":1,"revisionHistoryLimit":0,"selector":{"matchLabels":{"app":"secretgen-controller","kapp.k14s.io/app":"1635321639588670249"}},"template":{"metadata":{"labels":{"app":"secretgen-controller","kapp.k14s.io/app":"1635321639588670249","kapp.k14s.io/association":"v1.1a0485fb29b825f0bdc2567860b4b9f4"}},"spec":{"containers":[{"image":"index.docker.io/k14s/secretgen-controller@sha256:bc346ab665f8106d7d232d798d2f75bbbca4557aae1268fd7dba946c1a8d027d","name":"secretgen-controller","resources":{"requests":{"cpu":"120m","memory":"100Mi"}},"securityContext":{"runAsGroup":2000,"runAsUser":1000}}],"securityContext":{"fsGroup":3000},"serviceAccount":"secretgen-controller-sa"}}}}'
secretgen-controller.carvel.dev/version: v0.5.0
f:secretgen-controller.carvel.dev/version: {}
- Deploy cert-manager
$ kapp deploy -a cert-manager -f https://github.com/jetstack/cert-manager/releases/download/v1.5.3/cert-manager.yaml
Target cluster 'https://A67EC78FE0A3A2ADBB99CE0BDF234AB2.gr7.us-east-2.eks.amazonaws.com' (nodes: ip-10-0-72-61.us-east-2.compute.internal, 1+)
Changes
Namespace  Name  Kind  Conds.  Age  Op  Op st.  Wait to  Rs  Ri
(cluster)  cert-manager  Namespace  -  -  create  -  reconcile  -  -
^  cert-manager-cainjector  ClusterRole  -  -  create  -  reconcile  -  -
^  cert-manager-cainjector  ClusterRoleBinding  -  -  create  -  reconcile  -  -
^  cert-manager-controller-approve:cert-manager-io  ClusterRole  -  -  create  -  reconcile  -  -
^  cert-manager-controller-approve:cert-manager-io  ClusterRoleBinding  -  -  create  -  reconcile  -  -
^  cert-manager-controller-certificates  ClusterRole  -  -  create  -  reconcile  -  -
^  cert-manager-controller-certificates  ClusterRoleBinding  -  -  create  -  reconcile  -  -
^  cert-manager-controller-certificatesigningrequests  ClusterRole  -  -  create  -  reconcile  -  -
^  cert-manager-controller-certificatesigningrequests  ClusterRoleBinding  -  -  create  -  reconcile  -  -
^  cert-manager-controller-challenges  ClusterRole  -  -  create  -  reconcile  -  -
^  cert-manager-controller-challenges  ClusterRoleBinding  -  -  create  -  reconcile  -  -
^  cert-manager-controller-clusterissuers  ClusterRole  -  -  create  -  reconcile  -  -
^  cert-manager-controller-clusterissuers  ClusterRoleBinding  -  -  create  -  reconcile  -  -
^  cert-manager-controller-ingress-shim  ClusterRole  -  -  create  -  reconcile  -  -
^  cert-manager-controller-ingress-shim  ClusterRoleBinding  -  -  create  -  reconcile  -  -
^  cert-manager-controller-issuers  ClusterRole  -  -  create  -  reconcile  -  -
^  cert-manager-controller-issuers  ClusterRoleBinding  -  -  create  -  reconcile  -  -
^  cert-manager-controller-orders  ClusterRole  -  -  create  -  reconcile  -  -
^  cert-manager-controller-orders  ClusterRoleBinding  -  -  create  -  reconcile  -  -
^  cert-manager-edit  ClusterRole  -  -  create  -  reconcile  -  -
^  cert-manager-view  ClusterRole  -  -  create  -  reconcile  -  -
^  cert-manager-webhook  MutatingWebhookConfiguration  -  -  create  -  reconcile  -  -
^  cert-manager-webhook  ValidatingWebhookConfiguration  -  -  create  -  reconcile  -  -
^  cert-manager-webhook:subjectaccessreviews  ClusterRole  -  -  create  -  reconcile  -  -
^  cert-manager-webhook:subjectaccessreviews  ClusterRoleBinding  -  -  create  -  reconcile  -  -
^  certificaterequests.cert-manager.io  CustomResourceDefinition  -  -  create  -  reconcile  -  -
^  certificates.cert-manager.io  CustomResourceDefinition  -  -  create  -  reconcile  -  -
^  challenges.acme.cert-manager.io  CustomResourceDefinition  -  -  create  -  reconcile  -  -
^  clusterissuers.cert-manager.io  CustomResourceDefinition  -  -  create  -  reconcile  -  -
^  issuers.cert-manager.io  CustomResourceDefinition  -  -  create  -  reconcile  -  -
^  orders.acme.cert-manager.io  CustomResourceDefinition  -  -  create  -  reconcile  -  -
cert-manager  cert-manager  Deployment  -  -  create  -  reconcile  -  -
^  cert-manager  Service  -  -  create  -  reconcile  -  -
^  cert-manager  ServiceAccount  -  -  create  -  reconcile  -  -
^  cert-manager-cainjector  Deployment  -  -  create  -  reconcile  -  -
^  cert-manager-cainjector  ServiceAccount  -  -  create  -  reconcile  -  -
^  cert-manager-webhook  Deployment  -  -  create  -  reconcile  -  -
^  cert-manager-webhook  Service  -  -  create  -  reconcile  -  -
^  cert-manager-webhook  ServiceAccount  -  -  create  -  reconcile  -  -
^  cert-manager-webhook:dynamic-serving  Role  -  -  create  -  reconcile  -  -
^  cert-manager-webhook:dynamic-serving  RoleBinding  -  -  create  -  reconcile  -  -
kube-system  cert-manager-cainjector:leaderelection  Role  -  -  create  -  reconcile  -  -
^  cert-manager-cainjector:leaderelection  RoleBinding  -  -  create  -  reconcile  -  -
^  cert-manager:leaderelection  Role  -  -  create  -  reconcile  -  -
^  cert-manager:leaderelection  RoleBinding  -  -  create  -  reconcile  -  -
Op: 45 create, 0 delete, 0 update, 0 noop
Wait to: 45 reconcile, 0 delete, 0 noop
Continue? [yN]: y
8:02:40AM: ---- applying 35 changes [0/45 done] ----
8:02:40AM: create clusterrole/cert-manager-webhook:subjectaccessreviews (rbac.authorization.k8s.io/v1) cluster
8:02:40AM: create clusterrole/cert-manager-controller-certificatesigningrequests (rbac.authorization.k8s.io/v1) cluster
8:02:40AM: create clusterrole/cert-manager-controller-approve:cert-manager-io (rbac.authorization.k8s.io/v1) cluster
8:02:40AM: create validatingwebhookconfiguration/cert-manager-webhook (admissionregistration.k8s.io/v1) cluster
8:02:40AM: create clusterrolebinding/cert-manager-controller-issuers (rbac.authorization.k8s.io/v1) cluster
8:02:40AM: create clusterrolebinding/cert-manager-cainjector (rbac.authorization.k8s.io/v1) cluster
8:02:40AM: create clusterrolebinding/cert-manager-controller-clusterissuers (rbac.authorization.k8s.io/v1) cluster
8:02:40AM: create clusterrolebinding/cert-manager-controller-certificates (rbac.authorization.k8s.io/v1) cluster
8:02:40AM: create clusterrolebinding/cert-manager-controller-challenges (rbac.authorization.k8s.io/v1) cluster
8:02:40AM: create clusterrolebinding/cert-manager-controller-orders (rbac.authorization.k8s.io/v1) cluster
8:02:40AM: create clusterrolebinding/cert-manager-controller-approve:cert-manager-io (rbac.authorization.k8s.io/v1) cluster
8:02:40AM: create clusterrolebinding/cert-manager-controller-ingress-shim (rbac.authorization.k8s.io/v1) cluster
8:02:41AM: create clusterrolebinding/cert-manager-controller-certificatesigningrequests (rbac.authorization.k8s.io/v1) cluster
8:02:41AM: create clusterrolebinding/cert-manager-webhook:subjectaccessreviews (rbac.authorization.k8s.io/v1) cluster
8:02:41AM: create role/cert-manager-cainjector:leaderelection (rbac.authorization.k8s.io/v1) namespace: kube-system
8:02:41AM: create rolebinding/cert-manager-cainjector:leaderelection (rbac.authorization.k8s.io/v1) namespace: kube-system
8:02:41AM: create role/cert-manager:leaderelection (rbac.authorization.k8s.io/v1) namespace: kube-system
8:02:41AM: create rolebinding/cert-manager:leaderelection (rbac.authorization.k8s.io/v1) namespace: kube-system
8:02:41AM: create clusterrole/cert-manager-controller-issuers (rbac.authorization.k8s.io/v1) cluster
8:02:41AM: create mutatingwebhookconfiguration/cert-manager-webhook (admissionregistration.k8s.io/v1) cluster
8:02:42AM: create customresourcedefinition/certificaterequests.cert-manager.io (apiextensions.k8s.io/v1) cluster
8:02:42AM: create customresourcedefinition/certificates.cert-manager.io (apiextensions.k8s.io/v1) cluster
8:02:43AM: create namespace/cert-manager (v1) cluster
8:02:43AM: create clusterrole/cert-manager-cainjector (rbac.authorization.k8s.io/v1) cluster
8:02:43AM: create clusterrole/cert-manager-controller-challenges (rbac.authorization.k8s.io/v1) cluster
8:02:43AM: create clusterrole/cert-manager-controller-clusterissuers (rbac.authorization.k8s.io/v1) cluster
8:02:44AM: create clusterrole/cert-manager-controller-certificates (rbac.authorization.k8s.io/v1) cluster
8:02:44AM: create clusterrole/cert-manager-controller-orders (rbac.authorization.k8s.io/v1) cluster
8:02:44AM: create clusterrole/cert-manager-view (rbac.authorization.k8s.io/v1) cluster
8:02:44AM: create clusterrole/cert-manager-controller-ingress-shim (rbac.authorization.k8s.io/v1) cluster
8:02:44AM: create customresourcedefinition/challenges.acme.cert-manager.io (apiextensions.k8s.io/v1) cluster
8:02:45AM: create clusterrole/cert-manager-edit (rbac.authorization.k8s.io/v1) cluster
8:02:45AM: create customresourcedefinition/orders.acme.cert-manager.io (apiextensions.k8s.io/v1) cluster
8:02:46AM: create customresourcedefinition/clusterissuers.cert-manager.io (apiextensions.k8s.io/v1) cluster
8:02:46AM: create customresourcedefinition/issuers.cert-manager.io (apiextensions.k8s.io/v1) cluster
8:02:46AM: ---- waiting on 35 changes [0/45 done] ----
8:02:46AM: ok: reconcile clusterrole/cert-manager-controller-certificatesigningrequests (rbac.authorization.k8s.io/v1) cluster
8:02:46AM: ok: reconcile rolebinding/cert-manager:leaderelection (rbac.authorization.k8s.io/v1) namespace: kube-system
8:02:46AM: ok: reconcile clusterrole/cert-manager-controller-issuers (rbac.authorization.k8s.io/v1) cluster
8:02:46AM: ok: reconcile clusterrole/cert-manager-webhook:subjectaccessreviews (rbac.authorization.k8s.io/v1) cluster
8:02:46AM: ok: reconcile mutatingwebhookconfiguration/cert-manager-webhook (admissionregistration.k8s.io/v1) cluster
8:02:46AM: ok: reconcile customresourcedefinition/certificaterequests.cert-manager.io (apiextensions.k8s.io/v1) cluster
8:02:46AM: ok: reconcile namespace/cert-manager (v1) cluster
8:02:46AM: ok: reconcile customresourcedefinition/certificates.cert-manager.io (apiextensions.k8s.io/v1) cluster
8:02:46AM: ok: reconcile clusterrole/cert-manager-cainjector (rbac.authorization.k8s.io/v1) cluster
8:02:46AM: ok: reconcile clusterrole/cert-manager-controller-challenges (rbac.authorization.k8s.io/v1) cluster
8:02:46AM: ok: reconcile clusterrole/cert-manager-controller-clusterissuers (rbac.authorization.k8s.io/v1) cluster
8:02:46AM: ok: reconcile clusterrole/cert-manager-controller-certificates (rbac.authorization.k8s.io/v1) cluster
8:02:46AM: ok: reconcile clusterrole/cert-manager-controller-orders (rbac.authorization.k8s.io/v1) cluster
8:02:46AM: ok: reconcile clusterrole/cert-manager-view (rbac.authorization.k8s.io/v1) cluster
8:02:46AM: ok: reconcile clusterrole/cert-manager-controller-ingress-shim (rbac.authorization.k8s.io/v1) cluster
8:02:46AM: ok: reconcile clusterrole/cert-manager-edit (rbac.authorization.k8s.io/v1) cluster
8:02:46AM: ok: reconcile customresourcedefinition/issuers.cert-manager.io (apiextensions.k8s.io/v1) cluster
8:02:46AM: ok: reconcile customresourcedefinition/orders.acme.cert-manager.io (apiextensions.k8s.io/v1) cluster
8:02:46AM: ok: reconcile clusterrolebinding/cert-manager-controller-orders (rbac.authorization.k8s.io/v1) cluster
8:02:46AM: ok: reconcile clusterrole/cert-manager-controller-approve:cert-manager-io (rbac.authorization.k8s.io/v1) cluster
8:02:46AM: ok: reconcile validatingwebhookconfiguration/cert-manager-webhook (admissionregistration.k8s.io/v1) cluster
8:02:46AM: ok: reconcile customresourcedefinition/challenges.acme.cert-manager.io (apiextensions.k8s.io/v1) cluster
8:02:46AM: ok: reconcile clusterrolebinding/cert-manager-controller-issuers (rbac.authorization.k8s.io/v1) cluster
8:02:46AM: ok: reconcile clusterrolebinding/cert-manager-controller-certificates (rbac.authorization.k8s.io/v1) cluster
8:02:46AM: ok: reconcile clusterrolebinding/cert-manager-cainjector (rbac.authorization.k8s.io/v1) cluster
8:02:46AM: ok: reconcile clusterrolebinding/cert-manager-controller-clusterissuers (rbac.authorization.k8s.io/v1) cluster
8:02:46AM: ok: reconcile clusterrolebinding/cert-manager-webhook:subjectaccessreviews (rbac.authorization.k8s.io/v1) cluster
8:02:46AM: ok: reconcile clusterrolebinding/cert-manager-controller-ingress-shim (rbac.authorization.k8s.io/v1) cluster
8:02:46AM: ok: reconcile clusterrolebinding/cert-manager-controller-challenges (rbac.authorization.k8s.io/v1) cluster
8:02:46AM: ok: reconcile clusterrolebinding/cert-manager-controller-approve:cert-manager-io (rbac.authorization.k8s.io/v1) cluster
8:02:46AM: ok: reconcile customresourcedefinition/clusterissuers.cert-manager.io (apiextensions.k8s.io/v1) cluster
8:02:46AM: ok: reconcile role/cert-manager-cainjector:leaderelection (rbac.authorization.k8s.io/v1) namespace: kube-system
8:02:46AM: ok: reconcile clusterrolebinding/cert-manager-controller-certificatesigningrequests (rbac.authorization.k8s.io/v1) cluster
8:02:46AM: ok: reconcile rolebinding/cert-manager-cainjector:leaderelection (rbac.authorization.k8s.io/v1) namespace: kube-system
8:02:46AM: ok: reconcile role/cert-manager:leaderelection (rbac.authorization.k8s.io/v1) namespace: kube-system
8:02:46AM: ---- applying 5 changes [35/45 done] ----
8:02:46AM: create serviceaccount/cert-manager-cainjector (v1) namespace: cert-manager
8:02:46AM: create rolebinding/cert-manager-webhook:dynamic-serving (rbac.authorization.k8s.io/v1) namespace: cert-manager
8:02:46AM: create role/cert-manager-webhook:dynamic-serving (rbac.authorization.k8s.io/v1) namespace: cert-manager
8:02:46AM: create serviceaccount/cert-manager (v1) namespace: cert-manager
8:02:46AM: create serviceaccount/cert-manager-webhook (v1) namespace: cert-manager
8:02:46AM: ---- waiting on 5 changes [35/45 done] ----
8:02:46AM: ok: reconcile serviceaccount/cert-manager-webhook (v1) namespace: cert-manager
8:02:46AM: ok: reconcile role/cert-manager-webhook:dynamic-serving (rbac.authorization.k8s.io/v1) namespace: cert-manager
8:02:46AM: ok: reconcile rolebinding/cert-manager-webhook:dynamic-serving (rbac.authorization.k8s.io/v1) namespace: cert-manager
8:02:46AM: ok: reconcile serviceaccount/cert-manager-cainjector (v1) namespace: cert-manager
8:02:46AM: ok: reconcile serviceaccount/cert-manager (v1) namespace: cert-manager
8:02:46AM: ---- applying 5 changes [40/45 done] ----
8:02:46AM: create deployment/cert-manager-webhook (apps/v1) namespace: cert-manager
8:02:46AM: create deployment/cert-manager-cainjector (apps/v1) namespace: cert-manager
8:02:46AM: create service/cert-manager-webhook (v1) namespace: cert-manager
8:02:46AM: create service/cert-manager (v1) namespace: cert-manager
8:02:47AM: create deployment/cert-manager (apps/v1) namespace: cert-manager
8:02:47AM: ---- waiting on 5 changes [40/45 done] ----
8:02:47AM: ok: reconcile service/cert-manager-webhook (v1) namespace: cert-manager
8:02:47AM: ok: reconcile service/cert-manager (v1) namespace: cert-manager
8:02:48AM: ongoing: reconcile deployment/cert-manager-webhook (apps/v1) namespace: cert-manager
8:02:48AM: ^ Waiting for 1 unavailable replicas
8:02:48AM: L ok: waiting on replicaset/cert-manager-webhook-7774c459f6 (apps/v1) namespace: cert-manager
8:02:48AM: L ongoing: waiting on pod/cert-manager-webhook-7774c459f6-9gns5 (v1) namespace: cert-manager
8:02:48AM: ^ Pending: ContainerCreating
8:02:48AM: ongoing: reconcile deployment/cert-manager (apps/v1) namespace: cert-manager
8:02:48AM: ^ Waiting for generation 2 to be observed
8:02:48AM: L ok: waiting on replicaset/cert-manager-7fdfc4d799 (apps/v1) namespace: cert-manager
8:02:48AM: L ongoing: waiting on pod/cert-manager-7fdfc4d799-dfrrc (v1) namespace: cert-manager
8:02:48AM: ^ Pending: ContainerCreating
8:02:48AM: ongoing: reconcile deployment/cert-manager-cainjector (apps/v1) namespace: cert-manager
8:02:48AM: ^ Waiting for 1 unavailable replicas
8:02:48AM: L ok: waiting on replicaset/cert-manager-cainjector-567b694b87 (apps/v1) namespace: cert-manager
8:02:48AM: L ongoing: waiting on pod/cert-manager-cainjector-567b694b87-9rxn7 (v1) namespace: cert-manager
8:02:48AM: ^ Pending: ContainerCreating
8:02:48AM: ---- waiting on 3 changes [42/45 done] ----
8:02:48AM: ongoing: reconcile deployment/cert-manager (apps/v1) namespace: cert-manager
8:02:48AM: ^ Waiting for 1 unavailable replicas
8:02:48AM: L ok: waiting on replicaset/cert-manager-7fdfc4d799 (apps/v1) namespace: cert-manager
8:02:48AM: L ongoing: waiting on pod/cert-manager-7fdfc4d799-dfrrc (v1) namespace: cert-manager
8:02:48AM: ^ Pending: ContainerCreating
8:02:50AM: ongoing: reconcile deployment/cert-manager-webhook (apps/v1) namespace: cert-manager
8:02:50AM: ^ Waiting for 1 unavailable replicas
8:02:50AM: L ok: waiting on replicaset/cert-manager-webhook-7774c459f6 (apps/v1) namespace: cert-manager
8:02:50AM: L ongoing: waiting on pod/cert-manager-webhook-7774c459f6-9gns5 (v1) namespace: cert-manager
8:02:50AM: ^ Condition Ready is not True (False)
8:02:50AM: ok: reconcile deployment/cert-manager (apps/v1) namespace: cert-manager
8:02:50AM: ok: reconcile deployment/cert-manager-cainjector (apps/v1) namespace: cert-manager
8:02:50AM: ---- waiting on 1 changes [44/45 done] ----
8:02:59AM: ok: reconcile deployment/cert-manager-webhook (apps/v1) namespace: cert-manager
8:02:59AM: ---- applying complete [45/45 done] ----
8:02:59AM: ---- waiting complete [45/45 done] ----
Succeeded
- Validate cert-manager deployed version
$ kubectl get deployment cert-manager -n cert-manager -o yaml | grep 'app.kubernetes.io/version: v'
app.kubernetes.io/version: v1.5.3
app.kubernetes.io/version: v1.5.3
- Deploy FluxCD source-controller
# Create namespace
$ kubectl create namespace flux-system
namespace/flux-system created
$ kubectl create clusterrolebinding default-admin \
> --clusterrole=cluster-admin \
> --serviceaccount=flux-system:default
clusterrolebinding.rbac.authorization.k8s.io/default-admin created
$ kapp deploy -a flux-source-controller -n flux-system \
> -f https://github.com/fluxcd/source-controller/releases/download/v0.15.4/source-controller.crds.yaml \
> -f https://github.com/fluxcd/source-controller/releases/download/v0.15.4/source-controller.deployment.yaml
Target cluster 'https://A67EC78FE0A3A2ADBB99CE0BDF234AB2.gr7.us-east-2.eks.amazonaws.com' (nodes: ip-10-0-72-61.us-east-2.compute.internal, 1+)
Changes
Namespace  Name  Kind  Conds.  Age  Op  Op st.  Wait to  Rs  Ri
(cluster)  buckets.source.toolkit.fluxcd.io  CustomResourceDefinition  -  -  create  -  reconcile  -  -
^  gitrepositories.source.toolkit.fluxcd.io  CustomResourceDefinition  -  -  create  -  reconcile  -  -
^  helmcharts.source.toolkit.fluxcd.io  CustomResourceDefinition  -  -  create  -  reconcile  -  -
^  helmrepositories.source.toolkit.fluxcd.io  CustomResourceDefinition  -  -  create  -  reconcile  -  -
flux-system  source-controller  Deployment  -  -  create  -  reconcile  -  -
^  source-controller  Service  -  -  create  -  reconcile  -  -
Op: 6 create, 0 delete, 0 update, 0 noop
Wait to: 6 reconcile, 0 delete, 0 noop
Continue? [yN]: y
8:04:24AM: ---- applying 6 changes [0/6 done] ----
8:04:25AM: create customresourcedefinition/buckets.source.toolkit.fluxcd.io (apiextensions.k8s.io/v1) cluster
8:04:25AM: create customresourcedefinition/helmrepositories.source.toolkit.fluxcd.io (apiextensions.k8s.io/v1) cluster
8:04:25AM: create customresourcedefinition/helmcharts.source.toolkit.fluxcd.io (apiextensions.k8s.io/v1) cluster
8:04:25AM: create customresourcedefinition/gitrepositories.source.toolkit.fluxcd.io (apiextensions.k8s.io/v1) cluster
8:04:25AM: create service/source-controller (v1) namespace: flux-system
8:04:25AM: create deployment/source-controller (apps/v1) namespace: flux-system
8:04:25AM: ---- waiting on 6 changes [0/6 done] ----
8:04:25AM: ok: reconcile customresourcedefinition/helmcharts.source.toolkit.fluxcd.io (apiextensions.k8s.io/v1) cluster
8:04:25AM: ok: reconcile customresourcedefinition/helmrepositories.source.toolkit.fluxcd.io (apiextensions.k8s.io/v1) cluster
8:04:25AM: ok: reconcile customresourcedefinition/buckets.source.toolkit.fluxcd.io (apiextensions.k8s.io/v1) cluster
8:04:25AM: ok: reconcile customresourcedefinition/gitrepositories.source.toolkit.fluxcd.io (apiextensions.k8s.io/v1) cluster
8:04:25AM: ok: reconcile service/source-controller (v1) namespace: flux-system
8:04:25AM: ongoing: reconcile deployment/source-controller (apps/v1) namespace: flux-system
8:04:25AM: ^ Waiting for generation 2 to be observed
8:04:25AM: L ok: waiting on replicaset/source-controller-788bccc84d (apps/v1) namespace: flux-system
8:04:25AM: L ongoing: waiting on pod/source-controller-788bccc84d-k6rhv (v1) namespace: flux-system
8:04:25AM: ^ Pending: ContainerCreating
8:04:25AM: ---- waiting on 1 changes [5/6 done] ----
8:04:26AM: ongoing: reconcile deployment/source-controller (apps/v1) namespace: flux-system
8:04:26AM: ^ Waiting for 1 unavailable replicas
8:04:26AM: L ok: waiting on replicaset/source-controller-788bccc84d (apps/v1) namespace: flux-system
8:04:26AM: L ongoing: waiting on pod/source-controller-788bccc84d-k6rhv (v1) namespace: flux-system
8:04:26AM: ^ Pending: ContainerCreating
8:04:29AM: ongoing: reconcile deployment/source-controller (apps/v1) namespace: flux-system
8:04:29AM: ^ Waiting for 1 unavailable replicas
8:04:29AM: L ok: waiting on replicaset/source-controller-788bccc84d (apps/v1) namespace: flux-system
8:04:29AM: L ongoing: waiting on pod/source-controller-788bccc84d-k6rhv (v1) namespace: flux-system
8:04:29AM: ^ Condition Ready is not True (False)
8:04:30AM: ongoing: reconcile deployment/source-controller (apps/v1) namespace: flux-system
8:04:30AM: ^ Waiting for 1 unavailable replicas
8:04:30AM: L ok: waiting on replicaset/source-controller-788bccc84d (apps/v1) namespace: flux-system
8:04:30AM: L ok: waiting on pod/source-controller-788bccc84d-k6rhv (v1) namespace: flux-system
8:04:31AM: ok: reconcile deployment/source-controller (apps/v1) namespace: flux-system
8:04:31AM: ---- applying complete [6/6 done] ----
8:04:31AM: ---- waiting complete [6/6 done] ----
Succeeded
Setting up Tanzu CLI and plugins
The Tanzu CLI and its plugins are needed on the machine from which you will trigger the TAP deployment. Follow the steps below to set them up. I am using a Linux system, so the steps are shown for Linux.
- Download Tanzu CLI from Tanzu Network. You need to have pivnet CLI installed and configured.
$ pivnet download-product-files --product-slug='tanzu-application-platform' --release-version='0.2.0' --product-file-id=1055586
2021/10/27 08:09:09 Downloading 'tanzu-framework-linux-amd64.tar' to 'tanzu-framework-linux-amd64.tar'
 530.71 MiB / 530.71 MiB [==========================================] 100.00% 1s
2021/10/27 08:09:11 Verifying SHA256
2021/10/27 08:09:13 Successfully verified SHA256
- Install Tanzu CLI
# Create a dir
$ mkdir -p $HOME/tanzu
$ tar -xvf tanzu-framework-linux-amd64.tar -C $HOME/tanzu
cli/
cli/login/
cli/login/v0.5.0/
cli/login/v0.5.0/tanzu-login-linux_amd64
cli/login/plugin.yaml
cli/apps/
cli/apps/v0.5.0/
cli/apps/v0.5.0/tanzu-apps-linux_amd64
cli/apps/plugin.yaml
cli/manifest.yaml
cli/cluster/
cli/cluster/v0.5.0/
cli/cluster/v0.5.0/tanzu-cluster-linux_amd64
cli/cluster/plugin.yaml
cli/kubernetes-release/
cli/kubernetes-release/v0.5.0/
cli/kubernetes-release/v0.5.0/tanzu-kubernetes-release-linux_amd64
cli/kubernetes-release/plugin.yaml
cli/accelerator/
cli/accelerator/v0.5.0/
cli/accelerator/v0.5.0/tanzu-accelerator-linux_amd64
cli/accelerator/plugin.yaml
cli/imagepullsecret/
cli/imagepullsecret/v0.5.0/
cli/imagepullsecret/v0.5.0/tanzu-imagepullsecret-linux_amd64
cli/imagepullsecret/plugin.yaml
cli/package/
cli/package/v0.5.0/
cli/package/v0.5.0/tanzu-package-linux_amd64
cli/package/plugin.yaml
cli/pinniped-auth/
cli/pinniped-auth/v0.5.0/
cli/pinniped-auth/v0.5.0/tanzu-pinniped-auth-linux_amd64
cli/pinniped-auth/plugin.yaml
cli/management-cluster/
cli/management-cluster/v0.5.0/
cli/management-cluster/v0.5.0/tanzu-management-cluster-linux_amd64
cli/management-cluster/plugin.yaml
cli/core/
cli/core/v0.5.0/
cli/core/v0.5.0/tanzu-core-linux_amd64
cli/core/plugin.yaml

$ cd $HOME/tanzu
$ sudo install cli/core/v0.5.0/tanzu-core-linux_amd64 /usr/local/bin/tanzu
$ tanzu
| initializing Tanzu CLI
Usage:
  tanzu [command]

Available command groups:

  Run
    cluster                 Kubernetes cluster operations
    kubernetes-release      Kubernetes release operations
    management-cluster      Kubernetes management cluster operations
    package                 Tanzu package management

  System
    completion              Output shell completion code
    config                  Configuration for the CLI
    init                    Initialize the CLI
    login                   Login to the platform
    plugin                  Manage CLI plugins
    update                  Update the CLI
    version                 Version information

Flags:
  -h, --help   help for tanzu

Use "tanzu [command] --help" for more information about a command.

Not logged in
- Validate tanzu cli version
$ tanzu version
version: v0.5.0
buildDate: 2021-10-01
sha: e1894f55
- Install and validate Tanzu CLI plugins
$ tanzu plugin install --local cli all

# List the installed tanzu cli plugins
$ tanzu plugin list
NAME                LATEST VERSION  DESCRIPTION                                                        REPOSITORY  VERSION  STATUS
accelerator                         Manage accelerators in a Kubernetes cluster                                    v0.3.0   installed
apps                                Applications on Kubernetes                                                     v0.2.0   installed
cluster             v0.8.0          Kubernetes cluster operations                                      core        v0.5.0   upgrade available
imagepullsecret                     Manage image pull secret operations. Image pull secrets enable the package and package repository consumers to authenticate to private registries.              v0.5.0   installed
kubernetes-release  v0.8.0          Kubernetes release operations                                      core        v0.5.0   upgrade available
login               v0.8.0          Login to the platform                                              core        v0.5.0   upgrade available
management-cluster  v0.8.0          Kubernetes management cluster operations                           core        v0.5.0   upgrade available
package             v0.8.0          Tanzu package management                                           core        v0.5.0   upgrade available
pinniped-auth       v0.8.0          Pinniped authentication operations (usually not directly invoked)  core        v0.5.0   upgrade available
secret              v0.8.0          Tanzu secret management                                            core                 not installed
Installing TAP
- Create a namespace
$ kubectl create ns tap-install
namespace/tap-install created
- Create image pull secret for Tanzu Network registry
$ tanzu imagepullsecret add tap-registry --username dinesh.tripathi30@gmail.com --password <replace-me> --registry registry.tanzu.vmware.com --export-to-all-namespaces --namespace tap-install
Warning: By choosing --export-to-all-namespaces, given secret contents will be available to ALL users in ALL namespaces. Please ensure that included registry credentials are read only and are safe to share.
| Adding image pull secret 'tap-registry'...
Added image pull secret 'tap-registry' into namespace 'tap-install'
- Add TAP package repository
$ tanzu package repository add tanzu-tap-repository \
> --url registry.tanzu.vmware.com/tanzu-application-platform/tap-packages:0.2.0 \
> --namespace tap-install
| Adding package repository 'tanzu-tap-repository'...
Added package repository 'tanzu-tap-repository'

$ tanzu package repository get tanzu-tap-repository --namespace tap-install
\ Retrieving repository tanzu-tap-repository...
NAME:          tanzu-tap-repository
VERSION:       9446
REPOSITORY:    registry.tanzu.vmware.com/tanzu-application-platform/tap-packages:0.2.0
STATUS:        Reconcile succeeded
REASON:
- Validate the packages available in the repository that need to be installed.
$ tanzu package available list --namespace tap-install
\ Retrieving available packages...
NAME                                               DISPLAY-NAME                                                           SHORT-DESCRIPTION
accelerator.apps.tanzu.vmware.com                  Application Accelerator for VMware Tanzu                               Used to create new projects and configurations.
api-portal.tanzu.vmware.com                        API portal                                                             A unified user interface to enable search, discovery and try-out of API endpoints at ease.
appliveview.tanzu.vmware.com                       Application Live View for VMware Tanzu                                 App for monitoring and troubleshooting running apps
buildservice.tanzu.vmware.com                      Tanzu Build Service                                                    Tanzu Build Service enables the building and automation of containerized software workflows securely and at scale.
cartographer.tanzu.vmware.com                      Cartographer                                                           Kubernetes native Supply Chain Choreographer.
cnrs.tanzu.vmware.com                              Cloud Native Runtimes                                                  Cloud Native Runtimes is a serverless runtime based on Knative
controller.conventions.apps.tanzu.vmware.com       Convention Service for VMware Tanzu                                    Convention Service enables app operators to consistently apply desired runtime configurations to fleets of workloads.
controller.source.apps.tanzu.vmware.com            Tanzu Source Controller                                                Tanzu Source Controller enables workload create/update from source code.
default-supply-chain-testing.tanzu.vmware.com      Tanzu App Platform Default Supply Chain with Testing                   Default Software Supply Chain with testing.
default-supply-chain.tanzu.vmware.com              Tanzu App Platform Default Supply Chain                                Default Supply Chain
developer-conventions.tanzu.vmware.com             Tanzu App Platform Develooper Conventions                              Developer Conventions
grype.scanning.apps.tanzu.vmware.com               Grype Scanner for Supply Chain Security Tools for VMware Tanzu - Scan  Default scan templates using Anchore Grype
image-policy-webhook.signing.run.tanzu.vmware.com  Image Policy Webhook                                                   The Image Policy Webhook allows platform operators to define a policy that will use cosign to verify signatures of container images
scanning.apps.tanzu.vmware.com                     Supply Chain Security Tools for VMware Tanzu - Scan                    Scan for vulnerabilities and enforce policies directly within Kubernetes native Supply Chains.
scp-toolkit.tanzu.vmware.com                       SCP Toolkit                                                            The SCP Toolkit
scst-store.tanzu.vmware.com                        Tanzu Supply Chain Security Tools - Store                              The Metadata Store enables saving and querying image, package, and vulnerability data.
service-bindings.labs.vmware.com                   Service Bindings for Kubernetes                                        Service Bindings for Kubernetes implements the Service Binding Specification.
- Now we will install these packages one by one.
Install Cloud Native Runtimes
$ tanzu package install cloud-native-runtimes -p cnrs.tanzu.vmware.com -v 1.0.2 -n tap-install --poll-timeout 30m
\ Installing package 'cnrs.tanzu.vmware.com'
| Getting namespace 'tap-install'
| Getting package metadata for 'cnrs.tanzu.vmware.com'
| Creating service account 'cloud-native-runtimes-tap-install-sa'
| Creating cluster admin role 'cloud-native-runtimes-tap-install-cluster-role'
| Creating cluster role binding 'cloud-native-runtimes-tap-install-cluster-rolebinding'
- Creating package resource
- Package install status: Reconciling
Added installed package 'cloud-native-runtimes' in namespace 'tap-install'

# Validate cloud native runtime installation
$ tanzu package installed get cloud-native-runtimes -n tap-install
\ Retrieving installation details for cloud-native-runtimes...
NAME:                    cloud-native-runtimes
PACKAGE-NAME:            cnrs.tanzu.vmware.com
PACKAGE-VERSION:         1.0.2
STATUS:                  Reconcile succeeded
CONDITIONS:              [{ReconcileSucceeded True }]
USEFUL-ERROR-MESSAGE:
Install Application Accelerator
- Create app-accelerator-values.yaml
server:
  # Set the engine.service_type to "NodePort" for local clusters like minikube or kind.
  service_type: "LoadBalancer"
  watched_namespace: "default"
- Install Application accelerator
$ tanzu package install app-accelerator -p accelerator.apps.tanzu.vmware.com -v 0.3.0 -n tap-install -f app-accelerator-values.yaml
\ Installing package 'accelerator.apps.tanzu.vmware.com'
| Getting namespace 'tap-install'
| Getting package metadata for 'accelerator.apps.tanzu.vmware.com'
| Creating service account 'app-accelerator-tap-install-sa'
| Creating cluster admin role 'app-accelerator-tap-install-cluster-role'
| Creating cluster role binding 'app-accelerator-tap-install-cluster-rolebinding'
| Creating secret 'app-accelerator-tap-install-values'
- Creating package resource
- Package install status: Reconciling
Added installed package 'app-accelerator' in namespace 'tap-install'
- Validate the installation
$ k get all -n accelerator-system
NAME                                                  READY   STATUS    RESTARTS   AGE
pod/acc-engine-547d977887-p27qg                       1/1     Running   0          2m6s
pod/acc-ui-server-55566b5864-2bt9h                    1/1     Running   0          2m6s
pod/accelerator-controller-manager-66d8d947dd-9ztcs   1/1     Running   0          2m6s

NAME                    TYPE           CLUSTER-IP      EXTERNAL-IP                                                               PORT(S)        AGE
service/acc-engine      ClusterIP      172.20.43.169   <none>                                                                    80/TCP         2m7s
service/acc-ui-server   LoadBalancer   172.20.115.40   a0edbbfa1ccbc41f1bb443f9ebb6c22e-2145691775.us-east-2.elb.amazonaws.com   80:31944/TCP   2m6s

NAME                                             READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/acc-engine                       1/1     1            1           2m8s
deployment.apps/acc-ui-server                    1/1     1            1           2m7s
deployment.apps/accelerator-controller-manager   1/1     1            1           2m7s

NAME                                                        DESIRED   CURRENT   READY   AGE
replicaset.apps/acc-engine-547d977887                       1         1         1       2m8s
replicaset.apps/acc-ui-server-55566b5864                    1         1         1       2m7s
replicaset.apps/accelerator-controller-manager-66d8d947dd   1         1         1       2m7s

NAME                                                                  SHORT NAME    DUCKS   READY   REASON
clusterducktype.discovery.knative.dev/addressables.duck.knative.dev   Addressable   7       True
clusterducktype.discovery.knative.dev/bindings.duck.knative.dev       Binding       1       True
clusterducktype.discovery.knative.dev/channelables.duck.knative.dev   Channelable   0       True
clusterducktype.discovery.knative.dev/podspecables.duck.knative.dev   PodSpecable   7       True
clusterducktype.discovery.knative.dev/sources.duck.knative.dev        Source        18      True

$ tanzu package installed get app-accelerator -n tap-install
| Retrieving installation details for app-accelerator...
NAME:                    app-accelerator
PACKAGE-NAME:            accelerator.apps.tanzu.vmware.com
PACKAGE-VERSION:         0.3.0
STATUS:                  Reconcile succeeded
CONDITIONS:              [{ReconcileSucceeded True }]
USEFUL-ERROR-MESSAGE:
Install Convention Service
$ tanzu package install convention-controller -p controller.conventions.apps.tanzu.vmware.com -v 0.4.2 -n tap-install
| Installing package 'controller.conventions.apps.tanzu.vmware.com'
| Getting namespace 'tap-install'
| Getting package metadata for 'controller.conventions.apps.tanzu.vmware.com'
| Creating service account 'convention-controller-tap-install-sa'
| Creating cluster admin role 'convention-controller-tap-install-cluster-role'
| Creating cluster role binding 'convention-controller-tap-install-cluster-rolebinding'
- Creating package resource
/ Package install status: Reconciling
Added installed package 'convention-controller' in namespace 'tap-install'

$ tanzu package installed get convention-controller -n tap-install
| Retrieving installation details for convention-controller...
NAME:                    convention-controller
PACKAGE-NAME:            controller.conventions.apps.tanzu.vmware.com
PACKAGE-VERSION:         0.4.2
STATUS:                  Reconcile succeeded
CONDITIONS:              [{ReconcileSucceeded True }]
USEFUL-ERROR-MESSAGE:

$ kubectl get pods -n conventions-system
NAME                                             READY   STATUS    RESTARTS   AGE
conventions-controller-manager-b7b9b4f99-cq2b6   1/1     Running   0          86s
Install Source Controller
$ tanzu package install source-controller -p controller.source.apps.tanzu.vmware.com -v 0.1.2 -n tap-install
| Installing package 'controller.source.apps.tanzu.vmware.com'
| Getting namespace 'tap-install'
| Getting package metadata for 'controller.source.apps.tanzu.vmware.com'
| Creating service account 'source-controller-tap-install-sa'
| Creating cluster admin role 'source-controller-tap-install-cluster-role'
| Creating cluster role binding 'source-controller-tap-install-cluster-rolebinding'
- Creating package resource
\ Package install status: Reconciling
Added installed package 'source-controller' in namespace 'tap-install'

$ tanzu package installed get source-controller -n tap-install
/ Retrieving installation details for source-controller...
NAME:                    source-controller
PACKAGE-NAME:            controller.source.apps.tanzu.vmware.com
PACKAGE-VERSION:         0.1.2
STATUS:                  Reconcile succeeded
CONDITIONS:              [{ReconcileSucceeded True }]
USEFUL-ERROR-MESSAGE:

$ kubectl get pods -n source-system
NAME                                        READY   STATUS    RESTARTS   AGE
source-controller-manager-7d8486fcfd-xbwd6  1/1     Running   0          76s
Install Tanzu Build Services
This installation is a bit time-consuming and complex. The process stays the same, but TBS needs more space, and you may see a pull rate limit error when you try to use Docker Hub as the registry.
Here is the Docker pull rate limit error that I faced, after which I used ACR.
Error: package reconciliation failed: kapp: Error: waiting on reconcile tanzunetdependencyupdater/dependency-updater (buildservice.tanzu.vmware.com/v1alpha1) namespace: build-service:
Finished unsuccessfully (Encountered failure condition Ready == False: CannotImportDescriptor (message: ClusterStore "default" not ready: GET https://index.docker.io/v2/dineshtripathi30/build-service/manifests/sha256:fe9636f80a7f1f07d3d392fbd7aa723226cb02d294d030d20d53b84db66d92b1: TOOMANYREQUESTS: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit))
Usage:
  tanzu package install INSTALLED_PACKAGE_NAME --package-name PACKAGE_NAME --version VERSION [flags]
- Create tbs-values.yaml with the following content.
---
kp_default_repository: ddemoacr.azurecr.io/build-service
kp_default_repository_username: dineshtripathi30
kp_default_repository_password: <dockerhubpwd>
tanzunet_username: dinesh.tripathi30@gmail.com
tanzunet_password: <Tanzu Network pwd>
- Trigger the TBS Installation.
$ tanzu package install tbs -p buildservice.tanzu.vmware.com -v 1.3.0 -n tap-install -f tbs-values.yaml --poll-timeout 30m
/ Installing package 'buildservice.tanzu.vmware.com'
| Getting namespace 'tap-install'
| Getting package metadata for 'buildservice.tanzu.vmware.com'
| Creating service account 'tbs-tap-install-sa'
| Creating cluster admin role 'tbs-tap-install-cluster-role'
| Creating cluster role binding 'tbs-tap-install-cluster-rolebinding'
| Creating secret 'tbs-tap-install-values'
- Creating package resource
\ Package install status: Reconciling
Added installed package 'tbs' in namespace 'tap-install'

$ tanzu package installed get tbs -n tap-install
- Retrieving installation details for tbs...
NAME:                    tbs
PACKAGE-NAME:            buildservice.tanzu.vmware.com
PACKAGE-VERSION:         1.3.0
STATUS:                  Reconcile succeeded
CONDITIONS:              [{ReconcileSucceeded True }]
USEFUL-ERROR-MESSAGE:
- Validate the images stored on registry by TBS
Install Supply Chain Choreographer
$ tanzu package install cartographer \
> --namespace tap-install \
> --package-name cartographer.tanzu.vmware.com \
> --version 0.0.6
\ Installing package 'cartographer.tanzu.vmware.com'
| Getting namespace 'tap-install'
| Getting package metadata for 'cartographer.tanzu.vmware.com'
| Creating service account 'cartographer-tap-install-sa'
| Creating cluster admin role 'cartographer-tap-install-cluster-role'
| Creating cluster role binding 'cartographer-tap-install-cluster-rolebinding'
- Creating package resource
/ Package install status: Reconciling
Added installed package 'cartographer' in namespace 'tap-install'
Install Default Supply Chain
- Create a default-supply-chain-values.yaml file with the content below. Remember to update your registry and repository name.
---
registry:
  server: demoacr.azurecr.io
  repository: tap
- Install Default supply chain
$ tanzu package install default-supply-chain \
> --package-name default-supply-chain.tanzu.vmware.com \
> --version 0.2.0 \
> --namespace tap-install \
> --values-file default-supply-chain-values.yaml
\ Installing package 'default-supply-chain.tanzu.vmware.com'
| Getting namespace 'tap-install'
| Getting package metadata for 'default-supply-chain.tanzu.vmware.com'
| Creating service account 'default-supply-chain-tap-install-sa'
| Creating cluster admin role 'default-supply-chain-tap-install-cluster-role'
| Creating cluster role binding 'default-supply-chain-tap-install-cluster-rolebinding'
| Creating secret 'default-supply-chain-tap-install-values'
- Creating package resource
/ Package install status: Reconciling
Added installed package 'default-supply-chain' in namespace 'tap-install'
Install Developer Conventions
$ tanzu package install developer-conventions \
> --package-name developer-conventions.tanzu.vmware.com \
> --version 0.2.0 \
> --namespace tap-install
\ Installing package 'developer-conventions.tanzu.vmware.com'
| Getting namespace 'tap-install'
| Getting package metadata for 'developer-conventions.tanzu.vmware.com'
| Creating service account 'developer-conventions-tap-install-sa'
| Creating cluster admin role 'developer-conventions-tap-install-cluster-role'
| Creating cluster role binding 'developer-conventions-tap-install-cluster-rolebinding'
- Creating package resource
\ Package install status: Reconciling
Added installed package 'developer-conventions' in namespace 'tap-install'
- Validate the package installation
$ tanzu package installed get developer-conventions -n tap-install
\ Retrieving installation details for developer-conventions...
NAME:                    developer-conventions
PACKAGE-NAME:            developer-conventions.tanzu.vmware.com
PACKAGE-VERSION:         0.2.0
STATUS:                  Reconcile succeeded
CONDITIONS:              [{ReconcileSucceeded True }]
USEFUL-ERROR-MESSAGE:
Install Application Live View
- Create an app-live-view-values.yaml file with the content below
---
connector_namespaces: [default]
server_namespace: app-live-view
- Install Application Live View
$ tanzu package install app-live-view -p appliveview.tanzu.vmware.com -v 0.2.0 -n tap-install -f app-live-view-values.yaml
\ Installing package 'appliveview.tanzu.vmware.com'
| Getting namespace 'tap-install'
| Getting package metadata for 'appliveview.tanzu.vmware.com'
| Creating service account 'app-live-view-tap-install-sa'
| Creating cluster admin role 'app-live-view-tap-install-cluster-role'
| Creating cluster role binding 'app-live-view-tap-install-cluster-rolebinding'
| Creating secret 'app-live-view-tap-install-values'
- Creating package resource
\ Package install status: Reconciling
Added installed package 'app-live-view' in namespace 'tap-install'

$ tanzu package installed get app-live-view -n tap-install
| Retrieving installation details for app-live-view...
NAME:                    app-live-view
PACKAGE-NAME:            appliveview.tanzu.vmware.com
PACKAGE-VERSION:         0.2.0
STATUS:                  Reconcile succeeded
CONDITIONS:              [{ReconcileSucceeded True }]
USEFUL-ERROR-MESSAGE:
Install Service Bindings
$ tanzu package install service-bindings -p service-bindings.labs.vmware.com -v 0.5.0 -n tap-install
| Installing package 'service-bindings.labs.vmware.com'
| Getting namespace 'tap-install'
| Getting package metadata for 'service-bindings.labs.vmware.com'
| Creating service account 'service-bindings-tap-install-sa'
| Creating cluster admin role 'service-bindings-tap-install-cluster-role'
| Creating cluster role binding 'service-bindings-tap-install-cluster-rolebinding'
- Creating package resource
\ Package install status: Reconciling
Added installed package 'service-bindings' in namespace 'tap-install'

$ tanzu package installed get service-bindings -n tap-install
/ Retrieving installation details for service-bindings...
NAME:                    service-bindings
PACKAGE-NAME:            service-bindings.labs.vmware.com
PACKAGE-VERSION:         0.5.0
STATUS:                  Reconcile succeeded
CONDITIONS:              [{ReconcileSucceeded True }]
USEFUL-ERROR-MESSAGE:
Install Supply Chain Security Tools — Store
- Create a scst-store-values.yaml file with the content below
db_password: "PASSWORD-0123"
app_service_type: "LoadBalancer"
db_host: "metadata-store-db"
- Install the component
$ tanzu package install metadata-store \
> --package-name scst-store.tanzu.vmware.com \
> --version 1.0.0-beta.0 \
> --namespace tap-install \
> --values-file scst-store-values.yaml
/ Installing package 'scst-store.tanzu.vmware.com'
| Getting namespace 'tap-install'
| Getting package metadata for 'scst-store.tanzu.vmware.com'
| Creating service account 'metadata-store-tap-install-sa'
| Creating cluster admin role 'metadata-store-tap-install-cluster-role'
| Creating cluster role binding 'metadata-store-tap-install-cluster-rolebinding'
| Creating secret 'metadata-store-tap-install-values'
- Creating package resource
/ Package install status: Reconciling
Added installed package 'metadata-store' in namespace 'tap-install'
Install Supply Chain Security Tools — Sign
- Create a scst-sign-values.yaml file with the content below. Remember, if you set warn_on_unmatched to true, only a warning is given and not an error.
---
warn_on_unmatched: true
- Install the component. (I am not using this component, so I am skipping the cluster image policy creation. You can create one if you are implementing this.)
$ tanzu package install image-policy-webhook \
> --package-name image-policy-webhook.signing.run.tanzu.vmware.com \
> --version 1.0.0-beta.0 \
> --namespace tap-install \
> --values-file scst-sign-values.yaml
/ Installing package 'image-policy-webhook.signing.run.tanzu.vmware.com'
| Getting namespace 'tap-install'
| Getting package metadata for 'image-policy-webhook.signing.run.tanzu.vmware.com'
| Creating service account 'image-policy-webhook-tap-install-sa'
| Creating cluster admin role 'image-policy-webhook-tap-install-cluster-role'
| Creating cluster role binding 'image-policy-webhook-tap-install-cluster-rolebinding'
| Creating secret 'image-policy-webhook-tap-install-values'
- Creating package resource
\ Package install status: Reconciling
Added installed package 'image-policy-webhook' in namespace 'tap-install'
Install Supply Chain Security Tools — Scan
- Create a file named scst-scan-controller-values.yaml
- Update the file with the parameters below and their values. The values depend on your setup.
---
metadataStoreUrl: https://metadata-store-app.metadata-store.svc.cluster.local:8443
metadataStoreCa: |-
  -----BEGIN CERTIFICATE-----
  <replace-me>
  -----END CERTIFICATE-----
metadataStoreTokenSecret: metadata-store-secret
- To fetch the metadataStoreUrl, run
$ kubectl -n metadata-store get service -o name |
> grep app |
> xargs kubectl -n metadata-store get -o jsonpath='{.spec.ports[].name}{"://"}{.metadata.name}{"."}{.metadata.namespace}{".svc.cluster.local:"}{.spec.ports[].port}'
- To fetch the certificate, run
$ kubectl get secret app-tls-cert -n metadata-store -o json | jq -r '.data."ca.crt"' | base64 -d
- Install the component
$ kubectl create namespace scan-link-system
namespace/scan-link-system created

$ kubectl apply -f metadata-store-secret.yaml
secret/metadata-store-secret created

$ tanzu package install scan-controller \
> --package-name scanning.apps.tanzu.vmware.com \
> --version 1.0.0-beta \
> --namespace tap-install \
> --values-file scst-scan-controller-values.yaml
\ Installing package 'scanning.apps.tanzu.vmware.com'
| Getting namespace 'tap-install'
| Getting package metadata for 'scanning.apps.tanzu.vmware.com'
| Creating service account 'scan-controller-tap-install-sa'
| Creating cluster admin role 'scan-controller-tap-install-cluster-role'
| Creating cluster role binding 'scan-controller-tap-install-cluster-rolebinding'
| Creating secret 'scan-controller-tap-install-values'
- Creating package resource
/ Package install status: Reconciling
Added installed package 'scan-controller' in namespace 'tap-install'
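The values file for the scan controller is easy to get wrong by hand, because the CA has to sit indented under the block scalar and the URL has to match the service. The script below is an added example, not part of the original post or of TAP: it builds the file from the JSON of the metadata-store Service and the app-tls-cert secret, and refuses a non-TLS URL or a malformed certificate. The sample objects are constructed, and the function names are my own.

```python
"""Build scst-scan-controller-values.yaml from the metadata-store Service and TLS secret."""
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----")


def metadata_store_url(service):
    """Same fields as the jsonpath query: <port name>://<name>.<namespace>.svc.cluster.local:<port>."""
    port = service["spec"]["ports"][0]
    meta = service["metadata"]
    url = f'{port["name"]}://{meta["name"]}.{meta["namespace"]}.svc.cluster.local:{port["port"]}'
    if not url.startswith("https://"):
        # Added check: the CA below is only meaningful for a TLS endpoint.
        raise ValueError(f"metadata store is not served over TLS: {url}")
    return url


def ca_bundle(secret):
    """Decode .data["ca.crt"] and check that it holds only well-formed PEM blocks."""
    pem = base64.b64decode(secret["data"]["ca.crt"], validate=True).decode("ascii")
    blocks = PEM_BLOCK.findall(pem)
    if not blocks or PEM_BLOCK.sub("", pem).strip():
        raise ValueError("ca.crt is not a clean PEM certificate bundle")
    for body in blocks:
        der = base64.b64decode("".join(body.split()), validate=True)
        if der[:1] != b"\x30":  # an X.509 certificate is a DER SEQUENCE
            raise ValueError("PEM block does not contain DER data")
    return pem.strip()


def render_values(service, secret, token_secret="metadata-store-secret"):
    """Return the YAML text of the values file."""
    url = metadata_store_url(service)
    pem = ca_bundle(secret)
    # Every line of a YAML block scalar must be indented under its key.
    ca = "\n".join("  " + line.strip() for line in pem.splitlines() if line.strip())
    return ("---\n"
            f"metadataStoreUrl: {url}\n"
            "metadataStoreCa: |-\n"
            f"{ca}\n"
            f"metadataStoreTokenSecret: {token_secret}\n")


# Constructed sample objects, shaped like `kubectl ... -o json` output.
# The DER bytes are filler, not a real certificate.
_FILLER_DER = b"\x30\x82\x00\x40" + bytes(range(64))
_FILLER_PEM = ("-----BEGIN CERTIFICATE-----\n"
               + base64.encodebytes(_FILLER_DER).decode("ascii")
               + "-----END CERTIFICATE-----\n")
SAMPLE_SERVICE = {
    "metadata": {"name": "metadata-store-app", "namespace": "metadata-store"},
    "spec": {"ports": [{"name": "https", "port": 8443}]},
}
SAMPLE_SECRET = {"data": {"ca.crt": base64.b64encode(_FILLER_PEM.encode("ascii")).decode("ascii")}}

if __name__ == "__main__":
    print(render_values(SAMPLE_SERVICE, SAMPLE_SECRET), end="")
```

On a live cluster, load the two objects with json.load from the `-o json` output of the kubectl commands above instead of using the samples.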
Install Supply Chain Security Tools — Scan (Grype Scanner)
$ tanzu package install grype-scanner \
> --package-name grype.scanning.apps.tanzu.vmware.com \
> --version 1.0.0-beta \
> --namespace tap-install
| Installing package 'grype.scanning.apps.tanzu.vmware.com'
| Getting namespace 'tap-install'
| Getting package metadata for 'grype.scanning.apps.tanzu.vmware.com'
| Creating service account 'grype-scanner-tap-install-sa'
| Creating cluster admin role 'grype-scanner-tap-install-cluster-role'
| Creating cluster role binding 'grype-scanner-tap-install-cluster-rolebinding'
- Creating package resource
/ Package install status: Reconciling
Added installed package 'grype-scanner' in namespace 'tap-install'
Install API package
$ tanzu package install api-portal -n tap-install -p api-portal.tanzu.vmware.com -v 1.0.2
- Installing package 'api-portal.tanzu.vmware.com'
| Getting namespace 'tap-install'
| Getting package metadata for 'api-portal.tanzu.vmware.com'
| Creating service account 'api-portal-tap-install-sa'
| Creating cluster admin role 'api-portal-tap-install-cluster-role'
| Creating cluster role binding 'api-portal-tap-install-cluster-rolebinding'
- Creating package resource
- Package install status: Reconciling
Added installed package 'api-portal' in namespace 'tap-install'
Install Services Control Plane (SCP) Toolkit
$ tanzu package install scp-toolkit -n tap-install -p scp-toolkit.tanzu.vmware.com -v 0.3.0
- Installing package 'scp-toolkit.tanzu.vmware.com'
| Getting namespace 'tap-install'
| Getting package metadata for 'scp-toolkit.tanzu.vmware.com'
| Creating service account 'scp-toolkit-tap-install-sa'
| Creating cluster admin role 'scp-toolkit-tap-install-cluster-role'
| Creating cluster role binding 'scp-toolkit-tap-install-cluster-rolebinding'
- Creating package resource
/ Package install status: Reconciling
Added installed package 'scp-toolkit' in namespace 'tap-install'

$ tanzu package installed get scp-toolkit -n tap-install
\ Retrieving installation details for scp-toolkit...
NAME:                    scp-toolkit
PACKAGE-NAME:            scp-toolkit.tanzu.vmware.com
PACKAGE-VERSION:         0.3.0
STATUS:                  Reconcile succeeded
CONDITIONS:              [{ReconcileSucceeded True }]
USEFUL-ERROR-MESSAGE:
Verify the installed packages
$ tanzu package installed list --namespace tap-install
| Retrieving installed packages...
NAME                   PACKAGE-NAME                                       PACKAGE-VERSION  STATUS
api-portal             api-portal.tanzu.vmware.com                        1.0.2            Reconcile succeeded
app-accelerator        accelerator.apps.tanzu.vmware.com                  0.3.0            Reconcile succeeded
app-live-view          appliveview.tanzu.vmware.com                       0.2.0            Reconcile succeeded
cartographer           cartographer.tanzu.vmware.com                      0.0.6            Reconcile succeeded
cloud-native-runtimes  cnrs.tanzu.vmware.com                              1.0.2            Reconcile succeeded
convention-controller  controller.conventions.apps.tanzu.vmware.com       0.4.2            Reconcile succeeded
default-supply-chain   default-supply-chain.tanzu.vmware.com              0.2.0            Reconcile succeeded
developer-conventions  developer-conventions.tanzu.vmware.com             0.2.0            Reconcile succeeded
grype-scanner          grype.scanning.apps.tanzu.vmware.com               1.0.0-beta       Reconcile succeeded
image-policy-webhook   image-policy-webhook.signing.run.tanzu.vmware.com  1.0.0-beta.0     Reconcile succeeded
metadata-store         scst-store.tanzu.vmware.com                        1.0.0-beta.0     Reconcile succeeded
scan-controller        scanning.apps.tanzu.vmware.com                     1.0.0-beta       Reconcile succeeded
scp-toolkit            scp-toolkit.tanzu.vmware.com                       0.3.0            Reconcile succeeded
service-bindings       service-bindings.labs.vmware.com                   0.5.0            Reconcile succeeded
source-controller      controller.source.apps.tanzu.vmware.com            0.1.2            Reconcile succeeded
tbs                    buildservice.tanzu.vmware.com                      1.3.0            Reconcile succeeded
You can also see the whole bunch of namespaces that were created.
$ k get ns
NAME                               STATUS   AGE
accelerator-system                 Active   3h49m
app-live-view                      Active   112m
build-service                      Active   170m
cartographer-system                Active   147m
cert-manager                       Active   4h12m
contour-external                   Active   3h54m
contour-internal                   Active   3h54m
conventions-system                 Active   3h23m
default                            Active   4h45m
developer-conventions              Active   118m
flux-system                        Active   4h10m
image-policy-system                Active   105m
kapp-controller                    Active   4h16m
kapp-controller-packaging-global   Active   4h16m
knative-discovery                  Active   3h54m
knative-eventing                   Active   3h54m
knative-serving                    Active   3h54m
knative-sources                    Active   3h54m
kpack                              Active   170m
kube-node-lease                    Active   4h45m
kube-public                        Active   4h45m
kube-system                        Active   4h45m
metadata-store                     Active   107m
scan-link-system                   Active   3m15s
scp-toolkit                        Active   80m
secretgen-controller               Active   4h14m
service-bindings                   Active   110m
source-system                      Active   3h21m
stacks-operator-system             Active   170m
tap-install                        Active   4h3m
triggermesh                        Active   3h54m
vmware-sources                     Active   3h54m
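The install steps above bind the flux-system default service account to cluster-admin, and every `tanzu package install` reports creating a "cluster admin role" for its own service account. The script below is an added example, not part of the original post or of TAP: it lists which service accounts hold cluster-wide admin rights, so the grants can be reviewed once the install is done. The sample data is constructed, and the wildcard rule on the per-package role is an assumption based on that CLI message.

```python
"""Audit which service accounts ended up with cluster-wide admin rights."""
import json
import sys

# Constructed sample data shaped like `kubectl get clusterroles -o json` and
# `kubectl get clusterrolebindings -o json`. Object names are taken from the
# install output on this page; the wildcard rule on the per-package role is an
# assumption based on the CLI message "Creating cluster admin role".
SAMPLE_ROLES = {"items": [
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
               {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "tbs-tap-install-cluster-role"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "example-read-only"},  # hypothetical narrow role
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]},
]}
SAMPLE_BINDINGS = {"items": [
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "default-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "flux-system"}]},
    {"metadata": {"name": "tbs-tap-install-cluster-rolebinding"},
     "roleRef": {"kind": "ClusterRole", "name": "tbs-tap-install-cluster-role"},
     "subjects": [{"kind": "ServiceAccount", "name": "tbs-tap-install-sa",
                   "namespace": "tap-install"}]},
    {"metadata": {"name": "example-read-only-binding"},  # hypothetical
     "roleRef": {"kind": "ClusterRole", "name": "example-read-only"},
     "subjects": [{"kind": "ServiceAccount", "name": "example-reader", "namespace": "default"}]},
]}


def is_wildcard_rule(rule):
    """True when a rule allows every verb on every resource in every API group."""
    return all("*" in rule.get(key, []) for key in ("apiGroups", "resources", "verbs"))


def admin_equivalent_roles(cluster_roles):
    """Names of ClusterRoles that are cluster-admin in effect, whatever they are called."""
    names = {"cluster-admin"}
    for role in cluster_roles["items"]:
        if any(is_wildcard_rule(rule) for rule in role.get("rules") or []):
            names.add(role["metadata"]["name"])
    return names


def audit(cluster_roles, bindings):
    """Return sorted (severity, service account, binding, role) tuples."""
    admin_roles = admin_equivalent_roles(cluster_roles)
    findings = []
    for binding in bindings["items"]:
        ref = binding["roleRef"]
        if ref["kind"] != "ClusterRole" or ref["name"] not in admin_roles:
            continue
        for subject in binding.get("subjects") or []:
            if subject["kind"] != "ServiceAccount":
                continue
            # Pods that do not name a service account run as "default", so a
            # grant to it reaches every such pod in the namespace.
            severity = "high" if subject["name"] == "default" else "review"
            account = f'{subject.get("namespace", "")}/{subject["name"]}'
            findings.append((severity, account, binding["metadata"]["name"], ref["name"]))
    return sorted(findings)


def main(argv):
    if len(argv) == 3:  # usage: audit.py clusterroles.json clusterrolebindings.json
        with open(argv[1]) as roles_file, open(argv[2]) as bindings_file:
            roles, bindings = json.load(roles_file), json.load(bindings_file)
    else:
        roles, bindings = SAMPLE_ROLES, SAMPLE_BINDINGS
    for severity, account, binding, role in audit(roles, bindings):
        print(f"{severity:6} {account:32} via {binding} -> {role}")


if __name__ == "__main__":
    main(sys.argv)
```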
Installation is completed.
Now, let's see how to use TAP by creating a workload.
Using TAP — App deployment pre-reqs
- Create the image pull secret in a namespace where you want to deploy the application.
$ tanzu imagepullsecret add registry-credentials --registry demoacr.azurecr.io --username demoacr --password <replace me> --namespace default
| Adding image pull secret 'registry-credentials'...
Added image pull secret 'registry-credentials' into namespace 'default'
- Create the following objects
$ cat <<EOF | kubectl -n default apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: tap-registry
  annotations:
    secretgen.carvel.dev/image-pull-secret: ""
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: e30K
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: service-account # use value from "Install Default Supply Chain"
secrets:
  - name: registry-credentials
imagePullSecrets:
  - name: registry-credentials
  - name: tap-registry
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kapp-permissions
  annotations:
    kapp.k14s.io/change-group: "role"
rules:
  - apiGroups:
      - servicebinding.io
    resources: ['servicebindings']
    verbs: ['*']
  - apiGroups:
      - serving.knative.dev
    resources: ['services']
    verbs: ['*']
  - apiGroups: [""]
    resources: ['configmaps']
    verbs: ['get', 'watch', 'list', 'create', 'update', 'patch', 'delete']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kapp-permissions
  annotations:
    kapp.k14s.io/change-rule: "upsert after upserting role"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kapp-permissions
subjects:
  - kind: ServiceAccount
    name: service-account # use value from "Install Default Supply Chain"
EOF
Deploying Application
- Visit the Application Accelerator URL. The service is in the accelerator-system namespace.
- You will see the following UI. Filter for tanzu-java-web-app.
- Click on the app and replace the registry value with the registry where we will keep the image.
- Click on Generate project button
- Deploy application
$ tanzu apps workload create tanzu-java-web-app \
--git-repo https://github.com/sample-accelerators/tanzu-java-web-app \
--git-branch main --type web --yes
- Get the status of the app. You will see the status Ready in a few minutes. Access the application by clicking on the Knative service URL.
$ tanzu apps workload get tanzu-java-web-app
# tanzu-java-web-app: Ready
---
lastTransitionTime: "2021-10-28T14:33:52Z"
message: ""
reason: Ready
status: "True"
type: Ready

Workload pods
NAME                                                   STATE       AGE
tanzu-java-web-app-00004-deployment-5c84ccdd88-97bwp   Running     28h
tanzu-java-web-app-build-1-build-pod                   Succeeded   30h
tanzu-java-web-app-build-2-build-pod                   Succeeded   28h
tanzu-java-web-app-build-3-build-pod                   Succeeded   28h

Workload Knative Services
NAME                 READY   URL
tanzu-java-web-app   Ready   http://tanzu-java-web-app.default.example.com
- To troubleshoot an app, you can access the App Live View UI deployed in the app-live-view namespace. You will see the following UI.
That’s all from this post. In the next post, I will talk about how to iterate over this application and deploy the changes automatically.
For more info, refer to the TAP v0.2 documentation.