TAP On AKS (1.0.0) : Part 2 – Install TAP with supply chain testing in ACR repo

In this post, I demonstrate the steps to install Tanzu Application Platform packages from the Tanzu Application Platform package repository. Before you install the packages, ensure you have prepared the setup as described in the earlier post.

Add TAP package repository

# Set up environment variables for use during the installation.

export INSTALL_REGISTRY_USERNAME=TANZU-NET-USER
export INSTALL_REGISTRY_PASSWORD=TANZU-NET-PASSWORD
export INSTALL_REGISTRY_HOSTNAME=registry.tanzu.vmware.com

# Create a namespace called tap-install for deploying any component packages by running:

$  kubectl create ns tap-install

# Create a registry secret by running (the variables are quoted so that special characters in the password survive shell expansion):

$  tanzu secret registry add tap-registry --username "${INSTALL_REGISTRY_USERNAME}" --password "${INSTALL_REGISTRY_PASSWORD}" --server "${INSTALL_REGISTRY_HOSTNAME}" --export-to-all-namespaces --yes --namespace tap-install

# Add Tanzu Application Platform package repository to the cluster by running:

$  tanzu package repository add tanzu-tap-repository --url registry.tanzu.vmware.com/tanzu-application-platform/tap-packages:1.0.0 --namespace tap-install

# Get the status of the Tanzu Application Platform package repository, and ensure the status updates to Reconcile succeeded by running:

$  tanzu package repository get tanzu-tap-repository --namespace tap-install
- Retrieving repository tanzu-tap-repository...
NAME:          tanzu-tap-repository
VERSION:       16710
REPOSITORY:    registry.tanzu.vmware.com/tanzu-application-platform/tap-packages
TAG:           1.0.0
STATUS:        Reconcile succeeded
REASON:

# List the available packages by running:

$  tanzu package available list --namespace tap-install

Install Tanzu Application Platform profile

Tanzu Application Platform can be installed through predefined profiles or through individual packages. TAP contains the following two profiles:

  • Full
  • Light

In this demo, I cover the full profile with the OOTB supply chain with testing, ACR (azurecr.io) as the image repository, and service_type LoadBalancer.

Note: Refer to the documentation for more details.

Full profile syntax:

profile: full
ceip_policy_disclosed: true # Installation fails if this is set to 'false'
buildservice:
  kp_default_repository: "KP-DEFAULT-REPO"
  kp_default_repository_username: "KP-DEFAULT-REPO-USERNAME"
  kp_default_repository_password: "KP-DEFAULT-REPO-PASSWORD"
  tanzunet_username: "TANZUNET-USERNAME"
  tanzunet_password: "TANZUNET-PASSWORD"
  descriptor_name: "DESCRIPTOR-NAME"
  enable_automatic_dependency_updates: true
supply_chain: basic

ootb_supply_chain_basic:
  registry:
    server: "SERVER-NAME"
    repository: "REPO-NAME"
  gitops:
    ssh_secret: ""

learningcenter:
  ingressDomain: "DOMAIN-NAME"

tap_gui:
  service_type: ClusterIP
  ingressEnabled: "true"
  ingressDomain: "INGRESS-DOMAIN"
  app_config:
    app:
      baseUrl: http://tap-gui.INGRESS-DOMAIN
    catalog:
      locations:
        - type: url
          target: https://GIT-CATALOG-URL/catalog-info.yaml
    backend:
      baseUrl: http://tap-gui.INGRESS-DOMAIN
      cors:
        origin: http://tap-gui.INGRESS-DOMAIN

metadata_store:
  app_service_type: LoadBalancer # (optional) Defaults to LoadBalancer. Change to NodePort for distributions that don't support LoadBalancer

grype:
  namespace: "MY-DEV-NAMESPACE" # (optional) Defaults to default namespace.
  targetImagePullSecret: "TARGET-REGISTRY-CREDENTIALS-SECRET"

Where:

  • KP-DEFAULT-REPO is a writable repository in your registry. Tanzu Build Service dependencies are written to this location. Examples:
    • Harbor has the form kp_default_repository: "my-harbor.io/my-project/build-service"
    • Dockerhub has the form kp_default_repository: "my-dockerhub-user/build-service" or kp_default_repository: "index.docker.io/my-user/build-service"
    • Google Cloud Registry has the form kp_default_repository: "gcr.io/my-project/build-service"
  • KP-DEFAULT-REPO-USERNAME is the username that can write to KP-DEFAULT-REPO. You should be able to docker push to this location with this credential.
    • For Google Cloud Registry, use kp_default_repository_username: _json_key
  • KP-DEFAULT-REPO-PASSWORD is the password for the user that can write to KP-DEFAULT-REPO. You can docker push to this location with this credential.
    • For Google Cloud Registry, use the contents of the service account JSON key.
  • DESCRIPTOR-NAME is the name of the descriptor to import automatically. Current available options at time of release:
    • tap-1.0.0-full contains all dependencies, and is for production use.
    • tap-1.0.0-lite smaller footprint used for speeding up installs. Requires Internet access on the cluster.
  • SERVER-NAME is the hostname of the registry server. Examples:
    • Harbor has the form server: "my-harbor.io"
    • Dockerhub has the form server: "index.docker.io"
    • Google Cloud Registry has the form server: "gcr.io"
  • REPO-NAME is where workload images are stored in the registry. Images are written to SERVER-NAME/REPO-NAME/workload-name. Examples:
    • Harbor has the form repository: "my-project/supply-chain"
    • Dockerhub has the form repository: "my-dockerhub-user"
    • Google Cloud Registry has the form repository: "my-project/supply-chain"
  • DOMAIN-NAME has a value such as learningcenter.example.com.
  • INGRESS-DOMAIN is the subdomain for the host name that you point at the tanzu-shared-ingress service’s External IP address.
  • GIT-CATALOG-URL is the path to the catalog-info.yaml catalog definition file from either the included Blank catalog (provided as an additional download named “Blank Tanzu Application Platform GUI Catalog”) or a Backstage-compliant catalog that you’ve already built and posted on the Git infrastructure you specified in the Integration section.
  • MY-DEV-NAMESPACE is the namespace where you want the ScanTemplates to be deployed to. This is the namespace where the scanning feature is going to run.
  • TARGET-REGISTRY-CREDENTIALS-SECRET is the name of the secret that contains the credentials to pull an image from the registry for scanning. If built images are pushed to the same registry as the Tanzu Application Platform images, this can reuse the tap-registry secret.

Note: Using the tap-values.yaml configuration, buildservice.enable_automatic_dependency_updates: false can be used to pause the automatic update of Build Service dependencies.

profile: full
ceip_policy_disclosed: true # Installation fails if this is set to 'false'
buildservice:
  kp_default_repository: "captainrepo.azurecr.io/build-service" # Replace the project id with yours. In my case eknath-se is the project ID
  kp_default_repository_username: "captainrepo"
  kp_default_repository_password: "KP-DEFAULT-REPO-PASSWORD" # Placeholder: password for the registry user above
  tanzunet_username: "eknath.reddy09@gmail.com" # Provide the Tanzu network user name
  tanzunet_password: "TANZUNET-PASSWORD" # Placeholder: provide the Tanzu network password
  descriptor_name: "tap-1.0.0-full"
  enable_automatic_dependency_updates: true
supply_chain: testing
ootb_supply_chain_testing:
  registry:
    server: "captainrepo.azurecr.io"
    repository: "supply-chain" # Replace the project id with yours. In my case eknath-se is the project ID
  gitops:
    ssh_secret: ""
  cluster_builder: default
  service_account: default

learningcenter:
  ingressDomain: "captainvirtualization.in"

metadata_store:
  app_service_type: LoadBalancer # (optional) Defaults to LoadBalancer. Change to NodePort for distributions that don't support LoadBalancer
contour:
  envoy:
    service:
      type: LoadBalancer

The block above is the tap-values.yaml for supply chain testing.

# Install the package by running:

tanzu package install tap -p tap.tanzu.vmware.com -v 1.0.0 --values-file tap-values.yaml -n tap-install

# Verify the package install by running:

tanzu package installed get tap -n tap-install

# Verify that all the necessary packages in the profile are installed by running:

tanzu package installed list -A -n tap-install
/ Retrieving installed packages...
  NAME                       PACKAGE-NAME                                        PACKAGE-VERSION  STATUS               NAMESPACE
  accelerator                accelerator.apps.tanzu.vmware.com                   1.0.0            Reconcile succeeded  tap-install
  api-portal                 api-portal.tanzu.vmware.com                         1.0.8            Reconcile succeeded  tap-install
  appliveview                run.appliveview.tanzu.vmware.com                    1.0.1            Reconcile succeeded  tap-install
  appliveview-conventions    build.appliveview.tanzu.vmware.com                  1.0.1            Reconcile succeeded  tap-install
  buildservice               buildservice.tanzu.vmware.com                       1.4.2            Reconcile succeeded  tap-install
  cartographer               cartographer.tanzu.vmware.com                       0.1.0            Reconcile succeeded  tap-install
  cert-manager               cert-manager.tanzu.vmware.com                       1.5.3+tap.1      Reconcile succeeded  tap-install
  cnrs                       cnrs.tanzu.vmware.com                               1.1.0            Reconcile succeeded  tap-install
  contour                    contour.tanzu.vmware.com                            1.18.2+tap.1     Reconcile succeeded  tap-install
  conventions-controller     controller.conventions.apps.tanzu.vmware.com        0.5.0            Reconcile succeeded  tap-install
  developer-conventions      developer-conventions.tanzu.vmware.com              0.5.0-build.1    Reconcile succeeded  tap-install
  fluxcd-source-controller   fluxcd.source.controller.tanzu.vmware.com           0.16.0           Reconcile succeeded  tap-install
  grype                      grype.scanning.apps.tanzu.vmware.com                1.0.0            Reconcile succeeded  tap-install
  image-policy-webhook       image-policy-webhook.signing.apps.tanzu.vmware.com  1.0.0            Reconcile succeeded  tap-install
  learningcenter             learningcenter.tanzu.vmware.com                     0.1.0            Reconcile succeeded  tap-install
  learningcenter-workshops   workshops.learningcenter.tanzu.vmware.com           0.1.0            Reconcile succeeded  tap-install
  metadata-store             metadata-store.apps.tanzu.vmware.com                1.0.1            Reconcile succeeded  tap-install
  ootb-delivery-basic        ootb-delivery-basic.tanzu.vmware.com                0.5.1            Reconcile succeeded  tap-install
  ootb-supply-chain-testing  ootb-supply-chain-testing.tanzu.vmware.com          0.5.1            Reconcile succeeded  tap-install
  ootb-templates             ootb-templates.tanzu.vmware.com                     0.5.1            Reconcile succeeded  tap-install
  scanning                   scanning.apps.tanzu.vmware.com                      1.0.0            Reconcile succeeded  tap-install
  service-bindings           service-bindings.labs.vmware.com                    0.6.0            Reconcile succeeded  tap-install
  services-toolkit           services-toolkit.tanzu.vmware.com                   0.5.0            Reconcile succeeded  tap-install
  source-controller          controller.source.apps.tanzu.vmware.com             0.2.0            Reconcile succeeded  tap-install
  spring-boot-conventions    spring-boot-conventions.tanzu.vmware.com            0.3.0            Reconcile succeeded  tap-install
  tap                        tap.tanzu.vmware.com                                1.0.0            Reconcile succeeded  tap-install
  tap-gui                    tap-gui.tanzu.vmware.com                            1.0.1            Reconcile succeeded  tap-install
  tap-telemetry              tap-telemetry.tanzu.vmware.com                      0.1.2            Reconcile succeeded  tap-install
  tekton-pipelines           tekton.tanzu.vmware.com                             0.30.0           Reconcile succeeded  tap-install

Configure TAP GUI

  • On your Git repository of choice, extract the Blank Software Catalog from VMware Tanzu Network. You link to that catalog-info.yaml file when you configure your catalog later. In this demo I am using an existing catalog-info.yaml file from my repo.
  • Collect the external IP of the LoadBalancer by running the following command, then update the tap-values.yaml file:
$  kubectl get svc -n tap-gui
NAME     TYPE           CLUSTER-IP    EXTERNAL-IP    PORT(S)          AGE
server   LoadBalancer   10.0.88.159   20.207.74.31   7000:30745/TCP   14m
  • Add the following section to tap-values.yaml by using the following template, and replace all placeholders with your relevant values.

Syntax for new lines to be added:

tap_gui:
  service_type: LoadBalancer
  # Existing tap-values.yaml above
  app_config:
    app:
      baseUrl: http://EXTERNAL-IP:7000
    integrations:
      github: # Other integrations available see NOTE below
        - host: github.com
          token: GITHUB-TOKEN
    catalog:
      locations:
        - type: url
          target: https://GIT-CATALOG-URL/catalog-info.yaml
    backend:
      baseUrl: http://EXTERNAL-IP:7000
      cors:
        origin: http://EXTERNAL-IP:7000
  • The updated YAML file should look similar to the following:

profile: full
ceip_policy_disclosed: true # Installation fails if this is set to 'false'
buildservice:
  kp_default_repository: "captainrepo.azurecr.io/build-service" # Replace the project id with yours. In my case eknath-se is the project ID
  kp_default_repository_username: "captainrepo"
  kp_default_repository_password: "KP-DEFAULT-REPO-PASSWORD" # Placeholder: password for the registry user above
  tanzunet_username: "eknath.reddy09@gmail.com" # Provide the Tanzu network user name
  tanzunet_password: "TANZUNET-PASSWORD" # Placeholder: provide the Tanzu network password
  descriptor_name: "tap-1.0.0-full"
  enable_automatic_dependency_updates: true
supply_chain: testing
ootb_supply_chain_testing:
  registry:
    server: "captainrepo.azurecr.io"
    repository: "supply-chain" # Replace the project id with yours. In my case eknath-se is the project ID
  gitops:
    ssh_secret: ""
  cluster_builder: default
  service_account: default

learningcenter:
  ingressDomain: "captainvirtualization.in"

metadata_store:
  app_service_type: LoadBalancer # (optional) Defaults to LoadBalancer. Change to NodePort for distributions that don't support LoadBalancer
contour:
  envoy:
    service:
      type: LoadBalancer
tap_gui:
  service_type: LoadBalancer
  app_config:
    app:
      baseUrl: http://20.207.74.31:7000
    integrations:
      github: # Other integrations available see NOTE below
        - host: github.com
          token: GITHUB-TOKEN # Placeholder: GitHub access token
    catalog:
      locations:
        - type: url
          target: https://github.com/Eknathreddy09/tanzu-java-web-app/blob/main/catalog/catalog-info.yaml
    backend:
      baseUrl: http://20.207.74.31:7000
      cors:
        origin: http://20.207.74.31:7000

Update the package profile:

$  tanzu package installed update tap --package-name tap.tanzu.vmware.com --version 1.0.0 -n tap-install -f tap-values.yaml
| Updating installed package 'tap'
/ Getting package install for 'tap'
| Getting package metadata for 'tap.tanzu.vmware.com'
| Updating secret 'tap-tap-install-values'
| Updating package install for 'tap'
- Waiting for 'PackageInstall' reconciliation for 'tap'

Updated installed package 'tap' in namespace 'tap-install'

  • Browse to the external IP collected earlier on port 7000 to access the TAP GUI. Ex: http://EXTERNAL-IP:7000
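
A pre-flight check for tap-values.yaml to run before tanzu package install or update, added here as an example (it is not part of the original post or of the Tanzu tooling). It flags control bytes of the kind ytt rejects with "control characters are not allowed" in the comment below, template placeholders from this page that were never replaced, and file permissions that let other users read the embedded credentials; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for a TAP values file before install/update.

# Placeholder tokens taken from the templates on this page.
PLACEHOLDERS='KP-DEFAULT-REPO|TANZUNET-(USERNAME|PASSWORD)|DESCRIPTOR-NAME|SERVER-NAME|REPO-NAME|DOMAIN-NAME|INGRESS-DOMAIN|GIT-CATALOG-URL|GITHUB-TOKEN|EXTERNAL-IP|MY-DEV-NAMESPACE|TARGET-REGISTRY-CREDENTIALS-SECRET'

# Count bytes a YAML parser rejects as control characters: everything below
# 0x20 except tab, LF and CR, plus DEL (0x7f). Bytes >= 0x80 are assumed to
# be UTF-8 text and are not inspected.
count_control_bytes() {
  LC_ALL=C tr -d '\11\12\15\40-\176\200-\377' < "$1" | wc -c | tr -d ' '
}

# Print one FAIL line per problem; return 0 if clean, 1 if any check failed,
# 2 if the file cannot be read.
check_tap_values() {
  local file="$1" rc=0 n perms
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }

  n=$(count_control_bytes "$file")
  if [ "$n" -gt 0 ]; then
    echo "FAIL control-chars: $n disallowed byte(s) in $file"
    rc=1
  fi

  # Template values that were never replaced (matching lines are printed).
  if grep -nE "$PLACEHOLDERS" "$file"; then
    echo "FAIL placeholders: template values still present"
    rc=1
  fi

  # The file holds registry passwords and a Git token: owner-only access.
  perms=$(ls -ldL "$file" | cut -c5-10)
  if [ "$perms" != "------" ]; then
    echo "FAIL permissions: group/other access ($perms); run chmod 600 $file"
    rc=1
  fi
  return "$rc"
}

# Usage: ./check-tap-values.sh tap-values.yaml
if [ "$#" -gt 0 ]; then check_tap_values "$1"; fi
```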

2 thoughts on “TAP On AKS (1.0.0) : Part 2 – Install TAP with supply chain testing in ACR repo”

  1. We are facing below issue while installing application platform package. Kindly help here.
    | Getting package install for ‘tap’
    / Getting package metadata for ‘tap.tanzu.vmware.com’
    | Updating secret ‘tap-tap-install-values’
    | Updating package install for ‘tap’
    – Waiting for ‘PackageInstall’ reconciliation for ‘tap’

    Error: resource reconciliation failed: ytt: Error: Extracting data value from file:
    Unmarshaling YAML data values file ‘/etc/kappctrl-mem-tmp/kapp-controller-template-values218761039/tap-values.yml’: yaml: control characters are not allowed
    . Reconcile failed: Error (see .status.usefulErrorMessage for details)

    1. Can you please share tap-values.yaml by masking the passwords and access tokens? Where are you trying to deploy the environment? Which image registry is being used? TAP version? Also, share the output of tanzu package installed list -A
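
One way to produce a copy of tap-values.yaml with passwords and tokens masked before sharing it, as the reply above requests. This is an added example, not code from the post or its comments; the function names and the rule of masking keys whose names contain password or token are assumptions based on the key names used on this page.

```shell
#!/usr/bin/env bash
# Added example: mask secrets in tap-values.yaml before sharing it for support.

# Replace the value of every key whose name contains "password" or "token"
# with "<MASKED>". Indentation, key names and all other lines are kept so the
# structure can still be reviewed; empty values are left as they are.
mask_tap_values() {
  awk '
    match($0, /^ *(- )?[A-Za-z0-9_]*(password|token)[A-Za-z0-9_]*: */) {
      key = substr($0, 1, RLENGTH)
      val = substr($0, RLENGTH + 1)
      sub(/ +#.*$/, "", val)                 # ignore a trailing comment
      if (val != "" && val != "\"\"") { print key "\"<MASKED>\""; next }
    }
    { print }
  ' "$1"
}

# Second line of defence: count lines that still look like a GitHub token
# (gh?_ prefix followed by 36 alphanumerics), whatever key they sit under.
count_github_tokens() {
  grep -cE 'gh[pousr]_[A-Za-z0-9]{36}' "$1" || true
}

# Write FILE.masked (owner-only) and refuse to hand it over if a token
# pattern survived the key-based masking, for example inside a URL.
make_shareable() {
  local src="$1" out="$1.masked"
  ( umask 077; mask_tap_values "$src" > "$out" )
  if [ "$(count_github_tokens "$out")" -ne 0 ]; then
    rm -f "$out"; echo "token pattern still present, not sharing" >&2; return 1
  fi
  echo "$out"
}

# Usage: ./mask-tap-values.sh tap-values.yaml
if [ "$#" -gt 0 ]; then make_shareable "$1"; fi
```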
