TAP on GKE (1.0.0) : Part 3 – Deploy an application with testing and scanning in gcr repo

Reading Time: 5 mins

Overview

In this section, I will walk you through the steps required to deploy an application using the Tanzu Application Platform. Before moving further, please ensure below are completed:

  • Prepare set up is completed, If not done, then follow the steps in the post
  • Default kubeconfig context is set to the target Kubernetes cluster.
  • Tanzu Application Platform GUI is successfully installed, for more details, read here

Install Supply Chain with Testing and Scanning

This Cartographer Supply Chain ties a series of Kubernetes resources which, when working together, drives a developer-provided Workload from source code all the way to a Kubernetes configuration ready to be deployed to a cluster, having not only passed that source code through testing and vulnerability scanning, but also the container image produced. It includes below capabilities:

  • Watching a Git Repository or local directory for changes
  • Running tests from a developer-provided Tekton or Pipeline
  • Scanning the source code for known vulnerabilities using Grype
  • Building a container image out of the source code with Buildpacks
  • Scanning the image for known vulnerabilities
  • Applying operator-defined conventions to the container definition
  • Deploying the application to the same cluster

You can verify that you have the right set of supply chains installed by running the following command:

$  tanzu apps cluster-supply-chain list
NAME READY AGE LABEL SELECTOR
source-test-scan-to-url Ready 123m apps.tanzu.vmware.com/has-tests=true,apps.tanzu.vmware.com/workload-type=web

Setup Developer Namespaces to use Installed Packages

To create workload for your application using the registry credentials specified, run these commands to add credentials and Role-Based Access Control (RBAC) rules to the namespace that you plan to create the workload in:

# Syntax: 

kubectl create secret docker-registry registry-credentials --docker-server=REGISTRY-SERVER --docker-username=REGISTRY-USERNAME --docker-password=REGISTRY-PASSWORD -n YOUR-NAMESPACE

# Example: where <key>.json is the key file downloaded from GCP portal.

kubectl create secret docker-registry registry-credentials --docker-server=gcr.io --docker-username=_json_key --docker-password="$(cat <key>.json)" -n tap-install
  • Add placeholder read secrets, a service account, and RBAC rules to the developer namespace by running:
cat <<EOF | kubectl -n tap-install apply -f -

apiVersion: v1
kind: Secret
metadata:
name: tap-registry
annotations:
secretgen.carvel.dev/image-pull-secret: ""
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: e30K

---
apiVersion: v1
kind: ServiceAccount
metadata:
name: default
secrets:
- name: registry-credentials
imagePullSecrets:
- name: registry-credentials
- name: tap-registry

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: default
rules:
- apiGroups: [source.toolkit.fluxcd.io]
resources: [gitrepositories]
verbs: ['*']
- apiGroups: [source.apps.tanzu.vmware.com]
resources: [imagerepositories]
verbs: ['*']
- apiGroups: [carto.run]
resources: [deliverables, runnables]
verbs: ['*']
- apiGroups: [kpack.io]
resources: [images]
verbs: ['*']
- apiGroups: [conventions.apps.tanzu.vmware.com]
resources: [podintents]
verbs: ['*']
- apiGroups: [""]
resources: ['configmaps']
verbs: ['*']
- apiGroups: [""]
resources: ['pods']
verbs: ['list']
- apiGroups: [tekton.dev]
resources: [taskruns, pipelineruns]
verbs: ['*']
- apiGroups: [tekton.dev]
resources: [pipelines]
verbs: ['list']
- apiGroups: [kappctrl.k14s.io]
resources: [apps]
verbs: ['*']
- apiGroups: [serving.knative.dev]
resources: ['services']
verbs: ['*']
- apiGroups: [servicebinding.io]
resources: ['servicebindings']
verbs: ['*']
- apiGroups: [services.apps.tanzu.vmware.com]
resources: ['resourceclaims']
verbs: ['*']
- apiGroups: [scanning.apps.tanzu.vmware.com]
resources: ['imagescans', 'sourcescans']
verbs: ['*']

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: default
subjects:
- kind: ServiceAccount
name: default

EOF

Tekton pipeline

A pipeline to be ran whenever the supply chain hits the stage of testing the source code. Save below into a yaml file for ex:  tekton-pipeline.yaml

apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: developer-defined-tekton-pipeline
labels:
apps.tanzu.vmware.com/pipeline: test # (!) required
spec:
params:
- name: source-url # (!) required
- name: source-revision # (!) required
tasks:
- name: test
params:
- name: source-url
value: $(params.source-url)
- name: source-revision
value: $(params.source-revision)
taskSpec:
params:
- name: source-url
- name: source-revision
steps:
- name: test
image: gradle
script: |-
cd `mktemp -d`
wget -qO- $(params.source-url) | tar xvz
./mvnw test

Run the yaml file with following command in tap-install namespace:

kubectl apply -f tekton-pipeline.yaml -n tap-install
pipeline.tekton.dev/developer-defined-tekton-pipeline created

scan policy:

The ScanPolicy defines a set of rules to evaluate for a particular scan to consider the artifacts (image or source code) either compliant or not. When a ImageScan or SourceScan is created to run a scan, those reference a policy whose name must match the one below (scan-policy). Save below code into a yaml file, for ex: scanpolicy.yaml

apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: ScanPolicy
metadata:
name: scan-policy
spec:
regoFile: |
package policies

default isCompliant = false

# Accepted Values: "Critical", "High", "Medium", "Low", "Negligible", "UnknownSeverity"
violatingSeverities := ["Critical","High","UnknownSeverity"]
ignoreCVEs := []

contains(array, elem) = true {
array[_] = elem
} else = false { true }

isSafe(match) {
fails := contains(violatingSeverities, match.Ratings.Rating[_].Severity)
not fails
}

isSafe(match) {
ignore := contains(ignoreCVEs, match.Id)
ignore
}

isCompliant = isSafe(input.currentVulnerability)
  • Run the yaml file with following command in tap-install namespace:
kubectl apply -f scanpolicy.yaml -n tap-install
scanpolicy.scanning.apps.tanzu.vmware.com/scan-policy created

Image Secret:

Regardless of the supply chain that a Workload goes through, there must be a secret in the developer namespace. This secret contains the credentials to be passed to

# Where <key>.json is the file downloaded earlier: 

kubectl create secret docker-registry image-secret --docker-server=gcr.io --docker-username=_json_key --docker-password="$(cat <key>.json)" -n tap-install

ScanTemplate

  • Create a file named ootb-supply-chain-basic-values.yaml that specifies the corresponding values to the properties you want to change.
grype:
namespace: tap-install
targetImagePullSecret: registry-credentials
$  tanzu package install grype-scanner --package-name grype.scanning.apps.tanzu.vmware.com --version 1.0.0  --namespace tap-install -f ootb-supply-chain-basic-values.yaml
| Installing package 'grype.scanning.apps.tanzu.vmware.com'
/ Getting package metadata for 'grype.scanning.apps.tanzu.vmware.com'
| Creating service account 'grype-scanner-tap-install-sa'
/ Creating cluster admin role 'grype-scanner-tap-install-cluster-role'
/ Creating cluster role binding 'grype-scanner-tap-install-cluster-rolebinding'
| Creating secret 'grype-scanner-tap-install-values'
| Creating package resource
- Waiting for 'PackageInstall' reconciliation for 'grype-scanner'
\ 'PackageInstall' resource install status: Reconciling


Added installed package 'grype-scanner'

Deploy Application

To deploy your application, you must download an accelerator, upload it on your Git repository of choice, and run a CLI command. Let me take you through the steps of downloading an accelerator through TAP-GUI:

  • From the Tanzu Application Platform GUI portal, click on Accelerators on the left side of the navigation bar to see the list of available accelerators.
  • Locate the Tanzu Java Web App accelerator, which is a sample Spring Boot web app, and click on Choose button.

  • In the Generate Accelerators prompt, replace the default value dev.local in the prefix for container image registry field with the registry in the form of SERVER-NAME/REPO-NAME. The SERVER-NAME/REPO-NAME must match what was specified for registry as part of the installation values for ootb_supply_chain_basic. Click NEXT STEP, verify the provided information, and click CREATE.

  • After the Task Activity processes are complete, click on the DOWNLOAD ZIP FILE button

  • After downloading the zip file, expand it in a workspace directory and follow your preferred procedure for uploading the generated project files to a Git repository for your new project.
# Unzip the downloaded file and follow below process to push to git repo: 

reddye@reddye-a02 tanzu-java-web-app-demo % ls
LICENSE Tiltfile catalog-info.yaml mvnw pom.xml
README.md accelerator-log.md config mvnw.cmd src

# Initialize git

reddye@reddye-a02 tanzu-java-web-app-demo % git init

Initialized empty Git repository in /Users/reddye/Downloads/tanzu-java-web-app-demo/.git/

#Add all the files
git add *

#Commit
git commit -am "First commit"

git branch -M main

# Created a new repo named tanzu-java-web-app-demo in my github account and later executed below command:

git remote add origin https://github.com/Eknathreddy09/tanzu-java-web-app-demo.git

# Syntax: git config --global user.email "github account email"

git config --global user.email "eknath.reddy09@gmail.com"

$ git push -u origin main
Username for 'https://github.com': eknathreddy09
Password for 'https://eknathreddy09@github.com':
Enumerating objects: 28, done.
Counting objects: 100% (28/28), done.
Delta compression using up to 16 threads
Compressing objects: 100% (19/19), done.
Writing objects: 100% (28/28), 15.36 KiB | 3.07 MiB/s, done.
Total 28 (delta 0), reused 0 (delta 0), pack-reused 0
To https://github.com/Eknathreddy09/tanzu-java-web-app-demo.git
* [new branch] main -> main
Branch 'main' set up to track remote branch 'main' from 'origin'.

# Login to Github account and verify the repo.

For this demo, instead of downloading from accelerator, I have a used a public version to test which is available here

  • Deploy the Tanzu Java Web App accelerator by running the tanzu apps workload create command:
$ tanzu apps workload create tanzu-java-web-app  --git-repo https://github.com/sample-accelerators/tanzu-java-web-app --git-branch main --type web --label apps.tanzu.vmware.com/has-tests=true --label app.kubernetes.io/part-of=tanzu-java-web-app  --type web -n tap-install --yes

# View the build and runtime logs for your app by running the tail command:

tanzu apps workload tail tanzu-java-web-app --since 10m --timestamp -n tap-install

# Get the status of application:

tanzu apps workload get tanzu-java-web-app -n tap-install
# tanzu-java-web-app: Ready
---
lastTransitionTime: "2022-01-17T06:04:43Z"
message: ""
reason: Ready
status: "True"
type: Ready

Workload pods
NAME STATE AGE
tanzu-java-web-app-00001-deployment-86c664cc87-6mmbj Running 8s
tanzu-java-web-app-build-1-build-pod Succeeded 56m
tanzu-java-web-app-config-writer-tnsfd-pod Succeeded 51m
tanzu-java-web-app-p6mb2-test-pod Succeeded 61m

Workload Knative Services
NAME READY URL
tanzu-java-web-app Ready http://tanzu-java-web-app.tap-install.example.com
  • Collect the External IP of Envoy service in name space: tanzu-system-ingress
kubectl get svc envoy -n tanzu-system-ingress
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
envoy LoadBalancer 10.32.4.176 35.244.7.37 80:32521/TCP,443:30574/TCP 103m
  • Add an entry in your local machine /etc/hosts with the IP collected above pointing to hostname: tanzu-java-web-app.tap-install.example.com

  • Access the url tanzu-java-web-app.tap-install.example.com and you should see result as below:

Verify the scan results:

#Source scan 

kubectl get sourcescan -n tap-install
NAME PHASE SCANNEDREVISION SCANNEDREPOSITORY AGE CRITICAL HIGH MEDIUM LOW UNKNOWN CVETOTAL
tanzu-java-web-app Completed 90bd107ad26e228886e2ad28c964580858196376 http://source-controller.flux-system.svc.cluster.local./gitrepository/tap-install/tanzu-java-web-app/90bd107ad26e228886e2ad28c964580858196376.tar.gz 66m

# Image Scan

kubectl get imagescan -n tap-install
NAME PHASE SCANNEDIMAGE AGE CRITICAL HIGH MEDIUM LOW UNKNOWN CVETOTAL
tanzu-java-web-app Completed gcr.io/eknath-se/build-service/tanzu-java-web-app-tap-install@sha256:067cba3141828775b0715f5054f54db33c6b5193c77fc90a31100abcf5f83a71 61m