In this post, I will demonstrate the steps to install Tanzu Application Platform packages from the Tanzu Application Platform package repository. Before you install the packages, ensure you have prepared the setup as mentioned in post.
Add TAP package repository
# Set up environment variables for use during the installation.
export INSTALL_REGISTRY_USERNAME=TANZU-NET-USER
export INSTALL_REGISTRY_PASSWORD=TANZU-NET-PASSWORD
export INSTALL_REGISTRY_HOSTNAME=registry.tanzu.vmware.com
# Create a namespace called tap-install for deploying any component packages by running:
$ kubectl create ns tap-install
# Create a registry secret by running:
$ tanzu secret registry add tap-registry --username "${INSTALL_REGISTRY_USERNAME}" --password "${INSTALL_REGISTRY_PASSWORD}" --server "${INSTALL_REGISTRY_HOSTNAME}" --export-to-all-namespaces --yes --namespace tap-install
# Add Tanzu Application Platform package repository to the cluster by running:
$ tanzu package repository add tanzu-tap-repository --url registry.tanzu.vmware.com/tanzu-application-platform/tap-packages:1.0.0 --namespace tap-install
# Get the status of the Tanzu Application Platform package repository, and ensure the status updates to Reconcile succeeded by running:
$ tanzu package repository get tanzu-tap-repository --namespace tap-install
- Retrieving repository tanzu-tap-repository...
NAME: tanzu-tap-repository
VERSION: 16710
REPOSITORY: registry.tanzu.vmware.com/tanzu-application-platform/tap-packages
TAG: 1.0.0
STATUS: Reconcile succeeded
REASON:
# List the available packages by running:
$ tanzu package available list --namespace tap-install
Install Tanzu Application Platform profile
Tanzu Application Platform can be installed through predefined profiles or through individual packages. TAP contains the following two profiles. In this demo, I will cover the full profile with the OOTB supply chain with testing and scanning, gcr.io as the image repository, and service_type LoadBalancer.
Note: Refer to the doc for more details.
Full profile syntax
profile: full
ceip_policy_disclosed: true # Installation fails if this is set to 'false'
buildservice:
  kp_default_repository: "KP-DEFAULT-REPO"
  kp_default_repository_username: "KP-DEFAULT-REPO-USERNAME"
  kp_default_repository_password: "KP-DEFAULT-REPO-PASSWORD"
  tanzunet_username: "TANZUNET-USERNAME"
  tanzunet_password: "TANZUNET-PASSWORD"
  descriptor_name: "DESCRIPTOR-NAME"
  enable_automatic_dependency_updates: true
supply_chain: basic
ootb_supply_chain_basic:
  registry:
    server: "SERVER-NAME"
    repository: "REPO-NAME"
  gitops:
    ssh_secret: ""
learningcenter:
  ingressDomain: "DOMAIN-NAME"
tap_gui:
  service_type: ClusterIP
  ingressEnabled: "true"
  ingressDomain: "INGRESS-DOMAIN"
  app_config:
    app:
      baseUrl: http://tap-gui.INGRESS-DOMAIN
    catalog:
      locations:
        - type: url
          target: https://GIT-CATALOG-URL/catalog-info.yaml
    backend:
      baseUrl: http://tap-gui.INGRESS-DOMAIN
      cors:
        origin: http://tap-gui.INGRESS-DOMAIN
metadata_store:
  app_service_type: LoadBalancer # (optional) Defaults to LoadBalancer. Change to NodePort for distributions that don't support LoadBalancer
grype:
  namespace: "MY-DEV-NAMESPACE" # (optional) Defaults to default namespace.
  targetImagePullSecret: "TARGET-REGISTRY-CREDENTIALS-SECRET"
KP-DEFAULT-REPO is a writable repository in your registry. Tanzu Build Service dependencies are written to this location. Examples:
- Harbor has the form kp_default_repository: "my-harbor.io/my-project/build-service"
- Dockerhub has the form kp_default_repository: "my-dockerhub-user/build-service" or kp_default_repository: "index.docker.io/my-user/build-service"
- Google Cloud Registry has the form kp_default_repository: "gcr.io/my-project/build-service"
KP-DEFAULT-REPO-USERNAME is the username that can write to KP-DEFAULT-REPO. You should be able to docker push to this location with this credential.
- For Google Cloud Registry, use kp_default_repository_username: _json_key
KP-DEFAULT-REPO-PASSWORD is the password for the user that can write to KP-DEFAULT-REPO. You can docker push to this location with this credential.
- For Google Cloud Registry, use the contents of the service account JSON key.
DESCRIPTOR-NAME is the name of the descriptor to import automatically. Current available options at time of release:
- tap-1.0.0-full contains all dependencies, and is for production use.
- tap-1.0.0-lite smaller footprint used for speeding up installs. Requires Internet access on the cluster.
SERVER-NAME is the hostname of the registry server. Examples:
- Harbor has the form server: "my-harbor.io"
- Dockerhub has the form server: "index.docker.io"
- Google Cloud Registry has the form server: "gcr.io"
REPO-NAME is where workload images are stored in the registry. Images are written to SERVER-NAME/REPO-NAME/workload-name. Examples:
- Harbor has the form repository: "my-project/supply-chain"
- Dockerhub has the form repository: "my-dockerhub-user"
- Google Cloud Registry has the form repository: "my-project/supply-chain"
DOMAIN-NAME has a value such as learningcenter.example.com.
INGRESS-DOMAIN is the subdomain for the host name that you point at the tanzu-shared-ingress service's External IP address.
GIT-CATALOG-URL is the path to the catalog-info.yaml catalog definition file from either the included Blank catalog (provided as an additional download named "Blank Tanzu Application Platform GUI Catalog") or a Backstage-compliant catalog that you've already built and posted on the Git infrastructure you specified in the Integration section.
MY-DEV-NAMESPACE is the namespace where you want the ScanTemplates to be deployed to. This is the namespace where the scanning feature is going to run.
TARGET-REGISTRY-CREDENTIALS-SECRET is the name of the secret that contains the credentials to pull an image from the registry for scanning. If built images are pushed to the same registry as the Tanzu Application Platform images, this can reuse the tap-registry secret.
Note: Using the tap-values.yaml configuration, buildservice.enable_automatic_dependency_updates: false can be used to pause the automatic update of Build Service dependencies.
- Since we are using Google Cloud Registry in this demo, I have a simple script to parse the credentials. Replace the necessary values before executing.
# where <key>.json is the file downloaded from GCP console
service_account_key="$(cat <key>.json)"
# The heredoc below is unquoted, so $(...) is expanded while the file is written.
cat <<EOF > tap-values.yaml
profile: full
ceip_policy_disclosed: true # Installation fails if this is set to 'false'
buildservice:
  kp_default_repository: "gcr.io/eknath-se/build-service" # Replace the project id with yours. In my case eknath-se is the project ID
  kp_default_repository_username: _json_key
  # The unquoted echo collapses the JSON key onto a single line.
  kp_default_repository_password: '$(echo $service_account_key)'
  tanzunet_username: "<Tanzu network user name>" # Provide the Tanzu network user name
  tanzunet_password: "<Tanzu network password>" # Provide the Tanzu network password
  descriptor_name: "tap-1.0.0-full"
  enable_automatic_dependency_updates: true
supply_chain: testing_scanning
ootb_supply_chain_testing_scanning:
  registry:
    server: "gcr.io"
    repository: "eknath-se/build-service" # Replace the project id with yours. In my case eknath-se is the project ID
  gitops:
    ssh_secret: ""
  cluster_builder: default
  service_account: default
learningcenter:
  ingressDomain: "<domain name>" # Provide a Domain Name
metadata_store:
  app_service_type: LoadBalancer # (optional) Defaults to LoadBalancer. Change to NodePort for distributions that don't support LoadBalancer
grype:
  namespace: "tap-install" # (optional) Defaults to default namespace.
  targetImagePullSecret: "registry-credentials"
contour:
  envoy:
    service:
      type: LoadBalancer
tap_gui:
  service_type: LoadBalancer # NodePort for distributions that don't support LoadBalancer
  app_config:
    app:
      baseUrl: http://<ip>:7000
    integrations:
      github: # Other integrations available see NOTE below
        - host: github.com
          token: <github token> # Create a token in github
    catalog:
      locations:
        - type: url
          target: https://github.com/sample-accelerators/tanzu-java-web-app/blob/main/catalog/catalog-info.yaml
    backend:
      baseUrl: http://<ip>:7000
      cors:
        origin: http://<ip>:7000
EOF
# Install the package by running:
tanzu package install tap -p tap.tanzu.vmware.com -v 1.0.0 --values-file tap-values.yaml -n tap-install
# Verify the package install by running:
tanzu package installed get tap -n tap-install
# Verify that all the necessary packages in the profile are installed by running:
tanzu package installed list -n tap-install
/ Retrieving installed packages...
NAME PACKAGE-NAME PACKAGE-VERSION STATUS
accelerator accelerator.apps.tanzu.vmware.com 1.0.0 Reconcile succeeded
api-portal api-portal.tanzu.vmware.com 1.0.8 Reconcile succeeded
appliveview run.appliveview.tanzu.vmware.com 1.0.1 Reconcile succeeded
appliveview-conventions build.appliveview.tanzu.vmware.com 1.0.1 Reconcile succeeded
buildservice buildservice.tanzu.vmware.com 1.4.2 Reconcile succeeded
cartographer cartographer.tanzu.vmware.com 0.1.0 Reconcile succeeded
cert-manager cert-manager.tanzu.vmware.com 1.5.3+tap.1 Reconcile succeeded
cnrs cnrs.tanzu.vmware.com 1.1.0 Reconcile succeeded
contour contour.tanzu.vmware.com 1.18.2+tap.1 Reconcile succeeded
conventions-controller controller.conventions.apps.tanzu.vmware.com 0.5.0 Reconcile succeeded
developer-conventions developer-conventions.tanzu.vmware.com 0.5.0-build.1 Reconcile succeeded
fluxcd-source-controller fluxcd.source.controller.tanzu.vmware.com 0.16.0 Reconcile succeeded
grype grype.scanning.apps.tanzu.vmware.com 1.0.0 Reconcile succeeded
image-policy-webhook image-policy-webhook.signing.apps.tanzu.vmware.com 1.0.0 Reconcile succeeded
learningcenter learningcenter.tanzu.vmware.com 0.1.0 Reconcile succeeded
learningcenter-workshops workshops.learningcenter.tanzu.vmware.com 0.1.0 Reconcile succeeded
metadata-store metadata-store.apps.tanzu.vmware.com 1.0.1 Reconcile succeeded
ootb-delivery-basic ootb-delivery-basic.tanzu.vmware.com 0.5.1 Reconcile succeeded
ootb-supply-chain-testing-scanning ootb-supply-chain-testing-scanning.tanzu.vmware.com 0.5.1 Reconcile succeeded
ootb-templates ootb-templates.tanzu.vmware.com 0.5.1 Reconcile succeeded
scanning scanning.apps.tanzu.vmware.com 1.0.0 Reconcile succeeded
service-bindings service-bindings.labs.vmware.com 0.6.0 Reconcile succeeded
services-toolkit services-toolkit.tanzu.vmware.com 0.5.0 Reconcile succeeded
source-controller controller.source.apps.tanzu.vmware.com 0.2.0 Reconcile succeeded
spring-boot-conventions spring-boot-conventions.tanzu.vmware.com 0.3.0 Reconcile succeeded
tap tap.tanzu.vmware.com 1.0.0 Reconcile succeeded
tap-gui tap-gui.tanzu.vmware.com 1.0.1 Reconcile succeeded
tap-telemetry tap-telemetry.tanzu.vmware.com 0.1.2 Reconcile succeeded
tekton-pipelines tekton.tanzu.vmware.com 0.30.0 Reconcile succeeded
Configure TAP GUI
- On your Git repository of choice, extract the Blank Software Catalog from VMware Tanzu Network. You link to that catalog-info.yaml file when you configure your catalog later. In this demo, I am using an existing catalog-info.yaml file from my repo.
- Collect the External IP of the LoadBalancer by running the following command, and update the tap-values.yaml file:
$ kubectl get svc -n tap-gui
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
server LoadBalancer 10.32.2.211 35.200.246.183 7000:31577/TCP 91m
- Add the following section to tap-values.yaml by using the following template, and replace all placeholders with your relevant values.
Syntax for new lines to be added
tap_gui:
  service_type: LoadBalancer
  # Existing tap-values.yaml above
  app_config:
    app:
      baseUrl: http://EXTERNAL-IP:7000
    integrations:
      github: # Other integrations available see NOTE below
        - host: github.com
          token: GITHUB-TOKEN
    catalog:
      locations:
        - type: url
          target: https://GIT-CATALOG-URL/catalog-info.yaml
    backend:
      baseUrl: http://EXTERNAL-IP:7000
      cors:
        origin: http://EXTERNAL-IP:7000
- The updated YAML file should be similar to the one below:
profile: full
ceip_policy_disclosed: true # Installation fails if this is set to 'false'
buildservice:
  kp_default_repository: "gcr.io/eknath-se/build-service" # Replace the project id with yours. In my case eknath-se is the project ID
  kp_default_repository_username: _json_key
  kp_default_repository_password: '<redacted>' # This will be the key.json file in one line
  tanzunet_username: "<Tanzu network user name>" # Provide the Tanzu network user name
  tanzunet_password: "<Tanzu network password>" # Provide the Tanzu network password
  descriptor_name: "tap-1.0.0-full"
  enable_automatic_dependency_updates: true
supply_chain: testing_scanning
ootb_supply_chain_testing_scanning:
  registry:
    server: "gcr.io"
    repository: "eknath-se/build-service" # Replace the project id with yours. In my case eknath-se is the project ID
  gitops:
    ssh_secret: ""
  cluster_builder: default
  service_account: default
learningcenter:
  ingressDomain: "captainvirtualization.in" # Domain name
metadata_store:
  app_service_type: LoadBalancer # (optional) Defaults to LoadBalancer. Change to NodePort for distributions that don't support LoadBalancer
grype:
  namespace: "tap-install" # (optional) Defaults to default namespace.
  targetImagePullSecret: "registry-credentials" # These credentials will be created in the next few minutes
contour:
  envoy:
    service:
      type: LoadBalancer
tap_gui:
  service_type: LoadBalancer
  app_config:
    app:
      baseUrl: http://35.200.246.183:7000 ### Load balancer External IP collected in previous step
    integrations:
      github: # Other integrations available see NOTE below
        - host: github.com
          token: <redacted> ### To be collected from git portal
    catalog:
      locations:
        - type: url
          target: https://github.com/sample-accelerators/tanzu-java-web-app/blob/main/catalog/catalog-info.yaml ## Replace with yours
    backend:
      baseUrl: http://35.200.246.183:7000 ### Load balancer External IP collected in previous step
      cors:
        origin: http://35.200.246.183:7000 ### Load balancer External IP collected in previous step
Update the package profile:
$ tanzu package installed update tap --package-name tap.tanzu.vmware.com --version 1.0.0 -n tap-install -f tap-values.yaml
| Updating installed package 'tap'
/ Getting package install for 'tap'
| Getting package metadata for 'tap.tanzu.vmware.com'
| Updating secret 'tap-tap-install-values'
| Updating package install for 'tap'
- Waiting for 'PackageInstall' reconciliation for 'tap'
Updated installed package 'tap' in namespace 'tap-install'
- Access the external IP collected earlier with port 7000 to access the TAP GUI. Ex: http://EXTERNAL-IP:7000
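Both versions of tap-values.yaml above hold registry, Tanzu Network and GitHub credentials in plain text, start out full of template placeholders, and point the TAP GUI at http:// URLs. A pre-flight check to run before `tanzu package install` or `tanzu package installed update`, as an added example that is not part of the original post or of the tanzu CLI; the function names and the sample file are hypothetical:

```shell
#!/bin/sh
# Added example: pre-install lint for a TAP values file. Hypothetical helper,
# not part of the tanzu CLI. Reports line numbers and keys, never the values.
lint_tap_values() {
  f="$1"
  report="$(
    # 1. The file holds registry, Tanzu Network and GitHub credentials,
    #    so it should be readable by its owner only.
    mode="$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")"
    case "$mode" in
      (600|400) ;;
      (*) echo "PERMS mode $mode, expected 600" ;;
    esac
    # 2. Template placeholders left in place: <...> or ALL-CAPS-WITH-DASHES.
    #    Trailing comments are stripped before matching.
    sed 's/[[:space:]]#.*$//' "$f" |
      grep -nE '<[^>]+>|[A-Z]{2,}(-[A-Z]{2,})+' |
      sed -E 's/^([0-9]+):[[:space:]-]*([A-Za-z_]+):.*/PLACEHOLDER line \1 key \2/'
    # 3. TAP GUI URLs that would be served over plain HTTP.
    grep -nE '(baseUrl|origin):[[:space:]]*http://' "$f" |
      sed -E 's/^([0-9]+):[[:space:]]*([A-Za-z_]+):.*/PLAINTEXT-HTTP line \1 key \2/'
  )"
  [ -z "$report" ] && return 0
  printf '%s\n' "$report"
  return 1
}

# Constructed sample input (not the author's file).
write_sample() {
  cat > "$1" <<'EOF'
profile: full
buildservice:
  kp_default_repository: "gcr.io/my-project/build-service"
  tanzunet_password: "<Tanzu network password>" # Provide the password
tap_gui:
  service_type: LoadBalancer
  app_config:
    app:
      baseUrl: http://EXTERNAL-IP:7000
    integrations:
      github:
        - host: github.com
          token: GITHUB-TOKEN
EOF
}

sample="$(mktemp)"   # mktemp creates the file with mode 600
write_sample "$sample"
lint_tap_values "$sample" || echo "resolve the findings before installing"
rm -f "$sample"
```

Run `chmod 600 tap-values.yaml` after generating the file so the first check passes, and keep the file out of version control.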