VMware/TAP: Difference between revisions
Latest revision as of 20:15, 22 July 2024
Install Tanzu Application Platform
Create a Tanzu Account
Follow Step 1: https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.11/tap/install-offline-profile.html
Set Environment Variables
export IMGPKG_REGISTRY_HOSTNAME=harbor.dersllc.com
export IMGPKG_REGISTRY_USERNAME=admin
export IMGPKG_REGISTRY_PASSWORD=<PASSWORD>
export TAP_VERSION=1.6.3
export REGISTRY_CA_PATH=/data/ders-ca.crt
Export and Import the Package Repo for Air-Gapped Environments
docker login harbor.dersllc.com
docker login registry.tanzu.vmware.com
imgpkg copy \
  -b registry.tanzu.vmware.com/tanzu-application-platform/tap-packages:$TAP_VERSION \
  --to-tar tap-packages-$TAP_VERSION.tar \
  --include-non-distributable-layers
# Add new harbor repository named tap-$TAP_VERSION
imgpkg copy \
  --tar tap-packages-$TAP_VERSION.tar \
  --to-repo $IMGPKG_REGISTRY_HOSTNAME/tap-$TAP_VERSION/tap-packages \
  --include-non-distributable-layers \
  --registry-ca-cert-path $REGISTRY_CA_PATH \
  --registry-username $IMGPKG_REGISTRY_USERNAME \
  --registry-password $IMGPKG_REGISTRY_PASSWORD
Setup the TAP Repository
#kubectl config use-context tap-admin@tap
#kubectl vsphere login --insecure-skip-tls-verify --server tkgs.dersllc.com -u admin --tanzu-kubernetes-cluster-namespace ders --tanzu-kubernetes-cluster-name tap
#tanzu package repository delete -n tap-install tanzu-tap-repository --yes
kubectl create ns tap-install
tanzu secret registry add tap-registry \
  --server $IMGPKG_REGISTRY_HOSTNAME \
  --username $IMGPKG_REGISTRY_USERNAME \
  --password $IMGPKG_REGISTRY_PASSWORD \
  --namespace tap-install \
  --export-to-all-namespaces \
  --yes
kubectl create secret docker-registry registry-credentials \
  --docker-server=${IMGPKG_REGISTRY_HOSTNAME} \
  --docker-username=${IMGPKG_REGISTRY_USERNAME} \
  --docker-password=${IMGPKG_REGISTRY_PASSWORD} \
  -n tap-install
tanzu package repository add tanzu-tap-repository \
  --url $IMGPKG_REGISTRY_HOSTNAME/tap-$TAP_VERSION/tap-packages:$TAP_VERSION \
  --namespace tap-install
tanzu package repository get tanzu-tap-repository --namespace tap-install
Prep for Grype Scanner
kubectl create configmap grype-ca -n default --from-file=ca.crt=/data/ders-ca.crt
curl https://ders-gitlab.dersllc.com/ders/vmware-se/-/raw/main/TAP/grype-db/grype-airgap-secret.yaml > grype-airgap-secret.yaml
kubectl apply -f grype-airgap-secret.yaml -n tap-install
curl https://ders-gitlab.dersllc.com/ders/vmware-se/-/raw/main/TAP/grype-db/grype-ca-overlay.yaml > grype-ca-overlay.yaml
kubectl apply -f grype-ca-overlay.yaml -n tap-install
Install TAP
#Dependencies Certificate Issuer
kubectl apply -f https://ders-gitlab.dersllc.com/ders/vmware-se/-/raw/main/HomeLab/TMC%20on%20TKGm/tmc-issuer.yaml
#GITOPS (If you want TAP to send its deployment yamls to GitLab Repo)
# curl https://ders-gitlab.dersllc.com/ders/vmware-se/-/raw/main/TAP/gitops/TAP-values-FULL.yaml > tap-values.yaml
#REPOOPS (If you want TAP to send its deployment yamls to Harbor Repo)
curl https://ders-gitlab.dersllc.com/ders/vmware-se/-/raw/main/TAP/tap-values-FULL.yaml > tap-values.yaml
#INSTALL TAP
#vi tap-values.yaml
tanzu package install tap -p tap.tanzu.vmware.com -v $TAP_VERSION --values-file tap-values.yaml -n tap-install
kubectl get packageinstall -n tap-install
Install Full Build Service Dependencies Package
# LOG INTO THE HARBOR SERVER
docker login tap-sm-docker-prod-local.dmz.packages.broadcom.com #LOOK @ VAULT.DERSLLC.COM for the CREDENTIALS. Search for TAP.
export TAP_VERSION=1.10.1
export HARBOR_HOSTNAME=harbor.dersllc.com
#####Export and Import Full Dep Containers
imgpkg copy -b tap-sm-docker-prod-local.dmz.packages.broadcom.com/$TAP_VERSION/tanzu-application-platform/full-deps-package-repo:$TAP_VERSION \
  --to-tar=tbs-full-deps-$TAP_VERSION.tar
imgpkg copy --tar tbs-full-deps-$TAP_VERSION.tar \
  --to-repo=${HARBOR_HOSTNAME}/tbs-$TAP_VERSION/tbs-full-deps
# BACK ON THE SERVER WITH TANZU CLI
export TAP_VERSION=1.10.1
export HARBOR_HOSTNAME=harbor.dersllc.com
tanzu package repository add tbs-full-deps-repository \
  --url ${HARBOR_HOSTNAME}/tbs-$TAP_VERSION/tbs-full-deps:$TAP_VERSION \
  --namespace tap-install
tanzu package install full-tbs-deps -p full-tbs-deps.tanzu.vmware.com -v $TAP_VERSION -n tap-install
Install OOTB Testing and Scanning Package
tanzu package available list ootb-supply-chain-testing-scanning.tanzu.vmware.com --namespace tap-install
export OOTB_VERSION='0.13.9'
export OOTB_VERSION=`tanzu package available list ootb-supply-chain-testing-scanning.tanzu.vmware.com --namespace tap-install | awk '{ print $2 }' | egrep -v VERSION | tail -1`
echo $OOTB_VERSION
#GITOPS
curl https://ders-gitlab.dersllc.com/ders/vmware-se/-/raw/main/TAP/gitops/ootb-supply-chain-testing-scanning-values.yaml > scan-values.yaml
kubectl apply -f https://ders-gitlab.dersllc.com/ders/vmware-se/-/raw/main/TAP/gitops/overlay-ootb-templates-skip-tls.yaml
#REPOOPS
curl https://ders-gitlab.dersllc.com/ders/vmware-se/-/raw/main/TAP/ootb-supply-chain-testing-scanning-values.yaml > scan-values.yaml
#INSTALL
tanzu package install ootb-supply-chain-testing-scanning -p ootb-supply-chain-testing-scanning.tanzu.vmware.com -v $OOTB_VERSION -n tap-install --values-file scan-values.yaml
Fix the Metadata Service
kubectl get secret $(kubectl get sa -n metadata-store metadata-store-read-write-client -o json | jq -r '.metadata.name') -n metadata-store -o json | jq -r '.data.token' | base64 -d
#add the following to the tap-values.yaml
tap_gui:
  service_type: ClusterIP
  ingressEnabled: "true"
  app_config:
    #auth:
    #  environment: development
    #  providers:
    #    gitlab:
    #      development:
    #        clientId: "22b23986fb7218abd7914d2ac2f03e6be740f59cdd7c4c73fc34179efa5a5cd3"
    #        clientSecret: "01888711c86de528a8a90b38259dd346d74601e1351d35b8b7bdb07200cceee4"
    #        audience: "https://ders-gitlab.dersllc.com"
    proxy:
      /metadata-store:
        target: https://metadata-store-app.metadata-store:8443/api/v1
        changeOrigin: true
        secure: false
        headers:
          Authorization: "Bearer <TOKEN FROM PREVIOUS STEP>"
          X-Custom-Source: project-star
tanzu package install tap -p tap.tanzu.vmware.com -v $TAP_VERSION --values-file tap-values.yaml -n tap-install
Install the Apps Plug-in for the Tanzu CLI
# Latest Release - https://github.com/vmware-tanzu/apps-cli-plugin/releases
wget https://github.com/vmware-tanzu/apps-cli-plugin/releases/download/v0.12.1/tanzu-apps-plugin-linux-amd64-v0.12.1.tar.gz
mkdir -p tap-cli
tar -zxvf tanzu-apps-plugin-linux-amd64-v0.12.1.tar.gz -C tap-cli/
tanzu plugin install apps -l tap-cli/linux/amd64/
Delete TAP
tanzu package installed delete ootb-supply-chain-testing-scanning -n tap-install --yes
tanzu package installed delete full-tbs-deps -n tap-install --yes
tanzu package installed delete tap -n tap-install --yes
Delete Repos
tanzu package repository delete -n tap-install tbs-full-deps-repository --yes
tanzu package repository delete -n tap-install tanzu-tap-repository --yes
Deploy Workloads
Tanzu Java Web App (Basic Supply Chain)
Prepare Namespace
curl https://ders-gitlab.dersllc.com/ders/vmware-se/-/raw/main/TAP/prep-cluster.yaml > prep-cluster.yaml
kubectl apply -f prep-cluster.yaml
curl https://ders-gitlab.dersllc.com/ders/vmware-se/-/raw/main/TAP/prep-default-ns.yaml > prep-default-ns.yaml
kubectl apply -f prep-default-ns.yaml
curl https://ders-gitlab.dersllc.com/ders/ders-proxy/-/raw/master/AddTrustExternalCARoot.crt > /data/ders-ca.crt
curl https://ders-gitlab.dersllc.com/ders/vmware-se/-/raw/main/HomeLab/DERS-CA-CERT/ders-ca.cer >> /data/ders-ca.crt
kubectl create configmap grype-ca -n default --from-file=ca.crt=/data/ders-ca.crt
Create Workload in TAP
#Download Workload File
curl --insecure https://ders-gitlab.dersllc.com/ders/tanzu-java-web-app/-/raw/main/config/workload.yaml > tanzu-java-web-app-workload.yaml
#Delete Workload
tanzu apps workload delete tanzu-java-web-app --yes
#Create Workload
tanzu apps workload create -f tanzu-java-web-app-workload.yaml --yes
#Continuously View Workload
watch tanzu apps workload get tanzu-java-web-app
Tanzu Java Web App (Test / Scan Supply Chain)
Prepare Namespace
kubectl apply -f https://ders-gitlab.dersllc.com/ders/vmware-se/-/raw/main/TAP/prep-cluster.yaml
kubectl apply -f https://ders-gitlab.dersllc.com/ders/vmware-se/-/raw/main/TAP/prep-test-ns.yaml
curl https://ders-gitlab.dersllc.com/ders/ders-proxy/-/raw/master/AddTrustExternalCARoot.crt > /data/ders-ca.crt
curl https://ders-gitlab.dersllc.com/ders/vmware-se/-/raw/main/HomeLab/DERS-CA-CERT/ders-ca.cer >> /data/ders-ca.crt
kubectl create configmap grype-ca -n default --from-file=ca.crt=/data/ders-ca.crt
kubectl create secret generic custom-ca --from-file=caFile=/data/ders-ca.crt -n test
Create Workload in TAP
#Download Workload File
curl --insecure https://ders-gitlab.dersllc.com/ders/tanzu-java-web-app/-/raw/scan-branch/config/workload-scan.yaml > tanzu-java-web-app-workload-scan.yaml
#Delete Workload
tanzu apps workload delete tanzu-java-web-app-scan --yes -n test
#Create Workload
tanzu apps workload create -f tanzu-java-web-app-workload-scan.yaml --yes -n test
#Continuously View Workload
watch tanzu apps workload get tanzu-java-web-app-scan -n test
Hungryman (Where for Dinner)
Prepare Namespace
kubectl apply -f https://ders-gitlab.dersllc.com/ders/vmware-se/-/raw/main/TAP/prep-cluster.yaml
kubectl apply -f https://ders-gitlab.dersllc.com/ders/vmware-se/-/raw/main/TAP/prep-workloads-ns.yaml
curl https://ders-gitlab.dersllc.com/ders/ders-proxy/-/raw/master/AddTrustExternalCARoot.crt > /data/ders-ca.crt
curl https://ders-gitlab.dersllc.com/ders/vmware-se/-/raw/main/HomeLab/DERS-CA-CERT/ders-ca.cer >> /data/ders-ca.crt
kubectl create configmap grype-ca -n workloads --from-file=ca.crt=/data/ders-ca.crt
Create Workloads in TAP
#Download Workload Files
curl --insecure https://ders-gitlab.dersllc.com/ders/where-for-dinner/-/raw/main/where-for-dinner-api-gateway/config/workload.yaml > where-for-dinner-api-gateway-workload.yaml
curl --insecure https://ders-gitlab.dersllc.com/ders/where-for-dinner/-/raw/main/where-for-dinner-availability/config/workload.yaml > where-for-dinner-availability-workload.yaml
curl --insecure https://ders-gitlab.dersllc.com/ders/where-for-dinner/-/raw/main/where-for-dinner-crawler/config/workload.yaml > where-for-dinner-crawler-workload.yaml
curl --insecure https://ders-gitlab.dersllc.com/ders/where-for-dinner/-/raw/main/where-for-dinner-notify/config/workload.yaml > where-for-dinner-notify-workload.yaml
curl --insecure https://ders-gitlab.dersllc.com/ders/where-for-dinner/-/raw/main/where-for-dinner-search-proc/config/workload.yaml > where-for-dinner-search-proc-workload.yaml
curl --insecure https://ders-gitlab.dersllc.com/ders/where-for-dinner/-/raw/main/where-for-dinner-search/config/workload.yaml > where-for-dinner-search-workload.yaml
curl --insecure https://ders-gitlab.dersllc.com/ders/where-for-dinner/-/raw/main/where-for-dinner-ui/config/workload.yaml > where-for-dinner-ui-workload.yaml
#Delete Workloads
tanzu apps workload delete -n workloads where-for-dinner --yes
tanzu apps workload delete -n workloads where-for-dinner-availability --yes
tanzu apps workload delete -n workloads where-for-dinner-crawler --yes
tanzu apps workload delete -n workloads where-for-dinner-notify --yes
tanzu apps workload delete -n workloads where-for-dinner-search-proc --yes
tanzu apps workload delete -n workloads where-for-dinner-search --yes
tanzu apps workload delete -n workloads where-for-dinner-ui --yes
#Create Workloads
tanzu apps workload create -f where-for-dinner-api-gateway-workload.yaml --yes
tanzu apps workload create -f where-for-dinner-availability-workload.yaml --yes
tanzu apps workload create -f where-for-dinner-crawler-workload.yaml --yes
tanzu apps workload create -f where-for-dinner-notify-workload.yaml --yes
tanzu apps workload create -f where-for-dinner-search-proc-workload.yaml --yes
tanzu apps workload create -f where-for-dinner-search-workload.yaml --yes
tanzu apps workload create -f where-for-dinner-ui-workload.yaml --yes
#View Workloads
tanzu apps workload get -n workloads where-for-dinner
tanzu apps workload get -n workloads where-for-dinner-availability
tanzu apps workload get -n workloads where-for-dinner-crawler
tanzu apps workload get -n workloads where-for-dinner-notify
tanzu apps workload get -n workloads where-for-dinner-search-proc
tanzu apps workload get -n workloads where-for-dinner-search
tanzu apps workload get -n workloads where-for-dinner-ui
Register Repos with TAP
Tanzu Java Web App
https://ders-gitlab.dersllc.com/ders/tanzu-java-web-app/-/blob/main/catalog/catalog-info.yaml
Hungryman (Where for Dinner)
https://ders-gitlab.dersllc.com/ders/where-for-dinner/-/blob/main/catalog/catalog-info.yaml
Other Commands
IDE
Setup Demo ENV
pscp [email protected]:/root/.kube/config C:\Users\ders\.kube\
kubectl config use-context tap-admin@tap
Accelerator URL Setup (Port-Forward)
kubectl port-forward service/acc-server -n accelerator-system 8877:80
References
GITOPS Skip TLS verification
https://github.com/alexandreroman/tap-recipes/tree/main/skip-tls-gitops
Namespace Provisioner
https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.7/tap/namespace-provisioner-use-cases.html
values file values
OOTB Supply Chain Testing and Scanning
tanzu package available get ootb-supply-chain-testing-scanning.tanzu.vmware.com/0.13.9 -n tap-install --values-schema
tanzu package available get tap.tanzu.vmware.com/1.6.3 -n tap-install --values-schema
Supply Chain
GitOps vs. RegistryOps (Config Writer)
https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.3/tap/GUID-scc-gitops-vs-regops.html
ERRORS
Supply-Chain Image Scanner Step
error: scan job failed. logs: Error: Get "https://harbor.dersllc.com/v2/": x509: certificate signed by unknown authority
Make sure the grype-ca ConfigMap is in the desired namespace.
Make sure the grype-ca-overlay secret is created.
Make sure the grype-ca-overlay is referenced in the tap-values.yaml.
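The Prepare Namespace steps above build /data/ders-ca.crt by appending a .cer file to a .crt file, and the scanner error here is what a broken bundle looks like afterwards. The following POSIX shell script is an added example, not part of the original page, that checks a bundle's PEM structure before it is loaded into the grype-ca ConfigMap or custom-ca Secret; the function names and the demo's file contents are constructed.

```shell
#!/bin/sh
# Added example, not from the original wiki page: sanity-check the CA bundle
# (/data/ders-ca.crt in the runbook) before it goes into the grype-ca ConfigMap
# or the custom-ca Secret. The runbook builds the bundle by appending a .cer
# file to a .crt file; .cer files are often DER-encoded, and Go's PEM loader
# (used by imgpkg, Grype and the supply chain) silently skips a non-PEM or
# truncated block, which later shows up as "certificate signed by unknown authority".

# Number of complete BEGIN/END CERTIFICATE pairs in a file.
pem_cert_count() {
  awk '/^-----BEGIN CERTIFICATE-----$/ { open = 1 }
       /^-----END CERTIFICATE-----$/   { if (open) { n++; open = 0 } }
       END { print n + 0 }' "$1"
}

# Succeeds only if the file is a well-formed PEM bundle: at least one
# certificate, every BEGIN matched by an END, and only base64 inside the
# blocks (a DER file or a truncated block fails this check).
bundle_is_pem() {
  f="$1"
  begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
  ends=$(grep -c '^-----END CERTIFICATE-----$' "$f" || true)
  [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ] || return 1
  bad=$(awk '/^-----BEGIN CERTIFICATE-----$/ { inb = 1; next }
             /^-----END CERTIFICATE-----$/   { inb = 0; next }
             inb && $0 !~ "^[A-Za-z0-9+/=]+$" { bad++ }
             END { print bad + 0 }' "$f")
  [ "$bad" -eq 0 ]
}

# Append one certificate file to the bundle, refusing DER/garbage and making
# sure the bundle ends with a newline so two blocks never fuse on one line.
append_ca() {
  src="$1"; bundle="$2"
  if ! bundle_is_pem "$src"; then
    echo "refusing $src: not PEM (if DER: openssl x509 -inform DER -in $src -out $src.pem)" >&2
    return 1
  fi
  if [ -f "$bundle" ] && [ -n "$(tail -c 1 "$bundle")" ]; then printf '\n' >> "$bundle"; fi
  cat "$src" >> "$bundle"
}

# Demo on constructed, non-functional PEM-shaped files: sh check-ca-bundle.sh --demo
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBdemo' '-----END CERTIFICATE-----' > "$d/root.crt"
  printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'MIICdemo' '-----END CERTIFICATE-----' > "$d/ders-ca.cer"
  printf '0\202\003\001' > "$d/der.cer"   # first bytes of a DER SEQUENCE header
  cp "$d/root.crt" "$d/bundle.crt"
  append_ca "$d/ders-ca.cer" "$d/bundle.crt" && echo "bundle holds $(pem_cert_count "$d/bundle.crt") certs"
  append_ca "$d/der.cer" "$d/bundle.crt" || echo "DER file rejected, bundle untouched"
  rm -rf "$d"
fi
```

Run the checks against the real bundle with `bundle_is_pem /data/ders-ca.crt && pem_cert_count /data/ders-ca.crt` before the kubectl create configmap step; a count lower than the number of files you appended means one of them was not PEM.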
Config Writer Error
pod error: fatal: unable to access 'https://ders-gitlab.dersllc.com/ders/tap-supply-chain.git/': server certificate verification failed. CAfile: none CRLfile: none
#Follow the instructions here -> https://github.com/alexandreroman/tap-recipes/tree/main/skip-tls-gitops
kubectl apply -f https://ders-gitlab.dersllc.com/ders/vmware-se/-/raw/main/TAP/gitops/overlay-ootb-templates-skip-tls.yaml
#Add the following to tap-values.yaml
package_overlays:
  - name: ootb-templates
    secrets:
      - name: overlay-ootb-templates-skip-tls
Config Writer ERROR
fatal: could not read Username for 'https://ders-gitlab.dersllc.com': No such device or address
kubectl patch serviceaccount default -p '{"secrets": [{"name": "git-ssh"}]}' -n test