TAP On GKE (1.0.0) : Part 2 – Install TAP with supply chain testing and scanning

Eknath -
Reading Time: 4 mins

In this post, I will be demonstrating the steps to install Tanzu Application Platform packages from the Tanzu Application Platform package repository. Before you install the packages, ensure you have prepared the setup as mentioned in post.

Add TAP package repository

# Set up environment variables for use during the installation.

export INSTALL_REGISTRY_USERNAME=TANZU-NET-USER
export INSTALL_REGISTRY_PASSWORD=TANZU-NET-PASSWORD
export INSTALL_REGISTRY_HOSTNAME=registry.tanzu.vmware.com

# Create a namespace called tap-install for deploying any component packages by running:

$  kubectl create ns tap-install

#Create a registry secret by running:

$  tanzu secret registry add tap-registry --username ${INSTALL_REGISTRY_USERNAME} --password ${INSTALL_REGISTRY_PASSWORD} --server ${INSTALL_REGISTRY_HOSTNAME} --export-to-all-namespaces --yes --namespace tap-install

# Add Tanzu Application Platform package repository to the cluster by running:

$  tanzu package repository add tanzu-tap-repository --url registry.tanzu.vmware.com/tanzu-application-platform/tap-packages:1.0.0 --namespace tap-install

# Get the status of the Tanzu Application Platform package repository, and ensure the status updates to Reconcile succeeded by running:

$  tanzu package repository get tanzu-tap-repository --namespace tap-install
- Retrieving repository tanzu-tap-repository...
NAME:          tanzu-tap-repository
VERSION:       16710
REPOSITORY:    registry.tanzu.vmware.com/tanzu-application-platform/tap-packages
TAG:           1.0.0
STATUS:        Reconcile succeeded
REASON:

#List the available packages by running:

$  tanzu package available list --namespace tap-install

Install Tanzu Application Platform profile

Tanzu Application Platform can be installed through pre-defined profiles or through individual packages. TAP contains the following two profiles. In this demo, I will cover full profile with ootb supply chain with testing and scanning, gcr.io for image repo, service_type Load Balancer. 

      • Full
      • Light

Note: refer to doc for more details

full Profile Syntax 
profile: full
ceip_policy_disclosed: true # Installation fails if this is set to 'false'
buildservice:
  kp_default_repository: "KP-DEFAULT-REPO"
  kp_default_repository_username: "KP-DEFAULT-REPO-USERNAME"
  kp_default_repository_password: "KP-DEFAULT-REPO-PASSWORD"
  tanzunet_username: "TANZUNET-USERNAME"
  tanzunet_password: "TANZUNET-PASSWORD"
  descriptor_name: "DESCRIPTOR-NAME"
  enable_automatic_dependency_updates: true
supply_chain: basic

ootb_supply_chain_basic:
  registry:
    server: "SERVER-NAME"
    repository: "REPO-NAME"
  gitops:
    ssh_secret: ""

learningcenter:
  ingressDomain: "DOMAIN-NAME"

tap_gui:
  service_type: ClusterIP
  ingressEnabled: "true"
  ingressDomain: "INGRESS-DOMAIN"
  app_config:
    app:
      baseUrl: http://tap-gui.INGRESS-DOMAIN
    catalog:
      locations:
        - type: url
          target: https://GIT-CATALOG-URL/catalog-info.yaml
    backend:
      baseUrl: http://tap-gui.INGRESS-DOMAIN
      cors:
        origin: http://tap-gui.INGRESS-DOMAIN

metadata_store:
  app_service_type: LoadBalancer # (optional) Defaults to LoadBalancer. Change to NodePort for distributions that don't support LoadBalancer

grype:
  namespace: "MY-DEV-NAMESPACE" # (optional) Defaults to default namespace.
  targetImagePullSecret: "TARGET-REGISTRY-CREDENTIALS-SECRET"
  • KP-DEFAULT-REPO is a writable repository in your registry. Tanzu Build Service dependencies are written to this location. Examples:
    • Harbor has the form kp_default_repository: "my-harbor.io/my-project/build-service"
    • Dockerhub has the form kp_default_repository: "my-dockerhub-user/build-service" or kp_default_repository: "index.docker.io/my-user/build-service"
    • Google Cloud Registry has the form kp_default_repository: "gcr.io/my-project/build-service"
  • KP-DEFAULT-REPO-USERNAME is the username that can write to KP-DEFAULT-REPO. You should be able to docker push to this location with this credential.
    • For Google Cloud Registry, use kp_default_repository_username: _json_key
  • KP-DEFAULT-REPO-PASSWORD is the password for the user that can write to KP-DEFAULT-REPO. You can docker push to this location with this credential.
    • For Google Cloud Registry, use the contents of the service account JSON key.
  • DESCRIPTOR-NAME is the name of the descriptor to import automatically. Current available options at time of release:
    • tap-1.0.0-full contains all dependencies, and is for production use.
    • tap-1.0.0-lite smaller footprint used for speeding up installs. Requires Internet access on the cluster.
  • SERVER-NAME is the hostname of the registry server. Examples:
    • Harbor has the form server: "my-harbor.io"
    • Dockerhub has the form server: "index.docker.io"
    • Google Cloud Registry has the form server: "gcr.io"
  • REPO-NAME is where workload images are stored in the registry. Images are written to SERVER-NAME/REPO-NAME/workload-name. Examples:
    • Harbor has the form repository: "my-project/supply-chain"
    • Dockerhub has the form repository: "my-dockerhub-user"
    • Google Cloud Registry has the form repository: "my-project/supply-chain"
  • DOMAIN-NAME has a value such as learningcenter.example.com.
  • INGRESS-DOMAIN is the subdomain for the host name that you point at the tanzu-shared-ingress service’s External IP address.
  • GIT-CATALOG-URL is the path to the catalog-info.yaml catalog definition file from either the included Blank catalog (provided as an additional download named “Blank Tanzu Application Platform GUI Catalog”) or a Backstage-compliant catalog that you’ve already built and posted on the Git infrastucture you specified in the Integration section.
  • MY-DEV-NAMESPACE is the namespace where you want the ScanTemplates to be deployed to. This is the namespace where the scanning feature is going to run.
  • TARGET-REGISTRY-CREDENTIALS-SECRET is the name of the secret that contains the credentials to pull an image from the registry for scanning. If built images are pushed to the same registry as the Tanzu Application Platform images, this can reuse the tap-registry secret.

Note: Using the tap-values.yaml configuration, buildservice.enable_automatic_dependency_updates: false can be used to pause the automatic update of Build Service dependencies.

  • Since we are using Google Cloud Registry in this demo, I have a simple script to parse the credentials. Replace the necessary values before executing.
# where <key>.json is the file downloaded from GCP console

service_account_key="$(cat <key>.json)"
cat <<EOF > tap-values.yaml
profile: full
ceip_policy_disclosed: true # Installation fails if this is set to 'false'
buildservice:
  kp_default_repository: "gcr.io/eknath-se/build-service" # Replace the project id with yours. In my case eknath-se is the project ID
  kp_default_repository_username: _json_key
  kp_default_repository_password: '$(echo $service_account_key)'
  tanzunet_username: "<Tanzu network user name>" # Provide the Tanzu network user name
  tanzunet_password: "<Tanzu network password>" # Provide the Tanzu network password
  descriptor_name: "tap-1.0.0-full"
  enable_automatic_dependency_updates: true
supply_chain: testing_scanning
ootb_supply_chain_testing_scanning:
  registry:
    server: "gcr.io"
    repository: "eknath-se/build-service" # Replace the project id with yours. In my case eknath-se is the project ID
  gitops:
    ssh_secret: ""
  cluster_builder: default
  service_account: default

learningcenter:
  ingressDomain: "<domain name>" # Provide a Domain Name

metadata_store:
  app_service_type: LoadBalancer # (optional) Defaults to LoadBalancer. Change to NodePort for distributions that don't support LoadBalancer
grype:
  namespace: "tap-install" # (optional) Defaults to default namespace.
  targetImagePullSecret: "registry-credentials"
contour:
  envoy:
    service:
      type: LoadBalancer
tap_gui:
  service_type: LoadBalancer # NodePort for distributions that don't support LoadBalancer
  app_config:
    app:
      baseUrl: http://<ip>:7000 
    integrations:
      github: # Other integrations available see NOTE below
        - host: github.com
          token: <github token> # Create a token in github 
    catalog:
      locations:
        - type: url
          target: https://github.com/sample-accelerators/tanzu-java-web-app/blob/main/catalog/catalog-info.yaml
    backend:
      baseUrl: http://<ip>:7000
      cors:
        origin: http://<ip>:7000
EOF
# Install the package by running:

tanzu package install tap -p tap.tanzu.vmware.com -v 1.0.0 --values-file tap-values.yml -n tap-install

# Verify the package install by running:

tanzu package installed get tap -n tap-install

#Verify that all the necessary packages in the profile are installed by running:

tanzu package installed list -n tap-install
/ Retrieving installed packages...
  NAME                                PACKAGE-NAME                                         PACKAGE-VERSION  STATUS
  accelerator                         accelerator.apps.tanzu.vmware.com                    1.0.0            Reconcile succeeded
  api-portal                          api-portal.tanzu.vmware.com                          1.0.8            Reconcile succeeded
  appliveview                         run.appliveview.tanzu.vmware.com                     1.0.1            Reconcile succeeded
  appliveview-conventions             build.appliveview.tanzu.vmware.com                   1.0.1            Reconcile succeeded
  buildservice                        buildservice.tanzu.vmware.com                        1.4.2            Reconcile succeeded
  cartographer                        cartographer.tanzu.vmware.com                        0.1.0            Reconcile succeeded
  cert-manager                        cert-manager.tanzu.vmware.com                        1.5.3+tap.1      Reconcile succeeded
  cnrs                                cnrs.tanzu.vmware.com                                1.1.0            Reconcile succeeded
  contour                             contour.tanzu.vmware.com                             1.18.2+tap.1     Reconcile succeeded
  conventions-controller              controller.conventions.apps.tanzu.vmware.com         0.5.0            Reconcile succeeded
  developer-conventions               developer-conventions.tanzu.vmware.com               0.5.0-build.1    Reconcile succeeded
  fluxcd-source-controller            fluxcd.source.controller.tanzu.vmware.com            0.16.0           Reconcile succeeded
  grype                               grype.scanning.apps.tanzu.vmware.com                 1.0.0            Reconcile succeeded
  image-policy-webhook                image-policy-webhook.signing.apps.tanzu.vmware.com   1.0.0            Reconcile succeeded
  learningcenter                      learningcenter.tanzu.vmware.com                      0.1.0            Reconcile succeeded
  learningcenter-workshops            workshops.learningcenter.tanzu.vmware.com            0.1.0            Reconcile succeeded
  metadata-store                      metadata-store.apps.tanzu.vmware.com                 1.0.1            Reconcile succeeded
  ootb-delivery-basic                 ootb-delivery-basic.tanzu.vmware.com                 0.5.1            Reconcile succeeded
  ootb-supply-chain-testing-scanning  ootb-supply-chain-testing-scanning.tanzu.vmware.com  0.5.1            Reconcile succeeded
  ootb-templates                      ootb-templates.tanzu.vmware.com                      0.5.1            Reconcile succeeded
  scanning                            scanning.apps.tanzu.vmware.com                       1.0.0            Reconcile succeeded
  service-bindings                    service-bindings.labs.vmware.com                     0.6.0            Reconcile succeeded
  services-toolkit                    services-toolkit.tanzu.vmware.com                    0.5.0            Reconcile succeeded
  source-controller                   controller.source.apps.tanzu.vmware.com              0.2.0            Reconcile succeeded
  spring-boot-conventions             spring-boot-conventions.tanzu.vmware.com             0.3.0            Reconcile succeeded
  tap                                 tap.tanzu.vmware.com                                 1.0.0            Reconcile succeeded
  tap-gui                             tap-gui.tanzu.vmware.com                             1.0.1            Reconcile succeeded
  tap-telemetry                       tap-telemetry.tanzu.vmware.com                       0.1.2            Reconcile succeeded
  tekton-pipelines                    tekton.tanzu.vmware.com                              0.30.0           Reconcile succeeded

Configure TAP GUI

  • On your Git repository of choice, extract the Blank Software Catalog from VMware Tanzu Network. You link to that catalog-info.yaml file when you configure your catalog later. In this demo I am using an existing catalog-info.yaml file from my repo
  • Collect the External IP of LoadBalancer by running and update tap-values.yaml file
$ kubectl get svc -n tap-gui
NAME     TYPE           CLUSTER-IP    EXTERNAL-IP      PORT(S)          AGE
server   LoadBalancer   10.32.2.211   35.200.246.183   7000:31577/TCP   91m
  • Add the following section to tap-values.yml by using the following template, and replace all placeholders with your relevant values.
Syntax for new lines to be added 
tap_gui:
  service_type: LoadBalancer
  # Existing tap-values.yml above  
  app_config:
    app:
      baseUrl: http://EXTERNAL-IP:7000
    integrations:
      github: # Other integrations available see NOTE below
        - host: github.com
          token: GITHUB-TOKEN
    catalog:
      locations:
        - type: url
          target: https://GIT-CATALOG-URL/catalog-info.yaml
    backend:
        baseUrl: http://EXTERNAL-IP:7000
        cors:
          origin: http://EXTERNAL-IP:7000
  • Updated yaml file should be similar to below:
profile: full
ceip_policy_disclosed: true # Installation fails if this is set to 'false'
buildservice:
  kp_default_repository: "gcr.io/eknath-se/build-service" # Replace the project id with yours. In my case eknath-se is the project ID
  kp_default_repository_username: _json_key
  kp_default_repository_password: '<redacted>'  # This will be the key.json file in one line
  tanzunet_username: "<Tanzu network user name>" # Provide the Tanzu network user name
  tanzunet_password: "<Tanzu network password>" # Provide the Tanzu network password
  descriptor_name: "tap-1.0.0-full"
  enable_automatic_dependency_updates: true
supply_chain: testing_scanning
ootb_supply_chain_testing_scanning:
  registry:
    server: "gcr.io"
    repository: "eknath-se/build-service" # Replace the project id with yours. In my case eknath-se is the project ID
  gitops:
    ssh_secret: ""
  cluster_builder: default
  service_account: default

learningcenter:
  ingressDomain: "captainvirtualization.in"  #Domain name

metadata_store:
  app_service_type: LoadBalancer # (optional) Defaults to LoadBalancer. Change to NodePort for distributions that don't support LoadBalancer
grype:
  namespace: "tap-install" # (optional) Defaults to default namespace.
  targetImagePullSecret: "registry-credentials"  # will create this credentials in few next few mins
contour:
  envoy:
    service:
      type: LoadBalancer
tap_gui:
  service_type: LoadBalancer
  app_config:
    app:
      baseUrl: http://35.200.246.183:7000  ### Load balancer External IP collected in previous step
    integrations:
      github: # Other integrations available see NOTE below
        - host: github.com
          token: ghp_t7a7WxC4SMaY8AyUv46IAOk  ### To be collected from git portal
    catalog:
      locations:
        - type: url
          target: https://github.com/sample-accelerators/tanzu-java-web-app/blob/main/catalog/catalog-info.yaml  ## Replace with yours
    backend:
      baseUrl: http://35.200.246.183:7000  ### Load balancer External IP collected in previous step
      cors:
        origin: http://35.200.246.183:7000  ### Load balancer External IP collected in previous step

Update the package profile:

$. tanzu package installed update tap --package-name tap.tanzu.vmware.com --version 1.0.0 -n tap-install -f tap-values-gke.yaml
| Updating installed package 'tap'
/ Getting package install for 'tap'
| Getting package metadata for 'tap.tanzu.vmware.com'
| Updating secret 'tap-tap-install-values'
| Updating package install for 'tap'
- Waiting for 'PackageInstall' reconciliation for 'tap'

Updated installed package 'tap' in namespace 'tap-install'
  • Access the external IP collected earlier with port 7000 to access the TAP GUI. Ex: http://EXTERNAL-IP:7000