This document describes how to install Tanzu Application Platform packages from the Tanzu Application Platform package repository.
Before you install the packages, ensure that you have completed the prerequisites, configured and verified the cluster, accepted the EULA, and installed the Tanzu CLI with any required plugins. For information, see Installing Part I: Prerequisites, Cluster Configurations, EULA, and CLI.
The parameters required for an installation are defined in a YAML values file. The parameters available for each package are described by the values schema defined in that package; you can retrieve the schema with the command described in the procedure below.
To add the Tanzu Application Platform package repository:

1. Create a namespace called `tap-install` for deploying the packages of the components by running:

   ```
   kubectl create ns tap-install
   ```

   This namespace keeps the installation objects grouped together logically.

2. Create an image pull secret:

   ```
   tanzu imagepullsecret add tap-registry \
     --username TANZU-NET-USER --password TANZU-NET-PASSWORD \
     --registry registry.tanzu.vmware.com \
     --export-to-all-namespaces --namespace tap-install
   ```

   Where `TANZU-NET-USER` and `TANZU-NET-PASSWORD` are your credentials for Tanzu Network.

   Note: `--export-to-all-namespaces` lets secretgen-controller copy this secret into any namespace that asks for it (the per-namespace `pull-secret` configuration later in this document relies on that), so every namespace in the cluster can obtain your Tanzu Network credentials. A password given on the command line is also recorded in your shell history; prefer reading it from an environment variable or from a file with restricted permissions.

3. Add the Tanzu Application Platform package repository to the cluster by running:

   ```
   tanzu package repository add tanzu-tap-repository \
     --url registry.tanzu.vmware.com/tanzu-application-platform/tap-packages:TAP-VERSION \
     --namespace tap-install
   ```

   Where `TAP-VERSION` is the version of Tanzu Application Platform you want to install. For example:

   ```
   $ tanzu package repository add tanzu-tap-repository \
       --url registry.tanzu.vmware.com/tanzu-application-platform/tap-packages:0.2.0 \
       --namespace tap-install
   \ Adding package repository 'tanzu-tap-repository'...

   Added package repository 'tanzu-tap-repository'
   ```

4. Get the status of the Tanzu Application Platform package repository, and ensure that the status updates to `Reconcile succeeded`, by running:

   ```
   tanzu package repository get tanzu-tap-repository --namespace tap-install
   ```

   For example:

   ```
   $ tanzu package repository get tanzu-tap-repository --namespace tap-install
   - Retrieving repository tap...
   NAME:          tanzu-tap-repository
   VERSION:       5712276
   REPOSITORY:    registry.tanzu.vmware.com/tanzu-application-platform/tap-packages:0.2.0
   STATUS:        Reconcile succeeded
   REASON:
   ```

5. List the available packages by running:

   ```
   tanzu package available list --namespace tap-install
   ```

   For example:

   ```
   $ tanzu package available list --namespace tap-install
   / Retrieving available packages...
     NAME                                               DISPLAY-NAME                                                           SHORT-DESCRIPTION
     accelerator.apps.tanzu.vmware.com                  Application Accelerator for VMware Tanzu                               Used to create new projects and configurations.
     api-portal.tanzu.vmware.com                        API portal                                                             A unified user interface to enable search, discovery and try-out of API endpoints at ease.
     appliveview.tanzu.vmware.com                       Application Live View for VMware Tanzu                                 App for monitoring and troubleshooting running apps
     buildservice.tanzu.vmware.com                      Tanzu Build Service                                                    Tanzu Build Service enables the building and automation of containerized software workflows securely and at scale.
     cartographer.tanzu.vmware.com                      Cartographer                                                           Kubernetes native Supply Chain Choreographer.
     cnrs.tanzu.vmware.com                              Cloud Native Runtimes                                                  Cloud Native Runtimes is a serverless runtime based on Knative
     controller.conventions.apps.tanzu.vmware.com       Convention Service for VMware Tanzu                                    Convention Service enables app operators to consistently apply desired runtime configurations to fleets of workloads.
     controller.source.apps.tanzu.vmware.com            Tanzu Source Controller                                                Tanzu Source Controller enables workload create/update from source code.
     default-supply-chain-testing.tanzu.vmware.com      Tanzu App Platform Default Supply Chain with Testing                   Default Software Supply Chain with testing.
     default-supply-chain.tanzu.vmware.com              Tanzu App Platform Default Supply Chain                                Default Supply Chain
     developer-conventions.tanzu.vmware.com             Tanzu App Platform Develooper Conventions                              Developer Conventions
     grype.scanning.apps.tanzu.vmware.com               Grype Scanner for Supply Chain Security Tools for VMware Tanzu - Scan  Default scan templates using Anchore Grype
     image-policy-webhook.signing.run.tanzu.vmware.com  Image Policy Webhook                                                   The Image Policy Webhook allows platform operators to define a policy that will use cosign to verify signatures of container images
     scanning.apps.tanzu.vmware.com                     Supply Chain Security Tools for VMware Tanzu - Scan                    Scan for vulnerabilities and enforce policies directly within Kubernetes native Supply Chains.
     scp-toolkit.tanzu.vmware.com                       SCP Toolkit                                                            The SCP Toolkit
     scst-store.tanzu.vmware.com                        Tanzu Supply Chain Security Tools - Store                              The Metadata Store enables saving and querying image, package, and vulnerability data.
     service-bindings.labs.vmware.com                   Service Bindings for Kubernetes                                        Service Bindings for Kubernetes implements the Service Binding Specification.
   ```
To install any package from the Tanzu Application Platform package repository:

1. List version information for the package by running:

   ```
   tanzu package available list PACKAGE-NAME --namespace tap-install
   ```

   Where `PACKAGE-NAME` is the name of the package listed in step 5 of Add the Tanzu Application Platform Package Repository above. For example:

   ```
   $ tanzu package available list cnrs.tanzu.vmware.com --namespace tap-install
   - Retrieving package versions for cnrs.tanzu.vmware.com...
     NAME                   VERSION  RELEASED-AT
     cnrs.tanzu.vmware.com  1.0.2    2021-08-30T00:00:00Z
   ```

2. (Optional) To see which installation settings you can change from their defaults, run:

   ```
   tanzu package available get PACKAGE-NAME/VERSION-NUMBER --values-schema --namespace tap-install
   ```

   Where `PACKAGE-NAME` is the same as in step 1 and `VERSION-NUMBER` is a version of the package listed in step 1. For example:

   ```
   $ tanzu package available get cnrs.tanzu.vmware.com/1.0.2 --values-schema --namespace tap-install
   ```

   For more information about values schema options, see the individual product documentation.

3. Follow the specific installation instructions for each package:
- Install Cloud Native Runtimes
- Install Application Accelerator
- Install Convention Service
- Install Source Controller
- Install Developer Conventions
- Install Application Live View
- Install Service Bindings
- Install Tanzu Build Service
- Install Supply Chain Choreographer
- Install Default Supply Chain
- Install Supply Chain Security Tools - Store
- Install Supply Chain Security Tools - Sign
- Install Supply Chain Security Tools - Scan
- Install API portal
- Install Services Control Plane (SCP) Toolkit
To install Cloud Native Runtimes:

1. Follow the instructions in Install Packages above.

2. Gather the values schema:

   ```
   tanzu package available get cnrs.tanzu.vmware.com/1.0.2 --values-schema -n tap-install
   ```

   For example:

   ```
   $ tanzu package available get cnrs.tanzu.vmware.com/1.0.2 --values-schema -n tap-install
   | Retrieving package details for cnrs.tanzu.vmware.com/1.0.2...
     KEY                         DEFAULT  TYPE     DESCRIPTION
     pdb.enable                  true     boolean  Optional: Set to true to enable Pod Disruption Budget. If provider local is set to "local", the PDB will be disabled automatically.
     provider                    <nil>    string   Optional: Kubernetes cluster provider. To be specified if deploying CNR on TKGs or on a local Kubernetes cluster provider.
     ingress.external.namespace  <nil>    string   Optional: Only valid if a Contour instance already present in the cluster. Specify a namespace where an existing Contour is installed on your cluster (for external services) if you want CNR to use your Contour instance.
     ingress.internal.namespace  <nil>    string   Optional: Only valid if a Contour instance already present in the cluster. Specify a namespace where an existing Contour is installed on your cluster (for internal services) if you want CNR to use your Contour instance.
     ingress.reuse_crds          false    boolean  Optional: Only valid if a Contour instance already present in the cluster. Set to "true" if you want CNR to re-use the cluster's existing Contour CRDs.
     local_dns.enable            false    boolean  Optional: Only for when "provider" is set to "local" and running on Kind. Set to true to enable local DNS.
     local_dns.domain            <nil>    string   Optional: Set a custom domain for the Knative services.
   ```

3. Create a `cnr-values.yaml` using the following sample as a guide:

   Sample `cnr-values.yaml` for Cloud Native Runtimes:

   ```yaml
   ---
   # if deploying on a local cluster such as Kind. Otherwise, you can use the default values to install CNR.
   provider: local
   ```

   Note: For most installations, you can leave `cnr-values.yaml` empty and use the default values. If you are running on a single-node cluster like kind or minikube, set the `provider: local` option. This option reduces resource requirements by using a HostPort service instead of a LoadBalancer and reduces the number of replicas. You may also want to follow the local kind configuration guide for Cloud Native Runtimes. If you are running on a multi-node cluster, do not set `provider`.

   If your environment has Contour packages present, they might conflict with the Cloud Native Runtimes installation. For information on how to prevent conflicts, see Installing Cloud Native Runtimes for Tanzu with an Existing Contour Installation in the Cloud Native Runtimes documentation. Then, in the `cnr-values.yaml` file, specify values for `ingress.reuse_crds`, `ingress.external.namespace`, and `ingress.internal.namespace` as appropriate.

4. Install the package by running:

   ```
   tanzu package install cloud-native-runtimes -p cnrs.tanzu.vmware.com -v 1.0.2 -n tap-install -f cnr-values.yaml --poll-timeout 30m
   ```

   For example:

   ```
   $ tanzu package install cloud-native-runtimes -p cnrs.tanzu.vmware.com -v 1.0.2 -n tap-install -f cnr-values.yaml --poll-timeout 30m
   - Installing package 'cnrs.tanzu.vmware.com'
   | Getting package metadata for 'cnrs.tanzu.vmware.com'
   | Creating service account 'cloud-native-runtimes-tap-install-sa'
   | Creating cluster admin role 'cloud-native-runtimes-tap-install-cluster-role'
   | Creating cluster role binding 'cloud-native-runtimes-tap-install-cluster-rolebinding'
   - Creating package resource
   - Package install status: Reconciling

    Added installed package 'cloud-native-runtimes' in namespace 'tap-install'
   ```

   Note: As the output shows, the CLI creates a service account for each package installation and binds it to a cluster-admin role; the package's resources are applied with that level of privilege. This is true of every `tanzu package install` on this page.

5. Verify the package install by running:

   ```
   tanzu package installed get cloud-native-runtimes -n tap-install
   ```

   For example:

   ```
   $ tanzu package installed get cloud-native-runtimes -n tap-install
   | Retrieving installation details for cloud-native-runtimes...
   NAME:                    cloud-native-runtimes
   PACKAGE-NAME:            cnrs.tanzu.vmware.com
   PACKAGE-VERSION:         1.0.2
   STATUS:                  Reconcile succeeded
   CONDITIONS:              [{ReconcileSucceeded True  }]
   USEFUL-ERROR-MESSAGE:
   ```

   STATUS should be `Reconcile succeeded`.
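The verification step above has to be repeated by hand until STATUS settles, and the Tanzu Build Service section later on this page notes that an install can legitimately outlive `--poll-timeout` while image relocation continues in the background. The following script is an added example, not part of the Tanzu Application Platform documentation or CLI, that polls `tanzu package installed get` until the PackageInstall reaches a terminal status and surfaces USEFUL-ERROR-MESSAGE on failure. It assumes the `tanzu` CLI with the package plugin is on PATH when `wait_for_reconcile` is used; the embedded sample outputs are constructed to mirror the format shown above so the parsing helpers can be exercised offline.

```bash
#!/bin/sh
# Added example (not part of the Tanzu Application Platform docs or CLI): poll a
# PackageInstall until it reaches a terminal state instead of relying on --poll-timeout.

# Print the STATUS field from `tanzu package installed get` output read on stdin.
installed_status() {
  sed -n 's/^STATUS:[[:space:]]*//p' | sed 's/[[:space:]]*$//' | head -n 1
}

# Print the USEFUL-ERROR-MESSAGE field (empty when the install is healthy).
installed_error() {
  sed -n 's/^USEFUL-ERROR-MESSAGE:[[:space:]]*//p' | head -n 1
}

# Classify a STATUS value: 0 = succeeded, 1 = failed, 2 = still in progress.
classify_status() {
  case "$1" in
    "Reconcile succeeded") return 0 ;;
    "Reconcile failed"|"Delete failed") return 1 ;;
    *) return 2 ;;
  esac
}

# wait_for_reconcile NAME NAMESPACE [TIMEOUT_SECONDS] [INTERVAL_SECONDS]
# Returns 0 once STATUS is "Reconcile succeeded", 1 on a failed reconcile (printing the
# error message to stderr), and 2 if the timeout elapses while still reconciling.
wait_for_reconcile() {
  name=$1; ns=$2; timeout=${3:-1800}; interval=${4:-15}
  elapsed=0; status=""
  while [ "$elapsed" -lt "$timeout" ]; do
    out=$(tanzu package installed get "$name" -n "$ns" 2>&1) || true
    status=$(printf '%s\n' "$out" | installed_status)
    rc=0; classify_status "$status" || rc=$?
    case $rc in
      0) echo "$name: $status"; return 0 ;;
      1) echo "$name: $status" >&2
         printf '%s\n' "$out" | installed_error >&2
         return 1 ;;
    esac
    sleep "$interval"
    elapsed=$((elapsed + interval))
  done
  echo "$name: timed out after ${timeout}s (last status: '$status')" >&2
  return 2
}

# Constructed samples of `tanzu package installed get` output (not captured from a
# real cluster), used to exercise the parsers without a cluster.
SAMPLE_OK='| Retrieving installation details for cloud-native-runtimes...
NAME:                    cloud-native-runtimes
PACKAGE-NAME:            cnrs.tanzu.vmware.com
PACKAGE-VERSION:         1.0.2
STATUS:                  Reconcile succeeded
CONDITIONS:              [{ReconcileSucceeded True  }]
USEFUL-ERROR-MESSAGE:'

SAMPLE_FAILED='NAME:                    cloud-native-runtimes
STATUS:                  Reconcile failed
USEFUL-ERROR-MESSAGE:    kapp: Error: waiting on reconcile deployment/activator (apps/v1) namespace: knative-serving'

# Usage: TAP_WAIT=1 sh wait-reconcile.sh cloud-native-runtimes tap-install
if [ "${TAP_WAIT:-}" = "1" ]; then
  wait_for_reconcile "$1" "$2"
fi
```

Run it right after `tanzu package install` returns (or after the install command times out); a non-zero exit distinguishes a genuine reconcile failure from an install that is merely slow.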
Configuring a namespace to use Cloud Native Runtimes:

Service accounts that run workloads using Cloud Native Runtimes need access to the image pull secrets for the Tanzu package. This includes the `default` service account in a namespace, which is created automatically but is not associated with any image pull secrets. Without these credentials, attempts to launch a service fail with a timeout, and the underlying Pods report that they were unable to pull the `queue-proxy` image.

To create an image pull secret in the current namespace and fill it from the `tap-registry` secret, run the following commands to create an empty secret and annotate it as a target of the secretgen controller:

```
kubectl create secret generic pull-secret --from-literal=.dockerconfigjson={} --type=kubernetes.io/dockerconfigjson
kubectl annotate secret pull-secret secretgen.carvel.dev/image-pull-secret=""
```

Once you have a `pull-secret` secret in the same namespace as the service account, run the following command to add the secret to the service account:

```
kubectl patch serviceaccount SERVICEACCOUNT -p '{"imagePullSecrets": [{"name": "pull-secret"}]}'
```

You can verify that a service account is correctly configured by running:

```
kubectl describe serviceaccount SERVICEACCOUNT
```

For example:

```
$ kubectl describe sa default
Name:                default
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  pull-secret
Mountable secrets:   default-token-xh6p4
Tokens:              default-token-xh6p4
Events:              <none>
```

Note that the service account has access to the `pull-secret` image pull secret. This output only shows that the service account references the secret; secretgen-controller fills the secret's contents asynchronously, so also confirm that the secret no longer holds the empty `{}` placeholder before launching workloads.
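The `kubectl describe serviceaccount` check above confirms the reference but not that secretgen-controller has actually populated `pull-secret` with credentials for the registry. The following script is an added example, not part of the Tanzu Application Platform documentation or tooling, that performs the namespace configuration described above idempotently and then waits until the decoded `.dockerconfigjson` contains an `auths` entry for the registry. It assumes `kubectl` is on PATH and pointed at the cluster when `configure_namespace` is called, and that `tap-registry` was exported to all namespaces as in step 2 of the repository setup; the `REGISTRY` variable, the function names and the sample JSON are this example's own.

```bash
#!/bin/sh
# Added example (not part of the Tanzu Application Platform docs or tooling):
# configure a namespace's service account with a secretgen-populated pull secret and
# verify that the secret was really filled, not just referenced.

REGISTRY=${REGISTRY:-registry.tanzu.vmware.com}

# dockerconfig_has_registry JSON REGISTRY
# Returns 0 when the decoded .dockerconfigjson names REGISTRY as an auths key.
# The empty `{}` placeholder therefore fails until secretgen-controller fills it.
# (Substring match on the quoted key; use jq for strict parsing if it is available.)
dockerconfig_has_registry() {
  printf '%s' "$1" | tr -d '[:space:]' | grep -q "\"$2\":"
}

# sa_lists_secret "NAME NAME ..." SECRET
# Returns 0 when SECRET appears as a whole word in a space-separated list of
# imagePullSecrets names (the format produced by the kubectl jsonpath query below).
sa_lists_secret() {
  for n in $1; do
    [ "$n" = "$2" ] && return 0
  done
  return 1
}

# pull_secret_populated NAMESPACE
# Decodes the live pull-secret and checks it for the registry credentials.
pull_secret_populated() {
  data=$(kubectl get secret pull-secret -n "$1" \
           -o go-template='{{index .data ".dockerconfigjson"}}' 2>/dev/null) || return 1
  dockerconfig_has_registry "$(printf '%s' "$data" | base64 -d)" "$REGISTRY"
}

# configure_namespace NAMESPACE SERVICEACCOUNT
configure_namespace() {
  ns=$1; sa=$2
  # Create the placeholder only if it is absent: re-applying `{}` over a populated
  # secret would wipe the credentials secretgen-controller already copied in.
  kubectl get secret pull-secret -n "$ns" >/dev/null 2>&1 ||
    kubectl create secret generic pull-secret -n "$ns" \
      --from-literal=.dockerconfigjson={} --type=kubernetes.io/dockerconfigjson
  kubectl annotate secret pull-secret -n "$ns" --overwrite \
    secretgen.carvel.dev/image-pull-secret=""
  kubectl patch serviceaccount "$sa" -n "$ns" \
    -p '{"imagePullSecrets": [{"name": "pull-secret"}]}'

  # secretgen-controller fills the secret asynchronously; wait for it instead of assuming.
  i=0
  until pull_secret_populated "$ns"; do
    i=$((i + 1))
    [ "$i" -lt 30 ] || {
      echo "pull-secret in $ns was not populated for $REGISTRY; is tap-registry exported?" >&2
      return 1
    }
    sleep 2
  done
  names=$(kubectl get serviceaccount "$sa" -n "$ns" -o jsonpath='{.imagePullSecrets[*].name}')
  sa_lists_secret "$names" pull-secret || {
    echo "$sa in $ns does not reference pull-secret" >&2; return 1
  }
  echo "$ns/$sa can pull from $REGISTRY"
}

# Constructed sample of a decoded .dockerconfigjson (not taken from a real cluster).
SAMPLE_FILLED='{"auths":{"registry.tanzu.vmware.com":{"username":"u","password":"p","auth":"dTpw"}}}'
SAMPLE_EMPTY='{}'

# Usage: TAP_APPLY=1 sh configure-ns.sh default default
if [ "${TAP_APPLY:-}" = "1" ]; then
  configure_namespace "$1" "$2"
fi
```

The check on the decoded secret is what catches the common failure mode: the service account looks correct in `kubectl describe`, but the secret still contains `{}` because the `tap-registry` secret was not exported or secretgen-controller is not running.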
To learn more about using Cloud Native Runtimes, see Verify your Installation in the Cloud Native Runtimes documentation.
To install Application Accelerator:

Prerequisite: Flux Source Controller installed on the cluster. See Install Prerequisites.

The following optional properties are configurable:

Property | Default | Description |
---|---|---|
registry.secret_ref | registry.tanzu.vmware.com | The secret used for accessing the registry where the App-Accelerator images are located |
server.service_type | LoadBalancer | The service type for the acc-ui-server service (LoadBalancer, NodePort or ClusterIP) |
server.watched_namespace | default | The namespace that the server watches for accelerator resources |
server.engine_invocation_url | http://acc-engine.accelerator-system.svc.cluster.local/invocations | The URL to use for invoking the accelerator engine |
engine.service_type | ClusterIP | The service type for the acc-engine service (LoadBalancer, NodePort or ClusterIP) |

Note: For clusters that do not support the `LoadBalancer` service type, override the default value for `server.service_type`. In general, do not override the defaults for `registry.secret_ref`, `server.engine_invocation_url`, or `engine.service_type`; they are only used to configure non-standard installs.

1. Follow the instructions in Install Packages above.

2. Create an `app-accelerator-values.yaml` using the following sample as a guide:

   ```yaml
   server:
     # Set server.service_type to "NodePort" for local clusters like minikube or kind.
     service_type: "LoadBalancer"
     watched_namespace: "default"
   ```

   Modify the values if needed or leave the default values.

3. Install the package by running:

   ```
   tanzu package install app-accelerator -p accelerator.apps.tanzu.vmware.com -v 0.3.0 -n tap-install -f app-accelerator-values.yaml
   ```

   For example:

   ```
   $ tanzu package install app-accelerator -p accelerator.apps.tanzu.vmware.com -v 0.3.0 -n tap-install -f app-accelerator-values.yaml
   - Installing package 'accelerator.apps.tanzu.vmware.com'
   | Getting package metadata for 'accelerator.apps.tanzu.vmware.com'
   | Creating service account 'app-accelerator-tap-install-sa'
   | Creating cluster admin role 'app-accelerator-tap-install-cluster-role'
   | Creating cluster role binding 'app-accelerator-tap-install-cluster-rolebinding'
   | Creating secret 'app-accelerator-tap-install-values'
   - Creating package resource
   - Package install status: Reconciling

    Added installed package 'app-accelerator' in namespace 'tap-install'
   ```

4. Verify the package install by running:

   ```
   tanzu package installed get app-accelerator -n tap-install
   ```

   For example:

   ```
   $ tanzu package installed get app-accelerator -n tap-install
   | Retrieving installation details for app-accelerator...
   NAME:                    app-accelerator
   PACKAGE-NAME:            accelerator.apps.tanzu.vmware.com
   PACKAGE-VERSION:         0.3.0
   STATUS:                  Reconcile succeeded
   CONDITIONS:              [{ReconcileSucceeded True  }]
   USEFUL-ERROR-MESSAGE:
   ```

   STATUS should be `Reconcile succeeded`.

To access the Application Accelerator UI, refer to the Application Accelerator for VMware Tanzu documentation.
Convention Service allows app operators to enrich Pod Template Specs with operational knowledge based on specific conventions they define.

Convention Service includes the following components:

- Convention Controller: Provides metadata to the Convention Server and implements the update requests from the Convention Server.
- Convention Server: Receives and evaluates metadata associated with a workload from the Convention Controller, and requests updates to the Pod Template Spec associated with that workload. There can be one or more Convention Servers for a single Convention Controller instance.

In the following procedure, you install the Convention Controller. You install Convention Servers as part of separate installation procedures. For example, you install an `app-live-view` Convention Server as part of the `app-live-view` installation.

Prerequisite: cert-manager installed on the cluster. See Install Prerequisites.

To install Convention Controller:

1. Follow the instructions in Install Packages above.

2. Install the package by running:

   ```
   tanzu package install convention-controller -p controller.conventions.apps.tanzu.vmware.com -v 0.4.2 -n tap-install
   ```

   For example:

   ```
   / Installing package 'controller.conventions.apps.tanzu.vmware.com'
   | Getting namespace 'tap-install'
   - Getting package metadata for 'controller.conventions.apps.tanzu.vmware.com'
   | Creating service account 'convention-controller-tap-install-sa'
   | Creating cluster admin role 'convention-controller-tap-install-cluster-role'
   | Creating cluster role binding 'convention-controller-tap-install-cluster-rolebinding'
   \ Creating package resource
   | Package install status: Reconciling

    Added installed package 'convention-controller' in namespace 'tap-install'
   ```

3. Verify the package install by running:

   ```
   tanzu package installed get convention-controller -n tap-install
   ```

   For example:

   ```
   Retrieving installation details for convention-controller...
   NAME:                    convention-controller
   PACKAGE-NAME:            controller.conventions.apps.tanzu.vmware.com
   PACKAGE-VERSION:         0.4.2
   STATUS:                  Reconcile succeeded
   CONDITIONS:              [{ReconcileSucceeded True  }]
   USEFUL-ERROR-MESSAGE:
   ```

   STATUS should be `Reconcile succeeded`. Then check that the controller pod is running:

   ```
   kubectl get pods -n conventions-system
   ```

   For example:

   ```
   $ kubectl get pods -n conventions-system
   NAME                                             READY   STATUS    RESTARTS   AGE
   conventions-controller-manager-596c65f75-j9dmn   1/1     Running   0          72s
   ```

   STATUS should be `Running`.
Use the following procedure to install Source Controller.

Prerequisite: Fluxcd Source Controller installed on the cluster. See Install Prerequisites.

To install Source Controller:

1. Follow the instructions in Install Packages above.

2. Install the package by running:

   ```
   tanzu package install source-controller -p controller.source.apps.tanzu.vmware.com -v 0.1.2 -n tap-install
   ```

   For example:

   ```
   / Installing package 'controller.source.apps.tanzu.vmware.com'
   | Getting namespace 'tap-install'
   - Getting package metadata for 'controller.source.apps.tanzu.vmware.com'
   | Creating service account 'source-controller-tap-install-sa'
   | Creating cluster admin role 'source-controller-tap-install-cluster-role'
   | Creating cluster role binding 'source-controller-tap-install-cluster-rolebinding'
   \ Creating package resource
   | Package install status: Reconciling

    Added installed package 'source-controller' in namespace 'tap-install'
   ```

3. Verify the package install by running:

   ```
   tanzu package installed get source-controller -n tap-install
   ```

   For example:

   ```
   Retrieving installation details for source-controller...
   NAME:                    source-controller
   PACKAGE-NAME:            controller.source.apps.tanzu.vmware.com
   PACKAGE-VERSION:         0.1.2
   STATUS:                  Reconcile succeeded
   CONDITIONS:              [{ReconcileSucceeded True  }]
   USEFUL-ERROR-MESSAGE:
   ```

   STATUS should be `Reconcile succeeded`. Then check that the controller pod is running:

   ```
   kubectl get pods -n source-system
   ```

   For example:

   ```
   $ kubectl get pods -n source-system
   NAME                                        READY   STATUS    RESTARTS   AGE
   source-controller-manager-f68dc7bb6-4lrn6   1/1     Running   0          45h
   ```

   STATUS should be `Running`.
This section provides a quick-start guide for installing Tanzu Build Service as part of Tanzu Application Platform using the Tanzu CLI.

Note: This procedure might not include some configurations required for your specific environment. For more advanced details on installing Tanzu Build Service, see Installing Tanzu Build Service.

Prerequisites:

- You have access to a Docker registry that Tanzu Build Service can use to create Builder images. Approximately 5 GB of registry space is required.
- Your Docker registry is accessible with username and password credentials.

To install Tanzu Build Service using the Tanzu CLI:

1. Follow the instructions in Install Packages above.

2. Gather the values schema:

   ```
   tanzu package available get buildservice.tanzu.vmware.com/1.3.0 --values-schema --namespace tap-install
   ```

   For example:

   ```
   $ tanzu package available get buildservice.tanzu.vmware.com/1.3.0 --values-schema --namespace tap-install
   | Retrieving package details for buildservice.tanzu.vmware.com/1.3.0...
     KEY                             DEFAULT  TYPE    DESCRIPTION
     kp_default_repository           <nil>    string  docker repository
     kp_default_repository_password  <nil>    string  registry password
     kp_default_repository_username  <nil>    string  registry username
     tanzunet_username               <nil>    string  tanzunet registry username required for dependency updater feature
     tanzunet_password               <nil>    string  tanzunet registry password required for dependency updater feature
     ca_cert_data                    <nil>    string  tbs registry ca certificate
   ```

3. Create a `tbs-values.yaml` file:

   ```yaml
   ---
   kp_default_repository: EXAMPLE-REGISTRY/PATH-TO-INSTALL
   kp_default_repository_username: REGISTRY-USERNAME
   kp_default_repository_password: REGISTRY-PASSWORD
   tanzunet_username: TANZUNET-USERNAME
   tanzunet_password: TANZUNET-PASSWORD
   ```

   Where:

   - `EXAMPLE-REGISTRY` is the URL of the Docker registry and `PATH-TO-INSTALL` is the path to the registry install location. Together, `kp_default_repository` is the registry location where all Tanzu Build Service dependencies and builder images are written.
   - `REGISTRY-USERNAME` and `REGISTRY-PASSWORD` are the username and password for the registry. The install requires `kp_default_repository_username` and `kp_default_repository_password` in order to write to the repository location.
   - `TANZUNET-USERNAME` and `TANZUNET-PASSWORD` are the email address and password that you use to log in to Tanzu Network. The Tanzu Network credentials allow for configuration of the Dependency Updater. This resource accesses and installs the build dependencies (buildpacks and stacks) that Tanzu Build Service needs on your cluster, and keeps these dependencies up to date as new versions are released on Tanzu Network.
   - Optional values: There are optional values not included in this sample file that provide additional configuration for production use cases. For more information, see Installing Tanzu Build Service.

   Because this file holds registry and Tanzu Network credentials in plaintext, restrict its file permissions and keep it out of version control. The CLI also stores its contents in the cluster as the secret `tbs-tap-install-values` (visible in the install output below), so anyone who can read secrets in `tap-install` can read these credentials.

4. Install the package by running:

   ```
   tanzu package install tbs -p buildservice.tanzu.vmware.com -v 1.3.0 -n tap-install -f tbs-values.yaml --poll-timeout 30m
   ```

   For example:

   ```
   $ tanzu package install tbs -p buildservice.tanzu.vmware.com -v 1.3.0 -n tap-install -f tbs-values.yaml --poll-timeout 30m
   | Installing package 'buildservice.tanzu.vmware.com'
   | Getting namespace 'tap-install'
   | Getting package metadata for 'buildservice.tanzu.vmware.com'
   | Creating service account 'tbs-tap-install-sa'
   | Creating cluster admin role 'tbs-tap-install-cluster-role'
   | Creating cluster role binding 'tbs-tap-install-cluster-rolebinding'
   | Creating secret 'tbs-tap-install-values'
   - Creating package resource
   - Package install status: Reconciling

    Added installed package 'tbs' in namespace 'tap-install'
   ```

   Note: Installing the `buildservice.tanzu.vmware.com` package with Tanzu Net credentials automatically relocates buildpack dependencies to your cluster. This install process can take some time. The command above increases the timeout duration to account for this. If the command still times out, periodically run the verification step below, because image relocation continues in the background.

5. (Optional) Verify the package install, which also creates the Tanzu Build Service cluster builders, by running:

   ```
   tanzu package installed get tbs -n tap-install
   ```

   The name passed to `tanzu package installed get` is the installation name (`tbs`), not the package name.
Supply Chain Choreographer provides the custom resource definitions that this supply chain makes use of. It enables choreography of the components that form the software supply chain, such as passing the results of fetching source code to the component that knows how to build a container image out of it, then passing that image to a component that knows how to deploy it, and so on.

To install Supply Chain Choreographer, follow the instructions in Install Packages above, then run:

```
# Install version 0.0.6 of the `cartographer.tanzu.vmware.com`
# package, naming the installation `cartographer`.
#
tanzu package install cartographer \
  --namespace tap-install \
  --package-name cartographer.tanzu.vmware.com \
  --version 0.0.6
```

For example:

```
| Installing package 'cartographer.tanzu.vmware.com'
| Getting namespace 'tap-install'
| Getting package metadata for 'cartographer.tanzu.vmware.com'
| Creating service account 'cartographer-tap-install-sa'
| Creating cluster admin role 'cartographer-tap-install-cluster-role'
| Creating cluster role binding 'cartographer-tap-install-cluster-rolebinding'
- Creating package resource
\ Package install status: Reconciling

 Added installed package 'cartographer' in namespace 'tap-install'
```
To install Default Supply Chain:

1. Follow the instructions in Install Packages above.

2. Gather the values schema:

   ```
   tanzu package available get default-supply-chain.tanzu.vmware.com/0.2.0 --values-schema -n tap-install
   ```

   For example:

   ```
   $ tanzu package available get default-supply-chain.tanzu.vmware.com/0.2.0 --values-schema -n tap-install
   | Retrieving package details for default-supply-chain.tanzu.vmware.com/0.2.0...
     KEY                  DEFAULT          TYPE    DESCRIPTION
     registry.repository  <nil>            string  Name of the repository in the image registry server where the application images from the workloads should be pushed to (required).
     registry.server      index.docker.io  string  Name of the registry server where application images should be pushed to.
     service_account      default          string  Name of the service account in the namespace where the Workload is submitted to utilize for providing registry credentials to Tanzu Build Service (TBS) Image objects as well as deploying the application.
     templates_namespace  tap-install      string  Name of the namespace where shared templates are installed to. This variable should point to the namespace where this package is being installed into.
     cluster_builder      default          string  Name of the Tanzu Build Service (TBS) ClusterBuilder to use by default on image objects managed by the supply chain.
   ```

3. Create a `default-supply-chain-values.yaml` using the following sample as a guide:

   Sample `default-supply-chain-values.yaml` for Default Supply Chain:

   ```yaml
   ---
   registry:
     server: REGISTRY_SERVER
     repository: REGISTRY_REPOSITORY
   service_account: service-account
   templates_namespace: tap-install
   ```

   The service account named in `service_account` must exist in each namespace where Workloads are submitted, and, as the schema describes, it is what supplies registry credentials to the Tanzu Build Service Image objects and deploys the application. Make sure it can use the `registry-credentials` secret created in the next step; see the Default Supply Chain documentation for the namespace setup.

4. Create a secret called `registry-credentials` with the credentials for the registry that you want the supply chain to use, as an image pull secret exported to all namespaces:

   ```
   tanzu imagepullsecret add registry-credentials --registry REGISTRY_SERVER --username REGISTRY_USERNAME --password REGISTRY_PASSWORD --export-to-all-namespaces
   ```

   Where `REGISTRY_SERVER` is the server of the registry, `REGISTRY_USERNAME` is the username for the registry, and `REGISTRY_PASSWORD` is the password for the registry.

   The command fails if a secret named `registry-credentials` already exists. Some scripts append `|| true` to suppress that error when re-running; avoid this on a first install, because it also hides genuine failures such as a mistyped registry name. As with `tap-registry`, exporting to all namespaces makes these registry credentials obtainable from every namespace in the cluster.

5. Install the package by running:

   ```
   tanzu package install default-supply-chain \
     --package-name default-supply-chain.tanzu.vmware.com \
     --version 0.2.0 \
     --namespace tap-install \
     --values-file default-supply-chain-values.yaml
   ```
To install Developer Conventions:

Prerequisite: Convention Service installed on the cluster. See Install Convention Service.

1. Follow the instructions in Install Packages above.

2. Get the package details:

   ```
   tanzu package available get developer-conventions.tanzu.vmware.com/0.2.0 -n tap-install
   ```

   For example:

   ```
   $ tanzu package available get developer-conventions.tanzu.vmware.com/0.2.0 -n tap-install
   \ Retrieving package details for developer-conventions.tanzu.vmware.com/0.2.0...
   NAME:                             developer-conventions.tanzu.vmware.com
   VERSION:                          0.2.0
   RELEASED-AT:
   DISPLAY-NAME:                     Tanzu App Platform Develooper Conventions
   SHORT-DESCRIPTION:                Developer Conventions
   PACKAGE-PROVIDER:                 VMware
   MINIMUM-CAPACITY-REQUIREMENTS:
   LONG-DESCRIPTION:                 Tanzu App Platform Developer Conventions
   MAINTAINERS:                      [{Lisa Burns} {Paul Warren} {Harsha Nandiwada} {Kiwi Bui} {Ming Xiao} {Anthony Pensiero}]
   RELEASE-NOTES:                    Developer Conventions contents package
   LICENSE:                          []
   SUPPORT:                          https://tanzu.vmware.com/support
   CATEGORY:                         []
   ```

3. Install the package by running:

   ```
   tanzu package install developer-conventions \
     --package-name developer-conventions.tanzu.vmware.com \
     --version 0.2.0 \
     --namespace tap-install
   ```
To install Application Live View:

1. Follow the instructions in Install Packages above.

2. Follow the instructions in Install Convention Service.

3. Gather the values schema, as described in Install Packages above.

4. Create a namespace called `app-live-view` to deploy the Application Live View components by running:

   ```
   kubectl create ns app-live-view
   ```

5. Create an `app-live-view-values.yaml` using the following sample as a guide:

   Sample `app-live-view-values.yaml` for Application Live View:

   ```yaml
   ---
   connector_namespaces: [default]
   server_namespace: app-live-view
   ```

   `server_namespace` is the namespace where the Application Live View server is deployed. Use the namespace you created earlier, named `app-live-view`. `connector_namespaces` is a list of existing namespaces where you want Application Live View to monitor your apps. An instance of the Application Live View Connector is deployed to each of those namespaces.

6. Install the package by running:

   ```
   tanzu package install app-live-view -p appliveview.tanzu.vmware.com -v 0.2.0 -n tap-install -f app-live-view-values.yaml
   ```

   For example:

   ```
   $ tanzu package install app-live-view -p appliveview.tanzu.vmware.com -v 0.2.0 -n tap-install -f app-live-view-values.yaml
   - Installing package 'appliveview.tanzu.vmware.com'
   | Getting package metadata for 'appliveview.tanzu.vmware.com'
   | Creating service account 'app-live-view-tap-install-sa'
   | Creating cluster admin role 'app-live-view-tap-install-cluster-role'
   | Creating cluster role binding 'app-live-view-tap-install-cluster-rolebinding'
   | Creating secret 'app-live-view-tap-install-values'
   - Creating package resource
   - Package install status: Reconciling

    Added installed package 'app-live-view' in namespace 'tap-install'
   ```

   For more information about Application Live View, see the Application Live View documentation.

7. Verify the package install by running:

   ```
   tanzu package installed get app-live-view -n tap-install
   ```

   For example:

   ```
   $ tanzu package installed get app-live-view -n tap-install
   | Retrieving installation details for app-live-view...
   NAME:                    app-live-view
   PACKAGE-NAME:            appliveview.tanzu.vmware.com
   PACKAGE-VERSION:         0.2.0
   STATUS:                  Reconcile succeeded
   CONDITIONS:              [{ReconcileSucceeded True  }]
   USEFUL-ERROR-MESSAGE:
   ```

   STATUS should be `Reconcile succeeded`.
Use the following procedure to install Service Bindings:

1. Follow the instructions in Install Packages above.

2. Install the package by running:

   ```
   tanzu package install service-bindings -p service-bindings.labs.vmware.com -v 0.5.0 -n tap-install
   ```

   For example:

   ```
   / Installing package 'service-bindings.labs.vmware.com'
   | Getting namespace 'tap-install'
   - Getting package metadata for 'service-bindings.labs.vmware.com'
   | Creating service account 'service-bindings-tap-install-sa'
   | Creating cluster admin role 'service-bindings-tap-install-cluster-role'
   | Creating cluster role binding 'service-bindings-tap-install-cluster-rolebinding'
   \ Creating package resource
   | Package install status: Reconciling

    Added installed package 'service-bindings' in namespace 'tap-install'
   ```

3. Verify the package install by running:

   ```
   tanzu package installed get service-bindings -n tap-install
   ```

   For example:

   ```
   - Retrieving installation details for service-bindings...
   NAME:                    service-bindings
   PACKAGE-NAME:            service-bindings.labs.vmware.com
   PACKAGE-VERSION:         0.5.0
   STATUS:                  Reconcile succeeded
   CONDITIONS:              [{ReconcileSucceeded True  }]
   USEFUL-ERROR-MESSAGE:
   ```

   STATUS should be `Reconcile succeeded`. Then check that the manager pod is running:

   ```
   kubectl get pods -n service-bindings
   ```

   For example:

   ```
   $ kubectl get pods -n service-bindings
   NAME                       READY   STATUS    RESTARTS   AGE
   manager-6d85fffbcd-j4gvs   1/1     Running   0          22s
   ```

   STATUS should be `Running`.
To install Supply Chain Security Tools - Store:
-
Follow the instructions in Install Packages above.
- Gather the values schema by running:
tanzu package available get scst-store.tanzu.vmware.com/1.0.0-beta.0 --values-schema -n tap-install
For example:
$ tanzu package available get scst-store.tanzu.vmware.com/1.0.0-beta.0 --values-schema -n tap-install
| Retrieving package details for scst-store.tanzu.vmware.com/1.0.0-beta.0...
  KEY               DEFAULT              TYPE     DESCRIPTION
  auth_proxy_host   0.0.0.0              string   The binding ip address of the kube-rbac-proxy sidecar
  db_name           metadata-store       string   The name of the database to use.
  db_password                            string   The database user password.
  db_port           5432                 string   The database port to use. This is the port to use when connecting to the database pod.
  db_sslmode        verify-full          string   Determines the security connection between API server and Postgres database. This can be set to 'verify-ca' or 'verify-full'
  db_user           metadata-store-user  string   The database user to create and use for updating and querying. The metadata postgres section create this user. The metadata api server uses this username to connect to the database.
  api_host          localhost            string   The internal hostname for the metadata api endpoint. This will be used by the kube-rbac-proxy sidecar.
  api_port          9443                 integer  The internal port for the metadata app api endpoint. This will be used by the kube-rbac-proxy sidecar.
  app_service_type  NodePort             string   The type of service to use for the metadata app service. This can be set to 'Nodeport' or 'LoadBalancer'.
  auth_proxy_port   8443                 integer  The external port address of the of the kube-rbac-proxy sidecar
  db_host           metadata-postgres    string   The database hostname
  storageClassName  manual               string   The storage class name of the persistent volume used by Postgres database for storing data. The default value will use the default class name defined on the cluster.
  use_cert_manager  true                 string   Cert manager is required to be installed to use this flag. When true, this creates certificates object to be signed by cert manager for the API server and Postgres database. If false, the certificate object have to be provided by the user.
- Create a scst-store-values.yaml using the following sample as a guide.
Sample scst-store-values.yaml for Supply Chain Security Tools - Store:
db_password: "password0123456"
app_service_type: "LoadBalancer"
The db_password should be significantly complex. You must use the same password between deployments. For more information about this known issue, see Known Issues - Persistent Volume Retains Data.
app_service_type has been set to LoadBalancer. If your environment does not support LoadBalancer, omit this line and the default value NodePort is used.
- Install the package by running:
tanzu package install metadata-store \
  --package-name scst-store.tanzu.vmware.com \
  --version 1.0.0-beta.0 \
  --namespace tap-install \
  --values-file scst-store-values.yaml
For example:
$ tanzu package install metadata-store \
  --package-name scst-store.tanzu.vmware.com \
  --version 1.0.0-beta.0 \
  --namespace tap-install \
  --values-file scst-store-values.yaml
- Installing package 'scst-store.tanzu.vmware.com'
/ Getting namespace 'tap-install'
- Getting package metadata for 'scst-store.tanzu.vmware.com'
/ Creating service account 'metadata-store-tap-install-sa'
/ Creating cluster admin role 'metadata-store-tap-install-cluster-role'
/ Creating cluster role binding 'metadata-store-tap-install-cluster-rolebinding'
/ Creating secret 'metadata-store-tap-install-values'
| Creating package resource
- Package install status: Reconciling

Added installed package 'metadata-store' in namespace 'tap-install'
Prerequisites: As part of the install instructions, you are asked to provide a cosign public key that is used to validate signed images. An example cosign public key is provided that can validate an image from cosign. If you want to provide your own key and images, follow the cosign quick start guide to generate your own keys and sign an image.
To install Supply Chain Security Tools - Sign:
- Follow the instructions in Install Packages above.
- Gather the values schema by running:
tanzu package available get image-policy-webhook.signing.run.tanzu.vmware.com/1.0.0-beta.0 --values-schema --namespace tap-install
For example:
$ tanzu package available get image-policy-webhook.signing.run.tanzu.vmware.com/1.0.0-beta.0 --values-schema --namespace tap-install
| Retrieving package details for image-policy-webhook.signing.run.tanzu.vmware.com/1.0.0-beta.0...
  KEY                DEFAULT  TYPE     DESCRIPTION
  warn_on_unmatched  false    boolean  Feature flag for enabling admission of images that do not match any patterns in the image policy configuration. Set to true to allow images that do not match any patterns into the cluster with a warning.
- Create a file named scst-sign-values.yaml with a warn_on_unmatched property.
  - For non-production environments: To warn the user when images do not match any pattern in the policy, but still allow them into the cluster, set warn_on_unmatched to true.
---
warn_on_unmatched: true
  - For production environments: To deny images that do not match any pattern in the policy, set warn_on_unmatched to false.
---
warn_on_unmatched: false
Note: For a quicker installation process, VMware recommends that you set warn_on_unmatched to true. This means that the webhook does not prevent unsigned images from running. To promote to a production environment, VMware recommends that you re-install the webhook with warn_on_unmatched set to false.
- Install the package:
tanzu package install image-policy-webhook \
  --package-name image-policy-webhook.signing.run.tanzu.vmware.com \
  --version 1.0.0-beta.0 \
  --namespace tap-install \
  --values-file scst-sign-values.yaml
For example:
$ tanzu package install image-policy-webhook \
  --package-name image-policy-webhook.signing.run.tanzu.vmware.com \
  --version 1.0.0-beta.0 \
  --namespace tap-install \
  --values-file scst-sign-values.yaml
| Installing package 'image-policy-webhook.signing.run.tanzu.vmware.com'
| Getting namespace 'default'
| Getting package metadata for 'image-policy-webhook.signing.run.tanzu.vmware.com'
| Creating service account 'image-policy-webhook-default-sa'
| Creating cluster admin role 'image-policy-webhook-default-cluster-role'
| Creating cluster role binding 'image-policy-webhook-default-cluster-rolebinding'
| Creating secret 'image-policy-webhook-default-values'
/ Creating package resource
- Package install status: Reconciling

Added installed package 'image-policy-webhook' in namespace 'tap-install'
After you run the command above, the webhook is running.
- Create a service account named registry-credentials in the image-policy-system namespace. Run one of the following options.
  - If the images and signatures are in public registries: No additional configuration is needed. Run:
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: registry-credentials
  namespace: image-policy-system
EOF
  - If the images and signatures are in private registries: Add secrets to the imagePullSecrets property of the service account. Run:
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: registry-credentials
  namespace: image-policy-system
imagePullSecrets:
- name: SECRET-1
EOF
Where SECRET-1 is a secret that allows the webhook to access the private registry. This secret can be created using the following command:
kubectl create secret docker-registry SECRET-1 --docker-server=<server> --docker-username=<username> --docker-password=<password> --namespace image-policy-system
Add additional secrets to imagePullSecrets as required.
- Create a ClusterImagePolicy to specify the images that the webhook validates.
The cluster image policy is a custom resource definition containing the following information:
  - A list of namespaces to which the policy should not be enforced.
  - A list of public keys complementary to the private keys that were used to sign the images.
  - A list of image name patterns against which the policy is enforced. Each image name pattern is mapped to the required public keys.
The following is an example ClusterImagePolicy:
---
apiVersion: signing.run.tanzu.vmware.com/v1alpha1
kind: ClusterImagePolicy
metadata:
  name: image-policy
spec:
  verification:
    exclude:
      resources:
        namespaces:
        - kube-system
    keys:
    - name: first-key
      publicKey: |
        -----BEGIN PUBLIC KEY-----
        ...
        -----END PUBLIC KEY-----
    images:
    - namePattern: registry.example.org/myproject/*
      keys:
      - name: first-key
Notes:
  - The name for the ClusterImagePolicy must be image-policy.
  - In the verification.exclude.resources.namespaces section, add any namespaces that run container images that are unsigned, such as kube-system.
  - If no ClusterImagePolicy is created, images are permitted into the cluster with the following warning: Warning: clusterimagepolicies.signing.run.tanzu.vmware.com "image-policy" not found
  - For a quicker installation process in a non-production environment, VMware recommends you use the following YAML to create the ClusterImagePolicy. This YAML includes a cosign public key, which signed the cosign image at v1.2.1. The cosign public key validates the specified cosign image. You can also add additional namespaces to exclude in the verification.exclude.resources.namespaces section, such as any system namespaces.
cat <<EOF | kubectl apply -f -
apiVersion: signing.run.tanzu.vmware.com/v1alpha1
kind: ClusterImagePolicy
metadata:
  name: image-policy
spec:
  verification:
    exclude:
      resources:
        namespaces:
        - kube-system
    keys:
    - name: cosign-key
      publicKey: |
        -----BEGIN PUBLIC KEY-----
        MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhyQCx0E9wQWSFI9ULGwy3BuRklnt
        IqozONbbdbqz11hlRJy9c7SG+hdcFl9jE9uE/dwtuwU2MqU9T/cN0YkWww==
        -----END PUBLIC KEY-----
    images:
    - namePattern: gcr.io/projectsigstore/cosign*
      keys:
      - name: cosign-key
EOF
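A public key pasted into a ClusterImagePolicy is only as good as the paste: a dropped or altered PEM line is silently accepted by kubectl and only fails later when every signature check fails. The following Python is an added example, not code from the Tanzu documentation or the webhook; it decodes the cosign-key above as an uncompressed P-256 SubjectPublicKeyInfo and checks that the point lies on the curve, which catches a corrupted copy before it reaches the cluster.

```python
import base64
import re

# P-256 (secp256r1) parameters: y^2 = x^3 - 3x + b (mod p), as published in FIPS 186-4.
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B

# DER prefix of a SubjectPublicKeyInfo carrying an uncompressed P-256 point:
# SEQUENCE { SEQUENCE { OID ecPublicKey, OID prime256v1 }, BIT STRING 0x04 || X || Y }
SPKI_P256_PREFIX = bytes.fromhex(
    "3059" "3013" "06072a8648ce3d0201" "06082a8648ce3d030107" "034200" "04"
)

# The cosign-key from the ClusterImagePolicy above, copied verbatim.
COSIGN_KEY_PEM = """-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhyQCx0E9wQWSFI9ULGwy3BuRklnt
IqozONbbdbqz11hlRJy9c7SG+hdcFl9jE9uE/dwtuwU2MqU9T/cN0YkWww==
-----END PUBLIC KEY-----"""


def parse_p256_public_key(pem):
    """Return (x, y) from a PEM public key; reject anything that is not an
    uncompressed P-256 SubjectPublicKeyInfo of exactly the expected length."""
    m = re.search(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", pem, re.S)
    if not m:
        raise ValueError("missing PEM armour")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    if len(der) != len(SPKI_P256_PREFIX) + 64 or not der.startswith(SPKI_P256_PREFIX):
        raise ValueError("not an uncompressed P-256 SubjectPublicKeyInfo")
    point = der[len(SPKI_P256_PREFIX):]
    return int.from_bytes(point[:32], "big"), int.from_bytes(point[32:], "big")


def is_on_p256(x, y):
    """True when (x, y) satisfies the curve equation; a corrupted coordinate
    fails this check with overwhelming probability."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0


def check_pem(pem):
    """True only for a well-formed PEM whose public point is on P-256."""
    try:
        x, y = parse_p256_public_key(pem)
    except ValueError:
        return False
    return is_on_p256(x, y)


def drop_last_base64_line(pem):
    """Constructed failure case: a paste that lost the final base64 line."""
    lines = pem.strip().splitlines()
    return "\n".join(lines[:-2] + lines[-1:])


if __name__ == "__main__":
    print("cosign-key parses and is on P-256:", check_pem(COSIGN_KEY_PEM))
    print("truncated copy accepted:", check_pem(drop_last_base64_line(COSIGN_KEY_PEM)))
```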
(Optional) Run the following commands to test the webhook if you are using the cosign-key:
- Verify that a signed image which validates with a configured public key will launch. For example:
kubectl run cosign --image=gcr.io/projectsigstore/cosign:v1.2.1 --restart=Never --command -- sleep 900
$ kubectl run cosign --image=gcr.io/projectsigstore/cosign:v1.2.1 --restart=Never --command -- sleep 900
pod/cosign created
- Verify how an unsigned image is handled. Because warn_on_unmatched is set to true in this example, the pod is admitted with a warning rather than denied. For example:
kubectl run bb --image=busybox --restart=Never
$ kubectl run bb --image=busybox --restart=Never
Warning: busybox didn't match any pattern in policy. Pod will be created as WarnOnUnmatched flag is true
pod/bb created
- Verify that a signed image which does not validate with a configured public key will not launch. For example:
kubectl run cosign-fail --image=gcr.io/projectsigstore/cosign:v0.3.0 --command -- sleep 900
$ kubectl run cosign-fail --image=gcr.io/projectsigstore/cosign:v0.3.0 --command -- sleep 900
Error from server (The image: gcr.io/projectsigstore/cosign:v0.3.0 is not signed): admission webhook "image-policy-webhook.signing.run.tanzu.vmware.com" denied the request: The image: gcr.io/projectsigstore/cosign:v0.3.0 is not signed
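The three checks above exercise the three branches of the webhook's decision: a matched image that verifies, an unmatched image under warn_on_unmatched, and a matched image that does not verify. The following Python is an added model of that decision for the policy on this page, not code from Tanzu or the webhook. Signature verification is represented by a constructed set of (image, key) pairs standing in for what cosign verified, and the rule that any one of the required keys verifying is sufficient is an assumption of this model.

```python
import re

# Constructed stand-in for the ClusterImagePolicy above: excluded namespaces and the
# namePattern -> required key names mapping from spec.verification.images.
POLICY = {
    "exclude_namespaces": ["kube-system"],
    "images": [
        {"namePattern": "gcr.io/projectsigstore/cosign*", "keys": ["cosign-key"]},
    ],
}

# Constructed stand-in for cosign's result: the (image, key) pairs whose signatures
# verified. The real webhook computes this; here it is given as input.
VERIFIED = {("gcr.io/projectsigstore/cosign:v1.2.1", "cosign-key")}


def pattern_matches(pattern, image):
    """Match an image reference against a namePattern where '*' matches any run
    of characters and everything else is literal."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, image) is not None


def keys_for_image(policy, image):
    """Collect the key names required by every matching pattern; empty means unmatched."""
    keys = []
    for entry in policy["images"]:
        if pattern_matches(entry["namePattern"], image):
            for key in entry["keys"]:
                if key not in keys:
                    keys.append(key)
    return keys


def admit(policy, verified, warn_on_unmatched, namespace, image):
    """Return (decision, message); decision is 'allow', 'warn' or 'deny'."""
    if namespace in policy["exclude_namespaces"]:
        return "allow", f"namespace {namespace} is excluded from the policy"
    keys = keys_for_image(policy, image)
    if not keys:
        if warn_on_unmatched:
            return "warn", (f"{image} didn't match any pattern in policy. "
                            "Pod will be created as WarnOnUnmatched flag is true")
        return "deny", f"{image} didn't match any pattern in policy"
    # Assumption of this model: one verifying key among those required is enough.
    if any((image, key) in verified for key in keys):
        return "allow", f"{image} verified against {', '.join(keys)}"
    return "deny", f"The image: {image} is not signed"


if __name__ == "__main__":
    # The three checks from the page, run with the non-production setting.
    for image in ("gcr.io/projectsigstore/cosign:v1.2.1", "busybox",
                  "gcr.io/projectsigstore/cosign:v0.3.0"):
        print(image, "->", admit(POLICY, VERIFIED, True, "default", image))
```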
The installation for Supply Chain Security Tools – Scan involves installing two packages: Scan Controller and Grype Scanner. Ensure both are installed.
To install Supply Chain Security Tools - Scan (Scan Controller):
- Follow the instructions in Install Packages above.
- Gather the values schema by running:
tanzu package available get scanning.apps.tanzu.vmware.com/1.0.0-beta --values-schema -n tap-install
For example:
$ tanzu package available get scanning.apps.tanzu.vmware.com/1.0.0-beta --values-schema -n tap-install
| Retrieving package details for scanning.apps.tanzu.vmware.com/1.0.0-beta...
  KEY                        DEFAULT                                                            TYPE    DESCRIPTION
  metadataStoreTokenSecret                                                                      string  Token Secret of the Insight Metadata Store deployed in the cluster
  metadataStoreUrl           https://metadata-store-app.metadata-store.svc.cluster.local:8443  string  Url of the Insight Metadata Store deployed in the cluster
  namespace                  scan-link-system                                                   string  Deployment namespace for the Scan Controller
  resources.limits.cpu       250m                                                               <nil>   Limits describes the maximum amount of cpu resources allowed.
  resources.limits.memory    256Mi                                                              <nil>   Limits describes the maximum amount of memory resources allowed.
  resources.requests.cpu     100m                                                               <nil>   Requests describes the minimum amount of cpu resources required.
  resources.requests.memory  128Mi                                                              <nil>   Requests describes the minimum amount of memory resources required.
  metadataStoreCa                                                                               string  CA Cert of the Insight Metadata Store deployed in the cluster
- Create a scst-scan-controller-values.yaml using the following sample as a guide.
Sample scst-scan-controller-values.yaml for Scan Controller:
---
metadataStoreUrl: https://metadata-store-app.metadata-store.svc.cluster.local:8443
metadataStoreCa: |-
  -----BEGIN CERTIFICATE-----
  MIIC8TCCAdmgAwIBAgIRAIGDgx7Dk/2unVKuT9KXetUwDQYJKoZIhvcNAQELBQAw
  ...
  hOSbQ50VLo+YPF9NtTPRaS7QaIcFWot0EPwBMOCZR6Dd1HU6Qg==
  -----END CERTIFICATE-----
metadataStoreTokenSecret: metadata-store-secret
These values require Supply Chain Security Tools - Store to have already been installed. The following commands show how to determine what these values are.
The metadataStoreUrl value can be determined by:
kubectl -n metadata-store get service -o name | grep app | xargs kubectl -n metadata-store get -o jsonpath='{.spec.ports[].name}{"://"}{.metadata.name}{"."}{.metadata.namespace}{".svc.cluster.local:"}{.spec.ports[].port}'
The metadataStoreCa value can be determined by the following command (when pasting, ensure the certificate is indented by two spaces):
kubectl get secret app-tls-cert -n metadata-store -o json | jq -r '.data."ca.crt"' | base64 -d
The metadataStoreTokenSecret is the name of the secret for the metadata store token, which also needs to be created. Create a metadata-store-secret.yaml for this secret:
---
apiVersion: v1
kind: Secret
metadata:
  name: metadata-store-secret
  namespace: scan-link-system
type: kubernetes.io/opaque
stringData:
  token: <METADATA_STORE_TOKEN>
The METADATA_STORE_TOKEN value can be determined by:
kubectl get secrets -n tap-install -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='metadata-store-tap-install-sa')].data.token}" | base64 -d
Create the namespace and deploy the secret:
kubectl create namespace scan-link-system
kubectl apply -f metadata-store-secret.yaml
- Install the package by running:
tanzu package install scan-controller \
  --package-name scanning.apps.tanzu.vmware.com \
  --version 1.0.0-beta \
  --namespace tap-install \
  --values-file scst-scan-controller-values.yaml
For example:
$ tanzu package install scan-controller \
  --package-name scanning.apps.tanzu.vmware.com \
  --version 1.0.0-beta \
  --namespace tap-install \
  --values-file scst-scan-controller-values.yaml
| Installing package 'scanning.apps.tanzu.vmware.com'
| Getting namespace 'tap-install'
| Getting package metadata for 'scanning.apps.tanzu.vmware.com'
| Creating service account 'scan-controller-tap-install-sa'
| Creating cluster admin role 'scan-controller-tap-install-cluster-role'
| Creating cluster role binding 'scan-controller-tap-install-cluster-rolebinding'
| Creating secret 'scan-controller-tap-install-values'
/ Creating package resource
/ Package install status: Reconciling

Added installed package 'scan-controller' in namespace 'tap-install'
To install Supply Chain Security Tools - Scan (Grype Scanner):
- Follow the instructions in Install Packages above.
- Gather the values schema by running:
tanzu package available get grype.scanning.apps.tanzu.vmware.com/1.0.0-beta --values-schema -n tap-install
For example:
$ tanzu package available get grype.scanning.apps.tanzu.vmware.com/1.0.0-beta --values-schema -n tap-install
| Retrieving package details for grype.scanning.apps.tanzu.vmware.com/1.0.0-beta...
  KEY                        DEFAULT  TYPE    DESCRIPTION
  namespace                  default  string  Deployment namespace for the Scan Templates
  resources.limits.cpu       1000m    <nil>   Limits describes the maximum amount of cpu resources allowed.
  resources.requests.cpu     250m     <nil>   Requests describes the minimum amount of cpu resources required.
  resources.requests.memory  128Mi    <nil>   Requests describes the minimum amount of memory resources required.
- The default values are appropriate for this package. If you want to change from the default values, use the Scan Controller instructions as a guide.
- Install the package by running:
tanzu package install grype-scanner \
  --package-name grype.scanning.apps.tanzu.vmware.com \
  --version 1.0.0-beta \
  --namespace tap-install
For example:
$ tanzu package install grype-scanner \
  --package-name grype.scanning.apps.tanzu.vmware.com \
  --version 1.0.0-beta \
  --namespace tap-install
/ Installing package 'grype.scanning.apps.tanzu.vmware.com'
| Getting namespace 'tap-install'
| Getting package metadata for 'grype.scanning.apps.tanzu.vmware.com'
| Creating service account 'grype-scanner-tap-install-sa'
| Creating cluster admin role 'grype-scanner-tap-install-cluster-role'
| Creating cluster role binding 'grype-scanner-tap-install-cluster-rolebinding'
/ Creating package resource
- Package install status: Reconciling

Added installed package 'grype-scanner' in namespace 'tap-install'
To install the API portal:
- Follow the instructions in Install Packages above.
- Check what versions of API portal are available to install by running:
tanzu package available list -n tap-install api-portal.tanzu.vmware.com
For example:
$ tanzu package available list -n tap-install api-portal.tanzu.vmware.com
- Retrieving package versions for api-portal.tanzu.vmware.com...
  NAME                         VERSION  RELEASED-AT
  api-portal.tanzu.vmware.com  1.0.2    2021-09-27T00:00:00Z
- Create a container registry secret named api-portal-image-pull-secret by running:
kubectl create secret docker-registry api-portal-image-pull-secret -n tap-install \
  --docker-server=registry.tanzu.vmware.com \
  --docker-username=TANZU-NET-USER \
  --docker-password=TANZU-NET-PASSWORD
Where TANZU-NET-USER and TANZU-NET-PASSWORD are your credentials for Tanzu Network.
- Install API portal by running:
tanzu package install api-portal -n tap-install -p api-portal.tanzu.vmware.com -v 1.0.2
For example:
$ tanzu package install api-portal -n tap-install -p api-portal.tanzu.vmware.com -v 1.0.2
/ Installing package 'api-portal.tanzu.vmware.com'
| Getting namespace 'api-portal'
| Getting package metadata for 'api-portal.tanzu.vmware.com'
| Creating service account 'api-portal-api-portal-sa'
| Creating cluster admin role 'api-portal-api-portal-cluster-role'
| Creating cluster role binding 'api-portal-api-portal-cluster-rolebinding'
/ Creating package resource
- Package install status: Reconciling

Added installed package 'api-portal' in namespace 'tap-install'
For more information about API portal, see API portal for VMware Tanzu.
To install Services Control Plane Toolkit:
- See what versions of Services Control Plane Toolkit are available to install by running:
tanzu package available list -n tap-install scp-toolkit.tanzu.vmware.com
For example:
$ tanzu package available list -n tap-install scp-toolkit.tanzu.vmware.com
- Retrieving package versions for scp-toolkit.tanzu.vmware.com...
  NAME                          VERSION  RELEASED-AT
  scp-toolkit.tanzu.vmware.com  0.3.0    2021-09-17T13:53:29Z
- Install Services Control Plane Toolkit by running:
tanzu package install scp-toolkit -n tap-install -p scp-toolkit.tanzu.vmware.com -v 0.3.0
- Verify that the package installed by running:
tanzu package installed get scp-toolkit -n tap-install
and checking that the STATUS value is Reconcile succeeded. For example:
$ tanzu package installed get scp-toolkit -n tap-install
| Retrieving installation details for scp-toolkit...
NAME:                    scp-toolkit
PACKAGE-NAME:            scp-toolkit.tanzu.vmware.com
PACKAGE-VERSION:         0.3.0
STATUS:                  Reconcile succeeded
CONDITIONS:              [{ReconcileSucceeded True  }]
USEFUL-ERROR-MESSAGE:
STATUS should be Reconcile succeeded.
Use the following procedure to verify that the packages are installed.
- List the installed packages by running:
tanzu package installed list --namespace tap-install
For example:
$ tanzu package installed list --namespace tap-install
\ Retrieving installed packages...
  NAME                   PACKAGE-NAME                                       PACKAGE-VERSION  STATUS
  api-portal             api-portal.tanzu.vmware.com                        1.0.2            Reconcile succeeded
  app-accelerator        accelerator.apps.tanzu.vmware.com                  0.3.0            Reconcile succeeded
  app-live-view          appliveview.tanzu.vmware.com                       0.2.0            Reconcile succeeded
  cloud-native-runtimes  cnrs.tanzu.vmware.com                              1.0.2            Reconcile succeeded
  convention-controller  controller.conventions.apps.tanzu.vmware.com       0.4.2            Reconcile succeeded
  grype-scanner          grype.scanning.apps.tanzu.vmware.com               1.0.0-beta       Reconcile succeeded
  image-policy-webhook   image-policy-webhook.signing.run.tanzu.vmware.com  1.0.0-beta.0     Reconcile succeeded
  metadata-store         scst-store.tanzu.vmware.com                        1.0.0-beta.0     Reconcile succeeded
  scan-controller        scanning.apps.tanzu.vmware.com                     1.0.0-beta       Reconcile succeeded
  scp-toolkit            scp-toolkit.tanzu.vmware.com                       0.3.0            Reconcile succeeded
  service-bindings       service-bindings.labs.vmware.com                   0.5.0            Reconcile succeeded
  source-controller      controller.source.apps.tanzu.vmware.com            0.1.2            Reconcile succeeded
  tbs                    buildservice.tanzu.vmware.com                      1.3.0            Reconcile succeeded
To create a Cartographer Workload for your application that uses the registry credentials specified in the steps above, add the following resources to your namespace before creating the Workload:
apiVersion: v1
kind: Secret
metadata:
name: tap-registry
annotations:
secretgen.carvel.dev/image-pull-secret: ""
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: e30K
---
apiVersion: v1
kind: Secret
metadata:
name: registry-credentials
annotations:
secretgen.carvel.dev/image-pull-secret: ""
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: e30K
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: service-account # use value from "Install Default Supply Chain"
secrets:
- name: registry-credentials
imagePullSecrets:
- name: registry-credentials
- name: tap-registry
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: kapp-permissions
annotations:
kapp.k14s.io/change-group: "role"
rules:
- apiGroups:
- serving.knative.dev
resources: ['services']
verbs: ['*']
- apiGroups: [""]
resources: ['configmaps']
verbs: ['get', 'watch', 'list', 'create', 'update', 'patch', 'delete']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kapp-permissions
annotations:
kapp.k14s.io/change-rule: "upsert after upserting role"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kapp-permissions
subjects:
- kind: ServiceAccount
name: service-account # use value from "Install Default Supply Chain"