A while ago I wrote about an awesome new feature in Tanzu Mission Control: “Installing Tanzu Application Platform through Tanzu Mission Control”. This functionality enables you to effortlessly deploy TAP to a Kubernetes cluster using Tanzu Mission Control (TMC), where TMC takes full responsibility for meeting the prerequisites and executing the deployment.
In my previous article I showed how to deploy a very basic configuration. Let’s see how to deploy a more advanced configuration using a custom tap-values.yaml (some of the settings come from our demo setup – kudos to my colleague Robert Jensen). In this setup we will:
- Configure authentication using GitHub OAuth.
- Do a GitOps deployment of our app (instead of RegistryOps).
- Configure and use a signed certificate for TAP GUI.
- Configure the Namespace Provisioner in GitOps mode, including automated distribution of scan and testing policies.
The tap-values.yaml contains the settings of the components that form the foundation of TAP. To get started, go to Catalog in TMC and (for this example) choose Single Cluster. By the way, it’s now also possible to do a multi-cluster setup of TAP:
Choose “Install TAP” and give your installation a name. Setting up TAP requires a registry and a correct setup of the required secret(s). In this example we will configure the required secret in TMC and then upload our tap-values.yaml file to the deployment wizard.
Without filling in any of the properties, we click “create new secret” and set up the secret for our registry like this:
The next step is to choose “Advanced” in the deployment wizard, select YAML and paste your tap-values.yaml file into the textbox. Make sure that the secret and namespace you configured in the previous step are the same as those referenced in your tap-values.yaml file.
Click done and then submit. Now sit back and relax and watch things being deployed.
Post configuration steps
To get things up and running, a couple of post-configuration steps are required.
Set up a signed TLS certificate for TAP GUI
The tap-values.yaml points to a tap-gui certificate secret in the cert-manager namespace:
```yaml
tap_gui:
  # TLS certificate configuration for TAP-GUI
  tls:
    namespace: cert-manager
    secretName: tap-gui
```
You have to create this certificate yourself.
Although creating a certificate is out of scope for this article, you might find these files helpful to set up a ClusterIssuer and generate a certificate for TAP GUI. You can also comment out the TLS part in tap-values.yaml if you want to continue using self-signed certificates.
Set up DNS to get access to TAP
Now use:
```shell
kubectl get service -n tanzu-system-ingress envoy -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
```
to learn the IP address TAP can be accessed on. Configure a wildcard DNS A record that points to this address; in my example this would be *.tap.viktoriouslab.nl.
Configuration of the Namespace Provisioner
An important element of TAP is the Namespace Provisioner, a component responsible for deploying developer namespace(s) on the Kubernetes cluster. The Namespace Provisioner can operate in Controller or GitOps mode. In this example the Namespace Provisioner is operating in GitOps mode, which means the configuration is hosted on a Git site (in my case github.com):
```yaml
namespace_provisioner:
  controller: false
  sync_period: 30s
  # Namespace provisioner - list of namespaces
  gitops_install:
    ref: origin/main
    subPath: tap/ns-provisioner/namespaces
    url: https://github.com/viktoriousss/tanzu-demo-essentials.git
```
In this folder you will find a list of namespaces that are configured automatically on TAP.
The Namespace Provisioner also takes care of adding some standard components to each developer Kubernetes namespace. The components are defined in this folder. You will find some software testing definitions, scan policies and secret configuration here.
Set up the Git secret
The tap-values.yaml uses GitOps to store and deploy the Kubernetes artifacts generated by the secure supply chain:
```yaml
ootb_supply_chain_testing_scanning:
  gitops:
    ssh_secret: git-https-secret
    branch: main
    commit_message: "Update from TAP Supply Chain Choreographer"
    server_address: https://github.com/
    repository_owner: viktoriousss # github-account
    repository_name: tap-deliveries
```
To make this work you will need to configure a secret that contains logon credentials to (in this example) the tap-deliveries private repository. Creating this secret can be done by applying this yaml file. The YAML file will create a secret and a secret export.
This code in tap-values.yaml imports this secret from tap-install into the developer namespaces:
```yaml
namespace_provisioner:
  additional_sources:
  - git:
      secretRef:
        name: git-https-secret # this is the new credential
        namespace: tap-install
```
while
```yaml
namespace_provisioner:
  default_parameters:
    supply_chain_service_account:
      secrets:
      - git-https-secret
```
tells TAP to use this secret to access the repository.
Set up GitHub authentication
By default TAP allows guest logins. In the setup I’m using I’ve configured access through GitHub.com (using GitHub’s OAuth system). The configuration for this setup is under the tap_gui part in tap-values.yaml:
```yaml
tap_gui:
  app_config:
    auth:
      allowGuestAccess: false
      environment: development
      providers:
        github:
          # This is for github OAuth authentication to the TAP portal.
          # Configure a new OAuth app for TAP here: https://github.com/settings/developers.
          # Homepage URL is http://tap-gui..
          development:
            clientId: "" # you need to get this value from GitHub Developer Settings OAuth2 page
            clientSecret: ""
```
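As an added example (not from the original post or the TAP project), a small Python check over a parsed tap-values.yaml that validates the cross-references the sections above depend on: the Git secret named in the supply chain must be imported from tap-install and attached to the supply-chain service account, GitOps mode needs a complete gitops_install block, disabling guest access requires the GitHub client credentials, and a TLS block must name both namespace and secret. Loading a real file with PyYAML is an assumption; the sample values below are constructed.

```python
# Added example (not from the original post); load a real file with PyYAML (assumed):
# values = yaml.safe_load(open("tap-values.yaml"))
def _get(d, path, default=None):
    """Walk a dotted key path through nested dicts; return default if any step is missing."""
    for key in path.split("."):
        if not isinstance(d, dict) or key not in d:
            return default
        d = d[key]
    return d

def check_tap_values(values):
    """Return a list of findings; an empty list means the cross-references are consistent."""
    findings, nsp = [], "namespace_provisioner"
    # 1. The supply chain's GitOps secret must be imported from tap-install and attached to the service account.
    secret = _get(values, "ootb_supply_chain_testing_scanning.gitops.ssh_secret")
    if secret:
        refs = [_get(s, "git.secretRef", {}) for s in _get(values, f"{nsp}.additional_sources", [])]
        if not any(r.get("name") == secret and r.get("namespace") == "tap-install" for r in refs):
            findings.append(f"secret '{secret}' is not imported from tap-install via additional_sources")
        if secret not in _get(values, f"{nsp}.default_parameters.supply_chain_service_account.secrets", []):
            findings.append(f"secret '{secret}' is missing from supply_chain_service_account.secrets")
    # 2. GitOps mode (controller: false) needs a complete gitops_install block.
    if _get(values, f"{nsp}.controller") is False:
        for key in ("url", "ref", "subPath"):
            if not _get(values, f"{nsp}.gitops_install.{key}"):
                findings.append(f"{nsp}.gitops_install.{key} is required in GitOps mode")
    # 3. With guest access disabled, the GitHub OAuth client credentials must be filled in.
    auth = _get(values, "tap_gui.app_config.auth", {})
    if auth.get("allowGuestAccess") is False:
        env = auth.get("environment", "development")
        for key in ("clientId", "clientSecret"):
            if not _get(auth, f"providers.github.{env}.{key}"):
                findings.append(f"GitHub OAuth {key} is empty for environment '{env}'")
    # 4. A TLS block must name both the namespace and the secret holding the certificate.
    tls = _get(values, "tap_gui.tls")
    if tls is not None and not (_get(tls, "namespace") and _get(tls, "secretName")):
        findings.append("tap_gui.tls must set both namespace and secretName")
    return findings

# Constructed sample mirroring the post's values, with the GitHub clientId deliberately left empty.
SAMPLE_VALUES = {
    "tap_gui": {"tls": {"namespace": "cert-manager", "secretName": "tap-gui"},
                "app_config": {"auth": {"allowGuestAccess": False, "environment": "development",
                    "providers": {"github": {"development": {"clientId": "", "clientSecret": "redacted"}}}}}},
    "namespace_provisioner": {"controller": False, "gitops_install": {"ref": "origin/main",
            "subPath": "tap/ns-provisioner/namespaces", "url": "https://github.com/viktoriousss/tanzu-demo-essentials.git"},
        "additional_sources": [{"git": {"secretRef": {"name": "git-https-secret", "namespace": "tap-install"}}}],
        "default_parameters": {"supply_chain_service_account": {"secrets": ["git-https-secret"]}}},
    "ootb_supply_chain_testing_scanning": {"gitops": {"ssh_secret": "git-https-secret"}},
}
```

Running `check_tap_values(SAMPLE_VALUES)` reports only the empty clientId; run it against your own values before pasting them into the TMC wizard.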
Now you’ve got everything set up and you can start deploying your first application to Tanzu Application Platform.