Deploy an air-gapped workload on Tanzu Application Platform

This topic for developers guides you through deploying your first workload on Tanzu Application Platform (commonly known as TAP) in an air-gapped environment.

For information about installing Tanzu Application Platform in an air-gapped environment, see Install Tanzu Application Platform in an air-gapped environment.

What you will do

  • Create a workload from Git.
  • Create a basic supply chain workload.
  • Create a testing supply chain workload.
  • Create a testing scanning supply chain workload.

Prerequisites

Before a developer can deploy an air-gapped workload, a platform operator must:

Create a workload from Git

To create a workload from Git through HTTPS, follow these steps:

  1. (Optional) To pass in login credentials for a Git repository with the certificate authority (CA) certificate, create a file called git-credentials.yaml. For example:

    apiVersion: v1
    kind: Secret
    metadata:
      name: git-ca
      # namespace: default
    type: Opaque
    stringData:
      username: USERNAME
      password: PASSWORD
      caFile: |
        CADATA
    

    Where:

    • USERNAME is the user name.
    • PASSWORD is the password.
    • CADATA is the PEM-encoded CA certificate for the Git repository.
  2. To pass in a custom settings.xml for Java or a custom nuget.config for NuGet:

    • For Java, create a file called settings-xml.yaml. For example:

      apiVersion: v1
      kind: Secret
      metadata:
        name: settings-xml
      type: service.binding/maven
      stringData:
        type: maven
        provider: sample
        settings.xml: |
          <settings xmlns="http://maven.apache.org/SETTINGS/1.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 https://maven.apache.org/xsd/settings-1.0.0.xsd">
              <mirrors>
                  <mirror>
                      <id>reposilite</id>
                      <name>Tanzu seal Internal Repo</name>
                      <url>https://reposilite.tap-trust.cf-app.com/releases</url>
                      <mirrorOf>*</mirrorOf>
                  </mirror>
              </mirrors>
              <servers>
                  <server>
                      <id>reposilite</id>
                      <username>USERNAME</username>
                      <password>PASSWORD</password>
                  </server>
              </servers>
          </settings>
      
    • For NuGet, create a file called settings-xml.yaml. For example:

      apiVersion: v1
      kind: Secret
      metadata:
        name: settings-xml
      type: service.binding/nugetconfig
      stringData:
        type: nugetconfig
        provider: sample
        nuget.config: |
          <?xml version="1.0" encoding="utf-8"?>
            <configuration>
              <packageSources>
                <clear />
                <add key="nuget-proxy" value="https://internal_nuget-proxy_fqdn/repository/nuget.org-proxy/index.json" />
              </packageSources>
            </configuration>
      
  3. Apply the file:

    kubectl create -f settings-xml.yaml -n DEVELOPER-NAMESPACE
    

Create a basic supply chain workload

Next, create your basic supply chain workload.

To pass the CA certificate in when you create the workload, run:

tanzu apps workload create APP-NAME --git-repo https://GITREPO --git-branch BRANCH --type web --label app.kubernetes.io/part-of=CATALOGNAME --yes --param-yaml buildServiceBindings='[{"name": "settings-xml", "kind": "Secret"}]' --param "source_credentials_secret=git-ca" --param "gitops_credentials_secret=git-ca"

Create a testing supply chain workload

To add the Tekton supply chain to the cluster, apply the following YAML:

apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: developer-defined-tekton-pipeline
  labels:
    apps.tanzu.vmware.com/pipeline: test     # (!) required
spec:
  params:
    - name: source-url                       # (!) required
    - name: source-revision                  # (!) required
  tasks:
    - name: test
      params:
        - name: source-url
          value: $(params.source-url)
        - name: source-revision
          value: $(params.source-revision)
      taskSpec:
        params:
          - name: source-url
          - name: source-revision
        steps:
          - name: test
            image: MY-REGISTRY/gradle
            script: |-
              cd `mktemp -d`

Where MY-REGISTRY is your container image registry. Relocate all the images given in the pipeline YAML to your private container registry.
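
The relocation requirement above can be checked before a manifest is applied. The following script is an added example, not part of the original topic or of Tanzu Application Platform: it lists every `image:` reference that is not under the private registry. The registry host `registry.internal.example` and the sample manifest are constructed, and only `image:` keys are inspected.

```shell
#!/usr/bin/env bash
# Added example: find image references that would be pulled from outside
# the air gap. Registry name and sample manifest are constructed.

# unrelocated_images REGISTRY FILE
# Prints each image reference not under REGISTRY/ and returns 1 if any exist.
unrelocated_images() {
  registry="${1%/}"   # tolerate a trailing slash on the registry argument
  file="$2"
  # Keep the value of "image: ref" and "- image: ref" lines, then drop
  # trailing comments and surrounding quotes.
  refs=$(sed -n -E 's/^[[:space:]]*(-[[:space:]]+)?image:[[:space:]]*//p' "$file" \
    | sed -E 's/[[:space:]]+#.*$//' | tr -d "\"'")
  bad=0
  for ref in $refs; do
    case "$ref" in
      # The "/" after the host is required, so a look-alike host that merely
      # starts with the registry name does not count as relocated.
      "$registry"/*) ;;
      *) printf '%s\n' "$ref"; bad=1 ;;
    esac
  done
  return "$bad"
}

# Constructed sample manifest: two relocated references, two not.
sample_manifest() {
  cat <<'EOF'
steps:
  - name: test
    image: registry.internal.example/tap/gradle:7.6
  - name: lint
    image: "docker.io/library/alpine:3.19"   # public registry
sidecars:
  - image: registry.internal.example.mirror.test/tools/curl
  - image: registry.internal.example/tap/maven@sha256:PLACEHOLDER
EOF
}

tmp=$(mktemp)
sample_manifest > "$tmp"
unrelocated_images registry.internal.example "$tmp" \
  || echo "relocate the images listed above before applying" >&2
rm -f "$tmp"
```

The non-zero return value lets the check gate a `kubectl apply` step in a script or CI job.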

Create the workload by running:

tanzu apps workload create APP-NAME --git-repo https://GITURL --git-branch BRANCH --type web --label app.kubernetes.io/part-of=CATALOGNAME --yes --label apps.tanzu.vmware.com/has-tests=true --param-yaml buildServiceBindings='[{"name": "settings-xml", "kind": "Secret"}]'

To instead pass the CA certificate when you create the workload, run:

tanzu apps workload create APP-NAME --git-repo https://GITREPO --git-branch BRANCH --type web --label app.kubernetes.io/part-of=CATALOGNAME --yes --label apps.tanzu.vmware.com/has-tests=true --param-yaml buildServiceBindings='[{"name": "settings-xml", "kind": "Secret"}]' --param "source_credentials_secret=git-ca" --param "gitops_credentials_secret=git-ca"

Create a testing scanning supply chain workload

Create the workload by running:

tanzu apps workload create APP-NAME --git-repo https://GITURL --git-branch BRANCH --type web --label app.kubernetes.io/part-of=CATALOGNAME --yes --label apps.tanzu.vmware.com/has-tests=true --param-yaml buildServiceBindings='[{"name": "settings-xml", "kind": "Secret"}]'

To instead pass the CA certificate when you create the workload, run:

tanzu apps workload create APP-NAME --git-repo https://GITREPO --git-branch BRANCH --type web --label app.kubernetes.io/part-of=CATALOGNAME --yes --label apps.tanzu.vmware.com/has-tests=true --param-yaml buildServiceBindings='[{"name": "settings-xml", "kind": "Secret"}]' --param "source_credentials_secret=git-ca" --param "gitops_credentials_secret=git-ca"