Install Namespace Provisioner

Namespace Provisioner is packaged and distributed using the Carvel set of tools.

The Namespace Provisioner Carvel package is published to the Tanzu Application Platform package repository and two installation approaches are supported:

Install using a Profile

To install Namespace Provisioner as part of a wider Tanzu Application Platform profile-based installation, see Installing Tanzu Application Platform.

The Namespace Provisioner package is installed as part of the standard installation profiles. The default set of resources provisioned in a namespace is based on a combination of the Tanzu Application Platform installation profile employed and the supply chain that is installed on the cluster.

For a list of the resources created for each profile and supply chain combination, see the default resource mapping table.

Customized Installation

To list the values you can configure for the package, run:

tanzu package available get namespace-provisioner.apps.tanzu.vmware.com/0.1.2 --values-schema -n tap-install

The following values are configurable:

controller: Whether to install the controller that is part of the package.
- Set to true (Default) to manage the desired-namespaces ConfigMap automatically using a controller on the cluster.
- Set to false to populate the desired-namespaces ConfigMap using an external mechanism such as GitOps. See Control the desired-namespaces ConfigMap via GitOps.

aws_iam_role_arn: If the installation is on AWS with EKS, use the selected IAM Role for Kubernetes Service Accounts.

additional_sources: Add sources that contain Platform Operator templated resources, which are applied to the provisioned namespaces using GitOps in addition to the default-resources that are shipped with Tanzu Application Platform.
- See the fetch section of the kapp App specification for the format. Only the Git type fetch is supported.
- See Extending the default provisioned resources.

Example snippet of tap-values.yaml:

...
namespace_provisioner:
  controller: true
  namespace_selector:
    matchExpressions:
    - key: apps.tanzu.vmware.com/tap-ns
      operator: Exists
  aws_iam_role_arn: "arn:aws:iam::123456789012:role/EKSIAMRole"
  additional_sources:
  # Patches the out-of-the-box (OOTB) scan policy with different Rego data
  - git:
      ref: tap-1.4-np
      subPath: namespace-provisioner-gitops-examples/default-resources-overrides/overlays
      url: https://github.com/vmware-tanzu/application-accelerator-samples.git
    path: _ytt_lib/customize
  # Add a custom workload service account and a bunch of git secrets
  - git:
      ref: tap-1.4-np
      subPath: namespace-provisioner-gitops-examples/custom-resources/workload-sa
      url: https://github.com/vmware-tanzu/application-accelerator-samples.git
    path: _ytt_lib/workload-sa
...
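A pre-install check for the namespace_provisioner block, as an added example that is not part of the Tanzu Application Platform documentation or tooling. The function name, the sample mapping and the two warnings (plaintext transport, ref not pinned to a commit) are assumptions that reflect a reviewer's policy, not product requirements; the errors follow the value descriptions above.

```python
import re

# Other fetch types in the kapp App spec; per the page only git is supported here.
OTHER_FETCH_TYPES = {"inline", "image", "imgpkgBundle", "http", "helmChart"}
ROLE_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+$")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def lint_namespace_provisioner(np):
    """Return (level, message) findings for a parsed namespace_provisioner mapping."""
    findings = []
    if not isinstance(np.get("controller", True), bool):
        findings.append(("error", "controller must be true or false"))
    arn = np.get("aws_iam_role_arn")
    if arn is not None and not ROLE_ARN.match(str(arn)):
        findings.append(("error", "aws_iam_role_arn is not an IAM role ARN"))
    for i, src in enumerate(np.get("additional_sources") or []):
        where = f"additional_sources[{i}]"
        git = src.get("git")
        others = sorted(OTHER_FETCH_TYPES & set(src))
        if others or not isinstance(git, dict):
            findings.append(("error", f"{where}: only git fetch is supported"))
            continue
        # Assumed review policy (not a product rule): flag unauthenticated
        # transports and refs that can move after the change was reviewed.
        if str(git.get("url", "")).startswith(("http://", "git://")):
            findings.append(("warn", f"{where}: url uses a plaintext transport"))
        if not FULL_SHA.match(str(git.get("ref", ""))):
            findings.append(("warn", f"{where}: ref {git.get('ref')!r} is not a full commit SHA"))
    return findings


# Constructed sample: source 0 mirrors the page's snippet, source 1 is deliberately wrong.
SAMPLE = {
    "controller": True,
    "aws_iam_role_arn": "arn:aws:iam::123456789012:role/EKSIAMRole",
    "additional_sources": [
        {"git": {"ref": "tap-1.4-np",
                 "subPath": "namespace-provisioner-gitops-examples/default-resources-overrides/overlays",
                 "url": "https://github.com/vmware-tanzu/application-accelerator-samples.git"},
         "path": "_ytt_lib/customize"},
        {"http": {"url": "http://example.invalid/overlays.tgz"}, "path": "_ytt_lib/extra"},
    ],
}

if __name__ == "__main__":
    for level, message in lint_namespace_provisioner(SAMPLE):
        print(f"{level}: {message}")
```

To check a real file, parse tap-values.yaml with a YAML loader and pass its namespace_provisioner mapping to the function.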