This topic tells you how to use Namespace Provisioner to provision namespace-scoped resources in Tanzu Application Platform (commonly known as TAP).
Two approaches to provisioning namespace-scoped resources are supported:
Using Namespace Provisioner Controller is recommended for Tanzu Application Platform clusters that:
Using GitOps is required for Tanzu Application Platform clusters that meet any of the following:
Ensure that the following prerequisites are met before provisioning namespace-scoped resources using Namespace Provisioner Controller.
true (Default is true).
The registry-credentials secret referenced by the Tanzu Build Service is added to tap-install and exported to all namespaces. If you don’t want to export this secret to all namespaces for any reason, you must complete an additional step to create this secret in each namespace you want to provision.
tanzu secret registry add tbs-registry-credentials --server REGISTRY-SERVER --username REGISTRY-USERNAME --password REGISTRY-PASSWORD --export-to-all-namespaces --yes --namespace tap-install
tanzu secret registry add tbs-registry-credentials --server REGISTRY-SERVER --username REGISTRY-USERNAME --password REGISTRY-PASSWORD --yes --namespace YOUR-NEW-DEVELOPER-NAMESPACE
Complete the following steps to provision a new developer namespace:
Create a namespace using kubectl or any other means:
kubectl create namespace YOUR-NEW-DEVELOPER-NAMESPACE
Label your new developer namespace with the label selector apps.tanzu.vmware.com/tap-ns="":
kubectl label namespaces YOUR-NEW-DEVELOPER-NAMESPACE apps.tanzu.vmware.com/tap-ns=""
(Optional) This step is only required if the registry-credentials secret that was created during Tanzu Application Platform installation was not exported to all namespaces (see the Prerequisites section above for details).
Add the registry-credentials secret referenced by the Tanzu Build Service to the new namespace and patch the service account that will be used by the workload to refer to this new secret.
tanzu secret registry add registry-credentials --server REGISTRY-SERVER --username REGISTRY-USERNAME --password REGISTRY-PASSWORD --yes --namespace YOUR-NEW-DEVELOPER-NAMESPACE
Run the following command to verify the correct resources were created in the namespace:
kubectl get secrets,serviceaccount,rolebinding,pods,workload,configmap -n YOUR-NEW-DEVELOPER-NAMESPACE
tap-values.yaml file, see Default resources mapping.
This section describes how to use GitOps to manage the list of namespaces in the desired-namespaces ConfigMap instead of the built-in controller.
WARNING: If a namespace in the desired-namespaces ConfigMap list in your GitOps repository does not exist on the cluster, the provisioner application fails to reconcile and cannot create resources. Creating the namespaces is out of scope for the Namespace Provisioner package.
The prerequisites for using GitOps are the same as those specified in the controller prerequisites above, except that the value of the controller tap value key is as follows:
false (Default is true).
For more information about provisioning namespaces with GitOps, see Control the desired-namespaces ConfigMap with GitOps.
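The WARNING above means that a GitOps change listing a namespace the cluster does not have stops reconciliation. The following check is an added example, not part of the Tanzu documentation: it compares the desired list with the output of kubectl get namespaces -o name before a change is merged. The "- name:" entry format, the file names and the function names are assumptions.

```shell
# Added example, not from the Tanzu documentation.

# Print the namespace names listed in a desired-namespaces document on stdin.
# ASSUMPTION: each entry is a YAML list item of the form "- name: <namespace>".
desired_names() {
  awk '$1 == "-" && $2 == "name:" { gsub(/"/, "", $3); print $3 }' | sort -u
}

# Reduce `kubectl get namespaces -o name` output ("namespace/dev") to bare names.
cluster_names() {
  sed -n 's|^namespace/||p' | sort -u
}

# missing_namespaces DESIRED_FILE CLUSTER_FILE
# Prints every desired namespace that is absent from the cluster, one per line.
missing_namespaces() {
  desired=$(desired_names < "$1")
  existing=$(cluster_names < "$2")
  [ -n "$desired" ] || return 0
  # -x whole-line match, -F literal strings, -v keep only the non-matching names
  printf '%s\n' "$desired" | grep -vxF -e "$existing" || true
}

# Returns non-zero (for use as a CI gate) when any desired namespace is missing.
check_gitops_namespaces() {
  missing=$(missing_namespaces "$1" "$2")
  [ -z "$missing" ] && return 0
  printf 'missing on cluster: %s\n' $missing >&2
  return 1
}

# Constructed sample data, not taken from a real repository or cluster.
write_samples() {
  cat > "$1/desired.yaml" <<'EOF'
namespaces:
- name: dev
- name: qa
- name: staging
EOF
  cat > "$1/cluster.txt" <<'EOF'
namespace/default
namespace/dev
namespace/staging
namespace/tap-install
EOF
}

# Live use: kubectl get namespaces -o name > cluster.txt
#           check_gitops_namespaces desired.yaml cluster.txt
```

With the constructed sample, qa is reported as missing until it is created on the cluster.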