Provision namespace resources
This topic tells you how to use Namespace Provisioner to provision namespace-scoped resources in Tanzu Application Platform (commonly known as TAP).
There are two approaches to provisioning namespace-scoped resources supported:
Using Namespace Provisioner Controller is recommended for Tanzu Application Platform clusters that:
- include Out of the Box Supply Chain Basic
- require only the default namespace-scoped resources to be provisioned
Using GitOps is required for Tanzu Application Platform clusters that meet any of the following:
- include Out of the Box Supply Chain - Testing and Scanning
- require customization or extension of the default namespace-scoped resources that are provisioned
- prefer to control which namespaces get provisioned with GitOps
Using Namespace Provisioner Controller
Ensure that the following prerequisites are met before provisioning namespace-scoped resources using Namespace Provisioner Controller.
Prerequisites
- The Namespace Provisioner package is installed and reconciled.
- The controller tap value key is set to
true(Default istrue). -
The
registry-credentialssecret referenced by the Tanzu Build Service is added to tap-install and exported to all namespaces. If you don’t want to export this secret to all namespaces for any reason, you must complete an additional step to create this secret in each namespace you want to provision.- Example secret creation, exported to all namespaces
tanzu secret registry add tbs-registry-credentials --server REGISTRY-SERVER --username REGISTRY-USERNAME --password REGISTRY-PASSWORD --export-to-all-namespaces --yes --namespace tap-install- Example secret creation for a specific namespace
tanzu secret registry add tbs-registry-credentials --server REGISTRY-SERVER --username REGISTRY-USERNAME --password REGISTRY-PASSWORD --yes --namespace YOUR-NEW-DEVELOPER-NAMESPACE
Provision a new developer namespace
Complete the following steps to provision a new developer namespace:
-
Create a namespace using kubectl or any other means
kubectl create namespace YOUR-NEW-DEVELOPER-NAMESPACE -
Label your new developer namespace with the label selector
apps.tanzu.vmware.com/tap-ns=""kubectl label namespaces YOUR-NEW-DEVELOPER-NAMESPACE apps.tanzu.vmware.com/tap-ns=""- This label tells the controller to add this namespace to the desired-namespaces ConfigMap.
- The label’s value can be anything, including "".
- If required, you can change the default label selector by configuring the namespace_selector property/value in tap-values for namespace provisioner.
- This label tells the controller to add this namespace to the desired-namespaces ConfigMap.
-
(Optional) This step is only required if the
registry-credentialssecret that was created during Tanzu Application Platform Installation was not exported to all namespaces (see the Prerequisites section above for details).-
Add the registry-credentials secret referenced by the Tanzu Build Service to the new namespace and patch the service account that will be used by the workload to refer to this new secret.
tanzu secret registry add registry-credentials --server REGISTRY-SERVER --username REGISTRY-USERNAME --password REGISTRY-PASSWORD --yes --namespace YOUR-NEW-DEVELOPER-NAMESPACE
-
-
Run the following command to verify the correct resources were created in the namespace:
kubectl get secrets,serviceaccount,rolebinding,pods,workload,configmap -n YOUR-NEW-DEVELOPER-NAMESPACE- To see the list of resources that are provisioned in your namespace based on the installation profile and supply chain values configured in your
tap-values.yamlfile, see Default resources mapping.
- To see the list of resources that are provisioned in your namespace based on the installation profile and supply chain values configured in your
Using GitOps
This section describes how to use GitOps to manage the list of namespaces in the desired-namespaces ConfigMap instead of the built-in controller.
WARNING If there is a namespace in your GitOps repository desired-namespaces ConfigMap list that does not exist on the cluster, the provisioner application fails to reconcile and cannot create resources. Creation of the namespaces is out of the scope for the Namespace Provisioner package.
Prerequisites
The prerequisites for using GitOps are the same as those specified in the controller prerequisites above except for the controller tap value key’s value as follows:
- The controller tap value key is set to
false(Default istrue)
For more information about provisioning namespaces with GitOps, see Control the desired-namespaces ConfigMap with GitOps.
