VMware Tanzu Application Platform Developer Components
VMware Tanzu Application Platform (informally known as TAP) provides development tools which allow developers to quickly build, test, deploy, and manage applications lifecycle.
Application Workloads
Tanzu Application Platform allows developers to quickly build and test applications. You can turn source code into a workload that runs in a container with a URL. A workload allows users to choose application specifications, such as repository location, environment variables, service binding, and so on.
While using the out-of-the-box Supply Chain, the apps.tanzu.vmware.com/workload-type annotation selects which style of deployment is suitable for your application. The valid values are as follows:
| Workload Type | Description | Indicators |
|---|---|---|
| web | Scalable Web Applications | - Scales based on request load - Automatically exposed by means of HTTP Ingress - Does not perform background work - Works with Service Bindings - Stateless |
| server | Traditional Applications | - Provides HTTP or TCP services on the network - Exposed by means of external Ingress or Load Balancer settings - Might perform background work from a queue - Works with Service Bindings - Fixed scaling, no disk persistence |
| worker | Background Applications | - Does not provide network services - Not exposed externally as a network service - Might perform background work from a queue - Works with Service Bindings - Fixed scaling, no disk persistence |
List of Tanzu Application Platform Developer Components (Inner-Loop)
Tanzu Application Platform Dev components include the following options:
NoteThe Tanzu Application Dev components are not limited to the below options only.
- Accelerator
- API Portal
- AppSSO
- API Auto Registration
- AppLiveView
- Supply Chain Security Tools (SCST) - Scan
Accelerator
The Application Accelerator user interface (UI) enables you to discover available accelerators, configure them, and generate new projects to download.
Accelerator Architecture
The Application Accelerator allows you to generate new projects from files in Git repositories. An accelerator.yaml file in the repository declares input options for the accelerator. The Accelerator custom resources (CRs) control which repositories appear in the Application Accelerator UI. The Accelerator controller reconciles the CRs with a Flux2 Source Controller to fetch files from GitHub or GitLab. For more information, see Tanzu Application Platform Accelerator.
API Portal
The API portal enables API consumers to find APIs that they can use in their own applications. The API portal assembles its dashboard and detailed API documentation views by ingesting OpenAPI documentation from the source URLs. For more information, see Tanzu Application Platform API portal.
AppSSO
The AppSSO conforms to the OIDC standard, and enables the use of external identity providers for user management, registration, and authentication. It supports OIDC providers such as Microsoft Active Directory, Okta, Google, Facebook, and so on.
AppSSO Architecture
The following components must be installed on the run cluster:
- IdentityProvider - these include social media providers, such as, Google, Facebook, or SAML providers, such as, Active Directory.
- AuthServer - the intermediary between the identity provider and the client application, where one or more identity providers are defined.
- ClientRegistration - handles requests for the client id and client secret on behalf of an application, and defines the scopes allowable by the backend authentication server.
- OAuth2 Proxy - a sidecar container deployed with an application for handling inbound and outbound authentication traffic to the end-user application in the same pod.
See the following sample:
Kind: AuthServer
spec:
replicas: 1
tls:
disabled: true
identityProviders:
- name: my-oidc-provider
openID:
issuerURI: https://auth-service.auth0.com
clientID: my-client-abcdef
clientSecretRef:
name: my-openid-client-secret
scopes:
- "openid"
- "other-scope"
authorizationUri: https://example.com/oauth2/authorize
tokenUri: https://example.com/oauth2/token
jwksUri: https://example.com/oauth2/jwks
claimMappings:
roles: my-oidc-provider-groups
The values in the identityProviders section can be retrieved from the identity provider and set here. For example, the issuerURI, in this case, is Auth0. It supports OIDC providers such as Microsoft Active Directory, Okta, Google, Facebook, and so on.
kind: ClientRegistration
spec:
authServerSelector:
matchLabels:
name: my-first-auth-server
env: tutorial
redirectURIs:
- "http://test-app.example.com/oauth2/callback"
requireUserConsent: false
clientAuthenticationMethod: basic
authorizationGrantTypes:
- "client_credentials"
- "authorization_code"
scopes:
- name: "openid"
- name: "email"
- name: "profile"
- name: "roles"
- name: "message.read"
The settings in ClientRegistration contain the redirectURL pointing to a page in the end-user application to be redirected to after the successful authentication. The settings here also reference the AuthServer by its pod’s labels on behalf of the end-user application. For more information, see Tanzu Application Platform AppSSO.
API Auto Registration
The API Auto Registration automates the registration of API specifications defined in a workload’s configuration, and makes them accessible in the Tanzu Application Platform GUI without additional steps. An automated workflow, using a supply chain, leverages API Auto Registration to create and manage a Kubernetes Custom Resource (CR) of kind APIDescriptor. It automatically generates and provides API specifications in OpenAPI, AsyncAPI, GraphQL, or gRPC API formats to the Tanzu Application GUI API Documentation plugin.
Tanzu Application Platform GUI Automated Workflow
The API Documentation plug-in displays a list of APIs provided by components registered in the Catalog providing an easy way for developers to find APIs in a single location.
API Auto Registration components are installed by the run and full profiles.
Recommendations
- The API Auto Registration package configuration in
runclusters must be updated to include the Tanzu Application Platform GUI URL allowing it to register workload APIs into the GUI in theviewcluster. - Workload configuration files must set the
register-apiproperty to true to enable this feature and include theapi_descriptorparameter. For example:apis.apps.tanzu.vmware.com/register-api: "true". - To use the OpenAPI “TRY IT OUT” feature in Tanzu Application GUI, the Workload must configure Cross-origin Resource Sharing (CORS) to allow requests originating from the GUI.
For more information about API Auto Registration, see API Auto Registration.
AppLiveView
Application Live View is a lightweight insights and troubleshooting tool that helps app developers and app operators to look inside running applications. The application provides information from inside the running processes using its HTTP endpoints, otherwise known as actuators. Application Live View uses those endpoints to get and interact with metric data from your application.
AppLiveView Cluster Architecture on Multi-Cluster Setup
The following packages are installed by default in a multi-cluster topology.
- backend.appliveview.tanzu.vmware.com should be included in the
viewcluster profile and exposed as a Kubernetes Service to connectors on theruncluster. - connector.appliveview.tanzu.vmware.com should be included in the
runcluster profile and deployed as a Kubernetes DaemonSet configured to communicate with the backend service on theviewcluster. - conventions.appliveview.tanzu.vmware.com should be included in the
buildprofile and deploy the Conventions service.
The relevant profile settings only apply to:
View Cluster
profile: view
appliveview:
ingressEnabled: true #optional, false by default
ingressDomain: <domain> #optional, overrides shared ingress
sslDisabled: true #optional, false by default
Run Clusters
profile: run
appliveview_connector:
backend:
sslDisabled: true #optional, false by default
host: appliveview.${view_domain} #appliveview is default subdomain
AppLiveView Dependencies
Application workloads require actuator endpoints to report metrics from within the application back to appliveview and viewable from the Tanzu Application Platform GUI portal.
Supply Chain Security Tools (SCST) - Scan
The Scan package includes enterprise-ready source code and container image scanning using the out-of-the-box Grype, with support planned for Snyk and Carbon Black. It integrates with the Tanzu Application Platform user interface by reading scan results from the SCST Store and displaying detailed reports of CVEs found by Scan during a build process. It can prevent software with vulnerabilities from being deployed in production environments through the use of scan policies to protect the network.
SCST Architecture
By default, the following components are installed in the build profile:
- Scan Controller - enables the use of a scanner. This component is packaged in
scanning.apps.tanzu.vmware.com. - Out-of-the-box Grype scanner - executes static source code and image scans - packaged in
grype.scanning.apps.tanzu.vmware.com.
The Tanzu CLI plugins include the following:
- Insight - used to create configuration settings for ScanController, and for querying the SCST Store source and image scan results.
The relevant profile settings are only configured in the build profile.
Profile: build
grype:
metadataStore:
url: https://metadata-store.${app_domain}
caSecret:
name: store-ca-cert
importFromNamespace: metadata-store-secrets
authSecret:
name: store-auth-token
importFromNamespace: metadata-store-secrets
SCST Dependencies
-
Scan requires the installation of SCST Store on the
viewcluster to send and save the results of source and image scans. -
The
viewcluster certificate and token must be extracted and set in thebuildprofile to enable the scanner components to communicate with theviewcluster where the results of scans are stored and available for inquiry.
CI/CD Pipelines for Custom Supply Chain
Tanzu Application Platform supports Tekton pipelines using the tekton-pipelines package to customize the supply chain. It allows developers to build, test, and deploy across cloud providers and on-premises systems. For more information, see Tekton documentation.
To learn more about all Tanzu Application Platform components, see Component documentation.
