This topic for developers guides you through deploying your first workload on Tanzu Application Platform (commonly known as TAP) in an air-gapped environment.
For information about installing Tanzu Application Platform in an air-gapped environment, see Install Tanzu Application Platform in an air-gapped environment.
Before you begin, a Platform operator must configure the air-gapped environment using Namespace Provisioner. For instructions, see Work with Git repositories in air-gapped environments with Namespace Provisioner.
To create a workload from Git through HTTPS, follow these steps:
(Optional) To pass in login credentials for a Git repository with the certificate authority (CA) certificate, create a file called git-credentials.yaml. For example:

    apiVersion: v1
    kind: Secret
    metadata:
      name: git-ca
      # namespace: default
    type: Opaque
    stringData:
      username: USERNAME
      password: PASSWORD
      caFile: |
        CADATA

Where:

USERNAME is the user name.
PASSWORD is the password.
CADATA is the PEM-encoded CA certificate for the Git repository.

To pass in a custom settings.xml for Java or NuGet:
For Java, create a file called settings-xml.yaml. For example:

    apiVersion: v1
    kind: Secret
    metadata:
      name: settings-xml
    type: service.binding/maven
    stringData:
      type: maven
      provider: sample
      settings.xml: |
        <settings xmlns="http://maven.apache.org/SETTINGS/1.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 https://maven.apache.org/xsd/settings-1.0.0.xsd">
            <mirrors>
                <mirror>
                    <id>reposilite</id>
                    <name>Tanzu seal Internal Repo</name>
                    <url>https://reposilite.tap-trust.cf-app.com/releases</url>
                    <mirrorOf>*</mirrorOf>
                </mirror>
            </mirrors>
            <servers>
                <server>
                    <id>reposilite</id>
                    <username>USERNAME</username>
                    <password>PASSWORD</password>
                </server>
            </servers>
        </settings>
For NuGet, create a file called settings-xml.yaml. For example:

    apiVersion: v1
    kind: Secret
    metadata:
      name: settings-xml
    type: service.binding/nugetconfig
    stringData:
      type: nugetconfig
      provider: sample
      nuget.config: |
        <?xml version="1.0" encoding="utf-8"?>
        <configuration>
          <packageSources>
            <clear />
            <add key="nuget-proxy" value="https://internal_nuget-proxy_fqdn/repository/nuget.org-proxy/index.json" />
          </packageSources>
        </configuration>
Apply the file:

    kubectl create -f settings-xml.yaml -n DEVELOPER-NAMESPACE

Next, create your basic supply chain workload.
To pass the CA certificate in when you create the workload, run:

    tanzu apps workload create APP-NAME --git-repo https://GITREPO --git-branch BRANCH --type web --label app.kubernetes.io/part-of=CATALOGNAME --yes --param-yaml buildServiceBindings='[{"name": "settings-xml", "kind": "Secret"}]' --param "gitops_ssh_secret=git-ca"

For instructions about creating a workload with the testing supply chain, see Install OOTB Supply Chain with Testing.
To add the Tekton supply chain to the cluster, apply the following YAML to the cluster:

    apiVersion: tekton.dev/v1beta1
    kind: Pipeline
    metadata:
      name: developer-defined-tekton-pipeline
      labels:
        apps.tanzu.vmware.com/pipeline: test     # (!) required
    spec:
      params:
        - name: source-url                       # (!) required
        - name: source-revision                  # (!) required
      tasks:
        - name: test
          params:
            - name: source-url
              value: $(params.source-url)
            - name: source-revision
              value: $(params.source-revision)
          taskSpec:
            params:
              - name: source-url
              - name: source-revision
            steps:
              - name: test
                image: MY-REGISTRY/gradle
                script: |-
                  cd `mktemp -d`

Where MY-REGISTRY is your container image registry. Relocate all the images given in the pipeline YAML to your private container registry.
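
A pre-apply check for the relocation requirement above, as an added example that is not part of the original topic or of Tanzu Application Platform: it scans a manifest for `image:` references that are not served from the private registry. The function name `unrelocated_images`, the host `registry.internal.example` (standing in for MY-REGISTRY) and the sample manifest are constructed for illustration.

```shell
#!/bin/sh
# Added example: find image references that still point outside the
# private registry. This is a line-based scan of "image:" keys, not a
# YAML parser, so it assumes one image reference per line.

# unrelocated_images REGISTRY FILE
# Prints "line N: IMAGE" for every image not under REGISTRY/ and returns 1
# if any were found, 0 otherwise.
unrelocated_images() {
  out=$(grep -nE '^[[:space:]-]*image:[[:space:]]*[^[:space:]]' "$2" |
    sed -E "s/^([0-9]+):[[:space:]-]*image:[[:space:]]*/\1 /; s/[[:space:]]+#.*$//; s/[\"']//g" |
    awk -v reg="$1/" 'index($2, reg) != 1 { print "line " $1 ": " $2 }')
  [ -z "$out" ] && return 0
  printf '%s\n' "$out"
  return 1
}

# Constructed sample manifest. The last entry shares a name prefix with
# the private registry but is a different host; comparing against
# "REGISTRY/" (with the slash) keeps it from passing the check.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
steps:
  - name: test
    image: registry.internal.example/tap/gradle:7
  - name: lint
    image: "docker.io/library/alpine:3.19"   # not relocated
  - image: registry.internal.example.other.test/gradle
EOF

unrelocated_images registry.internal.example "$sample" ||
  echo "relocate the images listed above before applying the pipeline"
```
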
Create the workload by running:

    tanzu apps workload create APP-NAME --git-repo https://GITURL --git-branch BRANCH --type web --label app.kubernetes.io/part-of=CATALOGNAME --yes --label apps.tanzu.vmware.com/has-tests=true --param-yaml buildServiceBindings='[{"name": "settings-xml", "kind": "Secret"}]'

To instead pass the CA certificate when you create the workload, run:

    tanzu apps workload create APP-NAME --git-repo https://GITREPO --git-branch BRANCH --type web --label app.kubernetes.io/part-of=CATALOGNAME --yes --label apps.tanzu.vmware.com/has-tests=true --param-yaml buildServiceBindings='[{"name": "settings-xml", "kind": "Secret"}]' --param "gitops_ssh_secret=git-ca"

For instructions about creating a workload with the testing and scanning supply chain, see Install OOTB Supply Chain with Testing and Scanning.
In addition to the prerequisites given at Prerequisites, follow Using Grype in offline and air-gapped environments before workload creation.
Create the workload by running:

    tanzu apps workload create APP-NAME --git-repo https://GITURL --git-branch BRANCH --type web --label app.kubernetes.io/part-of=CATALOGNAME --yes --label apps.tanzu.vmware.com/has-tests=true --param-yaml buildServiceBindings='[{"name": "settings-xml", "kind": "Secret"}]'

To instead pass the CA certificate when you create the workload, run:

    tanzu apps workload create APP-NAME --git-repo https://GITREPO --git-branch BRANCH --type web --label app.kubernetes.io/part-of=CATALOGNAME --yes --label apps.tanzu.vmware.com/has-tests=true --param-yaml buildServiceBindings='[{"name": "settings-xml", "kind": "Secret"}]' --param "gitops_ssh_secret=git-ca"