This topic tells you how to set up Namespace Provisioner to automate resource creation needed for workloads to run on Out of the Box Supply Chain Basic and Out of the Box Supply Chain with Testing.
To create a developer namespace, see Provision Developer Namespaces.
Namespace Provisioner creates a set of default resources in all managed namespaces which are sufficient to run a workload through the Out of the Box Supply Chain Basic.
Run the following Tanzu CLI command to create a workload in your developer namespace.
Using the Tanzu CLI:
Create workload using Tanzu apps CLI command:
tanzu apps workload apply tanzu-java-web-app \
--git-repo https://github.com/sample-accelerators/tanzu-java-web-app \
--git-branch main \
--type web \
--app tanzu-java-web-app \
--namespace DEVELOPER-NAMESPACE \
--tail \
--yes
Using a workload YAML:
Create a workload.yaml
file:
apiVersion: carto.run/v1alpha1
kind: Workload
metadata:
labels:
app.kubernetes.io/part-of: tanzu-java-web-app
apps.tanzu.vmware.com/workload-type: web
name: tanzu-java-web-app
namespace: DEVELOPER-NAMESPACE
spec:
source:
git:
ref:
branch: main
url: https://github.com/sample-accelerators/tanzu-java-web-app
The Out of the Box Supply Chain with Testing adds the source-tester step in the supply chain which tests the source code pulled by the supply chain. For source code testing to work in the supply chain, Tekton Pipelines must exist in the same namespace as the Workload so that the Tekton PipelineRun object that is created to run the tests can reference the developer-provided Pipeline.
By default, the workload is matched to the corresponding pipeline to run using labels. Pipelines must have the label apps.tanzu.vmware.com/pipeline: test
. This provides a default match if no other labels are provided, but you can add additional labels. The pipeline expects two parameters:
source-url
is an HTTP address with a .tar.gz
file containing all the source code to test.source-revision
is the revision of the commit or image reference, such as setting workload.spec.source.image
instead of workload.spec.source.git
.For example:
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: tekton-pipeline-java
labels:
apps.tanzu.vmware.com/pipeline: test # (!) required
spec:
params:
- name: source-url # (!) required
- name: source-revision # (!) required
tasks:
- name: test
params:
- name: source-url
value: $(params.source-url)
- name: source-revision
value: $(params.source-revision)
taskSpec:
params:
- name: source-url
- name: source-revision
steps:
- name: test
image: gradle
script: |-
cd `mktemp -d`
wget -qO- $(params.source-url) | tar xvz -m
./mvnw test
To create a developer namespace, see the Provision Developer Namespaces.
Namespace Provisioner can automate the creation of a Tekton pipeline needed for the workload to run on an Out of the Box Supply Chain with Testing. You can create an example pipeline in your GitOps repository and add your GitOps repository as an additional source in Namespace Provisioner configuration in tap-values.yaml
. See Customize Installation of Namespace Provisioner.
Add the following configuration to tap-values.yaml
to add this example java pipeline to your developer namespace:
Using Namespace Provisioner Controller:
Example tap-values.yaml
configuration:
namespace_provisioner:
controller: true
additional_sources:
- git:
ref: origin/main
subPath: ns-provisioner-samples/testing-supplychain
url: https://github.com/vmware-tanzu/application-accelerator-samples.git
Using GitOps:
Example tap-values.yaml
configuration:
namespace_provisioner:
controller: false
additional_sources:
- git:
ref: origin/main
subPath: ns-provisioner-samples/testing-supplychain
url: https://github.com/vmware-tanzu/application-accelerator-samples.git
gitops_install:
ref: origin/main
subPath: ns-provisioner-samples/gitops-install
url: https://github.com/vmware-tanzu/application-accelerator-samples.git
The example pipeline resource has the following ytt logic which creates this pipeline only if the following conditions are met:
supply_chain
in your tap-values.yaml
file is either testing
or testing_scanning
profile
in your tap-values.yaml
file is either full, iterate
, or build
.#@ load("@ytt:data", "data")
#@ def in_list(key, list):
#@ return hasattr(data.values.tap_values, key) and (data.values.tap_values[key] in list)
#@ end
#@ if/end in_list('supply_chain', ['testing', 'testing_scanning']) and in_list('profile', ['full', 'iterate', 'build']):
After adding the additional source to your tap-values.yaml
file, you can see the tekton-pipeline-java
created in your developer namespace. To verify that the pipeline is created correctly:
kubectl get pipeline.tekton.dev -n DEVELOPER-NAMESPACE
Where DEVELOPER-NAMESPACE
is the name of the new developer namespace you want to use.
Run the following Tanzu CLI command to create a workload in your developer namespace:
Using the Tanzu CLI:
Create workload using Tanzu apps CLI command.
tanzu apps workload apply tanzu-java-web-app \
--git-repo https://github.com/sample-accelerators/tanzu-java-web-app \
--git-branch main \
--type web \
--app tanzu-java-web-app \
--label apps.tanzu.vmware.com/has-tests="true" \
--namespace DEVELOPER-NAMESPACE \
--tail \
--yes
Using workload YAML:
Create a workload.yaml
file:
apiVersion: carto.run/v1alpha1
kind: Workload
metadata:
labels:
app.kubernetes.io/part-of: tanzu-java-web-app
apps.tanzu.vmware.com/has-tests: "true"
apps.tanzu.vmware.com/workload-type: web
name: tanzu-java-web-app
namespace: DEVELOPER-NAMESPACE
spec:
source:
git:
ref:
branch: main
url: https://github.com/sample-accelerators/tanzu-java-web-app
The Out of the Box Supply Chain with Testing and Scanning adds the source-tester
, source-scanner
, and image-scanner
steps in the supply chain. See Scan Types for Supply Chain Security Tools - Scan. These steps test the source code pulled by the supply chain and scans for CVEs on the source and the image built by the supply chain. For these new testing and scanning steps to work, the following additional resources must exist in the same namespace as the workload:
Pipeline:
defines how to run the tests on the source code pulled by the supply chain and which image to use that has the tools to run those tests.ScanTemplate
: defines how to run a scan, you can change how the scan is run, either for images or source code.
A ScanTemplate defines the PodTemplateSpec used by a Job to run a particular scan, such as an image or source. When the supply chain initiates an ImageScan or SourceScan, they reference these templates which must be in the same namespace as the workload.
Although you can customize the templates, VMware recommends that you follow the installation of the grype.scanning.apps.tanzu.vmware.com
package. This is automatically created in all the namespaces managed by Namespace Provisioner. For more information, see About Source and Image Scans.
ScanPolicy
defines how to evaluate whether the artifacts scanned are compliant. For example, allowing one to be restrictive about particular vulnerabilities found.
To create a developer namespace, see Provision Developer Namespaces.
Namespace Provisioner can automate the creation of a Tekton pipeline and a ScanPolicy that is needed for the workload to run on an Out of the Box Supply Chain with Testing and Scanning. Create an example Pipeline and a ScanPolicy in your GitOps repository and add your GitOps repository as an additional source in Namespace Provisioner configuration in tap-values.yaml
. See Customize Installation of Namespace Provisioner.
Add the following configuration to your tap-values.yaml
file to add the example java pipeline and grype scan policy to your developer namespace. See application-accelerator-samples in GitHub.
Using Namespace Provisioner Controller:
Sample tap-values.yaml
configuration:
namespace_provisioner:
controller: true
additional_sources:
- git:
ref: origin/main
subPath: ns-provisioner-samples/testing-scanning-supplychain
url: https://github.com/vmware-tanzu/application-accelerator-samples.git
Using GitOps:
Example tap-values.yaml
configuration:
namespace_provisioner:
controller: false
additional_sources:
- git:
ref: origin/main
subPath: ns-provisioner-samples/testing-scanning-supplychain
url: https://github.com/vmware-tanzu/application-accelerator-samples.git
gitops_install:
ref: origin/main
subPath: ns-provisioner-samples/gitops-install
url: https://github.com/vmware-tanzu/application-accelerator-samples.git
The example Pipeline resource have the following ytt logic which creates this pipeline only if
supply_chain
in your tap-values.yaml
file is either testing
or testing_scanning
profile
in your tap-values.yaml
file is either full, iterate
, or build
.#@ load("@ytt:data", "data")
#@ def in_list(key, list):
#@ return hasattr(data.values.tap_values, key) and (data.values.tap_values[key] in list)
#@ end
#@ if/end in_list('supply_chain', ['testing', 'testing_scanning']) and in_list('profile', ['full', 'iterate', 'build']):
The example ScanPolicy resource have the following ytt logic which creates this pipeline only if
supply_chain
in your tap-values.yaml
file is testing_scanning
profile
in your tap-values.yaml
file is either full
or build
.After adding the additional source to your tap-values.yaml
file, you can see the tekton-pipeline-java and scan-policy
created in your developer namespace. To verify that the pipeline is created correctly:
kubectl get pipeline.tekton.dev,scanpolicies -n DEVELOPER-NAMESPACE
Where DEVELOPER-NAMESPACE
is the name of the new developer namespace you want to use.
Run the following Tanzu CLI command to create a workload in your developer namespace:
Using the Tanzu CLI:
Create workload using Tanzu apps CLI command.
tanzu apps workload apply tanzu-java-web-app \
--git-repo https://github.com/sample-accelerators/tanzu-java-web-app \
--git-branch main \
--type web \
--app tanzu-java-web-app \
--label apps.tanzu.vmware.com/has-tests="true" \
--namespace DEVELOPER-NAMESPACE \
--tail \
--yes
Using a workload YAML:
Create a workload.yaml file:
apiVersion: carto.run/v1alpha1
kind: Workload
metadata:
labels:
app.kubernetes.io/part-of: tanzu-java-web-app
apps.tanzu.vmware.com/has-tests: "true"
apps.tanzu.vmware.com/workload-type: web
name: tanzu-java-web-app
namespace: DEVELOPER-NAMESPACE
spec:
source:
git:
ref:
branch: main
url: https://github.com/sample-accelerators/tanzu-java-web-app