VMware Tanzu Application Platform Developer Components

VMware Tanzu Application Platform (informally known as TAP) provides development tools which allow developers to quickly build, test, deploy, and manage applications lifecycle.

Application Workloads

Tanzu Application Platform allows developers to quickly build and test applications. You can turn source code into a workload that runs in a container with a URL. A workload allows users to choose application specifications, such as repository location, environment variables, service binding, and so on.

While using the out-of-the-box Supply Chain, the apps.tanzu.vmware.com/workload-type annotation selects which style of deployment is suitable for your application. The valid values are as follows:

Workload Type Description Indicators
web Scalable Web Applications - Scales based on request load
- Automatically exposed by means of HTTP Ingress
- Does not perform background work
- Works with Service Bindings
- Stateless
server Traditional Applications - Provides HTTP or TCP services on the network
- Exposed by means of external Ingress or Load Balancer settings
- Might perform background work from a queue
- Works with Service Bindings
- Fixed scaling, no disk persistence
worker Background Applications - Does not provide network services
- Not exposed externally as a network service
- Might perform background work from a queue
- Works with Service Bindings
- Fixed scaling, no disk persistence

Tanzu Application Platform Developer Components (Inner-Loop)

Tanzu Application Platform Dev components include the following options:

Note

The Tanzu Application Dev components are not limited to the below options only.

  • Accelerator
  • API Portal
  • AppSSO
  • API Auto Registration
  • AppLiveView
  • Supply Chain Security Tools (SCST) - Scan

Accelerator

The Application Accelerator user interface (UI) enables you discover the available accelerators, configure them, and generate new projects to download.

Accelerator Architecture

Accelerator Architecture

The Application Accelerator allows you to generate new projects from files in Git repositories. An accelerator.yaml file in the repository declares input options for the accelerator. The Accelerator custom resources (CRs) control which repositories appear in the Application Accelerator UI. The Accelerator controller reconciles the CRs with a Flux2 Source Controller to fetch files from GitHub or GitLab. For more information, see Tanzu Application Platform Accelerator.

API Portal

The API portal enables API consumers to find APIs that they can use in their own applications. The API portal assembles its dashboard and detailed API documentation views by ingesting OpenAPI documentation from the source URLs. For more information, see Tanzu Application Platform API portal.

AppSSO

The AppSSO conforms to the OIDC standard and enables the use of external identity providers for user management, registration, and authentication. It supports OIDC providers such as Microsoft Active Directory, Okta, Google, Facebook, and so on.

AppSSO Architecture

AppSSO Architecture

The following components must be installed on the run cluster:

  • IdentityProvider - these include social media providers, such as, Google, Facebook, or SAML providers, such as, Active Directory.
  • AuthServer - the intermediary between the identity provider and the client application, where one or more identity providers are defined.
  • ClientRegistration - handles requests for the client id and client secret on behalf of an application, and defines the scopes allowable by the backend authentication server.
  • OAuth2 Proxy - a sidecar container deployed with an application for handling inbound and outbound authentication traffic to the end-user application in the same pod.

See the following sample:

Kind: AuthServer
spec:
  replicas: 1
  tls:
    disabled: true
  identityProviders:
   - name: my-oidc-provider
      openID:
        issuerURI: https://auth-service.auth0.com
        clientID: my-client-abcdef
        clientSecretRef:
          name: my-openid-client-secret
        scopes:
          - "openid"
          - "other-scope"
        authorizationUri: https://example.com/oauth2/authorize
        tokenUri: https://example.com/oauth2/token
        jwksUri: https://example.com/oauth2/jwks
        claimMappings:
          roles: my-oidc-provider-groups

The values in the identityProviders section can be retrieved from the identity provider and set here. For example, the issuerURI, in this case, is Auth0. It supports OIDC providers such as Microsoft Active Directory, Okta, Google, Facebook, and so on.

kind: ClientRegistration
spec:
   authServerSelector:
      matchLabels:
         name: my-first-auth-server
         env: tutorial
   redirectURIs:
      - "http://test-app.example.com/oauth2/callback"
   requireUserConsent: false
   clientAuthenticationMethod: basic
   authorizationGrantTypes:
      - "client_credentials"
      - "authorization_code"
   scopes:
      - name: "openid"
      - name: "email"
      - name: "profile"
      - name: "roles"
      - name: "message.read"

The settings in ClientRegistration contain the redirectURL pointing to a page in the end-user application to be redirected to after the successful authentication. The settings here also reference the AuthServer by its pod’s labels on behalf of the end-user application. For more information, see Tanzu Application Platform AppSSO.

API Auto Registration

The API Auto Registration automates the registration of API specifications defined in a workload’s configuration, and makes them accessible in the Tanzu Application Platform GUI without additional steps. An automated workflow, using a supply chain, leverages API Auto Registration to create and manage a Kubernetes Custom Resource (CR) of kind APIDescriptor. It automatically generates and provides API specifications in OpenAPI, AsyncAPI, GraphQL, or gRPC API formats to the Tanzu Application GUI API Documentation plugin.

Tanzu Application Platform GUI Automated Workflow

TAP GUI automated workflow

The API Documentation plug-in displays a list of APIs provided by components registered in the Catalog providing an easy way for developers to find APIs in a single location.

API Auto Registration components are installed by the run and full profiles.

Recommendations

  • The API Auto Registration package configuration in run clusters must be updated to include the Tanzu Application Platform GUI URL allowing it to register workload APIs into the GUI in the view cluster.
  • Workload configuration files must set the register-api property to true to enable this feature and include the api_descriptor parameter. For example: apis.apps.tanzu.vmware.com/register-api: "true".
  • To use the OpenAPI “TRY IT OUT” feature in Tanzu Application GUI, the Workload must configure Cross-origin Resource Sharing (CORS) to allow requests originating from the GUI.

For more information about API Auto Registration, see API Auto Registration.

AppLiveView

Application Live View is a lightweight insights and troubleshooting tool that helps app developers and app operators to look inside running applications. The application provides information from inside the running processes using its HTTP endpoints, otherwise known as actuators. Application Live View uses those endpoints to get and interact with metric data from your application.

AppLiveView Cluster Architecture on Multi-Cluster Setup

AppLiveView Cluster Architecture

The following packages are installed by default in a multi-cluster topology.

  • backend.appliveview.tanzu.vmware.com should be included in the view cluster profile and exposed as a Kubernetes Service to connectors on the run cluster.
  • connector.appliveview.tanzu.vmware.com should be included in the run cluster profile and deployed as a Kubernetes DaemonSet configured to communicate with the backend service on the view cluster.
  • conventions.appliveview.tanzu.vmware.com should be included in the build profile and deploy the Conventions service.

The relevant profile settings only apply to the following clusters and dependencies:

View Cluster

profile: view
appliveview:
  ingressEnabled: true #optional, false by default
  ingressDomain: <domain> #optional, overrides shared ingress
  sslDisabled: true #optional, false by default

Run Clusters

profile: run
appliveview_connector:
  backend:
    sslDisabled: true #optional, false by default
    host: appliveview.${view_domain} #appliveview is default subdomain

AppLiveView Dependencies

Application workloads require actuator endpoints to report metrics from within the application back to appliveview, and viewable from the Tanzu Application Platform GUI portal.

Supply Chain Security Tools (SCST) - Scan

The Scan package includes enterprise-ready source code and container image scanning using the out-of-the-box Grype, with support planned for Snyk and Carbon Black. It integrates with the Tanzu Application Platform user interface by reading scan results from the SCST Store and displaying detailed reports of CVEs found by Scan during a build process. It can prevent software with vulnerabilities from being deployed in production environments through the use of scan policies to protect the network.

SCST Architecture

SCST Architecture

By default, the following components are installed in the build profile:

  • Scan Controller - enables the use of a scanner. This component is packaged in scanning.apps.tanzu.vmware.com.
  • Out-of-the-box Grype scanner - executes static source code and image scans - packaged in grype.scanning.apps.tanzu.vmware.com.

The Tanzu CLI plugins include the following:

  • Insight - used to create configuration settings for ScanController, and for querying the SCST Store source and image scan results.

The relevant profile settings are only configured in the build profile.

Profile: build
grype:
  metadataStore:
    url: https://metadata-store.${app_domain}
    caSecret:
        name: store-ca-cert
        importFromNamespace: metadata-store-secrets
    authSecret:
        name: store-auth-token
        importFromNamespace: metadata-store-secrets

SCST Dependencies

  • Scan requires the installation of SCST Store on the view cluster to send and save the results of source and image scans.

  • The view cluster certificate and token must be extracted and set in the build profile to enable the scanner components to communicate with the view cluster where the results of scans are stored and available for inquiry.

CI/CD Pipelines for Custom Supply Chain

Tanzu Application Platform supports Tekton pipelines using the tekton-pipelines package to customize the supply chain. It allows developers to build, test, and deploy across cloud providers and on-premises systems. For more information, see Tekton documentation.

To learn more about all Tanzu Application Platform components, see Component documentation.

check-circle-line exclamation-circle-line close-line
Scroll to top icon