This topic tells you how to install Tanzu Application Platform (commonly known as TAP) through GitOps with secrets managed in a Git repository.
CautionTanzu Application Platform (GitOps) is currently in beta and is intended for evaluation and test purposes only. Do not use in a production environment.
Tanzu GitOps Reference Implementation (RI) does not support changing the secrets management strategy for a cluster.
Before installing Tanzu Application Platform, you need:
Before installation, you must relocate the Tanzu Application Platform images from tanzu.packages.broadcom.com
to your own container image registry.
The supported registries are Harbor, Azure Container Registry, Google Container Registry, and Quay.io. See the following documentation to learn how to set up your container image registry:
To relocate images from tanzu.packages.broadcom.com
to your registry:
Retrieve your Broadcom registry API token:
Sign in to the Broadcom Support Portal.
Go to Tanzu Application Platform (TAP) and expand the VMware Tanzu Application Platform dropdown.
Click the Token Download icon next to the Tanzu Application Platform version you want to download.
Follow the instructions in the dialog box. Save the token as a variable named MY_BROADCOM_SUPPORT_ACCESS_TOKEN
. For example:
export MY_BROADCOM_SUPPORT_ACCESS_TOKEN=API-TOKEN
Where API-TOKEN
is your token from the Broadcom Support Portal.
Set up environment variables for installation use by running:
# Set tanzu.packages.broadcom.com as the source registry to copy the Tanzu Application Platform packages from.
export IMGPKG_REGISTRY_HOSTNAME_0=tanzu.packages.broadcom.com
export IMGPKG_REGISTRY_USERNAME_0=MY-BROADCOM-SUPPORT-USERNAME
export IMGPKG_REGISTRY_PASSWORD_0=${MY_BROADCOM_SUPPORT_ACCESS_TOKEN}
# The user’s registry for copying the Tanzu Application Platform package to.
export IMGPKG_REGISTRY_HOSTNAME_1=MY-REGISTRY
export IMGPKG_REGISTRY_USERNAME_1=MY-REGISTRY-USER
export IMGPKG_REGISTRY_PASSWORD_1=MY-REGISTRY-PASSWORD
# These environment variables starting with IMGPKG_* are used by the imgpkg command only.
# The registry from which the Tanzu Application Platform package is retrieved.
export INSTALL_REGISTRY_USERNAME="${IMGPKG_REGISTRY_USERNAME_1}"
export INSTALL_REGISTRY_PASSWORD="${IMGPKG_REGISTRY_PASSWORD_1}"
export INSTALL_REGISTRY_HOSTNAME="${IMGPKG_REGISTRY_HOSTNAME_1}"
export TAP_VERSION=VERSION-NUMBER
export INSTALL_REPO=TARGET-REPOSITORY
Where:
MY-BROADCOM-SUPPORT-USERNAME
is the user with access to the images in tanzu.packages.broadcom.com
.MY-REGISTRY
is your own container registry.MY-REGISTRY-USER
is the user with write access to MY-REGISTRY
.MY-REGISTRY-PASSWORD
is the password for MY-REGISTRY-USER
.VERSION-NUMBER
is your Tanzu Application Platform version. For example, 1.11.0
.TARGET-REPOSITORY
is your target repository. This is a folder or repository on MY-REGISTRY
that serves as the location for the Tanzu Application Platform installation files.VMware recommends using a JSON key file to authenticate with Google Container Registry. In this case, the value of INSTALL_REGISTRY_USERNAME
is _json_key
and the value of INSTALL_REGISTRY_PASSWORD
is the content of the JSON key file. For more information about how to generate the JSON key file, see Google Container Registry documentation.
Install the Carvel tool imgpkg
CLI.
To query for the available versions of Tanzu Application Platform on tanzu.packages.broadcom.com
, run:
imgpkg tag list -i tanzu.packages.broadcom.com/tanzu-application-platform/tap-packages | sort -V
Relocate the images with the imgpkg
CLI by running:
imgpkg copy -b tanzu.packages.broadcom.com/tanzu-application-platform/tap-packages:${TAP_VERSION} --to-repo ${INSTALL_REGISTRY_HOSTNAME}/${INSTALL_REPO}/tap-packages
Complete the following steps if you install Tanzu Application Platform in an air-gapped environment:
Retrieve the Tanzu Build Service version by running:
kubectl get package -n tap-install | grep buildservice
Relocate the Tanzu Build Service images to your registry by running:
imgpkg copy -b tanzu.packages.broadcom.com/tanzu-application-platform/full-tbs-deps-package-repo:TBS-VERSION --to-repo ${INSTALL_REGISTRY_HOSTNAME}/${INSTALL_REPO}/full-tbs-deps-package-repo
Where TBS-VERSION
is the version of Tanzu Build Service you retrieved.
Host a grype
database in the air-gapped environment. For more information, see Use vulnerability scanning in offline and air-gapped environments.
Follow these steps to create a new Git repository and set up the authentication:
In a hosted Git service, for example, GitHub or GitLab, create a new repository.
This version of Tanzu GitOps RI supports authenticating to a hosted Git repository by using SSH and Basic Authentication.
Initialize a new Git repository:
mkdir -p $HOME/tap-gitops
cd $HOME/tap-gitops
git init
git remote add origin git@github.com:my-organization/tap-gitops.git
Set up the authentication method.
GIT_SSH_PRIVATE_KEY
.
ImportantOnly use one of
ssh
orBasic Authentication
, not both.
Download Tanzu GitOps Reference Implementation for Tanzu Application Platform v1.11.0 from the Broadcom Support Portal.
Unpack the downloaded TGZ file into the $HOME/tap-gitops
directory by running:
tar xvf tanzu-gitops-ri-*.tgz -C $HOME/tap-gitops
Commit the initial state:
cd $HOME/tap-gitops
git add . && git commit -m "Initialize Tanzu GitOps RI"
git push -u origin
Seed configuration for a cluster using SOPS:
cd $HOME/tap-gitops
./setup-repo.sh CLUSTER-NAME sops
Where:
CLUSTER-NAME
the name of your cluster.sops
selects the Secrets OPerationS-based secrets management variant.Example:
cd $HOME/tap-gitops
./setup-repo.sh full-tap-cluster sops
Created cluster configuration in ./clusters/full-tap-cluster.
...
This script creates the directory clusters/full-tap-cluster/
and copies in the configuration required to sync this Git repository with the cluster and installing Tanzu Application Platform.
Commit and push:
git add . && git commit -m "Add full-tap-cluster"
git push
Tanzu Sync Reference Implementation (RI) splits the values configuration of Tanzu Application Platform into two categories:
The following sections describe how to create these values files.
Follow these steps to prepare the sensitive Tanzu Application Platform values:
Generate Age public or secrets keys:
NoteSkip this step if you already have an Age key to encrypt or decrypt secrets.
mkdir -p $HOME/tmp-enc
chmod 700 $HOME/tmp-enc
cd $HOME/tmp-enc
age-keygen -o key.txt
cat key.txt
# created: 2023-02-08T10:55:35-07:00
# public key: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
AGE-SECRET-KEY-my-secret-key
Create a plain YAML file tap-sensitive-values.yaml
outside of your Git repository that contains a placeholder for the sensitive portion of the Tanzu Application Platform values:
---
tap_install:
sensitive_values:
Encrypt tap-sensitive-values.yaml
with Age using SOPS:
export SOPS_AGE_RECIPIENTS=$(cat key.txt | grep "# public key: " | sed 's/# public key: //')
sops --encrypt tap-sensitive-values.yaml > tap-sensitive-values.sops.yaml
Where:
grep
is used to find the line containing the public key portion of the generated secret.sed
is used to extract the public key from the line found by grep
.(Optional) Verify the encrypted file can be decrypted:
export SOPS_AGE_KEY_FILE=key.txt
sops --decrypt tap-sensitive-values.sops.yaml
(Optional) Verify the encrypted file can be edited directly by using SOPS:
sops tap-sensitive-values.sops.yaml
Move the sensitive Tanzu Application Platform values into the cluster config:
mv tap-sensitive-values.sops.yaml GIT-REPO-ROOT/clusters/CLUSTER-NAME/cluster-config/values/
Example:
mv tap-sensitive-values.sops.yaml $HOME/tap-gitops/clusters/full-tap-cluster/cluster-config/values/
(Optional) Retain the Age identity key file in a safe and secure place such as a password manager, and purge the scratch space:
mv key.txt SAFE-LOCATION/
export SOPS_AGE_KEY_FILE=SAFE-LOCATION/key.txt
rm -rf $HOME/tmp-enc
Create a plain YAML file GIT-REPO-ROOT/clusters/CLUSTER-NAME/cluster-config/values/tap-non-sensitive-values.yaml
by using the Full Profile sample as a guide:
Example:
---
tap_install:
values:
ceip_policy_disclosed: true
excluded_packages:
- policy.apps.tanzu.vmware.com
...
To install Tanzu Application Platform in an offline environment, you must configure Tanzu Build Service
and Grype
to work in an air-gapped environment:
---
tap_install:
values:
...
buildservice:
exclude_dependencies: true
grype:
db:
dbUpdateUrl: INTERNAL-VULN-DB-URL
Where INTERNAL-VULN-DB-URL
is the URL that points to the internal file server.
For more information, see Components and installation profiles.
After filling in the non-sensitive values, follow these steps to extract the sensitive values into tap-sensitive-values.sops.yaml
that you prepared earlier:
Open an editor through SOPS to edit the encrypted sensitive values file:
sops GIT-REPO-ROOT/clusters/CLUSTER-NAME/cluster-config/values/tap-sensitive-values.sops.yaml
Example:
sops $HOME/tap-gitops/clusters/full-tap-cluster/cluster-config/values/tap-sensitive-values.sops.yaml
Add the sensitive values:
Example of the container registry credentials using basic authentication:
---
tap_install:
sensitive_values:
shared:
image_registry:
project_path: "example.com/my-project/tap"
username: "my_username"
password: "my_password"
Example of the container registry credentials using Google Container Registry:
---
tap_install:
sensitive_values:
shared:
image_registry:
project_path: "gcr.io/my-project/tap"
username: "_json_key"
password: |
{
"type": "service_account",
"project_id": "my-project",
"private_key_id": "my-private-key-id",
"private_key": "-----BEGIN PRIVATE KEY-----\n..........\n-----END PRIVATE KEY-----\n",
...
}
Follow these steps to prepare the sensitive Tanzu Sync values:
Create a plain YAML file tanzu-sync-values.yaml
outside of your Git repository that contains a placeholder for the sensitive portion of Tanzu Sync values:
---
secrets:
sops:
Encrypt tanzu-sync-values.yaml
with Age using SOPS:
export SOPS_AGE_RECIPIENTS=$(cat key.txt | grep "# public key: " | sed 's/# public key: //')
sops --encrypt tanzu-sync-values.yaml > tanzu-sync-values.sops.yaml
Where:
grep
is used to find the line containing the public key portion of the generated secret.sed
is used to extract the public key from the line found by grep
.Move the encrypted sensitive Tanzu Application Platform values into the Tanzu Sync config:
mv tanzu-sync-values.sops.yaml GIT-REPO-ROOT/clusters/CLUSTER-NAME/tanzu-sync/app/sensitive-values/tanzu-sync-values.sops.yaml
Example:
mv tanzu-sync-values.sops.yaml $HOME/tap-gitops/clusters/full-tap-cluster/tanzu-sync/app/sensitive-values/tanzu-sync-values.sops.yaml
Follow these steps to populate tap-sensitive-values.sops.yaml
with credentials:
Open an editor and use SOPS to edit the encrypted sensitive values file:
sops GIT-REPO-ROOT/clusters/CLUSTER-NAME/tanzu-sync/app/sensitive-values/tanzu-sync-values.sops.yaml
Example:
sops $HOME/tap-gitops/clusters/full-tap-cluster/tanzu-sync/app/sensitive-values/tanzu-sync-values.sops.yaml
Add the sensitive values:
Configuration example for the Git SSH authentication:
---
secrets:
sops:
age_key: |
AGE-KEY
registry:
hostname: MY-REGISTRY
username: MY-REGISTRY-USER
password: MY-REGISTRY-PASSWORD
git:
ssh:
private_key: |
PRIVATE-KEY
known_hosts: |
HOST-LIST
Configuration example for the Git basic authentication:
---
secrets:
sops:
age_key: |
AGE-KEY
registry:
hostname: MY-REGISTRY
username: MY-REGISTRY-USER
password: MY-REGISTRY-PASSWORD
git:
basic_auth:
username: MY-GIT-USERNAME
password: MY-GIT-PASSWORD
Where:
AGE-KEY
is the contents of the Age key generated earlier.MY-REGISTRY
is your container image registry.MY-REGISTRY-USER
is the user with read access to MY-REGISTRY
.MY-REGISTRY-PASSWORD
is the password for MY-REGISTRY-USER
.PRIVATE-KEY
is the contents of an SSH private key file with read access to your Git repository. Only applies when you use ssh
.HOST-LIST
is the list of known hosts for Git host service. Only applies when you use ssh
.MY-GIT-USERNAME
is the user with read access to your Git repository. Only applies when you use basic authentication
.MY-GIT-PASSWORD
is the password for MY-GIT-USERNAME
. Only applies when you use basic authentication
.You can find the schema for Tanzu Sync credentials in GIT-REPO-ROOT/clusters/CLUSTER-NAME/tanzu-sync/app/config/.tanzu-managed/schema--sops.yaml
Follow these steps to generate the Tanzu Application Platform installation and Tanzu Sync configuration:
Set up environment variables by running:
export TAP_PKGR_REPO=TAP-PACKAGE-OCI-REPOSITORY
export SOPS_AGE_KEY=AGE-KEY
Where:
TAP-PACKAGE-OCI-REPOSITORY
is the fully-qualified path to the OCI repository hosting the Tanzu Application Platform images. If the images are relocated as described in Relocate images to a registry, this value is ${INSTALL_REGISTRY_HOSTNAME}/${INSTALL_REPO}/tap-packages
.AGE-KEY
is the contents of the Age key generated earlier.Example of the Git repo hosted on GitHub:
export TAP_PKGR_REPO=tanzu.packages.broadcom.com/tanzu-application-platform/tap-packages
export SOPS_AGE_KEY=$(cat $HOME/tmp-enc/key.txt)
Generate the Tanzu Application Platform install and the Tanzu Sync configuration files by using the provided script:
cd GIT-REPO-ROOT/clusters/CLUSTER-NAME
./tanzu-sync/scripts/configure.sh
Example:
cd $HOME/tap-gitops/clusters/full-tap-cluster
./tanzu-sync/scripts/configure.sh
(Optional) Update Tanzu Application Platform to use the latest patch:
Update the Tanzu Application Platform version in GIT-REPO-ROOT/clusters/CLUSTER-NAME/cluster-config/values/tap-install-values.yaml
:
tap_install:
...
version:
package_repo_bundle_tag: "1.11.0" # Populate these values with the latest patch version.
package_version: "1.11.0"
Where:
package_repo_bundle_tag
is the version of Tanzu Application Platform you want to upgrade to.package_version
is the version of Tanzu Application Platform you want to upgrade to. This version must match package_repo_bundle_tag
.NoteTanzu GitOps RI does not provide a separate artifact for each patch version within a minor line. For example, Tanzu Application Platform v1.6.x only contains the v1.6.1 GitOps artifact.
Commit the generated configured to Git repository:
git add cluster-config/ tanzu-sync/
git commit -m "Configure install of TAP 1.6.1"
git push
Follow these steps to deploy Tanzu Sync:
Install the Carvel tools kapp
and ytt
onto your $PATH
:
sudo cp $HOME/tanzu-cluster-essentials/kapp /usr/local/bin/kapp
sudo cp $HOME/tanzu-cluster-essentials/ytt /usr/local/bin/ytt
Set the Kubernetes cluster context.
List the existing contexts:
kubectl config get-contexts
Set the context to the cluster that you want to deploy:
kubectl config use-context CONTEXT-NAME
Where CONTEXT-NAME
can be retrieved from the outputs of the previous step.
Deploy the Tanzu Sync component:
cd GIT-REPO-ROOT/clusters/CLUSTER-NAME
./tanzu-sync/scripts/deploy.sh
Example:
cd $HOME/tap-gitops/clusters/full-tap-cluster
./tanzu-sync/scripts/deploy.sh
NoteDepending on the profile and components included, it may take 5-10 minutes for Tanzu Application Platform to install. During this time,
kapp
waits for the deployment of Tanzu Sync to reconcile successfully. This is normal.