Template reference for Supply Chain Choreographer

This topic describes the objects from templates that you can use with Supply Chain Choreographer.

All the objects referenced in this topic are Cartographer Templates packaged in Out of the Box Templates.

This topic describes:

  • The purpose of the templates
  • The one or more objects that the templates create
  • The supply chains that include the templates
  • The parameters that the templates use

source-template

Purpose

Creates an object to fetch source code and make that code available to other objects in the supply chain. See Building from Source.

Used by

Creates

The source-template creates one of three objects, either:

  • GitRepository. Created if the workload has .spec.source.git defined.
  • MavenArtifact. Created if the template is provided a value for the parameter maven.
  • ImageRepository. Created if the workload has .spec.source.image defined.

GitRepository

GitRepository makes source code from a particular commit available as a tarball in the cluster. Other resources in the supply chain can then access that code.

Parameters
Parameter name Meaning Example
gitImplementation The library used to fetch source code.
      - name: gitImplementation
        value: go-git`
      
source_credentials_secret Name of the secret used to provide credentials for the Git repository. The secret with this name must exist in the same namespace as the Workload. The credentials must be sufficient to read the repository. See Git authentication.
      - name: source_credentials_secret
        value: git-credentials
      
gitops_ssh_secret Deprecated Only used if provided and source_credentials_secret is not provided. Name of the secret used to provide credentials for the Git repository. The secret with this name must exist in the same namespace as the Workload. The credentials must be sufficient to read the repository. See Git authentication.
      - name: gitops_ssh_secret
        value: git-credentials
      
More information

For an example using the Tanzu CLI to create a Workload using GitHub as the provider of source code, see Create a workload from GitHub repository.

For information about GitRepository objects, see GitRepository.

ImageRepository

ImageRepository makes the contents of a container image available as a tarball on the cluster.

Parameters
Parameter name Meaning Example
serviceAccount Name of the service account, providing credentials to ImageRepository for fetching container images. The service account must exist in the same namespace as the Workload.
      - name: serviceAccount
        value: default
      
Note

When using the Tanzu CLI to configure this serviceAccount parameter, use --param serviceAccount=.... The similarly named --service-account flag sets a different value: the spec.serviceAccountName key in the Workload object.

More information

For information about the ImageRepository resource, see the ImageRepository reference documentation.

For information about how to use the Tanzu CLI to create a workload leveraging ImageRepository, see Create a workload from local source code.

MavenArtifact

MavenArtifact makes a pre-built Java artifact available to as a tarball on the cluster.

While the source-template leverages the workload’s .spec.source field when creating a GitRepository or ImageRepository object, the creation of the MavenArtifact relies only on parameters in the Workload.

Parameters
Parameter name Meaning Example
maven Points to the Maven artifact to fetch and the polling interval.
      - name: maven
        value:
          artifactId: springboot-initial
          groupId: com.example
          version: RELEASE
          classifier: sources         # optional
          type: jar                   # optional
          artifactRetryTimeout: 1m0s  # optional
      
maven_repository_url Specifies the Maven repository from which to fetch
      - name: maven_repository_url
        value: https://repo1.maven.org/maven2/
      
maven_repository_secret_name Specifies the secret containing credentials necessary to fetch from the Maven repository. The secret named must exist in the same workspace as the workload.
      - name: maven_repository_secret_name
        value: auth-secret
      
More information

For information about the custom resource, see MavenArtifact reference docs.

For information about how to use the custom resource with the Tanzu Apps CLI plug-in, see Create a workload from a Maven repository artifact.

testing-pipeline

Purpose

Tests the source code provided in the supply chain. Testing depends on a user provided Tekton Pipeline. Parameters for this template allow for selection of the proper Pipeline and for specification of additional values to pass to the Pipeline.

Used by

These are used as the source-tester resource.

Creates

testing-pipelinecreates a Runnable object. This Runnable provides inputs to the ClusterRunTemplate named tekton-source-pipelinerun.

Parameters

Parameter name Meaning Example
testing_pipeline_matching_labels Set of labels to use when searching for Tekton Pipeline objects in the same namespace as the Workload. By default, a Pipeline labeled as apps.tanzu.vmware.com/pipeline: test is selected.
      - name: testing_pipeline_matching_labels
        value:
          apps.tanzu.vmware.com/pipeline: test
          my.company/language: golang
      
testing_pipeline_params Set of parameters to pass to the Tekton Pipeline. To this set of parameters, the template always adds the source URL and revision as source-url and source-revision.
      - name: testing_pipeline_params
        value:
        - name: verbose
          value: true
        - name: foo
          value: bar
      

More information

For information about the ClusterRunTemplate that pairs with the Runnable, read tekton-source-pipelinerun

For information about the Tekton Pipeline that the user must create, read the OOTB Supply Chain Testing documentation of the Pipeline

source-scanner-template

Purpose

Scans the source code for vulnerabilities.

Used by

This is used as the source-scanner resource.

Creates

SourceScan

Parameters

Parameter name Meaning Example
scanning_source_template Name of the ScanTemplate object to use for running the scans. The ScanTemplate must be in the same namespace as the Workload.
      - name: scanning_source_template
        value: private-source-scan-template
      
scanning_source_policy Name of the ScanPolicy object to use when evaluating the scan results of a source scan. The ScanPolicy must be in the same namespace as the Workload.
      - name: scanning_source_policy
        value: allowlist-policy
      

More information

For information about how to set up the Workload namespace with the ScanPolicy and ScanTemplate required for this resource, see Out of the Box Supply Chain with Testing and Scanning.

For information about the SourceScan custom resource, see SourceScan reference.

For information about how the artifacts found during scanning are catalogued, see Supply Chain Security Tools for Tanzu – Store.

image-provider-template

Purpose

Fetches a container image of a prebuilt application, specified in the workload’s .spec.image field. This makes the content-addressable name, (e.g. the image name containing the digest) available to other resources in the supply chain.

Used by

These are used as the image-provider resource.

Creates

ImageRepository.source.apps.tanzu.vmware.com

Parameters

Parameter name Meaning Example
serviceAccount Name of the service account providing credentials for the target image registry. The service account must exist in the same namespace as the Workload.
      - name: serviceAccount
        value: default
      
Note

When using the Tanzu CLI to configure this serviceAccount parameter, use --param serviceAccount=.... The similarly named --service-account flag sets a different value: the spec.serviceAccountName key in the Workload object.

More information

For information about the ImageRepository resource, see ImageRepository reference docs.

For information about prebuilt images, see Using a prebuilt image.

kpack-template

Purpose

Builds an container image from source code using cloud native buildpacks.

Used by

These are used as the image-provider resource when the workload parameter dockerfile is not defined.

Creates

Image.kpack.io

Parameters

Parameter name Meaning Example
serviceAccount Name of the service account providing credentials for the configured image registry. Image uses these credentials to push built container images to the registry. The service account must exist in the same namespace as the Workload.
      - name: serviceAccount
        value: default
      
clusterBuilder Name of the Kpack Cluster Builder to use.
      - name: clusterBuilder
        value: nodejs-cluster-builder
      
buildServiceBindings Definition of a list of service bindings to make use at build time. For example, providing credentials for fetching dependencies from repositories that require credentials.
      - name: buildServiceBindings
        value:
          - name: settings-xml
            kind: Secret
            apiVersion: v1
      
live-update Enable the use of Tilt's live-update function.
      - name: live-update
        value: "true"
      
Note

When using the Tanzu CLI to configure this serviceAccount parameter, use --param serviceAccount=.... The similarly named --service-account flag sets a different value: the spec.serviceAccountName key in the Workload object.

More information

For information about the integration with Tanzu Build Service, see Tanzu Build Service Integration.

For information about live-update, see Developer Conventions and Overview of Tanzu Developer Tools for IntelliJ.

For information about using Kpack builders with clusterBuilder, see Builders.

For information about buildServiceBindings, see Service Bindings.

kaniko-template

Purpose

Build an image for source code that includes a Dockerfile.

Used by

These are used as the image-provider resource when the workload parameter dockerfile is defined.

Creates

A taskrun.tekton.dev provides configuration to the Tekton Task kaniko-build which builds an image with kaniko.

This template uses the lifecycle: tekton flag to create new immutable objects rather than updating the previous object.

Parameters

Parameter name Meaning Example
dockerfile relative path to the Dockerfile file in the build context
./Dockerfile
docker_build_context relative path to the directory where the build context is
.
docker_build_extra_args List of flags to pass directly to kaniko,such as providing arguments to a build.
- --build-arg=FOO=BAR
serviceAccount Name of the service account to use for providing Docker credentials. The service account must exist in the same namespace as the Workload. The service account must have a secret associated with the credentials. See Configuring authentication for Docker in the Tekton documentation.
      - name: serviceAccount
        value: default
      
registry Specification of the registry server and repository in which the built image is placed.
      - name: registry
        value:
          server: index.docker.io
          repository: web-team
      

More information

For information about how to use Dockerfile-based builds and limits associated with the function, see Dockerfile-based builds.

For information about lifecycle:tekton, read Cartographer Lifecycle.

image-scanner-template

Purpose

Scans the container image for vulnerabilities, persists the results in a store, and prevents the image from moving forward if CVEs are found which are not compliant with its referenced ScanPolicy.

Used by

Creates

ImageScan.scanning.apps.tanzu.vmware.com

Parameters

Parameter name Meaning Example
scanning_image_template Name of the ScanTemplate object for running the scans against a container image. The ScanTemplate must be in the same namespace as the Workload.
      - name: scanning_image_template
        value: private-image-scan-template
      
scanning_image_policy Name of the ScanPolicy object for evaluating the scan results of an image scan. The ScanPolicy must be in the same namespace as the Workload.
      - name: scanning_image_policy
        value: allowlist-policy
      

More information

For information about the ImageScan custom resource, see ImageScan reference.

For information about how the artifacts found during scanning are catalogued, see Supply Chain Security Tools for Tanzu – Store.

convention-template

Purpose

Create the PodTemplateSpec for the Kubernetes configuration (e.g. the knative service or kubernetes deployment) which are applied to the cluster.

Used by

Creates

Creates a PodIntent object. The PodIntent leverages conventions installed on the cluster. The PodIntent object is responsible for generating a PodTemplateSpec. The PodTemplateSpec is used in app configs, such as knative services and deployments, to represent the shape of the pods to run the application in containers.

Parameters

Parameter name Meaning Example
serviceAccount Name of the serviceAccount providing necessary credentials to PodIntent. The serviceAccount must be in the same namespace as the Workload. The serviceAccount is set as the serviceAccountName in the podtemplatespec. The credentials associated with the serviceAccount must allow fetching the container image used to inspect the metadata passed to convention servers.
      - name: serviceAccount
        value: default
      
annotations Extra set of annotations to pass down to the PodTemplateSpec.
      - name: annotations
        value:
          name: my-application
          version: v1.2.3
          team: store
      
debug Put the workload in debug mode.
      - name: debug
        value: "true"
      
live-update Enable live-updating of the code (for innerloop development).
      - name: live-update
        value: "true"
      
Note

When using the Tanzu CLI to configure this serviceAccount parameter, use --param serviceAccount=.... The similarly named --service-account flag sets a different value: the spec.serviceAccountName key in the Workload object.

More information

For information about PodTemplateSpec, see PodTemplateSpec in the Kubernetes documentation.

For information about conventions, see Cartographer Conventions.

For information about the two convention servers enabled by default in Tanzu Application Platform installations, see Developer Conventions and Spring Boot conventions.

config-template

Purpose

For workloads with the label apps.tanzu.vmware.com/workload-type: web, define a knative service.

Used by

Creates

A ConfigMap, in which the data field has a key delivery.yaml whose value is the definition of a knative service.

Parameters

None

More information

See workload types for more details about the three different types of workloads.

worker-template

Purpose

For workloads with the label apps.tanzu.vmware.com/workload-type: worker, define a Kubernetes Deployment.

Used by

Creates

A ConfigMap, in which the data field has a key delivery.yaml whose value is the definition of a Kubernetes Deployment.

Parameters

None

More information

For information about the three different types of workloads, see workload types.

server-template

Purpose

For workloads with the label apps.tanzu.vmware.com/workload-type: server, define a Kubernetes Deployment and a Kubernetes Service.

Used by

Creates

A ConfigMap, in which the data field has a key delivery.yaml whose value is the definitions of a Kubernetes Deployment and a Kubernetes Service to expose the pods.

Parameters

Parameter name Meaning Example
ports Set of network ports to expose from the application to the Kubernetes cluster.
      - name: ports
        value:
          - containerPort: 2025
            name: smtp
            port: 25
      

More information

For information about the three different types of workloads, see workload types.

For information about the ports parameter, see server-specific Workload parameters.

service-bindings

Purpose

Adds ServiceBindings to the set of Kubernetes configuration files.

Used by

Creates

A ConfigMap. This template consumes input of multiple deployment YAML files and enriches the input with ResourceClaims and ServiceBindings if the workload contains serviceClaims.

Parameters

Parameter name Meaning Example
annotations Extra set of annotations to pass down to the ServiceBinding and ResourceClaim objects.
      - name: annotations
        value:
          name: my-application
          version: v1.2.3
          team: store
      

More information

For an example of using --service-ref, see the Tanzu CLI Command Reference documentation.

For an overview of the function, see Consume services on Tanzu Application Platform.

api-descriptors

Purpose

The api-descriptor resource takes care of adding an APIDescriptor to the set of Kubernetes objects to deploy such that API auto registration takes place.

Used by

Creates

A ConfigMap. This template consumes input of multiple YAML files and enriches the input with an APIDescriptor if the workload has a label apis.apps.tanzu.vmware.com/register-api == to true.

Parameters

Parameter name Meaning Example
annotations Extra set of annotations to pass down to the APIDescriptor object.
      - name: annotations
        value:
          name: my-application
          version: v1.2.3
          team: store
      
api_descriptor Information used to fill the state that you want of the APIDescriptor object (its spec).
      - name: api_descriptor
        value:
          type: openapi
          location:
            baseURL: http://petclinic-hard-coded.my-apps.tapdemo.vmware.com/
            path: "/v3/api
          owner: team-petclinic
          system: pet-clinics
          description: "example"
      

More information

For information about API auto registration, see Use API Auto Registration.

config-writer-template

Purpose

Persist in an external system, such as a registry or git repository, the Kubernetes configuration passed to the template.

Used by

Creates

A runnable which creates a Tekton TaskRun that refers either to the Tekton Task git-writer or the Tekton Task image-writer.

Parameters

Parameter name Meaning Example
serviceAccount Name of the service account which provides the credentials to the registry or repository. The service account must exist in the same namespace as the Workload.
      - name: serviceAccount
        value: default
      
gitops_branch Name of the branch to push the configuration to.
      - name: gitops_branch
        value: main
      
gitops_user_name User name to use in the commits.
      - name: gitops_user_name
        value: "Alice Lee"
      
gitops_user_email User email address to use in the commits.
      - name: gitops_user_email
        value: alice@example.com
      
gitops_commit_message Message to write as the body of the commits produced for pushing configuration to the Git repository.
      - name: gitops_commit_message
        value: "ci bump"
      
gitops_repository The full repository URL to which the configuration is committed. DEPRECATED
      - name: gitops_repository
        value: "https://github.com/vmware-tanzu/cartographer"
      
gitops_repository_prefix The prefix of the repository URL. DEPRECATED
      - name: gitops_repository
        value: "https://github.com/vmware-tanzu/"
      
gitops_server_address The server URL of the Git repository to which configuration is applied.
      - name: gitops_server_address
        value: "https://github.com/"
      
gitops_repository_owner The owner/organization to which the repository belongs.
      - name: gitops_repository_owner
        value: vmware-tanzu
      
gitops_repository_name The name of the repository.
      - name: gitops_repository_name
        value: cartographer
      
registry Specification of the registry server and repository in which the configuration is placed.
      - name: registry
        value:
          server: index.docker.io
          repository: web-team
          ca_cert_data:
            -----BEGIN CERTIFICATE-----
            MIIFXzCCA0egAwIBAgIJAJYm37SFocjlMA0GCSqGSIb3DQEBDQUAMEY...
            -----END CERTIFICATE-----
      

More information

For information about operating this template, see Gitops vs RegistryOps and the config-writer-and-pull-requester-template.

config-writer-and-pull-requester-template

Purpose

Persist the passed in Kubernetes configuration to a branch in a repository and open a pull request to another branch. This process allows for manual review of configuration before deployment to a cluster.

Used by

Creates

A Tekton TaskRun refers to the Tekton Task commit-and-pr.

Parameters

Parameter name Meaning Example
serviceAccount Name of the service account which provides the credentials to the registry or repository. The service account must exist in the same namespace as the Workload.
      - name: serviceAccount
        value: default
      
gitops_commit_branch Name of the branch to which configuration is pushed.
      - name: gitops_commit_branch
        value: feature
      
gitops_branch Name of the branch to which a pull request is opened.
      - name: gitops_branch
        value: main
      
gitops_user_name User name to use in the commits.
      - name: gitops_user_name
        value: "Alice Lee"
      
gitops_user_email User email address to use in the commits.
      - name: gitops_user_email
        value: alice@example.com
      
gitops_commit_message Message to write as the body of the commits produced for pushing configuration to the Git repository.
      - name: gitops_commit_message
        value: "ci bump"
      
gitops_pull_request_title Title of the pull request to be opened.
      - name: gitops_pull_request_title
        value: "ready for review"
      
gitops_pull_request_body Body of the pull request to be opened.
      - name: gitops_pull_request_body
        value: "generated by supply chain"
      
gitops_server_address The server URL of the Git repository to which configuration is applied.
      - name: gitops_server_address
        value: "https://github.com/"
      
gitops_repository_owner The owner/organization to which the repository belongs.
      - name: gitops_repository_owner
        value: vmware-tanzu
      
gitops_repository_name The name of the repository.
      - name: gitops_repository_name
        value: cartographer
      
gitops_server_kind The kind of Git provider
      - name: gitops_server_kind
        value: gitlab
      
ca_cert_data The string contents of the ssl certificate of the git server
      - name: ca_cert_data
        value:
          -----BEGIN CERTIFICATE-----
          MIIFXzCCA0egAwIBAgIJAJYm37SFocjlMA0GCSqGSIb3DQEBDQUAMEY...
          -----END CERTIFICATE-----
      

More information

For information about the operation of this template, see Gitops vs RegistryOps and the config-writer-template.

deliverable-template

Purpose

Create a deliverable which pairs with a Delivery to deploy Kubernetes configuration on the cluster.

Used by

Creates

A Deliverable preconfigured with reference to a repository or registry from which to fetch Kubernetes configuration.

Parameters

Parameter name Meaning Example
serviceAccount Name of the service account providing the necessary permissions for the Delivery to create children objects. Populates the Deliverable's serviceAccount parameter. The service account must be in the same namespace as the Deliverable.
      - name: serviceAccount
        value: default
      
gitops_credentials_secret Name of the secret where credentials exist for fetching the configuration from a Git repository. Populates the Deliverable's `source_credentials_secret` parameter (The Workload's GitOps repository is the Deliverable's source reposiotor). The secret must be in the same namespace as the Deliverable.
      - name: gitops_credentials_secret
        value: git-secret
      
gitops_ssh_secret Deprecated. Use gitops_credentials_secret instead. Name of the secret where credentials exist for fetching the configuration from a Git repository. Populates the Deliverable's gitops_ssh_secret parameter. The secret must be in the same namespace as the Deliverable.
      - name: gitops_ssh_secret
        value: git-secret
      
gitops_branch Name of the branch from which to fetch the configuration.
      - name: gitops_branch
        value: main
      
gitops_repository The full repository URL to which the configuration is fetched. DEPRECATED
      - name: gitops_repository
        value: "https://github.com/vmware-tanzu/cartographer"
      
gitops_repository_prefix The prefix of the repository URL. DEPRECATED
      - name: gitops_repository
        value: "https://github.com/vmware-tanzu/"
      
gitops_server_address The server URL of the Git repository from which configuration is fetched.
      - name: gitops_server_address
        value: "https://github.com/"
      
gitops_repository_owner The owner/organization to which the repository belongs.
      - name: gitops_repository_owner
        value: vmware-tanzu
      
gitops_repository_name The name of the repository.
      - name: gitops_repository_name
        value: cartographer
      
registry Specification of the registry server and repository from which the configuration is fetched.
      - name: registry
        value:
          server: index.docker.io
          repository: web-team
          ca_cert_data:
            -----BEGIN CERTIFICATE-----
            MIIFXzCCA0egAwIBAgIJAJYm37SFocjlMA0GCSqGSIb3DQEBDQUAMEY...
            -----END CERTIFICATE-----
      
Note

When using the Tanzu CLI to configure this serviceAccount parameter, use --param serviceAccount=.... The similarly named --service-account flag sets a different value: the spec.serviceAccountName key in the Workload object.

More information

For information about the ClusterDelivery shipped with ootb-delivery-basic, see Out of the Box Delivery Basic.

external-deliverable-template

Purpose

Create a definition of a deliverable which a user can manually applied to an external kubernetes cluster. When a properly configured Delivery is installed on that external cluster, the Deliverable will pair with the Delivery to deploy Kubernetes configuration on the cluster. For example, the OOTB Delivery.

Used by

Creates

A configmap in which the .data field has a key deliverable for which the value is the YAML definition of a Deliverable.

Parameters

Parameter name Meaning Example
serviceAccount Name of the service account providing the necessary permissions for the Delivery to create children objects. Populates the Deliverable's serviceAccount parameter. The service account must be in the same namespace as the Deliverable.
      - name: serviceAccount
        value: default
      
gitops_ssh_secret Name of the secret where credentials exist for fetching the configuration from a Git repository. Populates the Deliverable's gitops_ssh_secret parameter. The secret must be in the same namespace as the Deliverable.
      - name: gitops_ssh_secret
        value: ssh-secret
      
gitops_branch Name of the branch from which to fetch the configuration.
      - name: gitops_branch
        value: main
      
gitops_repository The full repository URL to which the configuration is fetched. DEPRECATED
      - name: gitops_repository
        value: "https://github.com/vmware-tanzu/cartographer"
      
gitops_repository_prefix The prefix of the repository URL. DEPRECATED
      - name: gitops_repository
        value: "https://github.com/vmware-tanzu/"
      
gitops_server_address The server URL of the Git repository from which configuration is fetched.
      - name: gitops_server_address
        value: "https://github.com/"
      
gitops_repository_owner The owner/organization to which the repository belongs.
      - name: gitops_repository_owner
        value: vmware-tanzu
      
gitops_repository_name The name of the repository.
      - name: gitops_repository_name
        value: cartographer
      
registry Specification of the registry server and repository from which the configuration is fetched.
      - name: registry
        value:
          server: index.docker.io
          repository: web-team
          ca_cert_data:
            -----BEGIN CERTIFICATE-----
            MIIFXzCCA0egAwIBAgIJAJYm37SFocjlMA0GCSqGSIb3DQEBDQUAMEY...
            -----END CERTIFICATE-----
      

More information

For information about the ClusterDelivery shipped with ootb-delivery-basic, see Out of the Box Delivery Basic.

For information about using the Deliverable object in a multicluster environment, see Getting started with multicluster Tanzu Application Platform.

delivery-source-template

Purpose

Continuously fetches Kubernetes configuration files from a Git repository or container image registry and makes them available on the cluster.

Used by

Creates

The source-template creates one of three objects, either: - GitRepository. Created if the deliverable has .spec.source.git defined. - ImageRepository. Created if the deliverable has .spec.source.image defined.

GitRepository

GitRepository makes source code from a particular commit available as a tarball in the cluster. Other resources in the supply chain can then access that code.

Parameters
Parameter name Meaning Example
gitImplementation The library used to fetch source code.
      - name: gitImplementation
        value: go-git
      
source_credentials_secret Name of the secret used to provide credentials for the Git repository. The secret with this name must exist in the same namespace as the Deliverable. The credentials must be sufficient to read the repository. See Git authentication.
      - name: source_credentials_secret
        value: git-credentials
      
More information

For an example using the Tanzu CLI to create a Workload using GitHub as the provider of source code, see Create a workload from GitHub repository.

For information about GitRepository objects, see GitRepository.

ImageRepository

ImageRepository makes the contents of a container image available as a tarball on the cluster.

Parameters
Parameter name Meaning Example
serviceAccount Name of the service account, providing credentials to ImageRepository for fetching container images. The service account must exist in the same namespace as the Deliverable.
      - name: serviceAccount
        value: default
      
More information

For information about the ImageRepository resource, see ImageRepository reference docs.

app-deploy

Purpose

Applies Kubernetes configuration to the cluster.

Used by

Creates

A kapp App.

Parameters

Parameter name Meaning Example
serviceAccount Name of the service account providing the necessary privileges for App to apply the Kubernetes objects to the cluster. The service account must be in the same namespace as the Deliverable.
      - name: serviceAccount
        value: default
      
gitops_sub_path (deprecated) Sub directory within the configuration bundle that is used for looking up the files to apply to the Kubernetes cluster. DEPRECATED
      - name: gitops_sub_path
        value: ./config
      
Note

The gitops_sub_path parameter is deprecated. Use deliverable.spec.source.subPath instead.

More information

For details about RBAC and how kapp-controller makes use of the ServiceAccount provided through the Deliverable’s serviceAccount parameter, see kapp-controller’s Security Model.

carvel-package (experimental)

Purpose

Bundles Kubernetes configuration into a Carvel Package.

Used by

Creates

A taskrun.tekton.dev which provides configuration to the carvel-package Tekton Task which bundles Kubernetes configuration into a Carvel Package.

This template uses the lifecycle: tekton flag to create new immutable objects rather than updating the previous object.

Parameters

Parameter name Meaning Example
serviceAccount Name of the service account to use for providing Docker credentials. The service account must exist in the same namespace as the Workload. The service account must have a secret associated with the credentials. See Configuring authentication for Docker in the Tekton documentation.
      - name: serviceAccount
        value: default
      
registry Specification of the registry server and repository in which the built image is placed.
      - name: registry
        value:
          server: index.docker.io
          repository: web-team
      
carvel_package_gitops_subpath Specifies the subpath to which Carvel Packages should be written.
      - name: carvel_package_gitops_subpath
        value: path/to/my/dir
      
carvel_package_name_suffix Specifies the suffix to append to the Carvel Package name. The format is WORKLOAD_NAME.WORKLOAD_NAMESPACE.carvel_package_name_suffix The full Carvel Package name must be a valid DNS subdomain name as defined in RFC 1123.
      - name: carvel_package_name_suffix
        value: vmware.com
      
carvel_package_parameters Specifies the custom Carvel Package parameters
      - name: carvel_package_parameters
        value: |
        - selector:
            matchLabels:
              apps.tanzu.vmware.com/workload-type: server
          schema: |
            #@data/values-schema
            ---
            #@schema/title "Workload name"
            #@schema/example "tanzu-java-web-app"
            #@schema/validation min_len=1
            workload_name: ""

            #@schema/title "Replicas"
            replicas: 1

            #@schema/title "Port"
            port: 8080

            #@schema/title "Hostname"
            #@schema/example "app.tanzu.vmware.com"
            hostname: ""

            #@schema/title "Cluster Issuer"
            cluster_issuer: "tap-ingress-selfsigned"

            #@schema/nullable
            http_route:
                #@schema/default [{"protocol": "https", "name": "default-gateway"}]
                gateways:
                - protocol: ""
                  name: ""
          overlays: |
            #@ load("@ytt:overlay", "overlay")
            #@ load("@ytt:data", "data")

            #@overlay/match by=overlay.subset({"apiVersion":"apps/v1", "kind": "Deployment"})
            ---
            spec:
              #@overlay/match missing_ok=True
              replicas: #@ data.values.replicas

            #@ if data.values.http_route != None:
            ---
            apiVersion: gateway.networking.k8s.io/v1beta1
            kind: HTTPRoute
            metadata:
              name: #@ data.values.workload_name + "-route"
            spec:
              parentRefs:
              #@ for/end gateway in data.values.http_route.gateways:
              - group: gateway.networking.k8s.io
                kind: Gateway
                name: #@ gateway.name
                sectionName: #@ gateway.protocol + "-" + data.values.workload_name
              rules:
              - backendRefs:
                - name: #@ data.values.workload_name
                  port: #@ data.values.port
            #@ elif data.values.hostname != "":
            ---
            apiVersion: networking.k8s.io/v1
            kind: Ingress
            metadata:
              name: #@ data.values.workload_name
              annotations:
                cert-manager.io/cluster-issuer:  #@ data.values.cluster_issuer
                ingress.kubernetes.io/force-ssl-redirect: "true"
                kubernetes.io/ingress.class: contour
                kapp.k14s.io/change-rule: "upsert after upserting Services"
              labels:
                app.kubernetes.io/component: "run"
                carto.run/workload-name:  #@ data.values.workload_name
            spec:
              tls:
                - secretName: #@ data.values.workload_name
                  hosts:
                  - #@ data.values.hostname
              rules:
              - host: #@ data.values.hostname
                http:
                  paths:
                  - pathType: Prefix
                    path: /
                    backend:
                      service:
                        name: #@ data.values.workload_name
                        port:
                          number: #@ data.values.port
            #@ end
        - selector:
            matchLabels:
              apps.tanzu.vmware.com/workload-type: web
          schema: |
            #@data/values-schema
            ---
            #@schema/validation min_len=1
            workload_name: ""
          overlays: ""
        - selector:
            matchLabels:
              apps.tanzu.vmware.com/workload-type: worker
          schema: |
            #@data/values-schema
            ---
            #@schema/validation min_len=1
            workload_name: ""
            replicas: 1
          overlays: |
            #@ load("@ytt:overlay", "overlay")
            #@ load("@ytt:data", "data")
            #@overlay/match by=overlay.subset({"apiVersion":"apps/v1", "kind": "Deployment"})
            ---
            spec:
              #@overlay/match missing_ok=True
              replicas: #@ data.values.replicas
      
carvel_package_openapiv3_enabled Specifies whether the Carvel Package should include a generated OpenAPIv3 specification
      - name: carvel_package_openapiv3_enabled
        value: true
      

More information

To read more about lifecycle:tekton, read Cartographer Lifecycle.

package-config-writer-template (experimental)

Purpose

Persist in an external git repository the Carvel Package Kubernetes configuration passed to the template.

Used by

Creates

A runnable which creates a Tekton TaskRun that refers either to the Tekton Task git-writer.

Parameters

Parameter name Meaning Example
serviceAccount Name of the service account which provides the credentials to the registry or repository. The service account must exist in the same namespace as the Workload.
      - name: serviceAccount
        value: default
      
gitops_branch Name of the branch to push the configuration to.
      - name: gitops_branch
        value: main
      
gitops_user_name User name to use in the commits.
      - name: gitops_user_name
        value: "Alice Lee"
      
gitops_user_email User email address to use in the commits.
      - name: gitops_user_email
        value: alice@example.com
      
gitops_commit_message Message to write as the body of the commits produced for pushing configuration to the Git repository.
      - name: gitops_commit_message
        value: "ci bump"
      
gitops_repository The full repository URL to which the configuration is committed. DEPRECATED
      - name: gitops_repository
        value: "https://github.com/vmware-tanzu/cartographer"
      
gitops_repository_prefix The prefix of the repository URL. DEPRECATED
      - name: gitops_repository
        value: "https://github.com/vmware-tanzu/"
      
gitops_server_address The server URL of the Git repository to which configuration is applied.
      - name: gitops_server_address
        value: "https://github.com/"
      
gitops_repository_owner The owner/organization to which the repository belongs.
      - name: gitops_repository_owner
        value: vmware-tanzu
      
gitops_repository_name The name of the repository.
      - name: gitops_repository_name
        value: cartographer
      
registry Specification of the registry server and repository in which the configuration is placed.
      - name: registry
        value:
          server: index.docker.io
          repository: web-team
          ca_cert_data:
            -----BEGIN CERTIFICATE-----
            MIIFXzCCA0egAwIBAgIJAJYm37SFocjlMA0GCSqGSIb3DQEBDQUAMEY...
            -----END CERTIFICATE-----
      
carvel_package_gitops_subpath Specifies the subpath to which Carvel Packages should be written.
      - name: carvel_package_gitops_subpath
        value: path/to/my/dir
      
carvel_package_name_suffix Specifies the suffix to append to the Carvel Package name. The format is WORKLOAD_NAME.WORKLOAD_NAMESPACE.carvel_package_name_suffix The full Carvel Package name must be a valid DNS subdomain name as defined in RFC 1123.
      - name: carvel_package_name_suffix
        value: vmware.com
      

More information

See Gitops vs RegistryOps for more information about the operation of this template and of the package-config-writer-and-pull-requester-template (experimental).

package-config-writer-and-pull-requester-template (experimental)

Purpose

Persist the passed in Carvel Package Kubernetes configuration to a branch in a repository and open a pull request to another branch. (This process allows for manual review of configuration before deployment to a cluster)

Used by

Creates

A Tekton TaskRun which refers to the Tekton Task commit-and-pr.

Parameters

Parameter name Meaning Example
serviceAccount Name of the service account which provides the credentials to the registry or repository. The service account must exist in the same namespace as the Workload.
      - name: serviceAccount
        value: default
      
gitops_commit_branch Name of the branch to which configuration is pushed.
      - name: gitops_commit_branch
        value: feature
      
gitops_branch Name of the branch to which a pull request is opened.
      - name: gitops_branch
        value: main
      
gitops_user_name User name to use in the commits.
      - name: gitops_user_name
        value: "Alice Lee"
      
gitops_user_email User email address to use in the commits.
      - name: gitops_user_email
        value: alice@example.com
      
gitops_commit_message Message to write as the body of the commits produced for pushing configuration to the Git repository.
      - name: gitops_commit_message
        value: "ci bump"
      
gitops_pull_request_title Title of the pull request to be opened.
      - name: gitops_pull_request_title
        value: "ready for review"
      
gitops_pull_request_body Body of the pull request to be opened.
      - name: gitops_pull_request_body
        value: "generated by supply chain"
      
gitops_server_address The server URL of the Git repository to which configuration is applied.
      - name: gitops_server_address
        value: "https://github.com/"
      
gitops_repository_owner The owner/organization to which the repository belongs.
      - name: gitops_repository_owner
        value: vmware-tanzu
      
gitops_repository_name The name of the repository.
      - name: gitops_repository_name
        value: cartographer
      
gitops_server_kind The kind of Git provider
      - name: gitops_server_kind
        value: gitlab
      
carvel_package_gitops_subpath Specifies the subpath to which Carvel Packages should be written.
      - name: carvel_package_gitops_subpath
        value: path/to/my/dir
      
carvel_package_name_suffix Specifies the suffix to append to the Carvel Package name. The format is WORKLOAD_NAME.WORKLOAD_NAMESPACE.carvel_package_name_suffix The full Carvel Package name must be a valid DNS subdomain name as defined in RFC 1123.
      - name: carvel_package_name_suffix
        value: vmware.com
      
ca_cert_data The string contents of the ssl certificate of the git server
      - name: ca_cert_data
        value:
          -----BEGIN CERTIFICATE-----
          MIIFXzCCA0egAwIBAgIJAJYm37SFocjlMA0GCSqGSIb3DQEBDQUAMEY...
          -----END CERTIFICATE-----
      

More information

See Gitops vs RegistryOps for more information about the operation of this template and of the package-config-writer-template (experimental).

check-circle-line exclamation-circle-line close-line
Scroll to top icon