This topic describes the objects from templates that you can use with Supply Chain Choreographer.
All the objects referenced in this topic are Cartographer Templates packaged in Out of the Box Templates.
This topic describes:
Creates an object to fetch source code and make that code available to other objects in the supply chain. See Building from Source.
Used as the source-provider step.
The source-template creates one of three objects, either:
- GitRepository. Created if the workload has .spec.source.git defined.
- ImageRepository. Created if the workload has .spec.source.image defined.
- MavenArtifact. Created if the workload has the maven parameter defined.
GitRepository makes source code from a particular commit available as a tarball in the cluster. Other resources in the supply chain can then access that code.
Parameter name | Meaning | Example |
---|---|---|
gitImplementation | The library used to fetch source code. | - name: gitImplementation value: go-git |
source_credentials_secret | Name of the secret used to provide credentials for the Git repository. The secret with this name must exist in the same namespace as the Workload. The credentials must be sufficient to read the repository. See Git authentication. | - name: source_credentials_secret value: git-credentials |
gitops_ssh_secret | Deprecated. Only used if provided and source_credentials_secret is not provided. Name of the secret used to provide credentials for the Git repository. The secret with this name must exist in the same namespace as the Workload. The credentials must be sufficient to read the repository. See Git authentication. | - name: gitops_ssh_secret value: git-credentials |
For an example using the Tanzu CLI to create a Workload using GitHub as the provider of source code, see Create a workload from GitHub repository.
For information about GitRepository objects, see GitRepository.
ImageRepository makes the contents of a container image available as a tarball on the cluster.
Parameter name | Meaning | Example |
---|---|---|
serviceAccount | Name of the service account providing credentials to ImageRepository for fetching container images. The service account must exist in the same namespace as the Workload. | - name: serviceAccount value: default |
Note: When using the Tanzu CLI to configure this serviceAccount parameter, use --param serviceAccount=... . The similarly named --service-account flag sets a different value: the spec.serviceAccountName key in the Workload object.
For information about the ImageRepository resource, see the ImageRepository reference documentation.
For information about how to use the Tanzu CLI to create a workload leveraging ImageRepository, see Create a workload from local source code.
MavenArtifact makes a pre-built Java artifact available as a tarball on the cluster.
While the source-template leverages the workload's .spec.source field when creating a GitRepository or ImageRepository object, the creation of the MavenArtifact relies only on parameters in the Workload.
Parameter name | Meaning | Example |
---|---|---|
maven | Points to the Maven artifact to fetch and the polling interval. | - name: maven value: artifactId: springboot-initial groupId: com.example version: RELEASE classifier: sources # optional type: jar # optional artifactRetryTimeout: 1m0s # optional |
maven_repository_url | Specifies the Maven repository from which to fetch. | - name: maven_repository_url value: https://repo1.maven.org/maven2/ |
maven_repository_secret_name | Specifies the secret containing credentials necessary to fetch from the Maven repository. The secret named must exist in the same namespace as the workload. | - name: maven_repository_secret_name value: auth-secret |
For information about the custom resource, see MavenArtifact reference docs.
For information about how to use the custom resource with the Tanzu Apps CLI plug-in, see Create a workload from a Maven repository artifact.
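The three branches of the source-template side by side, as an added example that is not part of the Tanzu documentation or of the Out of the Box Templates themselves. Names, namespaces, repository URLs, the image digest and the secret names are placeholders. The first Workload shows the distinction the Note above draws: spec.serviceAccountName is what Cartographer acts as, while the serviceAccount parameter is what the stamped-out object uses to pull.

```yaml
# Added example (not from the TAP documentation): three Workloads, one per
# object the source-template can create. All names, URLs, digests and
# secret names are placeholders.

# 1. .spec.source.git is set, so the source-template creates a GitRepository.
#    source_credentials_secret names a read-only Git credential; keep it
#    separate from any gitops (write) credential used later in the chain.
apiVersion: carto.run/v1alpha1
kind: Workload
metadata:
  name: petclinic-from-git
  namespace: dev
  labels:
    apps.tanzu.vmware.com/workload-type: web
    app.kubernetes.io/part-of: petclinic
spec:
  serviceAccountName: petclinic-sa       # identity Cartographer uses to stamp out objects
  source:
    git:
      url: https://github.com/example-org/petclinic.git
      ref:
        branch: main
  params:
  - name: gitImplementation
    value: go-git
  - name: source_credentials_secret      # Secret must exist in namespace "dev"
    value: git-read-credentials
---
# 2. .spec.source.image is set, so the source-template creates an ImageRepository.
#    Referencing the source image by digest pins exactly which content is built;
#    a mutable tag can be repointed with no change visible in the Workload.
apiVersion: carto.run/v1alpha1
kind: Workload
metadata:
  name: petclinic-from-image
  namespace: dev
  labels:
    apps.tanzu.vmware.com/workload-type: web
spec:
  source:
    image: registry.example.com/source/petclinic@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
  params:
  - name: serviceAccount                 # the template parameter, not spec.serviceAccountName
    value: source-pull-sa
---
# 3. No .spec.source at all: the maven parameter makes the source-template
#    create a MavenArtifact.
apiVersion: carto.run/v1alpha1
kind: Workload
metadata:
  name: petclinic-from-maven
  namespace: dev
  labels:
    apps.tanzu.vmware.com/workload-type: web
spec:
  params:
  - name: maven
    value:
      groupId: com.example
      artifactId: petclinic
      version: 2.7.3                     # a fixed version; RELEASE re-resolves on every poll
      type: jar
  - name: maven_repository_url
    value: https://nexus.example.com/repository/maven-releases/
  - name: maven_repository_secret_name   # Secret must exist in namespace "dev"
    value: nexus-read-credentials
```

The credentials named by source_credentials_secret, serviceAccount and maven_repository_secret_name only need read access to their source; a supply chain that reuses a read/write gitops credential for fetching widens the blast radius of a compromised build namespace for no benefit.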
Tests the source code provided in the supply chain. Testing depends on a user provided Tekton Pipeline. Parameters for this template allow for selection of the proper Pipeline and for specification of additional values to pass to the Pipeline.
These are used as the source-tester resource.
testing-pipeline creates a Runnable object. This Runnable provides inputs to the ClusterRunTemplate named tekton-source-pipelinerun.
Parameter name | Meaning | Example |
---|---|---|
testing_pipeline_matching_labels | Set of labels to use when searching for Tekton Pipeline objects in the same namespace as the Workload. By default, a Pipeline labeled as apps.tanzu.vmware.com/pipeline: test is selected. | - name: testing_pipeline_matching_labels value: apps.tanzu.vmware.com/pipeline: test my.company/language: golang |
testing_pipeline_params | Set of parameters to pass to the Tekton Pipeline. To this set of parameters, the template always adds the source URL and revision as source-url and source-revision. | - name: testing_pipeline_params value: - name: verbose value: true - name: foo value: bar |
For information about the ClusterRunTemplate that pairs with the Runnable, see tekton-source-pipelinerun.
For information about the Tekton Pipeline that the user must create, see the OOTB Supply Chain Testing documentation of the Pipeline.
Scans the source code for vulnerabilities.
This is used as the source-scanner resource.
Parameter name | Meaning | Example |
---|---|---|
scanning_source_template | Name of the ScanTemplate object to use for running the scans. The ScanTemplate must be in the same namespace as the Workload. | - name: scanning_source_template value: private-source-scan-template |
scanning_source_policy | Name of the ScanPolicy object to use when evaluating the scan results of a source scan. The ScanPolicy must be in the same namespace as the Workload. | - name: scanning_source_policy value: allowlist-policy |
For information about how to set up the Workload namespace with the ScanPolicy and ScanTemplate required for this resource, see Out of the Box Supply Chain with Testing and Scanning.
For information about the SourceScan custom resource, see SourceScan reference.
For information about how the artifacts found during scanning are catalogued, see Supply Chain Security Tools for Tanzu – Store.
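The testing and scanning parameters in context, as an added example that is not from the Tanzu documentation: a Tekton Pipeline carrying the labels the testing-pipeline template searches for, declaring the source-url and source-revision parameters the template always injects, and a Workload that selects it and names the ScanTemplate and ScanPolicy for the source-scanner. The namespace, names, step image and the Go project are placeholders; the ScanTemplate and ScanPolicy named in the Workload are assumed to already exist in that namespace.

```yaml
# Added example (not from the TAP documentation). Names, namespace and the
# test command are placeholders.
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: go-unit-tests
  namespace: dev
  labels:
    apps.tanzu.vmware.com/pipeline: test   # default matching label
    my.company/language: golang            # extra label the Workload below also matches on
spec:
  params:
  - name: source-url                       # always supplied by the template (tarball URL)
  - name: source-revision                  # always supplied by the template
  - name: verbose                          # comes from testing_pipeline_params
    default: "false"
  tasks:
  - name: test
    params:
    - name: source-url
      value: $(params.source-url)
    - name: source-revision
      value: $(params.source-revision)
    - name: verbose
      value: $(params.verbose)
    taskSpec:
      params:
      - name: source-url
      - name: source-revision
      - name: verbose
      steps:
      - name: test
        image: golang:1.21
        script: |
          #!/bin/sh
          set -eu
          cd "$(mktemp -d)"
          # Fetch exactly the revision the supply chain resolved, not "latest".
          echo "testing revision $(params.source-revision)"
          curl -sSfL "$(params.source-url)" | tar -xz
          if [ "$(params.verbose)" = "true" ]; then set -x; fi
          go test ./...
---
apiVersion: carto.run/v1alpha1
kind: Workload
metadata:
  name: api-server
  namespace: dev
  labels:
    apps.tanzu.vmware.com/workload-type: web
spec:
  source:
    git:
      url: https://github.com/example-org/api-server.git
      ref:
        branch: main
  params:
  - name: testing_pipeline_matching_labels # must match the Pipeline's labels above
    value:
      apps.tanzu.vmware.com/pipeline: test
      my.company/language: golang
  - name: testing_pipeline_params
    value:
    - name: verbose
      value: "true"
  - name: scanning_source_template         # ScanTemplate in namespace "dev"
    value: private-source-scan-template
  - name: scanning_source_policy           # ScanPolicy in namespace "dev"
    value: allowlist-policy
```

Because the Pipeline is looked up by label in the Workload's namespace, anyone who can create Pipelines in that namespace can substitute the test step; keep Pipeline creation restricted to the same people who own the ScanPolicy, since both gate whether source moves forward.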
Fetches a container image of a prebuilt application, specified in the workload's .spec.image field. This makes the content-addressable name (for example, the image name containing the digest) available to other resources in the supply chain.
These are used as the image-provider resource.
Creates an ImageRepository.source.apps.tanzu.vmware.com object.
Parameter name | Meaning | Example |
---|---|---|
serviceAccount | Name of the service account providing credentials for the target image registry. The service account must exist in the same namespace as the Workload. | - name: serviceAccount value: default |
Note: When using the Tanzu CLI to configure this serviceAccount parameter, use --param serviceAccount=... . The similarly named --service-account flag sets a different value: the spec.serviceAccountName key in the Workload object.
For information about the ImageRepository resource, see ImageRepository reference docs.
For information about prebuilt images, see Using a prebuilt image.
Builds a container image from source code using cloud native buildpacks.
These are used as the image-provider resource when the workload parameter dockerfile is not defined.
Parameter name | Meaning | Example |
---|---|---|
serviceAccount | Name of the service account providing credentials for the configured image registry. Image uses these credentials to push built container images to the registry. The service account must exist in the same namespace as the Workload. | - name: serviceAccount value: default |
clusterBuilder | Name of the Kpack Cluster Builder to use. | - name: clusterBuilder value: nodejs-cluster-builder |
buildServiceBindings | Definition of a list of service bindings to make use of at build time. For example, providing credentials for fetching dependencies from repositories that require credentials. | - name: buildServiceBindings value: - name: settings-xml kind: Secret apiVersion: v1 |
live-update | Enable the use of Tilt's live-update function. | - name: live-update value: "true" |
Note: When using the Tanzu CLI to configure this serviceAccount parameter, use --param serviceAccount=... . The similarly named --service-account flag sets a different value: the spec.serviceAccountName key in the Workload object.
For information about the integration with Tanzu Build Service, see Tanzu Build Service Integration.
For information about live-update, see Developer Conventions and Overview of Tanzu Developer Tools for IntelliJ.
For information about using Kpack builders with clusterBuilder, see Builders.
For information about buildServiceBindings, see Service Bindings.
Build an image for source code that includes a Dockerfile.
These are used as the image-provider resource when the workload parameter dockerfile is defined.
Creates a taskrun.tekton.dev that provides configuration to the Tekton Task kaniko-build, which builds an image with kaniko.
This template uses the lifecycle: tekton flag to create new immutable objects rather than updating the previous object.
Parameter name | Meaning | Example |
---|---|---|
dockerfile | Relative path to the Dockerfile in the build context. | ./Dockerfile |
docker_build_context | Relative path to the directory that is the build context. | . |
docker_build_extra_args | List of flags to pass directly to kaniko, such as providing arguments to a build. | - --build-arg=FOO=BAR |
serviceAccount | Name of the service account to use for providing Docker credentials. The service account must exist in the same namespace as the Workload. The service account must have a secret associated with the credentials. See Configuring authentication for Docker in the Tekton documentation. | - name: serviceAccount value: default |
registry | Specification of the registry server and repository in which the built image is placed. | - name: registry value: server: index.docker.io repository: web-team |
For information about how to use Dockerfile-based builds and limits associated with the function, see Dockerfile-based builds.
For information about lifecycle: tekton, see Cartographer Lifecycle.
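The two image-provider paths selected by the presence or absence of the dockerfile parameter, as an added example that is not from the Tanzu documentation. Both Workloads build the same placeholder repository; the first goes through the kpack Image with a build-time service binding, the second through the kaniko TaskRun. Registry, names and the settings.xml contents are placeholders, and the Secret layout for a Maven binding (type service.binding/maven with type and provider keys) is assumed from kpack's service binding convention rather than taken from this page.

```yaml
# Added example (not from the TAP documentation). Placeholders throughout.

# Build-time credential delivered through a service binding, so it is mounted
# into the build only and never baked into the image.
apiVersion: v1
kind: Secret
metadata:
  name: settings-xml
  namespace: dev
type: service.binding/maven            # assumed kpack binding layout
stringData:
  type: maven
  provider: sample
  settings.xml: |
    <settings>
      <servers>
        <server>
          <id>internal-mirror</id>
          <username>build-reader</username>
          <password>replace-me</password>
        </server>
      </servers>
    </settings>
---
# No dockerfile parameter: image-provider is the kpack Image (buildpacks).
apiVersion: carto.run/v1alpha1
kind: Workload
metadata:
  name: orders-buildpacks
  namespace: dev
  labels:
    apps.tanzu.vmware.com/workload-type: web
spec:
  source:
    git:
      url: https://github.com/example-org/orders.git
      ref:
        branch: main
  params:
  - name: serviceAccount               # holds the registry push credential
    value: build-push-sa
  - name: clusterBuilder
    value: java-cluster-builder
  - name: buildServiceBindings         # the Secret above, by name/kind/apiVersion
    value:
    - name: settings-xml
      kind: Secret
      apiVersion: v1
---
# dockerfile parameter present: image-provider is the kaniko TaskRun.
apiVersion: carto.run/v1alpha1
kind: Workload
metadata:
  name: orders-dockerfile
  namespace: dev
  labels:
    apps.tanzu.vmware.com/workload-type: web
spec:
  source:
    git:
      url: https://github.com/example-org/orders.git
      ref:
        branch: main
  params:
  - name: dockerfile                   # presence of this parameter selects the kaniko path
    value: ./Dockerfile
  - name: docker_build_context
    value: .
  - name: docker_build_extra_args      # build args are recorded in image history; never pass secrets here
    value:
    - --build-arg=GIT_SHA=abc1234
  - name: serviceAccount               # must carry a Docker-type Secret for the registry
    value: build-push-sa
  - name: registry
    value:
      server: registry.example.com
      repository: orders-team
```

The difference that matters for credential handling: with buildpacks the dependency credential travels through the binding and is visible only during the build, whereas anything passed through docker_build_extra_args as a --build-arg is recorded in the layer history of the resulting image and can be read by anyone who can pull it.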
Scans the container image for vulnerabilities, persists the results in a store, and prevents the image from moving forward if CVEs are found which are not compliant with its referenced ScanPolicy.
Creates an ImageScan.scanning.apps.tanzu.vmware.com object.
Parameter name | Meaning | Example |
---|---|---|
scanning_image_template | Name of the ScanTemplate object for running the scans against a container image. The ScanTemplate must be in the same namespace as the Workload. | - name: scanning_image_template value: private-image-scan-template |
scanning_image_policy | Name of the ScanPolicy object for evaluating the scan results of an image scan. The ScanPolicy must be in the same namespace as the Workload. | - name: scanning_image_policy value: allowlist-policy |
For information about the ImageScan custom resource, see ImageScan reference.
For information about how the artifacts found during scanning are catalogued, see Supply Chain Security Tools for Tanzu – Store.
Creates the PodTemplateSpec for the Kubernetes configuration (for example, the Knative service or Kubernetes Deployment) that is applied to the cluster.
Creates a PodIntent object. The PodIntent leverages conventions installed on the cluster. The PodIntent object is responsible for generating a PodTemplateSpec. The PodTemplateSpec is used in app configs, such as Knative services and Deployments, to represent the shape of the pods that run the application in containers.
Parameter name | Meaning | Example |
---|---|---|
serviceAccount | Name of the serviceAccount providing necessary credentials to PodIntent. The serviceAccount must be in the same namespace as the Workload. The serviceAccount is set as the serviceAccountName in the PodTemplateSpec. The credentials associated with the serviceAccount must allow fetching the container image used to inspect the metadata passed to convention servers. | - name: serviceAccount value: default |
annotations | Extra set of annotations to pass down to the PodTemplateSpec. | - name: annotations value: name: my-application version: v1.2.3 team: store |
debug | Put the workload in debug mode. | - name: debug value: "true" |
live-update | Enable live-updating of the code (for inner-loop development). | - name: live-update value: "true" |
Note: When using the Tanzu CLI to configure this serviceAccount parameter, use --param serviceAccount=... . The similarly named --service-account flag sets a different value: the spec.serviceAccountName key in the Workload object.
For information about PodTemplateSpec, see PodTemplateSpec in the Kubernetes documentation.
For information about conventions, see Cartographer Conventions.
For information about the two convention servers enabled by default in Tanzu Application Platform installations, see Developer Conventions and Spring Boot conventions.
For workloads with the label apps.tanzu.vmware.com/workload-type: web, defines a Knative service.
Creates a ConfigMap, in which the data field has a key delivery.yaml whose value is the definition of a Knative service.
This template takes no parameters.
See workload types for more details about the three different types of workloads.
For workloads with the label apps.tanzu.vmware.com/workload-type: worker, defines a Kubernetes Deployment.
Creates a ConfigMap, in which the data field has a key delivery.yaml whose value is the definition of a Kubernetes Deployment.
This template takes no parameters.
For information about the three different types of workloads, see workload types.
For workloads with the label apps.tanzu.vmware.com/workload-type: server, defines a Kubernetes Deployment and a Kubernetes Service.
Creates a ConfigMap, in which the data field has a key delivery.yaml whose value is the definitions of a Kubernetes Deployment and a Kubernetes Service to expose the pods.
Parameter name | Meaning | Example |
---|---|---|
ports | Set of network ports to expose from the application to the Kubernetes cluster. | - name: ports value: - containerPort: 2025 name: smtp port: 25 |
For information about the three different types of workloads, see workload types.
For information about the ports parameter, see server-specific Workload parameters.
Adds ServiceBindings to the set of Kubernetes configuration files.
Creates a ConfigMap. This template consumes input of multiple deployment YAML files and enriches the input with ResourceClaims and ServiceBindings if the workload contains serviceClaims.
Parameter name | Meaning | Example |
---|---|---|
annotations | Extra set of annotations to pass down to the ServiceBinding and ResourceClaim objects. | - name: annotations value: name: my-application version: v1.2.3 team: store |
For an example of using --service-ref, see the Tanzu CLI Command Reference documentation.
For an overview of the function, see Consume services on Tanzu Application Platform.
The api-descriptor resource takes care of adding an APIDescriptor to the set of Kubernetes objects to deploy, so that API auto registration takes place.
Creates a ConfigMap. This template consumes input of multiple YAML files and enriches the input with an APIDescriptor if the workload has the label apis.apps.tanzu.vmware.com/register-api set to true.
Parameter name | Meaning | Example |
---|---|---|
annotations | Extra set of annotations to pass down to the APIDescriptor object. | - name: annotations value: name: my-application version: v1.2.3 team: store |
api_descriptor | Information used to fill the desired state of the APIDescriptor object (its spec). | - name: api_descriptor value: type: openapi location: baseURL: http://petclinic-hard-coded.my-apps.tapdemo.vmware.com/ path: "/v3/api" owner: team-petclinic system: pet-clinics description: "example" |
For information about API auto registration, see Use API Auto Registration.
Persists in an external system, such as a registry or Git repository, the Kubernetes configuration passed to the template.
Creates a Runnable which creates a Tekton TaskRun that refers either to the Tekton Task git-writer or to the Tekton Task image-writer.
Parameter name | Meaning | Example |
---|---|---|
serviceAccount | Name of the service account which provides the credentials to the registry or repository. The service account must exist in the same namespace as the Workload. | - name: serviceAccount value: default |
gitops_branch | Name of the branch to push the configuration to. | - name: gitops_branch value: main |
gitops_user_name | User name to use in the commits. | - name: gitops_user_name value: "Alice Lee" |
gitops_user_email | User email address to use in the commits. | - name: gitops_user_email value: alice@example.com |
gitops_commit_message | Message to write as the body of the commits produced for pushing configuration to the Git repository. | - name: gitops_commit_message value: "ci bump" |
gitops_repository | Deprecated. The full repository URL to which the configuration is committed. | - name: gitops_repository value: "https://github.com/vmware-tanzu/cartographer" |
gitops_repository_prefix | Deprecated. The prefix of the repository URL. | - name: gitops_repository_prefix value: "https://github.com/vmware-tanzu/" |
gitops_server_address | The server URL of the Git repository to which configuration is applied. | - name: gitops_server_address value: "https://github.com/" |
gitops_repository_owner | The owner/organization to which the repository belongs. | - name: gitops_repository_owner value: vmware-tanzu |
gitops_repository_name | The name of the repository. | - name: gitops_repository_name value: cartographer |
registry | Specification of the registry server and repository in which the configuration is placed. | - name: registry value: server: index.docker.io repository: web-team ca_cert_data: -----BEGIN CERTIFICATE----- MIIFXzCCA0egAwIBAgIJAJYm37SFocjlMA0GCSqGSIb3DQEBDQUAMEY... -----END CERTIFICATE----- |
For information about operating this template, see Gitops vs RegistryOps and the config-writer-and-pull-requester-template.
Persists the passed-in Kubernetes configuration to a branch in a repository and opens a pull request to another branch. This process allows for manual review of configuration before deployment to a cluster.
Creates a Tekton TaskRun that refers to the Tekton Task commit-and-pr.
Parameter name | Meaning | Example |
---|---|---|
serviceAccount | Name of the service account which provides the credentials to the registry or repository. The service account must exist in the same namespace as the Workload. | - name: serviceAccount value: default |
gitops_commit_branch | Name of the branch to which configuration is pushed. | - name: gitops_commit_branch value: feature |
gitops_branch | Name of the branch to which a pull request is opened. | - name: gitops_branch value: main |
gitops_user_name | User name to use in the commits. | - name: gitops_user_name value: "Alice Lee" |
gitops_user_email | User email address to use in the commits. | - name: gitops_user_email value: alice@example.com |
gitops_commit_message | Message to write as the body of the commits produced for pushing configuration to the Git repository. | - name: gitops_commit_message value: "ci bump" |
gitops_pull_request_title | Title of the pull request to be opened. | - name: gitops_pull_request_title value: "ready for review" |
gitops_pull_request_body | Body of the pull request to be opened. | - name: gitops_pull_request_body value: "generated by supply chain" |
gitops_server_address | The server URL of the Git repository to which configuration is applied. | - name: gitops_server_address value: "https://github.com/" |
gitops_repository_owner | The owner/organization to which the repository belongs. | - name: gitops_repository_owner value: vmware-tanzu |
gitops_repository_name | The name of the repository. | - name: gitops_repository_name value: cartographer |
gitops_server_kind | The kind of Git provider. | - name: gitops_server_kind value: gitlab |
ca_cert_data | The PEM-encoded CA certificate, as a string, used to verify the Git server's TLS certificate. | - name: ca_cert_data value: -----BEGIN CERTIFICATE----- MIIFXzCCA0egAwIBAgIJAJYm37SFocjlMA0GCSqGSIb3DQEBDQUAMEY... -----END CERTIFICATE----- |
For information about the operation of this template, see Gitops vs RegistryOps and the config-writer-template.
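The pull-request variant in context, as an added example that is not from the Tanzu documentation: a Workload whose supply chain uses the config-writer-and-pull-requester template, with the structured gitops_server_address / gitops_repository_owner / gitops_repository_name parameters in place of the deprecated gitops_repository and gitops_repository_prefix. The server, owner, repository, branch names, secret names and the certificate fragment are placeholders.

```yaml
# Added example (not from the TAP documentation). Placeholders throughout;
# the certificate body is a truncated placeholder, not a real CA.
apiVersion: carto.run/v1alpha1
kind: Workload
metadata:
  name: billing
  namespace: dev
  labels:
    apps.tanzu.vmware.com/workload-type: server
spec:
  source:
    git:
      url: https://gitlab.example.com/apps/billing.git
      ref:
        branch: main
  params:
  - name: source_credentials_secret        # read-only credential for the source repository
    value: git-read-credentials
  - name: serviceAccount                   # carries the write credential for the gitops repository
    value: gitops-writer-sa
  - name: gitops_server_address            # structured parameters, not gitops_repository/_prefix
    value: https://gitlab.example.com/
  - name: gitops_server_kind
    value: gitlab
  - name: gitops_repository_owner
    value: platform
  - name: gitops_repository_name
    value: billing-config
  - name: gitops_commit_branch             # commits land here...
    value: supply-chain/billing
  - name: gitops_branch                    # ...and the pull request targets this branch
    value: main
  - name: gitops_user_name
    value: supply-chain-bot
  - name: gitops_user_email
    value: supply-chain-bot@example.com
  - name: gitops_commit_message
    value: "billing: update generated configuration"
  - name: gitops_pull_request_title
    value: "billing: ready for review"
  - name: gitops_pull_request_body
    value: "Generated by the supply chain. Review the diff before merging."
  - name: ca_cert_data                     # PEM CA for a private Git server; omit for a public CA
    value: |
      -----BEGIN CERTIFICATE-----
      MIIFXzCCA0egAwIBAgIJAJYm37SFocjlMA0GCSqGSIb3DQEBDQUAMEY...
      -----END CERTIFICATE-----
```

Two credentials appear on purpose: the read-only one named by source_credentials_secret and the write-capable one behind the gitops serviceAccount. With the pull-request template the write credential only ever needs to push to gitops_commit_branch and open a PR, so branch protection on gitops_branch (main here) is what actually enforces the review the page describes; the template does not enforce it on its own.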
Creates a Deliverable which pairs with a Delivery to deploy Kubernetes configuration on the cluster.
Creates a Deliverable preconfigured with a reference to a repository or registry from which to fetch Kubernetes configuration.
Parameter name | Meaning | Example |
---|---|---|
serviceAccount | Name of the service account providing the necessary permissions for the Delivery to create children objects. Populates the Deliverable's serviceAccount parameter. The service account must be in the same namespace as the Deliverable. | - name: serviceAccount value: default |
gitops_credentials_secret | Name of the secret where credentials exist for fetching the configuration from a Git repository. Populates the Deliverable's source_credentials_secret parameter (the Workload's GitOps repository is the Deliverable's source repository). The secret must be in the same namespace as the Deliverable. | - name: gitops_credentials_secret value: git-secret |
gitops_ssh_secret | Deprecated. Use gitops_credentials_secret instead. Name of the secret where credentials exist for fetching the configuration from a Git repository. Populates the Deliverable's gitops_ssh_secret parameter. The secret must be in the same namespace as the Deliverable. | - name: gitops_ssh_secret value: git-secret |
gitops_branch | Name of the branch from which to fetch the configuration. | - name: gitops_branch value: main |
gitops_repository | Deprecated. The full repository URL from which the configuration is fetched. | - name: gitops_repository value: "https://github.com/vmware-tanzu/cartographer" |
gitops_repository_prefix | Deprecated. The prefix of the repository URL. | - name: gitops_repository_prefix value: "https://github.com/vmware-tanzu/" |
gitops_server_address | The server URL of the Git repository from which configuration is fetched. | - name: gitops_server_address value: "https://github.com/" |
gitops_repository_owner | The owner/organization to which the repository belongs. | - name: gitops_repository_owner value: vmware-tanzu |
gitops_repository_name | The name of the repository. | - name: gitops_repository_name value: cartographer |
registry | Specification of the registry server and repository from which the configuration is fetched. | - name: registry value: server: index.docker.io repository: web-team ca_cert_data: -----BEGIN CERTIFICATE----- MIIFXzCCA0egAwIBAgIJAJYm37SFocjlMA0GCSqGSIb3DQEBDQUAMEY... -----END CERTIFICATE----- |
Note: When using the Tanzu CLI to configure this serviceAccount parameter, use --param serviceAccount=... . The similarly named --service-account flag sets a different value: the spec.serviceAccountName key in the Workload object.
For information about the ClusterDelivery shipped with ootb-delivery-basic, see Out of the Box Delivery Basic.
Creates a definition of a Deliverable which a user can manually apply to an external Kubernetes cluster. When a properly configured Delivery is installed on that external cluster, the Deliverable pairs with the Delivery to deploy Kubernetes configuration on the cluster. For example, the OOTB Delivery.
Creates a ConfigMap in which the .data field has a key deliverable for which the value is the YAML definition of a Deliverable.
Parameter name | Meaning | Example |
---|---|---|
serviceAccount | Name of the service account providing the necessary permissions for the Delivery to create children objects. Populates the Deliverable's serviceAccount parameter. The service account must be in the same namespace as the Deliverable. | - name: serviceAccount value: default |
gitops_ssh_secret | Name of the secret where credentials exist for fetching the configuration from a Git repository. Populates the Deliverable's gitops_ssh_secret parameter. The secret must be in the same namespace as the Deliverable. | - name: gitops_ssh_secret value: ssh-secret |
gitops_branch | Name of the branch from which to fetch the configuration. | - name: gitops_branch value: main |
gitops_repository | Deprecated. The full repository URL from which the configuration is fetched. | - name: gitops_repository value: "https://github.com/vmware-tanzu/cartographer" |
gitops_repository_prefix | Deprecated. The prefix of the repository URL. | - name: gitops_repository_prefix value: "https://github.com/vmware-tanzu/" |
gitops_server_address | The server URL of the Git repository from which configuration is fetched. | - name: gitops_server_address value: "https://github.com/" |
gitops_repository_owner | The owner/organization to which the repository belongs. | - name: gitops_repository_owner value: vmware-tanzu |
gitops_repository_name | The name of the repository. | - name: gitops_repository_name value: cartographer |
registry | Specification of the registry server and repository from which the configuration is fetched. | - name: registry value: server: index.docker.io repository: web-team ca_cert_data: -----BEGIN CERTIFICATE----- MIIFXzCCA0egAwIBAgIJAJYm37SFocjlMA0GCSqGSIb3DQEBDQUAMEY... -----END CERTIFICATE----- |
For information about the ClusterDelivery shipped with ootb-delivery-basic, see Out of the Box Delivery Basic.
For information about using the Deliverable object in a multicluster environment, see Getting started with multicluster Tanzu Application Platform.
Continuously fetches Kubernetes configuration files from a Git repository or container image registry and makes them available on the cluster.
This template creates one of two objects, either:
- GitRepository. Created if the deliverable has .spec.source.git defined.
- ImageRepository. Created if the deliverable has .spec.source.image defined.
GitRepository makes source code from a particular commit available as a tarball in the cluster. Other resources in the delivery can then access that code.
Parameter name | Meaning | Example |
---|---|---|
gitImplementation | The library used to fetch source code. | - name: gitImplementation value: go-git |
source_credentials_secret | Name of the secret used to provide credentials for the Git repository. The secret with this name must exist in the same namespace as the Deliverable. The credentials must be sufficient to read the repository. See Git authentication. | - name: source_credentials_secret value: git-credentials |
For an example using the Tanzu CLI to create a Workload using GitHub as the provider of source code, see Create a workload from GitHub repository.
For information about GitRepository objects, see GitRepository.
ImageRepository makes the contents of a container image available as a tarball on the cluster.
Parameter name | Meaning | Example |
---|---|---|
serviceAccount | Name of the service account providing credentials to ImageRepository for fetching container images. The service account must exist in the same namespace as the Deliverable. | - name: serviceAccount value: default |
For information about the ImageRepository resource, see ImageRepository reference docs.
Applies Kubernetes configuration to the cluster.
Creates a kapp App.
Parameter name | Meaning | Example |
---|---|---|
serviceAccount | Name of the service account providing the necessary privileges for App to apply the Kubernetes objects to the cluster. The service account must be in the same namespace as the Deliverable. | - name: serviceAccount value: default |
gitops_sub_path | Deprecated. Sub directory within the configuration bundle that is used for looking up the files to apply to the Kubernetes cluster. | - name: gitops_sub_path value: ./config |
Note: The gitops_sub_path parameter is deprecated. Use deliverable.spec.source.subPath instead.
For details about RBAC and how kapp-controller makes use of the ServiceAccount provided through the Deliverable's serviceAccount parameter, see kapp-controller's Security Model.
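A hand-written Deliverable for an external run cluster together with the least-privilege ServiceAccount that the app-deploy template hands to kapp-controller, as an added example that is not from the Tanzu documentation. spec.source.subPath is used instead of the deprecated gitops_sub_path parameter. Names, namespace, URL and the set of resource kinds in the Role are placeholders: grant only the kinds your generated configuration actually contains, since kapp-controller applies the configuration with exactly this identity.

```yaml
# Added example (not from the TAP documentation). Placeholders throughout;
# widen the Role only to the kinds present in the generated configuration.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: billing-deployer
  namespace: prod
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: billing-deployer
  namespace: prod
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["services", "configmaps"]   # kapp also records app metadata in a ConfigMap
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: billing-deployer
  namespace: prod
subjects:
- kind: ServiceAccount
  name: billing-deployer
  namespace: prod
roleRef:
  kind: Role
  name: billing-deployer
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: carto.run/v1alpha1
kind: Deliverable
metadata:
  name: billing
  namespace: prod
  labels:
    app.kubernetes.io/part-of: billing
spec:
  source:
    git:
      url: https://gitlab.example.com/platform/billing-config.git
      ref:
        branch: main
    subPath: config/billing                # replaces the gitops_sub_path parameter
  params:
  - name: source_credentials_secret        # read-only credential for the gitops repository
    value: gitops-read-credentials
  - name: serviceAccount                   # the namespaced Role above, not cluster-admin
    value: billing-deployer
```

Because the run cluster only ever reads the gitops repository, the credential it holds can be read-only even when the build cluster's writer credential is compromised; and because the ServiceAccount is bound to a namespaced Role, a malicious change to the repository can at most alter the kinds listed in that Role within the prod namespace.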
Bundles Kubernetes configuration into a Carvel Package.
Creates a taskrun.tekton.dev which provides configuration to the carvel-package Tekton Task, which bundles Kubernetes configuration into a Carvel Package.
This template uses the lifecycle: tekton flag to create new immutable objects rather than updating the previous object.
Parameter name | Meaning | Example |
---|---|---|
serviceAccount | Name of the service account to use for providing Docker credentials. The service account must exist in the same namespace as the Workload. The service account must have a secret associated with the credentials. See Configuring authentication for Docker in the Tekton documentation. | - name: serviceAccount value: default |
registry | Specification of the registry server and repository in which the built image is placed. | - name: registry value: server: index.docker.io repository: web-team |
carvel_package_gitops_subpath | Specifies the subpath to which Carvel Packages should be written. | - name: carvel_package_gitops_subpath value: path/to/my/dir |
carvel_package_name_suffix | Specifies the suffix to append to the Carvel Package name. The format is WORKLOAD_NAME.WORKLOAD_NAMESPACE.carvel_package_name_suffix. The full Carvel Package name must be a valid DNS subdomain name as defined in RFC 1123. | - name: carvel_package_name_suffix value: vmware.com |
carvel_package_parameters | Specifies the custom Carvel Package parameters. | See the carvel_package_parameters example after this table. |
carvel_package_openapiv3_enabled | Specifies whether the Carvel Package should include a generated OpenAPIv3 specification. | - name: carvel_package_openapiv3_enabled value: true |
The carvel_package_parameters example from the table above, with its indentation restored:

```yaml
- name: carvel_package_parameters
  value: |
    - selector:
        matchLabels:
          apps.tanzu.vmware.com/workload-type: server
      schema: |
        #@data/values-schema
        ---
        #@schema/title "Workload name"
        #@schema/example "tanzu-java-web-app"
        #@schema/validation min_len=1
        workload_name: ""
        #@schema/title "Replicas"
        replicas: 1
        #@schema/title "Port"
        port: 8080
        #@schema/title "Hostname"
        #@schema/example "app.tanzu.vmware.com"
        hostname: ""
        #@schema/title "Cluster Issuer"
        cluster_issuer: "tap-ingress-selfsigned"
        #@schema/nullable
        http_route:
          #@schema/default [{"protocol": "https", "name": "default-gateway"}]
          gateways:
          - protocol: ""
            name: ""
      overlays: |
        #@ load("@ytt:overlay", "overlay")
        #@ load("@ytt:data", "data")
        #@overlay/match by=overlay.subset({"apiVersion":"apps/v1", "kind": "Deployment"})
        ---
        spec:
          #@overlay/match missing_ok=True
          replicas: #@ data.values.replicas
        #@ if data.values.http_route != None:
        ---
        apiVersion: gateway.networking.k8s.io/v1beta1
        kind: HTTPRoute
        metadata:
          name: #@ data.values.workload_name + "-route"
        spec:
          parentRefs:
          #@ for/end gateway in data.values.http_route.gateways:
          - group: gateway.networking.k8s.io
            kind: Gateway
            name: #@ gateway.name
            sectionName: #@ gateway.protocol + "-" + data.values.workload_name
          rules:
          - backendRefs:
            - name: #@ data.values.workload_name
              port: #@ data.values.port
        #@ elif data.values.hostname != "":
        ---
        apiVersion: networking.k8s.io/v1
        kind: Ingress
        metadata:
          name: #@ data.values.workload_name
          annotations:
            cert-manager.io/cluster-issuer: #@ data.values.cluster_issuer
            ingress.kubernetes.io/force-ssl-redirect: "true"
            kubernetes.io/ingress.class: contour
            kapp.k14s.io/change-rule: "upsert after upserting Services"
          labels:
            app.kubernetes.io/component: "run"
            carto.run/workload-name: #@ data.values.workload_name
        spec:
          tls:
          - secretName: #@ data.values.workload_name
            hosts:
            - #@ data.values.hostname
          rules:
          - host: #@ data.values.hostname
            http:
              paths:
              - pathType: Prefix
                path: /
                backend:
                  service:
                    name: #@ data.values.workload_name
                    port:
                      number: #@ data.values.port
        #@ end
    - selector:
        matchLabels:
          apps.tanzu.vmware.com/workload-type: web
      schema: |
        #@data/values-schema
        ---
        #@schema/validation min_len=1
        workload_name: ""
      overlays: ""
    - selector:
        matchLabels:
          apps.tanzu.vmware.com/workload-type: worker
      schema: |
        #@data/values-schema
        ---
        #@schema/validation min_len=1
        workload_name: ""
        replicas: 1
      overlays: |
        #@ load("@ytt:overlay", "overlay")
        #@ load("@ytt:data", "data")
        #@overlay/match by=overlay.subset({"apiVersion":"apps/v1", "kind": "Deployment"})
        ---
        spec:
          #@overlay/match missing_ok=True
          replicas: #@ data.values.replicas
```
To read more about `lifecycle: tekton`, read Cartographer Lifecycle.
Persist the Carvel Package Kubernetes configuration passed to the template in an external Git repository.
A Runnable that creates a Tekton TaskRun referring either to the Tekton Task git-writer.
Parameter name | Meaning | Example |
---|---|---|
`serviceAccount` | Name of the service account which provides the credentials to the registry or repository. The service account must exist in the same namespace as the Workload. | `- name: serviceAccount value: default` |
`gitops_branch` | Name of the branch to push the configuration to. | `- name: gitops_branch value: main` |
`gitops_user_name` | User name to use in the commits. | `- name: gitops_user_name value: "Alice Lee"` |
`gitops_user_email` | User email address to use in the commits. | `- name: gitops_user_email value: alice@example.com` |
`gitops_commit_message` | Message to write as the body of the commits produced for pushing configuration to the Git repository. | `- name: gitops_commit_message value: "ci bump"` |
`gitops_repository` | The full repository URL to which the configuration is committed. DEPRECATED | `- name: gitops_repository value: "https://github.com/vmware-tanzu/cartographer"` |
`gitops_repository_prefix` | The prefix of the repository URL. DEPRECATED | `- name: gitops_repository_prefix value: "https://github.com/vmware-tanzu/"` |
`gitops_server_address` | The server URL of the Git repository to which configuration is applied. | `- name: gitops_server_address value: "https://github.com/"` |
`gitops_repository_owner` | The owner/organization to which the repository belongs. | `- name: gitops_repository_owner value: vmware-tanzu` |
`gitops_repository_name` | The name of the repository. | `- name: gitops_repository_name value: cartographer` |
`registry` | Specification of the registry server and repository in which the configuration is placed. | `- name: registry value: server: index.docker.io repository: web-team ca_cert_data: -----BEGIN CERTIFICATE----- MIIFXzCCA0egAwIBAgIJAJYm37SFocjlMA0GCSqGSIb3DQEBDQUAMEY... -----END CERTIFICATE-----` |
`carvel_package_gitops_subpath` | Specifies the subpath to which Carvel Packages should be written. | `- name: carvel_package_gitops_subpath value: path/to/my/dir` |
`carvel_package_name_suffix` | Specifies the suffix to append to the Carvel Package name. The format is `WORKLOAD_NAME.WORKLOAD_NAMESPACE.carvel_package_name_suffix`. The full Carvel Package name must be a valid DNS subdomain name as defined in RFC 1123. | `- name: carvel_package_name_suffix value: vmware.com` |
See Gitops vs RegistryOps for more information about the operation of this template and of the package-config-writer-and-pull-requester-template (experimental).
Persist the Carvel Package Kubernetes configuration passed to the template to a branch in a repository and open a pull request to another branch. This allows the configuration to be reviewed manually before it is deployed to a cluster.
A Tekton TaskRun that refers to the Tekton Task commit-and-pr.
Parameter name | Meaning | Example |
---|---|---|
`serviceAccount` | Name of the service account which provides the credentials to the registry or repository. The service account must exist in the same namespace as the Workload. | `- name: serviceAccount value: default` |
`gitops_commit_branch` | Name of the branch to which configuration is pushed. | `- name: gitops_commit_branch value: feature` |
`gitops_branch` | Name of the branch to which a pull request is opened. | `- name: gitops_branch value: main` |
`gitops_user_name` | User name to use in the commits. | `- name: gitops_user_name value: "Alice Lee"` |
`gitops_user_email` | User email address to use in the commits. | `- name: gitops_user_email value: alice@example.com` |
`gitops_commit_message` | Message to write as the body of the commits produced for pushing configuration to the Git repository. | `- name: gitops_commit_message value: "ci bump"` |
`gitops_pull_request_title` | Title of the pull request to be opened. | `- name: gitops_pull_request_title value: "ready for review"` |
`gitops_pull_request_body` | Body of the pull request to be opened. | `- name: gitops_pull_request_body value: "generated by supply chain"` |
`gitops_server_address` | The server URL of the Git repository to which configuration is applied. | `- name: gitops_server_address value: "https://github.com/"` |
`gitops_repository_owner` | The owner/organization to which the repository belongs. | `- name: gitops_repository_owner value: vmware-tanzu` |
`gitops_repository_name` | The name of the repository. | `- name: gitops_repository_name value: cartographer` |
`gitops_server_kind` | The kind of Git provider. | `- name: gitops_server_kind value: gitlab` |
`carvel_package_gitops_subpath` | Specifies the subpath to which Carvel Packages should be written. | `- name: carvel_package_gitops_subpath value: path/to/my/dir` |
`carvel_package_name_suffix` | Specifies the suffix to append to the Carvel Package name. The format is `WORKLOAD_NAME.WORKLOAD_NAMESPACE.carvel_package_name_suffix`. The full Carvel Package name must be a valid DNS subdomain name as defined in RFC 1123. | `- name: carvel_package_name_suffix value: vmware.com` |
`ca_cert_data` | The string contents of the SSL certificate of the Git server. | `- name: ca_cert_data value: -----BEGIN CERTIFICATE----- MIIFXzCCA0egAwIBAgIJAJYm37SFocjlMA0GCSqGSIb3DQEBDQUAMEY... -----END CERTIFICATE-----` |
See Gitops vs RegistryOps for more information about the operation of this template and of the package-config-writer-template (experimental).
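Both writer templates above compose the Carvel Package name as `WORKLOAD_NAME.WORKLOAD_NAMESPACE.carvel_package_name_suffix` and require the result to be a valid RFC 1123 DNS subdomain name. The following is an added example, not code from the Tanzu or Cartographer projects, that checks a chosen `carvel_package_name_suffix` against that rule before it is set on a Workload, so that a suffix with uppercase letters, underscores or a trailing dot is caught locally rather than when the Package object is applied. The function names, the sample workload names and the error messages are constructed for this example; the length and label rules are those Kubernetes applies to DNS subdomain names.

```python
import re

# RFC 1123 DNS subdomain rules as enforced by Kubernetes on object names:
# - at most 253 characters in total
# - one or more labels separated by "."
# - each label is 1 to 63 characters of lowercase alphanumerics or "-",
#   and starts and ends with an alphanumeric character
MAX_SUBDOMAIN_LEN = 253
MAX_LABEL_LEN = 63
_LABEL_RE = re.compile(r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$")


def is_valid_dns_subdomain(name: str) -> bool:
    """Return True if `name` is a valid RFC 1123 DNS subdomain name."""
    if not name or len(name) > MAX_SUBDOMAIN_LEN:
        return False
    return all(
        len(label) <= MAX_LABEL_LEN and _LABEL_RE.match(label) is not None
        for label in name.split(".")
    )


def carvel_package_name(workload_name: str, workload_namespace: str, suffix: str) -> str:
    """Compose the Package name in the documented
    WORKLOAD_NAME.WORKLOAD_NAMESPACE.carvel_package_name_suffix format."""
    return f"{workload_name}.{workload_namespace}.{suffix}"


def check_package_name(workload_name: str, workload_namespace: str, suffix: str):
    """Return (full_name, problems). An empty `problems` list means the
    composed name is acceptable; otherwise each entry names one violation."""
    full = carvel_package_name(workload_name, workload_namespace, suffix)
    problems = []
    if len(full) > MAX_SUBDOMAIN_LEN:
        problems.append(f"total length {len(full)} exceeds {MAX_SUBDOMAIN_LEN}")
    for label in full.split("."):
        if not label:
            problems.append("empty label (leading, trailing or doubled '.')")
        elif len(label) > MAX_LABEL_LEN:
            problems.append(f"label {label!r} exceeds {MAX_LABEL_LEN} characters")
        elif not _LABEL_RE.match(label):
            problems.append(
                f"label {label!r} must be lowercase alphanumerics or '-', "
                "starting and ending with an alphanumeric character"
            )
    return full, problems


if __name__ == "__main__":
    # Constructed sample inputs: one valid suffix and three invalid ones.
    samples = [
        ("tanzu-java-web-app", "dev", "vmware.com"),
        ("MyApp", "dev", "vmware.com"),      # uppercase in workload name
        ("app", "dev", "vmware_com"),        # underscore in suffix
        ("app", "dev", "vmware.com."),       # trailing dot in suffix
    ]
    for args in samples:
        name, problems = check_package_name(*args)
        status = "ok" if not problems else "; ".join(problems)
        print(f"{name}: {status}")
```

Run the check with the same workload name and namespace the Workload will use, since all three parts contribute to the 253-character budget; a suffix alone being valid is not enough.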