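├── gitops
│   ├── tap-install-ns.yml
│   ├── tap-install-config.yml.tpl
│   ├── tap-install.yml
│   ├── rbac.yml
│   └── tap-install-secrets.yml.tpl
├── .gitignore
├── config
│   ├── tap-namespace.yml
│   ├── tap-values-secrets.yml
│   ├── tap-values-input.yml
│   ├── kapp-config.yml
│   ├── tap-repo.yml
│   ├── tap-registry.yml
│   └── rbac.yml
├── config-full
│   ├── tap-values-full-input.yml
│   ├── dev-namespace.yml
│   └── tap-values-full.yml
├── README.md
├── additional
│   └── external-dns
│       └── external-dns.yml
└── LICENSE
/gitops/tap-install-ns.yml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Namespace
metadata:
  name: tap-install-gitops
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
.DS_Store
config-custom

# SECRETS
# The two files below are filled in from the *.tpl templates in gitops/ and hold
# registry, GitHub and database credentials in clear text. Anything derived from
# them (e.g. a saved `ytt -f gitops` output) must stay out of the repo as well.
tap-install-config.yml
tap-install-secrets.yml
--------------------------------------------------------------------------------
/config/tap-namespace.yml:
--------------------------------------------------------------------------------
#@ load("@ytt:data", "data")
---
apiVersion: v1
kind: Namespace
metadata:
  name: #@ data.values.tap.namespace
--------------------------------------------------------------------------------
/config-full/tap-values-full-input.yml:
--------------------------------------------------------------------------------
#@data/values

#@overlay/match-child-defaults missing_ok=True
---
tap:
  devNamespace: dev-tap

  domains:
    learningCenter: learningcenter.tap.tanzu.corp
    knative: apps.tap.tanzu.corp
--------------------------------------------------------------------------------
/config/tap-values-secrets.yml:
--------------------------------------------------------------------------------
#@data/values

#@overlay/match-child-defaults missing_ok=True
---
tap:
  #! Placeholder defaults only. The real values are overlaid from the
  #! `tap-install-gitops` Secret (gitops/tap-install.yml, valuesFrom.secretRef).
  #! If that Secret is missing, these literal strings are what gets rendered into
  #! the generated dockerconfigjson Secrets — look for them when a pull fails.
  credentials:
    tanzuNet:
      host: registry.tanzu.vmware.com
      username: TANZUNET_USERNAME
      password: TANZUNET_PASSWORD
    registry:
      username: REGISTRY_USERNAME
      password: REGISTRY_PASSWORD
--------------------------------------------------------------------------------
/config/tap-values-input.yml:
--------------------------------------------------------------------------------
#@data/values

#@overlay/match-child-defaults missing_ok=True
---
tap:
  version: "1.0.1"
  namespace: tap-install
  catalogs: []

  registry:
    host: registry.tap.tanzu.corp
    repositories:
      buildService: repo/build-service
      ootbSupplyChain: repo/supply-chain

  domains:
    main: tap.tanzu.corp
    tapGui: tap-gui.tap.tanzu.corp
--------------------------------------------------------------------------------
/config/kapp-config.yml:
--------------------------------------------------------------------------------
apiVersion: kapp.k14s.io/v1alpha1
kind: Config
minimumRequiredVersion: 0.29.0
waitRules:
  - supportsObservedGeneration: true
    conditionMatchers:
      - type: ReconcileFailed
        status: "True"
        failure: true
      - type: ReconcileSucceeded
        status: "True"
        success: true
    resourceMatchers:
      - apiVersionKindMatcher:
          apiVersion: packaging.carvel.dev/v1alpha1
          kind: PackageRepository
--------------------------------------------------------------------------------
/config/tap-repo.yml:
--------------------------------------------------------------------------------
#@ load("@ytt:data", "data")
---
apiVersion: packaging.carvel.dev/v1alpha1
kind: PackageRepository
metadata:
  name: tanzu-tap-repository
  namespace: #@ data.values.tap.namespace
  annotations:
    kapp.k14s.io/change-group: tap-install/tap-repo
spec:
  fetch:
    imgpkgBundle:
      #! The bundle is referenced by its version tag. Tags are mutable, so an
      #! upstream re-push of the same tag changes what every cluster installs
      #! without a commit here; pin an @sha256 digest if that matters to you.
      image: #@ "{}/tanzu-application-platform/tap-packages:{}".format(data.values.tap.credentials.tanzuNet.host, data.values.tap.version)
      secretRef:
        name: tap-registry
--------------------------------------------------------------------------------
/gitops/tap-install-config.yml.tpl:
--------------------------------------------------------------------------------
#@ load("@ytt:yaml", "yaml")
---
#@ def config():
tap:
  #! Set Backstage catalogs to include by default.
  catalogs:
    - https://github.com/tanzu-corp/tap-catalog/blob/main/catalog-info.yaml

  registry:
    host: registry.tanzu.corp
    repositories:
      buildService: tanzu/tanzu-build-service
      ootbSupplyChain: tanzu/tanzu-supply-chain

  domains:
    main: apps.tanzu.corp
    tapGui: tap-gui.apps.tanzu.corp
    learningCenter: learningcenter.apps.tanzu.corp
    knative: apps.tanzu.corp
#@ end
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: tap-install-gitops
  namespace: tap-install-gitops
data:
  tap-config.yml: #@ yaml.encode(config())
--------------------------------------------------------------------------------
/gitops/tap-install.yml:
--------------------------------------------------------------------------------
apiVersion: kappctrl.k14s.io/v1alpha1
kind: App
metadata:
  name: tap-install-gitops
  namespace: tap-install-gitops
  annotations:
    kapp.k14s.io/change-group: tap-install-gitops/app
    kapp.k14s.io/change-rule: "upsert after upserting tap-install-gitops/rbac"
spec:
  #! This ServiceAccount is bound to a wildcard ClusterRole in gitops/rbac.yml,
  #! so the Git ref fetched below is effectively the cluster's root of trust.
  serviceAccountName: tap-install-gitops-sa
  fetch:
    - git:
        url: https://github.com/alexbarbato/declarative-tap.git
        #! A moving branch: every push to main is applied with cluster-admin
        #! rights. Protect that branch (reviews, no force-push) or pin a tag/commit.
        ref: origin/main
        secretRef:
          name: tap-install-gitops-github
  template:
    - ytt:
        paths:
          - config
          - config-full
          - additional/external-dns
        valuesFrom:
          - configMapRef:
              name: tap-install-gitops
          - secretRef:
              name: tap-install-gitops
  deploy:
    - kapp: {}
--------------------------------------------------------------------------------
/config/tap-registry.yml:
--------------------------------------------------------------------------------
#@ load("@ytt:data", "data")
#@ load("@ytt:base64", "base64")
#@ load("@ytt:json", "json")
---
#@ def config():
#@   return {
#@     "auths": {
#@       data.values.tap.credentials.tanzuNet.host: {
#@         "username": data.values.tap.credentials.tanzuNet.username,
#@         "password": data.values.tap.credentials.tanzuNet.password
#@       }
#@     }
#@   }
#@ end
---
apiVersion: v1
kind: Secret
metadata:
  name: tap-registry
  namespace: #@ data.values.tap.namespace
type: kubernetes.io/dockerconfigjson
stringData:
  .dockerconfigjson: #@ json.encode(config())
---
apiVersion: secretgen.carvel.dev/v1alpha1
kind: SecretExport
metadata:
  name: tap-registry
  namespace: #@ data.values.tap.namespace
spec:
  #! '*' makes the Tanzu Network credentials importable into every namespace
  #! (config-full/dev-namespace.yml relies on this for its `tap-registry`
  #! placeholder). Anyone who can read Secrets in any namespace can then read
  #! them; list the consuming namespaces explicitly once they are known.
  toNamespaces:
    - '*'
--------------------------------------------------------------------------------
/config/rbac.yml:
--------------------------------------------------------------------------------
#@ load("@ytt:data", "data")
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tap-default-sa
  namespace: #@ data.values.tap.namespace
  annotations:
    kapp.k14s.io/change-group: tap-install/rbac
    kapp.k14s.io/change-rule: "delete after deleting tap-install/tap"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tap-default-role
  annotations:
    kapp.k14s.io/change-group: tap-install/rbac
    kapp.k14s.io/change-rule: "delete after deleting tap-install/tap"
#! Wildcard on every group/resource/verb: this is cluster-admin for the
#! PackageInstall's ServiceAccount. Treat `tap-default-sa` tokens accordingly
#! and limit who may run pods with, or impersonate, that account.
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding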
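metadata:
  name: tap-default-role-binding
  annotations:
    kapp.k14s.io/change-group: tap-install/rbac
    kapp.k14s.io/change-rule: "delete after deleting tap-install/tap"
subjects:
  - kind: ServiceAccount
    name: tap-default-sa
    namespace: #@ data.values.tap.namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tap-default-role
--------------------------------------------------------------------------------
/gitops/rbac.yml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tap-install-gitops-sa
  namespace: tap-install-gitops
  annotations:
    kapp.k14s.io/change-group: tap-install-gitops/rbac
    kapp.k14s.io/change-rule: "delete after deleting tap-install-gitops/app"
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tap-install-gitops-cluster-role
  annotations:
    kapp.k14s.io/change-group: tap-install-gitops/rbac
    kapp.k14s.io/change-rule: "delete after deleting tap-install-gitops/app"
#! Full wildcard = cluster-admin. This is what the App in gitops/tap-install.yml
#! runs with, which makes the tracked Git ref the cluster's root of trust.
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  #! Name kept for compatibility with existing deployments; it is cluster-scoped
  #! and generic, so check it does not collide with other tooling.
  name: cluster-admin-cluster-role-binding
  annotations:
    kapp.k14s.io/change-group: tap-install-gitops/rbac
    kapp.k14s.io/change-rule: "delete after deleting tap-install-gitops/app"
subjects:
  #! Only the ServiceAccount created above. A second subject with the same name
  #! in the `default` namespace used to be listed here; nothing in this repo
  #! creates it, and keeping it would hand cluster-admin to any ServiceAccount
  #! later created under that name in `default`.
  - kind: ServiceAccount
    name: tap-install-gitops-sa
    namespace: tap-install-gitops
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tap-install-gitops-cluster-role
--------------------------------------------------------------------------------
/gitops/tap-install-secrets.yml.tpl: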
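--------------------------------------------------------------------------------
#@ load("@ytt:yaml", "yaml")
---
#@ def config():
tap:
  credentials:
    #! Pick one registry for downloading images: Tanzu Network or Pivotal Network
    #! (use tanzuNet as key).
    tanzuNet:
      username: INSERT-TANZUNET-USERNAME
      password: INSERT-TANZUNET-PASSWORD
    tanzuNet-pivnet:
      host: registry.pivotal.io
      username: INSERT-PIVNET-USERNAME
      password: INSERT-PIVNET-PASSWORD

    #! Credentials for your own registry. The build service pushes with them
    #! (config-full/tap-values-full.yml, kp_default_repository_*) and they are
    #! copied into the developer namespace by config-full/dev-namespace.yml, so
    #! use a robot account limited to the repositories named in
    #! tap-install-config.yml rather than a personal login.
    registry:
      username: INSERT-REGISTRY-USERNAME
      password: INSERT-REGISTRY-PASSWORD

    #! Remove suffix "-disabled" to enable GitHub integration:
    #! - set clientId and clientSecret to enable authentication,
    #! - set token to download resources from GitHub (such as Backstage catalogs).
    #! The token is written into the TAP GUI config (config-full/tap-values-full.yml);
    #! a read-only, fine-grained token limited to the catalog repositories is enough.
    github-disabled:
      clientId: INSERT-GITHUB-CLIENTID
      clientSecret: INSERT-GITHUB-CLIENTSECRET
      token: INSERT-GITHUB-TOKEN

    #! Remove suffix "-disabled" to enable Backstage persistence.
    backstage-disabled:
      database:
        client: pg
        host: INSERT-DB-HOST
        port: 5432
        username: INSERT-DB-USERNAME
        password: INSERT-DB-PASSWORD

    #! ---------- Additional configuration beyond basic TAP installation ----------

    #! Remove suffix "-disabled" to enable a provider for External DNS.
    #! Keep the `externalDns` key itself even when both providers stay disabled:
    #! additional/external-dns/external-dns.yml reads it unconditionally.
    externalDns:
      aws-disabled:
        region: eu-central-1
        #! Static IAM keys: scope their policy to the hosted zone below only.
        #! Note internal VMware users: CloudGate credentials will not have the necessary permissions to work
        credentials:
          accessKey:
          secretKey:
        route_fifty_three_zone_id:

      cloudflare-disabled:
        credentials:
          apiToken:
#@ end
---
apiVersion: v1
kind: Secret
metadata:
  name: tap-install-gitops-github
  namespace: tap-install-gitops
stringData:
  username: github
  #! Only needs read access to the repository in gitops/tap-install.yml
  #! (spec.fetch.git.url); do not reuse a token with write or org-wide scope.
  password: INSERT-GITHUB-TOKEN
---
apiVersion: v1
kind: Secret
metadata:
  name: tap-install-gitops
  namespace: tap-install-gitops
stringData:
  tap-secrets.yml: #@ yaml.encode(config())
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Deploying Tanzu Application Platform with GitOps

This project shows how to deploy
[Tanzu Application Platform](https://tanzu.vmware.com/application-platform) (TAP)
with a GitOps approach. Using this strategy, you can share the same configuration
across different installations
(one commit means one `tanzu package installed update` for every cluster),
while tracking any configuration updates with Git (easy rollbacks).

**Please note that this project is authored by a VMware employee under open source license terms.**

## How does it work?

This GitOps approach relies solely on [kapp-controller](https://carvel.dev/kapp-controller/)
and [ytt](https://carvel.dev/ytt/) to track Git commits and apply the configuration
to every cluster. These tools are part of the TAP prerequisites.

## How to use it?
### Setup
1. Make sure [Cluster Essentials for VMware Tanzu is deployed to your cluster](https://docs.vmware.com/en/Tanzu-Application-Platform/1.0/tap/GUID-install-general.html#install-cluster-essentials-for-vmware-tanzu-2).

1.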
Create new file `tap-install-config.yml` in `gitops`, reusing content from [`tap-install-config.yml.tpl`](gitops/tap-install-config.yml.tpl).
Edit this file to match your environment (registry host and repositories, domains, catalogs):

1. Do the same with [`tap-install-secrets.yml.tpl`](gitops/tap-install-secrets.yml.tpl)
by creating `tap-install-secrets.yml`:
   - NOTE: This file is listed in `.gitignore` because it holds registry, GitHub and database credentials in clear text. Make sure it is never committed, and treat any rendered copy of it (for example a saved `ytt -f gitops` output) the same way.

1. (OPTIONAL) Update the `tap-install.yml` with your repository if you've forked the project. Ultimately this is the "single" file that drives the declarative loop: kapp-controller fetches `spec.fetch.git.ref` (`origin/main` by default) and applies it with the service account from [`gitops/rbac.yml`](gitops/rbac.yml), which is bound to a wildcard (cluster-admin equivalent) ClusterRole. Anyone who can push to that ref therefore controls every cluster following it — protect the branch, or pin `ref` to a tag or commit.

1. (OPTIONAL) If you're updating any of the values of the TAP install, such as the TAP version, you'll want to commit them to your git repo.

1. (OPTIONAL) Remove any of the additional packages from the app in [`tap-install.yml`](gitops/tap-install.yml) should you not want them deployed (e.g. `additional/external-dns`).

### Deploy
You are now ready to apply the GitOps configuration:

```shell
kapp deploy -a tap-install-gitops -f <(ytt -f gitops)
```

At this point, kapp-controller will monitor the Git repository: any updates
(commits) will be applied to your cluster, without having to run any commands.

Check that TAP is being deployed by running either command below:

```shell
tanzu package installed list -n tap-install

# OR

kctrl package installed list -n tap-install
```

Enjoy!

## Contribute

Contributions are always welcome!

Feel free to open issues & send PR.

## License

Copyright © 2022 [VMware, Inc. or its affiliates](https://vmware.com).

This project is licensed under the [Apache Software License version 2.0](https://www.apache.org/licenses/LICENSE-2.0).
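--------------------------------------------------------------------------------
/config-full/dev-namespace.yml:
--------------------------------------------------------------------------------
#@ load("@ytt:data", "data")
#@ load("@ytt:base64", "base64")
#@ load("@ytt:json", "json")

#@ if data.values.tap.devNamespace != "default" and data.values.tap.devNamespace != "":
---
apiVersion: v1
kind: Namespace
metadata:
  name: #@ data.values.tap.devNamespace
---
#@ def config():
#@   return {
#@     "auths": {
#@       data.values.tap.registry.host: {
#@         "username": data.values.tap.credentials.registry.username,
#@         "password": data.values.tap.credentials.registry.password
#@       }
#@     }
#@   }
#@ end
---
apiVersion: v1
kind: Secret
metadata:
  name: registry-credentials
  namespace: #@ data.values.tap.devNamespace
#! Holds the same registry credentials the build service pushes with
#! (tap-values-full.yml, kp_default_repository_*). They are attached to the
#! `default` ServiceAccount below, so any pod in this namespace running as
#! `default` can read them and push images. Prefer a repository-scoped or
#! pull-only account here if your registry supports it.
type: kubernetes.io/dockerconfigjson
stringData:
  .dockerconfigjson: #@ json.encode(config())
---
apiVersion: v1
kind: Secret
metadata:
  name: tap-registry
  namespace: #@ data.values.tap.devNamespace
  annotations:
    secretgen.carvel.dev/image-pull-secret: ""
type: kubernetes.io/dockerconfigjson
data:
  #! Placeholder (`e30K` is base64 for "{}"); it is populated by
  #! secretgen-controller from the SecretExport in config/tap-registry.yml.
  .dockerconfigjson: e30K
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
  namespace: #@ data.values.tap.devNamespace
#! `secrets:` also makes registry-credentials mountable/readable through the
#! account, not just usable for image pulls.
secrets:
  - name: registry-credentials
imagePullSecrets:
  - name: registry-credentials
  - name: tap-registry
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: default
  namespace: #@ data.values.tap.devNamespace
#! Namespace-scoped, but granted to the `default` ServiceAccount, i.e. to every
#! workload in the namespace that does not set its own serviceAccountName.
rules:
  - apiGroups: [source.toolkit.fluxcd.io]
    resources: [gitrepositories]
    verbs: ['*']
  - apiGroups: [source.apps.tanzu.vmware.com]
    resources: [imagerepositories]
    verbs: ['*']
  - apiGroups: [carto.run]
    resources: [deliverables, runnables]
    verbs: ['*']
  - apiGroups: [kpack.io]
    resources: [images]
    verbs: ['*']
  - apiGroups: [conventions.apps.tanzu.vmware.com]
    resources: [podintents]
    verbs: ['*']
  - apiGroups: [""]
    resources: ['configmaps']
    verbs: ['*']
  - apiGroups: [""]
    resources: ['pods']
    verbs: ['list']
  - apiGroups: [tekton.dev]
    resources: [taskruns, pipelineruns]
    verbs: ['*']
  - apiGroups: [tekton.dev]
    resources: [pipelines]
    verbs: ['list']
  - apiGroups: [kappctrl.k14s.io]
    resources: [apps]
    verbs: ['*']
  - apiGroups: [serving.knative.dev]
    resources: ['services']
    verbs: ['*']
  - apiGroups: [servicebinding.io]
    resources: ['servicebindings']
    verbs: ['*']
  - apiGroups: [services.apps.tanzu.vmware.com]
    resources: ['resourceclaims']
    verbs: ['*']
  - apiGroups: [scanning.apps.tanzu.vmware.com]
    resources: ['imagescans', 'sourcescans']
    verbs: ['*']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: default
  namespace: #@ data.values.tap.devNamespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: default
subjects:
  - kind: ServiceAccount
    name: default
#@ end
--------------------------------------------------------------------------------
/additional/external-dns/external-dns.yml:
--------------------------------------------------------------------------------
#@ load("@ytt:data", "data")
#@ load("@ytt:yaml", "yaml")
#@ load("@ytt:base64", "base64")

#! Provider selection. The whole file is skipped when neither `aws` nor
#! `cloudflare` is present under tap.credentials.externalDns (both left
#! "-disabled" in gitops/tap-install-secrets.yml.tpl). The previous version
#! fell through to the Cloudflare branch in that case and failed on the
#! missing credentials, which broke the reconcile of the whole App.
#@ dns = data.values.tap.credentials.externalDns
#@ use_aws = "aws" in dns
#@ use_cloudflare = "cloudflare" in dns
#@ if use_aws or use_cloudflare:
---
apiVersion: v1
kind: Namespace
metadata:
  name: external-dns
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-dns
  namespace: external-dns
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  #! ClusterRoles are cluster-scoped; the `namespace:` that used to be set here
  #! was ignored by the API server and only suggested a scoping that did not exist.
  name: external-dns
rules:
  - apiGroups: ['']
    resources: ['endpoints', 'pods', 'services']
    verbs: ['get', 'watch', 'list']
  - apiGroups: ['extensions']
    resources: ['ingresses']
    verbs: ['get', 'watch', 'list']
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get","watch","list"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: external-dns-viewer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: external-dns
subjects:
  - kind: ServiceAccount
    name: external-dns
    namespace: external-dns
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: external-dns
  namespace: external-dns
spec:
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: external-dns
  template:
    metadata:
      labels:
        app: external-dns
    spec:
      serviceAccountName: external-dns
      containers:
        - name: external-dns
          #! Tag-pinned only; pin an @sha256 digest to make the image immutable.
          image: k8s.gcr.io/external-dns/external-dns:v0.10.2
          #! The controller needs no Linux capabilities. runAsNonRoot and a
          #! read-only root filesystem are not set because the image's user is
          #! not recorded here — confirm against the image and add them.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          args:
            - --source=service
            - --source=ingress
            #! Limits external-dns to the TAP main domain; names outside it are not managed.
            - #@ "--domain-filter=" + str(data.values.tap.domains.main)
            #@ if use_aws:
            - --provider=aws
            - --aws-zone-type=public #! Looks only at public hosted zones. Valid values are public, private, or no value for both.
            - --aws-prefer-cname
            - #@ "--txt-owner-id=" + str(dns.aws.route_fifty_three_zone_id)
            #@ else:
            - --provider=cloudflare
            #@ end
            #! upsert-only: records are created/updated but never deleted, so a
            #! bad rollout cannot remove existing DNS entries.
            - --policy=upsert-only
            - --txt-prefix=txt
            - --registry=txt
          env:
            #@ if use_aws:
            - name: AWS_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  name: external-dns-credentials
                  key: aws_access_key_id
            - name: AWS_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: external-dns-credentials
                  key: aws_secret_access_key
            #@ else:
            - name: CF_API_TOKEN
              valueFrom:
                secretKeyRef:
                  name: external-dns-credentials
                  key: cf_api_token
            #@ end
---
apiVersion: v1
kind: Secret
metadata:
  name: external-dns-credentials
  namespace: external-dns
#! Long-lived provider credentials. Scope them to the single zone this
#! deployment manages and rotate them; on AWS a pod identity mechanism would
#! avoid storing static keys in the cluster at all.
stringData:
  #@ if use_aws:
  aws_access_key_id: #@ dns.aws.credentials.accessKey
  aws_secret_access_key: #@ dns.aws.credentials.secretKey
  #@ else:
  cf_api_token: #@ dns.cloudflare.credentials.apiToken
  #@ end
#@ end
--------------------------------------------------------------------------------
/config-full/tap-values-full.yml:
--------------------------------------------------------------------------------
#@ load("@ytt:data", "data")
#@ load("@ytt:yaml", "yaml")

---
#@ def config():
profile: full
ceip_policy_disclosed: true
buildservice:
  kp_default_repository: #@ "{}/{}".format(data.values.tap.registry.host, data.values.tap.registry.repositories.buildService)
  #! Push credentials for the build-service repository. The same values are
  #! copied into the developer namespace by dev-namespace.yml.
  kp_default_repository_username: #@ data.values.tap.credentials.registry.username
  kp_default_repository_password: #@ data.values.tap.credentials.registry.password
  tanzunet_username: #@ data.values.tap.credentials.tanzuNet.username
  tanzunet_password: #@ data.values.tap.credentials.tanzuNet.password
  descriptor_name: "tap-1.1-lite"
  #! Build-service dependencies can change without a commit in this repo;
  #! set to false if every change must go through Git review.
  enable_automatic_dependency_updates: true

supply_chain: basic
ootb_supply_chain_basic:
  registry:
    server: #@ data.values.tap.registry.host
    repository: #@ data.values.tap.registry.repositories.ootbSupplyChain
  gitops:
    ssh_secret: ""

learningcenter:
  ingressDomain: #@ data.values.tap.domains.learningCenter

tap_gui:
  service_type: ClusterIP
  ingressEnabled: "true"
  ingressDomain: #@ data.values.tap.domains.main
  app_config:
    app:
      #! Plain http: the GUI, and the GitHub OAuth flow when enabled below, are
      #! served without TLS. Terminate TLS at the ingress and switch the three
      #! URLs in this file to https before exposing it beyond a lab.
      baseUrl: #@ "http://{}".format(data.values.tap.domains.tapGui)
    integrations:
      #@ if "github" in data.values.tap.credentials and "token" in data.values.tap.credentials.github:
      github:
        - host: github.com
          token: #@ data.values.tap.credentials.github.token
      #@ end
    catalog:
      locations:
        #@ for catalog in data.values.tap.catalogs:
        - type: url
          target: #@ catalog
        #@ end
    backend:
      baseUrl: #@ "http://{}".format(data.values.tap.domains.tapGui)
      cors:
        origin: #@ "http://{}".format(data.values.tap.domains.tapGui)
      #! Persistence belongs in the same `backend` map as baseUrl/cors. It used
      #! to be emitted as a second `backend` key under app_config, which is a
      #! duplicate map key as soon as persistence is enabled.
      #@ if "backstage" in data.values.tap.credentials and "database" in data.values.tap.credentials.backstage:
      database:
        client: #@ data.values.tap.credentials.backstage.database.client
        connection:
          host: #@ data.values.tap.credentials.backstage.database.host
          port: #@ data.values.tap.credentials.backstage.database.port
          user: #@ data.values.tap.credentials.backstage.database.username
          password: #@ data.values.tap.credentials.backstage.database.password
          #! Keep: the database server certificate is verified.
          ssl: {rejectUnauthorized: true}
      #@ end
    #@ if "github" in data.values.tap.credentials and "clientId" in data.values.tap.credentials.github and "clientSecret" in data.values.tap.credentials.github:
    auth:
      #! The auth environment name must match the provider key below
      #! (providers.github.development). Revisit before treating this GUI as production.
      environment: development
      providers:
        github:
          development:
            clientId: #@ data.values.tap.credentials.github.clientId
            clientSecret: #@ data.values.tap.credentials.github.clientSecret
    #@ end

metadata_store:
  #! LoadBalancer publishes the metadata store service outside the cluster;
  #! use ClusterIP plus the ingress unless external clients really need it.
  app_service_type: LoadBalancer

grype:
  namespace: #@ data.values.tap.devNamespace
  targetImagePullSecret: "tap-registry"

contour:
  envoy:
    service:
      type: LoadBalancer

cnrs:
  domain_name: #@ data.values.tap.domains.knative
#@ end
---
apiVersion: v1
kind: Secret
metadata:
  name: tap-values
  namespace: #@ data.values.tap.namespace
type: Opaque
stringData:
  values.yml: #@ yaml.encode(config())
---
apiVersion: packaging.carvel.dev/v1alpha1
kind: PackageInstall
metadata:
  name: tap
  namespace: #@ data.values.tap.namespace
  annotations:
    kapp.k14s.io/change-group: tap
    kapp.k14s.io/change-rule: "upsert after upserting tap-install/rbac"
    kapp.k14s.io/change-rule.repo: "upsert after upserting tap-install/tap-repo"
spec:
  packageRef:
    refName: tap.tanzu.vmware.com
    versionSelection:
      constraints: #@ str(data.values.tap.version)
      prereleases: {}
  #! Runs with the wildcard ClusterRole from config/rbac.yml.
  serviceAccountName: tap-default-sa
  values:
    - secretRef:
        name: tap-values
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/

   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

   1. Definitions.

      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.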
11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 
47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. 
Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | --------------------------------------------------------------------------------