├── manifests
├── harbor
│ ├── values.yml
│ ├── certificate.yml
│ └── harbor.yml
├── tas
│ ├── values.yml
│ └── certificate.yml
├── concourse
│ ├── values.yml
│ ├── namespace.yml
│ ├── certificate.yml
│ ├── README.md
│ └── concourse.yml
├── kubeapps
│ ├── values.yml
│ ├── service-account.yml
│ ├── cluster-role-binding.yml
│ ├── certificate.yml
│ ├── kubeapps.yml
│ └── ingress.yml
├── product-api
│ ├── values.yaml
│ ├── namespace.yml
│ ├── services.yml
│ ├── certificate.yml
│ ├── deployment.yml
│ └── ingress.yml
├── spring-petclinic
│ ├── values.yaml
│ ├── namespace.yaml
│ ├── services.yml
│ ├── certificate.yml
│ ├── ingress.yml
│ ├── deployment.yml
│ └── wavefront-secrets.json
├── minibroker
│ ├── namespace.yml
│ └── minibroker.yml
├── helm-operator
│ ├── namespace.yml
│ └── README.md
├── images
│ ├── values.yml
│ ├── tbs-service-account.yml
│ ├── harbor-docker-creds.yml
│ ├── product-api.yml
│ └── spring-petclinic.yml
├── cert-manager
│ ├── clusterissuer.yml
│ └── cert-manager.yml
├── vsphere-storage
│ └── storageclass.yml
├── mysql
│ └── mysql.yml
├── ingress-nginx
│ └── ingress-nginx.yml
├── tbs
│ ├── descriptor-8.yaml
│ └── descriptor-9.yaml
├── sealed-secrets
│ └── controller.yaml
└── concourse-main
│ └── pipeline-secrets.json
├── install-mysql.sh
├── install-minibroker.sh
├── install-tbs-dependencies.sh
├── install-cert-manager.sh
├── install-concourse-main.sh
├── install-vsphere-storage.sh
├── install-ingress-nginx.sh
├── install-sealedsecrets.sh
├── install-harbor.sh
├── install-images.sh
├── concourse
├── show-pipeline-variables.sh
├── Helper
│ ├── .gitignore
│ └── Dockerfile
├── tasks
│ ├── create-wavefront-event
│ │ ├── create-wavefront-event.yml
│ │ └── create-wavefront-event.sh
│ ├── deploy-harbor
│ │ ├── deploy-harbor.yml
│ │ └── deploy-harbor.sh
│ ├── deploy-kubeapps
│ │ ├── deploy-kubeapps.yml
│ │ └── deploy-kubeapps.sh
│ ├── build-product-api-image
│ │ ├── build-product-api-image.yml
│ │ └── build-product-api-image.sh
│ ├── build-spring-petclinic-image
│ │ ├── build-spring-petclinic-image.yml
│ │ └── build-spring-petclinic-image.sh
│ ├── deploy-product-api-image
│ │ ├── deploy-product-api-image.yml
│ │ └── deploy-product-api-image.sh
│ ├── deploy-spring-petclinic-image
│ │ ├── deploy-spring-petclinic-image.yml
│ │ └── deploy-spring-petclinic-image.sh
│ └── deploy-tbs-dependencies
│ │ ├── deploy-tbs-dependencies.yml
│ │ └── deploy-tbs-dependencies.sh
└── pipeline
│ ├── harbor.yml
│ ├── kubeapps.yml
│ ├── tbs.yml
│ ├── product-api.yml
│ └── spring-petclinic.yml
├── install-kubeapps.sh
├── install-concourse.sh
├── install-product-api.sh
├── .gitignore
├── install-spring-petclinic.sh
├── configure-kubeapps.sh
├── secrets-cert-manager.sh
├── tmc-attach-cluster.sh
├── configure-tas-minibroker.sh
├── NOTICE
├── tas-reset-stack.sh
├── tas-update-stack.sh
├── secrets-spring-petclinic.sh
├── install-helm-operator.sh
├── install-tbs.sh
├── fly.sh
├── install-tas.sh
├── configure-tas.sh
├── secrets-concourse.sh
├── spring-petclinic.patch
├── tkgi-create-clusters.sh
├── LICENSE
├── .envrc.template
└── README.md
/manifests/harbor/values.yml:
--------------------------------------------------------------------------------
#@data/values
---
#! Hostname used as CN and sole SAN of the Harbor certificate
#! (manifests/harbor/certificate.yml). Empty here on purpose: install-harbor.sh
#! renders with --data-values-env=YTT_HARBOR, so set YTT_HARBOR_common_name
#! in the environment (the Concourse task passes it as a param of the same name).
common_name: ""
--------------------------------------------------------------------------------
/manifests/tas/values.yml:
--------------------------------------------------------------------------------
#@data/values
---
#! Domain consumed by the TAS manifests in this directory (manifests/tas/certificate.yml
#! is not shown here — presumably it is the system domain on the TAS certificate; confirm).
#! Empty by default; expected to be supplied at render time from the environment
#! like the other manifests/*/values files.
primary_domain: ""
--------------------------------------------------------------------------------
/manifests/concourse/values.yml:
--------------------------------------------------------------------------------
#@data/values
---
#! Hostname used as CN/SAN of the Concourse web certificate
#! (manifests/concourse/certificate.yml). Supplied via YTT_CONCOURSE_concourse_hostname
#! because install-concourse.sh renders with --data-values-env=YTT_CONCOURSE.
concourse_hostname: ""
--------------------------------------------------------------------------------
/manifests/kubeapps/values.yml:
--------------------------------------------------------------------------------
#@data/values
---
#! Hostname used as CN/SAN of the Kubeapps certificate (manifests/kubeapps/certificate.yml).
#! Supplied via YTT_KUBEAPPS_kubeapps_hostname (install-kubeapps.sh and the
#! deploy-kubeapps Concourse task both render with --data-values-env=YTT_KUBEAPPS).
kubeapps_hostname: ""
--------------------------------------------------------------------------------
/manifests/product-api/values.yaml:
--------------------------------------------------------------------------------
#@data/values
---
#! Container image reference for the product-api Deployment
#! (manifests/product-api/deployment.yml). The Concourse deploy task later
#! re-points the Deployment at a digest-pinned image, so this is only the initial value.
image: ""
#! Hostname used as CN/SAN of the product-api certificate and, presumably, the ingress host
#! (manifests/product-api/ingress.yml is not shown here). Supplied via YTT_PRODUCTAPI_*.
ingress_hostname: ""
--------------------------------------------------------------------------------
/manifests/spring-petclinic/values.yaml:
--------------------------------------------------------------------------------
#@data/values
---
#! Initial container image for the spring-petclinic Deployment; the Concourse deploy
#! task later re-points the Deployment at a digest-pinned image from Harbor.
image: ""
#! Hostname used as CN/SAN of the spring-petclinic certificate and, presumably, the
#! ingress host (ingress.yml not shown). Supplied via YTT_SPRINGPETCLINIC_ingress_hostname.
ingress_hostname: ""
--------------------------------------------------------------------------------
/manifests/concourse/namespace.yml:
--------------------------------------------------------------------------------
#! Namespace that receives the Concourse HelmRelease and its TLS certificate
#! (manifests/concourse/certificate.yml). Rendered through ytt, hence the #! comments.
apiVersion: v1
kind: Namespace
metadata:
  name: concourse
--------------------------------------------------------------------------------
/manifests/minibroker/namespace.yml:
--------------------------------------------------------------------------------
# Namespace for the minibroker HelmRelease (manifests/minibroker/minibroker.yml),
# deployed by install-minibroker.sh.
apiVersion: v1
kind: Namespace
metadata:
  name: minibroker
--------------------------------------------------------------------------------
/manifests/product-api/namespace.yml:
--------------------------------------------------------------------------------
#! Namespace holding the product-api Deployment, Service and Certificate.
apiVersion: v1
kind: Namespace
metadata:
  name: product-api
--------------------------------------------------------------------------------
/install-mysql.sh:
--------------------------------------------------------------------------------
#! /usr/bin/env bash

# Deploy everything under manifests/mysql as the kapp application "mysql".
# Run from the repository root (paths are relative).
set -euo pipefail

kapp deploy --app mysql --file manifests/mysql
--------------------------------------------------------------------------------
/manifests/helm-operator/namespace.yml:
--------------------------------------------------------------------------------
# Namespace for the Flux Helm Operator; install-helm-operator.sh deploys the
# operator chart into it with kapp (--into-ns=helm-operator).
apiVersion: v1
kind: Namespace
metadata:
  name: helm-operator
--------------------------------------------------------------------------------
/manifests/spring-petclinic/namespace.yaml:
--------------------------------------------------------------------------------
#! Namespace holding the spring-petclinic Deployment, Service, Certificate and the
#! sealed Wavefront secret produced by secrets-spring-petclinic.sh.
apiVersion: v1
kind: Namespace
metadata:
  name: spring-petclinic
--------------------------------------------------------------------------------
/manifests/images/values.yml:
--------------------------------------------------------------------------------
#@data/values
---
#! Image tags that kpack pushes the two builds to (manifests/images/product-api.yml
#! and spring-petclinic.yml). Supplied via YTT_TBS_* because install-images.sh
#! renders with --data-values-env=YTT_TBS.
product_api_image: ""
spring_petclinic_image: ""
#! Harbor registry host; manifests/images/harbor-docker-creds.yml prefixes it with
#! "https://" for the kpack.io/docker annotation.
harbor: ""
--------------------------------------------------------------------------------
/install-minibroker.sh:
--------------------------------------------------------------------------------
#! /usr/bin/env bash

# Deploy the minibroker namespace and HelmRelease (manifests/minibroker) as the
# kapp application "minibroker". Run from the repository root.
set -euo pipefail

kapp deploy --app minibroker --file manifests/minibroker
--------------------------------------------------------------------------------
/install-tbs-dependencies.sh:
--------------------------------------------------------------------------------
#! /usr/bin/env bash

set -euo pipefail

# Import the Tanzu Build Service dependency descriptor with kp.
# The descriptor version is hard-coded to 8 although manifests/tbs also ships
# descriptor-9.yaml — confirm which one is intended before running.
kp import -f manifests/tbs/descriptor-8.yaml
--------------------------------------------------------------------------------
/install-cert-manager.sh:
--------------------------------------------------------------------------------
#! /usr/bin/env bash

# Deploy manifests/cert-manager (namespace, HelmRelease, mkcert ClusterIssuer)
# as the kapp application "cert-manager". The HelmRelease needs the Flux Helm
# Operator (install-helm-operator.sh) and the ClusterIssuer needs the `mkcert`
# Secret created by secrets-cert-manager.sh.
set -euo pipefail

kapp deploy --app cert-manager --file manifests/cert-manager
--------------------------------------------------------------------------------
/manifests/kubeapps/service-account.yml:
--------------------------------------------------------------------------------
#! ServiceAccount whose token is printed by configure-kubeapps.sh.
#! NOTE(security): manifests/kubeapps/cluster-role-binding.yml binds this account
#! to cluster-admin, so its token is a full-cluster credential. It also lives in
#! the `default` namespace together with the Kubeapps release itself.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubeapps
  namespace: default
--------------------------------------------------------------------------------
/install-concourse-main.sh:
--------------------------------------------------------------------------------
#! /usr/bin/env bash

# Deploy manifests/concourse-main (pipeline-secrets.json — presumably a
# SealedSecret, like manifests/spring-petclinic/wavefront-secrets.json) as the
# kapp application "concourse-main". Run from the repository root.
set -euo pipefail

kapp deploy --app concourse-main --file manifests/concourse-main
--------------------------------------------------------------------------------
/install-vsphere-storage.sh:
--------------------------------------------------------------------------------
#! /usr/bin/env bash

# Deploy the vSphere default StorageClass (manifests/vsphere-storage) as the
# kapp application "vsphere-storage". Run from the repository root.
set -euo pipefail

kapp deploy --app vsphere-storage --file manifests/vsphere-storage
--------------------------------------------------------------------------------
/install-ingress-nginx.sh:
--------------------------------------------------------------------------------
#! /usr/bin/env bash

# Deploy the ingress-nginx manifest as the kapp application "ingress-nginx".
# Only the single file is passed (not the directory). Run from the repository root.
set -euo pipefail

kapp deploy --app ingress-nginx --file manifests/ingress-nginx/ingress-nginx.yml
--------------------------------------------------------------------------------
/install-sealedsecrets.sh:
--------------------------------------------------------------------------------
#! /usr/bin/env bash

# Deploy the Sealed Secrets controller as the kapp application "sealed-secrets".
# The controller must exist before secrets-spring-petclinic.sh can run kubeseal.
set -euo pipefail

kapp deploy --app sealed-secrets --file manifests/sealed-secrets/controller.yaml
--------------------------------------------------------------------------------
/install-harbor.sh:
--------------------------------------------------------------------------------
#! /usr/bin/env bash

# Render manifests/harbor with ytt (data values from YTT_HARBOR_* environment
# variables, e.g. YTT_HARBOR_common_name) and deploy the result as the kapp
# application "harbor" without an interactive confirmation.
set -euo pipefail

ytt --file manifests/harbor --data-values-env YTT_HARBOR \
  | kapp deploy --app harbor --file - --yes
--------------------------------------------------------------------------------
/install-images.sh:
--------------------------------------------------------------------------------
#! /usr/bin/env bash

# Render manifests/images (kpack Image resources, the tbs-service-account and
# the Harbor registry credential) with ytt, taking data values from YTT_TBS_*
# environment variables, and deploy the result as the kapp application "images".
set -euo pipefail

ytt --file manifests/images --data-values-env YTT_TBS \
  | kapp deploy --app images --file - --yes
--------------------------------------------------------------------------------
/concourse/show-pipeline-variables.sh:
--------------------------------------------------------------------------------
#! /usr/bin/env bash

# List every Concourse variable reference of the form ((name)) under the current
# directory, so the set of pipeline variables that must be supplied can be reviewed.
set -euo pipefail

rg --regexp '\(\(.+\)\)'
--------------------------------------------------------------------------------
/install-kubeapps.sh:
--------------------------------------------------------------------------------
#! /usr/bin/env bash

# Render manifests/kubeapps (HelmRelease, ServiceAccount, cluster-admin binding,
# Certificate, Ingress) with ytt, data values from YTT_KUBEAPPS_* environment
# variables, and deploy it as the kapp application "kubeapps".
set -euo pipefail

ytt --file manifests/kubeapps --data-values-env YTT_KUBEAPPS \
  | kapp deploy --app kubeapps --file - --yes
--------------------------------------------------------------------------------
/install-concourse.sh:
--------------------------------------------------------------------------------
#! /usr/bin/env bash

# Render manifests/concourse with ytt (data values from YTT_CONCOURSE_* environment
# variables, e.g. YTT_CONCOURSE_concourse_hostname) and deploy it as the kapp
# application "concourse".
set -euo pipefail

ytt --file manifests/concourse --data-values-env YTT_CONCOURSE \
  | kapp deploy --app concourse --file - --yes
--------------------------------------------------------------------------------
/manifests/cert-manager/clusterissuer.yml:
--------------------------------------------------------------------------------
# Cluster-wide CA issuer backed by the `mkcert` Secret in the cert-manager
# namespace (keys tls.crt / tls.key, created by secrets-cert-manager.sh from the
# developer's mkcert root CA). Every Certificate in this repo references it.
# NOTE(security): certificates signed by this issuer are trusted by every machine
# that ran `mkcert -install` for that CA — lab use only.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: mkcert
spec:
  ca:
    secretName: mkcert
--------------------------------------------------------------------------------
/install-product-api.sh:
--------------------------------------------------------------------------------
#! /usr/bin/env bash

# Render manifests/product-api with ytt (data values from YTT_PRODUCTAPI_*
# environment variables: image, ingress_hostname) and deploy it as the kapp
# application "product-api".
set -euo pipefail

ytt --file manifests/product-api --data-values-env YTT_PRODUCTAPI \
  | kapp deploy --app product-api --file - --yes
--------------------------------------------------------------------------------
/manifests/images/tbs-service-account.yml:
--------------------------------------------------------------------------------
#! ServiceAccount used by the kpack Image resources in this directory
#! (spec.serviceAccount: tbs-service-account). Listing `harbor-creds` under
#! `secrets` is how kpack finds the registry credential to push built images with.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tbs-service-account
  namespace: images
secrets:
- name: harbor-creds
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Local environment (.envrc.template is the committed copy).
.envrc
# Key material that must never be committed: cert/key pairs and the mkcert root CA.
tls.crt
tls.key
pipeline/vars.sh
rootCA.pem
# Downloaded product tarballs and install scratch directories.
build-service-1.0.2.tar
tanzu-application-service.0.5.0-build.19.tar
tanzu-application-service/
tbs-install
# Written by `tmc cluster attach` and deleted again by tmc-attach-cluster.sh.
k8s-attach-manifest.yaml
test-app/
--------------------------------------------------------------------------------
/install-spring-petclinic.sh:
--------------------------------------------------------------------------------
#! /usr/bin/env bash

# Render manifests/spring-petclinic with ytt (data values from YTT_SPRINGPETCLINIC_*
# environment variables) and deploy it as the kapp application "spring-petclinic",
# adding the sealed Wavefront secret (wavefront-secrets.json, written by
# secrets-spring-petclinic.sh) as a second input to kapp.
set -euo pipefail

ytt --file manifests/spring-petclinic --data-values-env YTT_SPRINGPETCLINIC \
  | kapp deploy --app spring-petclinic --file - --file manifests/spring-petclinic/wavefront-secrets.json --yes
--------------------------------------------------------------------------------
/manifests/product-api/services.yml:
--------------------------------------------------------------------------------
#! ClusterIP Service in front of the product-api pods (selector app=product-api).
#! No targetPort is given, so traffic on 8080 is forwarded to container port 8080;
#! manifests/product-api/deployment.yml declares containerPort 80 — confirm which
#! port the application actually listens on.
apiVersion: v1
kind: Service
metadata:
  name: product-api-stable
  namespace: product-api
spec:
  selector:
    app: product-api
  ports:
  - name: http
    protocol: TCP
    port: 8080
--------------------------------------------------------------------------------
/concourse/Helper/.gitignore:
--------------------------------------------------------------------------------
# Build context of the Helper image: a spring-petclinic checkout and the CLI
# binaries baked into the image are fetched locally and must not be committed.
spring-petclinic/
kubectl-linux-amd64-1.16.12
pks-linux-amd64-1.7.1-build.26
tkgi-linux-amd64-1.8.0-build.75
kp-linux-0.1.1
kapp-linux-amd64
ytt-linux-amd64
sd
kubectl-argo-rollouts-linux-amd64
pivnet-linux-amd64-2.0.0
--------------------------------------------------------------------------------
/configure-kubeapps.sh:
--------------------------------------------------------------------------------
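#! /usr/bin/env bash

# Print the bearer token of the `kubeapps` ServiceAccount (namespace `default`).
#
# NOTE(security): manifests/kubeapps/cluster-role-binding.yml binds that account
# to cluster-admin, so the printed token is a full-cluster credential. Treat the
# output as a secret (no pasting into tickets, chat or CI logs).
#
# The token is read from the legacy auto-generated `kubeapps-token-*` Secret.
# Kubernetes >= 1.24 no longer creates such Secrets automatically — TODO confirm
# the cluster version; on newer clusters use `kubectl create token kubeapps`.
set -euo pipefail

# Name of the token Secret referenced by the ServiceAccount. The pipeline fails
# (pipefail + grep exit 1) when no kubeapps-token Secret is referenced.
token_secret="$(kubectl get serviceaccount kubeapps \
  -o jsonpath='{range .secrets[*]}{.name}{"\n"}{end}' | grep kubeapps-token)" \
  || { echo "no kubeapps-token Secret referenced by serviceaccount/kubeapps" >&2; exit 1; }

# The original passed both `-o jsonpath=...` and `-o go-template=...`; kubectl
# only honours the last -o, so only the go-template is kept here.
kubectl get secret "${token_secret}" -o go-template='{{.data.token | base64decode}}'
echo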
6 |
--------------------------------------------------------------------------------
/manifests/spring-petclinic/services.yml:
--------------------------------------------------------------------------------
#! ClusterIP Service in front of the spring-petclinic pods (selector app=spring-petclinic).
#! No targetPort, so port 8080 maps to container port 8080 — the Spring Boot default.
apiVersion: v1
kind: Service
metadata:
  name: spring-petclinic-stable
  namespace: spring-petclinic
spec:
  selector:
    app: spring-petclinic
  ports:
  - name: http
    protocol: TCP
    port: 8080
--------------------------------------------------------------------------------
/secrets-cert-manager.sh:
--------------------------------------------------------------------------------
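#! /usr/bin/env bash

# Load the local mkcert root CA into the `mkcert` Secret (keys tls.crt / tls.key)
# that manifests/cert-manager/clusterissuer.yml uses as its CA.
#
# NOTE(security): this uploads the PRIVATE KEY of the mkcert root CA — the CA that
# `mkcert -install` placed in the trust store of every developer machine that ran
# it. Anyone able to read Secrets in the cert-manager namespace can then mint
# certificates those machines trust. Acceptable only for a throw-away lab CA;
# never do this with a CA that is trusted outside the lab.
set -euo pipefail

caroot="$(mkcert -CAROOT)"

# Fail early with a clear message instead of letting kubectl report a missing file.
for f in "${caroot}/rootCA.pem" "${caroot}/rootCA-key.pem"; do
  if [[ ! -r "${f}" ]]; then
    echo "missing ${f}: run 'mkcert -install' first" >&2
    exit 1
  fi
done

# Root cert and key
kubectl create secret generic mkcert \
  --from-file=tls.crt="${caroot}/rootCA.pem" \
  --from-file=tls.key="${caroot}/rootCA-key.pem" \
  --namespace cert-manager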
10 |
11 |
--------------------------------------------------------------------------------
/concourse/tasks/create-wavefront-event/create-wavefront-event.yml:
--------------------------------------------------------------------------------
# Concourse task config for create-wavefront-event.sh (script not shown here).
platform: linux

inputs:
# The tanzu-gitops checkout; the task script is run from it.
- name: tanzu-gitops


params:
# Wavefront API token and endpoint. Values are left empty here and are expected
# to come from the pipeline — presumably as ((var)) references resolved by the
# Concourse credential manager (see concourse/show-pipeline-variables.sh).
# Keep the token out of build logs (no `set -x` around commands that use it).
WAVEFRONT_API_TOKEN:
WAVEFRONT_URL:


run:
  path: "tanzu-gitops/concourse/tasks/create-wavefront-event/create-wavefront-event.sh"
--------------------------------------------------------------------------------
/manifests/vsphere-storage/storageclass.yml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: storage.k8s.io/v1
3 | kind: StorageClass
4 | metadata:
5 | name: vsphere
6 | annotations:
7 | storageclass.kubernetes.io/is-default-class: "true"
8 | provisioner: kubernetes.io/vsphere-volume
9 | parameters:
10 | datastore: vsanDatastore
11 |
--------------------------------------------------------------------------------
/tmc-attach-cluster.sh:
--------------------------------------------------------------------------------
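#! /usr/bin/env bash

# Usage: tmc-attach-cluster.sh <kube-context>
#
# Attach the cluster behind <kube-context> to Tanzu Mission Control (cluster name
# "<group>-<context>"), apply the attach manifest that `tmc cluster attach` writes
# to ./k8s-attach-manifest.yaml, then delete that manifest (it is git-ignored).
# Requires TMC_CLUSTER_GROUP_NAME in the environment (e.g. from .envrc).
set -euo pipefail

if [[ $# -ne 1 ]]; then
  echo "usage: $0 <kube-context>" >&2
  exit 2
fi
CONTEXT="$1"
: "${TMC_CLUSTER_GROUP_NAME:?TMC_CLUSTER_GROUP_NAME must be set}"

tmc cluster attach --group "${TMC_CLUSTER_GROUP_NAME}" --name "${TMC_CLUSTER_GROUP_NAME}-${CONTEXT}"

# Two separate statements on purpose: in the original `use-context && kapp` form a
# failed context switch is swallowed by the && list (set -e does not apply there),
# so the script went on to delete the manifest without ever applying it.
kubectl config use-context "${CONTEXT}"
kapp deploy -a tmc -f k8s-attach-manifest.yaml -y
rm k8s-attach-manifest.yaml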
10 |
--------------------------------------------------------------------------------
/concourse/tasks/deploy-harbor/deploy-harbor.yml:
--------------------------------------------------------------------------------
# Concourse task config for concourse/tasks/deploy-harbor/deploy-harbor.sh.
platform: linux


inputs:
# The tanzu-gitops checkout; both the script and manifests/harbor come from it.
- name: tanzu-gitops

params:
# TKGI cluster name and API endpoint/user/password used by `tkgi login` in the script.
# Values are empty here and are expected to be supplied by the pipeline — presumably
# as ((var)) references resolved by the Concourse credential manager.
# NOTE(security): the script passes the password on the tkgi command line; make
# sure it is not traced into the build log.
tkgicluster:
tkgiapi:
tkgiuser:
tkgipassword:
# Forwarded to ytt through --data-values-env=YTT_HARBOR as data value common_name.
YTT_HARBOR_common_name:

run:
  path: "tanzu-gitops/concourse/tasks/deploy-harbor/deploy-harbor.sh"
--------------------------------------------------------------------------------
/concourse/tasks/deploy-kubeapps/deploy-kubeapps.yml:
--------------------------------------------------------------------------------
# Concourse task config for concourse/tasks/deploy-kubeapps/deploy-kubeapps.sh.
platform: linux


inputs:
# The tanzu-gitops checkout; both the script and manifests/kubeapps come from it.
- name: tanzu-gitops

params:
# TKGI cluster name and API endpoint/user/password used by `tkgi login` in the script.
# Values are empty here and are expected to be supplied by the pipeline — presumably
# as ((var)) references resolved by the Concourse credential manager.
tkgicluster:
tkgiapi:
tkgiuser:
tkgipassword:
# Forwarded to ytt through --data-values-env=YTT_KUBEAPPS as data value kubeapps_hostname.
YTT_KUBEAPPS_kubeapps_hostname:

run:
  path: "tanzu-gitops/concourse/tasks/deploy-kubeapps/deploy-kubeapps.sh"
--------------------------------------------------------------------------------
/concourse/tasks/deploy-harbor/deploy-harbor.sh:
--------------------------------------------------------------------------------
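#! /usr/bin/env bash

# Concourse task: log in to TKGI, fetch the kubeconfig for ${tkgicluster} and
# deploy Harbor from the ytt templates in tanzu-gitops/manifests/harbor.
# Params (deploy-harbor.yml): tkgiapi, tkgiuser, tkgipassword, tkgicluster and
# YTT_HARBOR_common_name (read by ytt via --data-values-env=YTT_HARBOR).
set -euo pipefail

# Log in WITHOUT xtrace: the original `set -x` printed the expanded
# `-p <password>` into the Concourse build log, readable by anyone who can view
# the build.
# NOTE(security): -k disables TLS verification of the TKGI API endpoint, so the
# credentials are exposed to anyone who can interpose on that connection. Prefer
# passing the API CA (tkgi login accepts --ca-cert <file> — TODO confirm for the
# tkgi version baked into concourse/Helper/Dockerfile) once it is available to the task.
tkgi login -a "${tkgiapi}" \
  -u "${tkgiuser}" \
  -p "${tkgipassword}" \
  -k

tkgi get-credentials "${tkgicluster}"

# Tracing is useful for the deploy itself; enable it only now that no secret is
# on a command line any more.
set -x

ytt --data-values-env=YTT_HARBOR -f tanzu-gitops/manifests/harbor \
  | kapp deploy -a harbor -f- -y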
--------------------------------------------------------------------------------
/manifests/kubeapps/cluster-role-binding.yml:
--------------------------------------------------------------------------------
#! Binds the `kubeapps` ServiceAccount (manifests/kubeapps/service-account.yml)
#! to the built-in cluster-admin ClusterRole, i.e. unrestricted access to the whole cluster.
#! NOTE(security): configure-kubeapps.sh prints this account's token (presumably to
#! paste into the Kubeapps login), so whoever holds that token is cluster-admin.
#! Before using this outside a lab, scope the account down to the namespaces and
#! verbs Kubeapps actually needs, or authenticate users individually instead.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubeapps
subjects:
- kind: ServiceAccount
  name: kubeapps
  namespace: default
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
--------------------------------------------------------------------------------
/concourse/tasks/build-product-api-image/build-product-api-image.yml:
--------------------------------------------------------------------------------
# Concourse task config for build-product-api-image.sh: points the kpack Image
# `product-api` at the revision checked out in the product-api input.
platform: linux

inputs:
# The tanzu-gitops checkout (task script) and the product-api source checkout
# whose HEAD revision is handed to kpack.
- name: tanzu-gitops
- name: product-api

params:
# TKGI cluster name and API endpoint/user/password used by `tkgi login` in the script.
# Values are empty here and are expected to be supplied by the pipeline — presumably
# as ((var)) references resolved by the Concourse credential manager.
tkgicluster:
tkgiapi:
tkgiuser:
tkgipassword:

run:
  path: "tanzu-gitops/concourse/tasks/build-product-api-image/build-product-api-image.sh"
--------------------------------------------------------------------------------
/concourse/tasks/deploy-kubeapps/deploy-kubeapps.sh:
--------------------------------------------------------------------------------
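#! /usr/bin/env bash

# Concourse task: log in to TKGI, fetch the kubeconfig for ${tkgicluster} and
# deploy Kubeapps from the ytt templates in tanzu-gitops/manifests/kubeapps.
# Params (deploy-kubeapps.yml): tkgiapi, tkgiuser, tkgipassword, tkgicluster and
# YTT_KUBEAPPS_kubeapps_hostname (read by ytt via --data-values-env=YTT_KUBEAPPS).
set -euo pipefail

# Log in WITHOUT xtrace: the original `set -x` printed the expanded
# `-p <password>` into the Concourse build log.
# NOTE(security): -k disables TLS verification of the TKGI API endpoint; prefer
# passing the API CA (tkgi login accepts --ca-cert <file> — TODO confirm for the
# tkgi version baked into concourse/Helper/Dockerfile) once it is available to the task.
tkgi login -a "${tkgiapi}" \
  -u "${tkgiuser}" \
  -p "${tkgipassword}" \
  -k

tkgi get-credentials "${tkgicluster}"

# Tracing is useful for the deploy itself; enable it only now that no secret is
# on a command line any more.
set -x

ytt --data-values-env=YTT_KUBEAPPS -f tanzu-gitops/manifests/kubeapps \
  | kapp deploy -a kubeapps -f- -y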
--------------------------------------------------------------------------------
/manifests/images/harbor-docker-creds.yml:
--------------------------------------------------------------------------------
#@ load("@ytt:data", "data")
#! Registry credential kpack uses to push built images to Harbor; it is listed under
#! `secrets` of manifests/images/tbs-service-account.yml. The kpack.io/docker
#! annotation names the registry (https:// + data.values.harbor) the credential is for.
#!
#! NOTE(security): the username and password below are committed in clear text, and
#! "admin" / "Harbor12345" are Harbor's documented default admin credentials. Anyone
#! with read access to this repository can push to — and administer — the registry
#! the pipeline deploys from. Change the Harbor admin password, then keep the
#! credential out of git: seal it the way secrets-spring-petclinic.sh does for the
#! Wavefront token, or feed username/password in as ytt data values from the
#! environment (install-images.sh already renders with --data-values-env=YTT_TBS).
apiVersion: v1
kind: Secret
metadata:
  name: harbor-creds
  namespace: images
  annotations:
    kpack.io/docker: #@ "https://" + data.values.harbor
type: kubernetes.io/basic-auth
stringData:
  username: admin
  password: Harbor12345
--------------------------------------------------------------------------------
/configure-tas-minibroker.sh:
--------------------------------------------------------------------------------
#! /usr/bin/env bash

set -euo pipefail

# Register minibroker (installed by install-minibroker.sh) as a service broker in
# TAS and expose the service offerings that actually work.
# NOTE(security): "user" / "pass" are placeholder broker credentials committed in
# clear text, and the broker is reached over plain HTTP inside the cluster. That is
# acceptable only if minibroker is deployed with matching (or no) auth in a lab;
# confirm what the chart in manifests/minibroker/minibroker.yml expects before
# reusing this anywhere else.
cf create-service-broker minibroker user pass http://minibroker-minibroker.minibroker.svc.cluster.local
# Postgres and RabbitMQ don't work despite the docs saying they do
cf enable-service-access redis
cf enable-service-access mysql
cf enable-service-access mongodb
--------------------------------------------------------------------------------
/concourse/tasks/build-spring-petclinic-image/build-spring-petclinic-image.yml:
--------------------------------------------------------------------------------
# Concourse task config for build-spring-petclinic-image.sh: points the kpack Image
# `spring-petclinic` at the revision checked out in the spring-petclinic input.
platform: linux

inputs:
# The tanzu-gitops checkout (task script) and the spring-petclinic source checkout
# whose HEAD revision is handed to kpack.
- name: tanzu-gitops
- name: spring-petclinic

params:
# TKGI cluster name and API endpoint/user/password used by `tkgi login` in the script.
# Values are empty here and are expected to be supplied by the pipeline — presumably
# as ((var)) references resolved by the Concourse credential manager.
tkgicluster:
tkgiapi:
tkgiuser:
tkgipassword:

run:
  path: "tanzu-gitops/concourse/tasks/build-spring-petclinic-image/build-spring-petclinic-image.sh"
--------------------------------------------------------------------------------
/manifests/harbor/certificate.yml:
--------------------------------------------------------------------------------
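#@ load("@ytt:data", "data")

#! TLS certificate for Harbor, issued by the mkcert CA ClusterIssuer
#! (manifests/cert-manager/clusterissuer.yml) into Secret `harbor` in namespace harbor.
#! CN and the only SAN are both data.values.common_name (YTT_HARBOR_common_name).
#! Uses cert-manager.io/v1 instead of the deprecated v1alpha2: the ClusterIssuer in
#! this repo already uses v1 and the pinned chart (v1.0.1) serves it; v1alpha2 was
#! removed in cert-manager 1.6, so the old version would break on the next upgrade.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: harbor
  namespace: harbor
spec:
  commonName: #@ data.values.common_name
  dnsNames:
  - #@ data.values.common_name
  issuerRef:
    kind: ClusterIssuer
    name: mkcert
  secretName: harbor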
--------------------------------------------------------------------------------
/concourse/tasks/build-product-api-image/build-product-api-image.sh:
--------------------------------------------------------------------------------
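#! /usr/bin/env bash

# Concourse task: log in to TKGI, fetch the kubeconfig for ${tkgicluster}, then point
# the kpack Image `product-api` (namespace images) at the HEAD revision of the
# product-api input so kpack rebuilds it. Params: tkgiapi, tkgiuser, tkgipassword, tkgicluster.
set -euo pipefail

# NOTE(security): -k disables TLS verification of the TKGI API endpoint, so the
# credentials are exposed to anyone who can interpose on that connection. Prefer
# passing the API CA (tkgi login accepts --ca-cert <file> — TODO confirm for the
# tkgi version baked into concourse/Helper/Dockerfile) once it is available to the task.
# Do not add `set -x` above this line: it would trace the password into the build log.
tkgi login -a "${tkgiapi}" \
  -u "${tkgiuser}" \
  -p "${tkgipassword}" \
  -k

tkgi get-credentials "${tkgicluster}"

cd product-api
REVISION="$(git rev-parse HEAD)"
# Guard against an empty/odd checkout before handing the value to kpack.
if [[ ! "${REVISION}" =~ ^[0-9a-f]{40}$ ]]; then
  echo "unexpected git revision '${REVISION}' in product-api input" >&2
  exit 1
fi
kp -n images image patch product-api --git-revision "${REVISION}"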
15 |
16 |
--------------------------------------------------------------------------------
/concourse/tasks/deploy-product-api-image/deploy-product-api-image.yml:
--------------------------------------------------------------------------------
# Concourse task config for deploy-product-api-image.sh: rolls the product-api
# Deployment to the image digest produced by the build.
platform: linux


inputs:
# The tanzu-gitops checkout (task script) and the product-api-image resource,
# whose `digest` file the script reads.
- name: tanzu-gitops
- name: product-api-image


params:
# TKGI cluster name and API endpoint/user/password used by `tkgi login` in the script.
# Values are empty here and are expected to be supplied by the pipeline — presumably
# as ((var)) references resolved by the Concourse credential manager.
tkgicluster:
tkgiapi:
tkgiuser:
tkgipassword:
# Harbor host; the script builds the image reference <harbordomain>/library/product-api@<digest>.
harbordomain:

run:
  path: "tanzu-gitops/concourse/tasks/deploy-product-api-image/deploy-product-api-image.sh"
--------------------------------------------------------------------------------
/manifests/kubeapps/certificate.yml:
--------------------------------------------------------------------------------
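#@ load("@ytt:data", "data")
#! TLS certificate for Kubeapps, issued by the mkcert CA ClusterIssuer into Secret
#! `kubeapps-tls` in the default namespace (where the Kubeapps HelmRelease lives).
#! CN and the only SAN are both data.values.kubeapps_hostname.
#! Uses cert-manager.io/v1 instead of the deprecated v1alpha2: the ClusterIssuer in
#! this repo already uses v1 and the pinned chart (v1.0.1) serves it; v1alpha2 was
#! removed in cert-manager 1.6.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: kubeapps
  namespace: default
spec:
  commonName: #@ data.values.kubeapps_hostname
  dnsNames:
  - #@ data.values.kubeapps_hostname
  issuerRef:
    kind: ClusterIssuer
    name: mkcert
  secretName: kubeapps-tls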
--------------------------------------------------------------------------------
/concourse/tasks/build-spring-petclinic-image/build-spring-petclinic-image.sh:
--------------------------------------------------------------------------------
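#! /usr/bin/env bash

# Concourse task: log in to TKGI, fetch the kubeconfig for ${tkgicluster}, then point
# the kpack Image `spring-petclinic` (namespace images) at the HEAD revision of the
# spring-petclinic input so kpack rebuilds it. Params: tkgiapi, tkgiuser, tkgipassword, tkgicluster.
set -euo pipefail

# NOTE(security): -k disables TLS verification of the TKGI API endpoint, so the
# credentials are exposed to anyone who can interpose on that connection. Prefer
# passing the API CA (tkgi login accepts --ca-cert <file> — TODO confirm for the
# tkgi version baked into concourse/Helper/Dockerfile) once it is available to the task.
# Do not add `set -x` above this line: it would trace the password into the build log.
tkgi login -a "${tkgiapi}" \
  -u "${tkgiuser}" \
  -p "${tkgipassword}" \
  -k

tkgi get-credentials "${tkgicluster}"

cd spring-petclinic
REVISION="$(git rev-parse HEAD)"
# Guard against an empty/odd checkout before handing the value to kpack.
if [[ ! "${REVISION}" =~ ^[0-9a-f]{40}$ ]]; then
  echo "unexpected git revision '${REVISION}' in spring-petclinic input" >&2
  exit 1
fi
kp -n images image patch spring-petclinic --git-revision "${REVISION}"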
15 |
16 |
--------------------------------------------------------------------------------
/NOTICE:
--------------------------------------------------------------------------------
1 | Copyright 2022 VMware, Inc.
2 |
3 | This product is licensed to you under the BSD 2 clause (the "License"). You may not use this product except in compliance with the License.
4 |
5 | This product may include a number of subcomponents with separate copyright notices and license terms. Your use of these subcomponents is subject to the terms and conditions of the subcomponent's license, as noted in the LICENSE file.
--------------------------------------------------------------------------------
/concourse/tasks/deploy-spring-petclinic-image/deploy-spring-petclinic-image.yml:
--------------------------------------------------------------------------------
# Concourse task config for deploy-spring-petclinic-image.sh: rolls the
# spring-petclinic Deployment to the image digest produced by the build.
platform: linux


inputs:
# The tanzu-gitops checkout (task script) and the spring-petclinic-image resource,
# whose `digest` file the script reads.
- name: tanzu-gitops
- name: spring-petclinic-image


params:
# TKGI cluster name and API endpoint/user/password used by `tkgi login` in the script.
# Values are empty here and are expected to be supplied by the pipeline — presumably
# as ((var)) references resolved by the Concourse credential manager.
tkgicluster:
tkgiapi:
tkgiuser:
tkgipassword:
# Harbor host; the script builds the image reference <harbordomain>/library/spring-petclinic@<digest>.
harbordomain:

run:
  path: "tanzu-gitops/concourse/tasks/deploy-spring-petclinic-image/deploy-spring-petclinic-image.sh"
--------------------------------------------------------------------------------
/manifests/concourse/certificate.yml:
--------------------------------------------------------------------------------
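#@ load("@ytt:data", "data")

#! TLS certificate for the Concourse web UI, issued by the mkcert CA ClusterIssuer
#! into Secret `concourse-web-tls` in namespace concourse.
#! CN and the only SAN are both data.values.concourse_hostname.
#! Uses cert-manager.io/v1 instead of the deprecated v1alpha2: the ClusterIssuer in
#! this repo already uses v1 and the pinned chart (v1.0.1) serves it; v1alpha2 was
#! removed in cert-manager 1.6.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: concourse
  namespace: concourse
spec:
  commonName: #@ data.values.concourse_hostname
  dnsNames:
  - #@ data.values.concourse_hostname
  issuerRef:
    kind: ClusterIssuer
    name: mkcert
  secretName: concourse-web-tls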
--------------------------------------------------------------------------------
/manifests/product-api/certificate.yml:
--------------------------------------------------------------------------------
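#@ load("@ytt:data", "data")

#! TLS certificate for the product-api ingress, issued by the mkcert CA ClusterIssuer
#! into Secret `product-api-tls` in namespace product-api.
#! CN and the only SAN are both data.values.ingress_hostname.
#! Uses cert-manager.io/v1 instead of the deprecated v1alpha2: the ClusterIssuer in
#! this repo already uses v1 and the pinned chart (v1.0.1) serves it; v1alpha2 was
#! removed in cert-manager 1.6.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: product-api
  namespace: product-api
spec:
  commonName: #@ data.values.ingress_hostname
  dnsNames:
  - #@ data.values.ingress_hostname
  issuerRef:
    kind: ClusterIssuer
    name: mkcert
  secretName: product-api-tls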
--------------------------------------------------------------------------------
/concourse/tasks/deploy-product-api-image/deploy-product-api-image.sh:
--------------------------------------------------------------------------------
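#! /usr/bin/env bash

# Concourse task: log in to TKGI, fetch the kubeconfig for ${tkgicluster}, then roll
# the product-api Deployment to the image digest written by the build
# (product-api-image/digest). Params: tkgiapi, tkgiuser, tkgipassword, tkgicluster, harbordomain.
set -euo pipefail

# Log in WITHOUT xtrace: the original `set -x` printed the expanded
# `-p <password>` into the Concourse build log.
# NOTE(security): -k disables TLS verification of the TKGI API endpoint; prefer
# passing the API CA (tkgi login accepts --ca-cert <file> — TODO confirm for the
# tkgi version baked into concourse/Helper/Dockerfile) once it is available to the task.
tkgi login -a "${tkgiapi}" \
  -u "${tkgiuser}" \
  -p "${tkgipassword}" \
  -k

tkgi get-credentials "${tkgicluster}"

# Tracing is useful for the rollout itself; enable it only now that no secret is
# on a command line any more.
set -x

DIGEST="$(cat product-api-image/digest)"
# Deploy by immutable digest only — refuse anything that is not a sha256 digest so
# a corrupted/empty digest file cannot turn into a mutable tag reference.
if [[ ! "${DIGEST}" =~ ^sha256:[0-9a-f]{64}$ ]]; then
  echo "product-api-image/digest does not contain a sha256 digest: '${DIGEST}'" >&2
  exit 1
fi
kubectl -n product-api set image deployment/product-api "product-api=${harbordomain}/library/product-api@${DIGEST}"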
--------------------------------------------------------------------------------
/concourse/tasks/deploy-tbs-dependencies/deploy-tbs-dependencies.yml:
--------------------------------------------------------------------------------
# Concourse task config for deploy-tbs-dependencies.sh (script not shown here).
platform: linux


inputs:
# The tanzu-gitops checkout (task script) and the tbs-dependencies resource —
# presumably the TBS dependency descriptor fetched from Tanzu Network.
- name: tanzu-gitops
- name: tbs-dependencies


params:
# TKGI cluster name and API endpoint/user/password for `tkgi login`, plus Tanzu
# Network (pivnet) credentials and the Harbor host. Values are empty here and are
# expected to be supplied by the pipeline — presumably as ((var)) references resolved
# by the Concourse credential manager. Keep the two passwords out of build logs
# (no `set -x` around the commands that use them).
tkgicluster:
tkgiapi:
tkgiuser:
tkgipassword:
pivnetuser:
pivnetpassword:
harbordomain:

run:
  path: "tanzu-gitops/concourse/tasks/deploy-tbs-dependencies/deploy-tbs-dependencies.sh"
--------------------------------------------------------------------------------
/manifests/spring-petclinic/certificate.yml:
--------------------------------------------------------------------------------
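#@ load("@ytt:data", "data")

#! TLS certificate for the spring-petclinic ingress, issued by the mkcert CA
#! ClusterIssuer into Secret `spring-petclinic-tls` in namespace spring-petclinic.
#! CN and the only SAN are both data.values.ingress_hostname.
#! Uses cert-manager.io/v1 instead of the deprecated v1alpha2: the ClusterIssuer in
#! this repo already uses v1 and the pinned chart (v1.0.1) serves it; v1alpha2 was
#! removed in cert-manager 1.6.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: spring-petclinic
  namespace: spring-petclinic
spec:
  commonName: #@ data.values.ingress_hostname
  dnsNames:
  - #@ data.values.ingress_hostname
  issuerRef:
    kind: ClusterIssuer
    name: mkcert
  secretName: spring-petclinic-tls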
--------------------------------------------------------------------------------
/manifests/kubeapps/kubeapps.yml:
--------------------------------------------------------------------------------
#! Flux Helm Operator release of the Bitnami Kubeapps chart into the default namespace.
#! The chart version is pinned (good for reproducibility); bump it deliberately.
#! Note the release, its ServiceAccount and the cluster-admin binding all live in
#! `default` — consider a dedicated namespace.
apiVersion: helm.fluxcd.io/v1
kind: HelmRelease
metadata:
  name: kubeapps
  namespace: default
spec:
  helmVersion: v3
  targetNamespace: default
  releaseName: kubeapps
  #! Block until the release is ready, then run the chart's helm tests.
  wait: true
  test:
    enable: true
  chart:
    repository: https://charts.bitnami.com/bitnami
    name: kubeapps
    version: "3.9.2"
  values:
    useHelm3: true
--------------------------------------------------------------------------------
/concourse/tasks/deploy-spring-petclinic-image/deploy-spring-petclinic-image.sh:
--------------------------------------------------------------------------------
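#! /usr/bin/env bash

# Concourse task: log in to TKGI, fetch the kubeconfig for ${tkgicluster}, then roll
# the spring-petclinic Deployment to the image digest written by the build
# (spring-petclinic-image/digest). Params: tkgiapi, tkgiuser, tkgipassword, tkgicluster, harbordomain.
set -euo pipefail

# Log in WITHOUT xtrace: the original `set -x` printed the expanded
# `-p <password>` into the Concourse build log.
# NOTE(security): -k disables TLS verification of the TKGI API endpoint; prefer
# passing the API CA (tkgi login accepts --ca-cert <file> — TODO confirm for the
# tkgi version baked into concourse/Helper/Dockerfile) once it is available to the task.
tkgi login -a "${tkgiapi}" \
  -u "${tkgiuser}" \
  -p "${tkgipassword}" \
  -k

tkgi get-credentials "${tkgicluster}"

# Tracing is useful for the rollout itself; enable it only now that no secret is
# on a command line any more.
set -x

DIGEST="$(cat spring-petclinic-image/digest)"
# Deploy by immutable digest only — refuse anything that is not a sha256 digest so
# a corrupted/empty digest file cannot turn into a mutable tag reference.
if [[ ! "${DIGEST}" =~ ^sha256:[0-9a-f]{64}$ ]]; then
  echo "spring-petclinic-image/digest does not contain a sha256 digest: '${DIGEST}'" >&2
  exit 1
fi
kubectl -n spring-petclinic set image deployment/spring-petclinic "spring-petclinic=${harbordomain}/library/spring-petclinic@${DIGEST}"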
--------------------------------------------------------------------------------
/tas-reset-stack.sh:
--------------------------------------------------------------------------------
#! /usr/bin/env bash

set -euo pipefail

# Reset the TAS cflinuxfs3 stack (namespace cf-workloads-staging) to a known
# build/run image pair, pinned by digest.
# NOTE(review): both the build image and the run image below carry the SAME
# sha256 digest. Those are different images, so this looks like a copy/paste slip —
# compare with tas-update-stack.sh, where the two digests differ, and verify
# before relying on this script.
kubectl patch stack cflinuxfs3-stack \
  --namespace cf-workloads-staging \
  --type='json' \
  --patch='[{"op": "replace", "path": "/spec/buildImage/image", "value":"gcr.io/paketo-buildpacks/build@sha256:84f7b60192e69036cb363b2fc7d9834cff69dcbcf7aaf8c058d986fdee6941c3"},{"op": "replace", "path": "/spec/runImage/image", "value":"gcr.io/paketo-buildpacks/run@sha256:84f7b60192e69036cb363b2fc7d9834cff69dcbcf7aaf8c058d986fdee6941c3"}]'
--------------------------------------------------------------------------------
/tas-update-stack.sh:
--------------------------------------------------------------------------------
#! /usr/bin/env bash

set -euo pipefail

# Move the TAS cflinuxfs3 stack (namespace cf-workloads-staging) to newer Paketo
# build/run images. Both references are pinned by sha256 digest rather than tag,
# so the rollout is reproducible and cannot be changed out from under us by a
# re-pushed tag. Keep it that way when updating.
kubectl patch stack cflinuxfs3-stack \
  --namespace cf-workloads-staging \
  --type='json' \
  --patch='[{"op": "replace", "path": "/spec/buildImage/image", "value":"gcr.io/paketo-buildpacks/build@sha256:a591ad9c9bb81d1d74ed29b930fe6fc8bf1b296a5c61291beca848aee4c94925"},{"op": "replace", "path": "/spec/runImage/image", "value":"gcr.io/paketo-buildpacks/run@sha256:12f8ebe599e62c7113dab4cac7290f87c46dcb388dd3bcdfa02860ba77424ec6"}]'
--------------------------------------------------------------------------------
/manifests/product-api/deployment.yml:
--------------------------------------------------------------------------------
#@ load("@ytt:data", "data")
#! Single-replica Deployment of product-api. The image comes from data.values.image
#! at render time; the Concourse deploy task later replaces it with a digest-pinned
#! reference via `kubectl set image`.
#! NOTE(review): no resource requests/limits, no readiness/liveness probes and no
#! securityContext are set — fine for a lab, but add them before anything real.
#! containerPort 80 here vs. port 8080 on the Service (services.yml) — confirm
#! which port the app listens on.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: product-api
  namespace: product-api
spec:
  replicas: 1
  selector:
    matchLabels:
      app: product-api
  template:
    metadata:
      labels:
        app: product-api
    spec:
      containers:
      - name: product-api
        image: #@ data.values.image
        ports:
        - containerPort: 80
--------------------------------------------------------------------------------
/manifests/minibroker/minibroker.yml:
--------------------------------------------------------------------------------
# Flux Helm Operator release of minibroker (an OSB-API broker for dev-grade
# databases) into the minibroker namespace; registered with TAS by
# configure-tas-minibroker.sh. The chart version is pinned.
apiVersion: helm.fluxcd.io/v1
kind: HelmRelease
metadata:
  name: minibroker
  namespace: minibroker
spec:
  helmVersion: v3
  targetNamespace: minibroker
  releaseName: minibroker
  # Block until the release is ready, then run the chart's helm tests.
  wait: true
  test:
    enable: true
  chart:
    repository: https://minibroker.blob.core.windows.net/charts
    name: minibroker
    version: "0.3.1"
  values:
    # TAS brings its own service catalog; don't install another one.
    deployServiceCatalog: false
    defaultNamespace: minibroker
--------------------------------------------------------------------------------
/manifests/cert-manager/cert-manager.yml:
--------------------------------------------------------------------------------
# cert-manager namespace plus its Flux Helm Operator release (chart v1.0.1, pinned).
# installCRDs is false, so the cert-manager CRDs must be installed separately before
# this release reconciles — the ClusterIssuer in clusterissuer.yml depends on them.
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager
---
apiVersion: helm.fluxcd.io/v1
kind: HelmRelease
metadata:
  name: cert-manager
  namespace: cert-manager
spec:
  helmVersion: v3
  targetNamespace: cert-manager
  releaseName: cert-manager
  wait: true
  chart:
    repository: https://charts.jetstack.io
    name: cert-manager
    version: "v1.0.1"
  values:
    installCRDs: false
--------------------------------------------------------------------------------
/secrets-spring-petclinic.sh:
--------------------------------------------------------------------------------
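#! /usr/bin/env bash

# Create the Wavefront SealedSecret consumed by
# manifests/spring-petclinic/deployment.yml (Secret "wavefront", keys
# wavefront_api_token / wavefront_url). The plaintext Secret only ever exists
# client-side (--dry-run=client) and is piped straight into kubeseal, so nothing
# unencrypted touches disk or the API server; only the sealed JSON is committed.

set -euo pipefail

# -s: do not echo the token to the terminal (scrollback, screen sharing,
# session recordings). -r: keep backslashes literal. The bare `echo` restores
# the newline that -s suppresses.
read -rsp "WAVEFRONT API TOKEN: " WAVEFRONT_API_TOKEN
echo
read -rp "WAVEFRONT_URL: " WAVEFRONT_URL

# spring-petclinic Wavefront secret.
# NOTE(review): kubeseal is called without --cert / --controller-namespace, so
# it fetches the sealing public key from whatever cluster the current
# kubeconfig context points at. SealedSecrets are bound to namespace+name by
# default, so the output is only unsealable as "wavefront" in spring-petclinic
# on that cluster - make sure the context is the right one before running.
kubectl create secret generic wavefront \
    --namespace spring-petclinic \
    --from-literal=wavefront_api_token="${WAVEFRONT_API_TOKEN}" \
    --from-literal=wavefront_url="${WAVEFRONT_URL}" \
    --dry-run=client \
    -o json | kubeseal > manifests/spring-petclinic/wavefront-secrets.json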
--------------------------------------------------------------------------------
/install-helm-operator.sh:
--------------------------------------------------------------------------------
#! /usr/bin/env bash

# Install the Flux Helm operator, which reconciles the HelmRelease objects
# under manifests/, into the helm-operator namespace via `helm template | kapp`.

set -euo pipefail

export VERSION="1.1.0"
CRDS_URL="https://raw.githubusercontent.com/fluxcd/helm-operator/${VERSION}/deploy/crds.yaml"

helm repo add fluxcd https://charts.fluxcd.io

# Render the chart locally and let kapp apply it together with the namespace
# and the CRDs taken from the matching release tag on GitHub.
# NOTE(review): the chart (pinned with --version) and the CRD manifest are both
# fetched over HTTPS without any checksum or signature check, and the operator
# typically runs with broad cluster permissions. Vendor both into the repo if
# that trust boundary matters to you.
helm template helm-operator fluxcd/helm-operator \
    --namespace helm-operator \
    --set helm.versions=v3 \
    --version "${VERSION}" \
  | kapp deploy \
      -a helm-operator \
      --into-ns=helm-operator \
      -y \
      -f manifests/helm-operator/namespace.yml \
      -f "${CRDS_URL}" \
      -f-
--------------------------------------------------------------------------------
/manifests/images/product-api.yml:
--------------------------------------------------------------------------------
#@ load("@ytt:data", "data")

#! Tanzu Build Service (kpack) Image for product-api: TBS builds the git source
#! below with the "full" ClusterBuilder and pushes the result to the tag given
#! by data.values.product_api_image (YTT_TBS_product_api_image in
#! .envrc.template). Push credentials come from tbs-service-account.
kind: Namespace
apiVersion: v1
metadata:
  name: images
---
kind: Image
apiVersion: kpack.io/v1alpha1
metadata:
  namespace: images
  name: product-api
spec:
  tag: #@ data.values.product_api_image
  serviceAccount: tbs-service-account
  builder:
    kind: ClusterBuilder
    name: full
  source:
    git:
      url: https://github.com/techgnosis/product-api.git
      #! NOTE(review): "demo" is a branch, not a commit. Anyone who can push to
      #! that branch gets their code built and published under this tag, and
      #! the build is not reproducible. Pin a commit SHA (or a signed tag) for
      #! anything beyond a lab.
      revision: demo
24 |
25 |
--------------------------------------------------------------------------------
/manifests/kubeapps/ingress.yml:
--------------------------------------------------------------------------------
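#@ load("@ytt:data", "data")

#! Ingress for the Kubeapps dashboard.
#! networking.k8s.io/v1beta1 replaces the deprecated extensions/v1beta1 group
#! (removed in Kubernetes 1.22). It has been served since 1.14 with the same
#! serviceName/servicePort schema, so it works with the kubectl 1.16 shipped in
#! the helper image and keeps working after cluster upgrades.
#! NOTE(review): this lives in `default`, presumably because that is where the
#! kubeapps Service is - an Ingress and its backend Service must share a
#! namespace. Publishing Kubeapps on a TLS Ingress exposes its login page to
#! whoever can reach the hostname; access is then only as strong as the
#! tokens/RBAC behind it.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: kubeapps
  namespace: default
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  rules:
  - host: #@ data.values.kubeapps_hostname
    http:
      paths:
      - path: /
        backend:
          serviceName: kubeapps
          servicePort: http
  tls:
  #! TLS terminates at ingress-nginx using the pre-created kubeapps-tls secret
  #! (cert-manager-issued, presumably); with TLS configured, ingress-nginx
  #! redirects plain HTTP to HTTPS by default.
  - hosts:
    - #@ data.values.kubeapps_hostname
    secretName: kubeapps-tls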
--------------------------------------------------------------------------------
/manifests/images/spring-petclinic.yml:
--------------------------------------------------------------------------------
#@ load("@ytt:data", "data")
#! Tanzu Build Service (kpack) Image for spring-petclinic: TBS builds the git
#! source below with the "full" ClusterBuilder and pushes to the tag given by
#! data.values.spring_petclinic_image (YTT_TBS_spring_petclinic_image in
#! .envrc.template). Push credentials come from tbs-service-account.
kind: Namespace
apiVersion: v1
metadata:
  name: images
---
kind: Image
apiVersion: kpack.io/v1alpha1
metadata:
  namespace: images
  name: spring-petclinic
spec:
  tag: #@ data.values.spring_petclinic_image
  serviceAccount: tbs-service-account
  builder:
    kind: ClusterBuilder
    name: full
  source:
    git:
      url: https://github.com/techgnosis/spring-petclinic.git
      #! NOTE(review): "demo" is a branch, not a commit. Anyone who can push to
      #! it gets their code built and published under this tag, and the build
      #! is not reproducible. Pin a commit SHA (or a signed tag) outside a lab.
      revision: demo
22 |
23 |
--------------------------------------------------------------------------------
/manifests/product-api/ingress.yml:
--------------------------------------------------------------------------------
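#@ load("@ytt:data", "data")
#! Ingress for product-api.
#! networking.k8s.io/v1beta1 replaces the deprecated extensions/v1beta1 group
#! (removed in Kubernetes 1.22). It has been served since 1.14 with the same
#! serviceName/servicePort schema, so it works with the kubectl 1.16 shipped in
#! the helper image and keeps working after cluster upgrades.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: product-api
  namespace: product-api
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  rules:
  - host: #@ data.values.ingress_hostname
    http:
      paths:
      - path: /
        backend:
          #! Traffic goes to a Service named product-api-stable (defined
          #! elsewhere), not straight to the Deployment in deployment.yml -
          #! presumably the currently promoted "stable" version.
          serviceName: product-api-stable
          servicePort: http
  tls:
  #! TLS terminates at ingress-nginx using the pre-created product-api-tls
  #! secret (cert-manager-issued, presumably); with TLS configured,
  #! ingress-nginx redirects plain HTTP to HTTPS by default.
  - hosts:
    - #@ data.values.ingress_hostname
    secretName: product-api-tls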
--------------------------------------------------------------------------------
/manifests/concourse/README.md:
--------------------------------------------------------------------------------
1 | ### Notes
1. Your K8s cluster MUST support privileged containers: Concourse workers need to run as privileged containers. A privileged worker is effectively root on its node, so anything a pipeline task runs is one step away from the node itself - keep Concourse on a cluster of its own, as `tkgi-create-clusters.sh` does with the dedicated `concourse` cluster.
3 | 1. This install uses an Ingress to receive traffic
4 | 1. [Concourse Helm chart docs](https://github.com/concourse/concourse-chart)
5 |
6 | ### Username and password
`test` and `test` (apparently the chart's default local user - nothing in `concourse.yml` overrides it). The web UI is published on a TLS Ingress and every job in `concourse/pipeline/*.yml` is `public: true`, so change these credentials before the hostname is reachable by anyone you do not trust.
8 |
9 | ### Vault
10 | Use the newer [var_sources](https://concourse-ci.org/vars.html#var-sources) functionality so new sources of secrets can be configured with YAML at the pipeline level instead of with flags during Concourse install.
--------------------------------------------------------------------------------
/manifests/spring-petclinic/ingress.yml:
--------------------------------------------------------------------------------
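#@ load("@ytt:data", "data")
#! Ingress for spring-petclinic.
#! networking.k8s.io/v1beta1 replaces the deprecated extensions/v1beta1 group
#! (removed in Kubernetes 1.22). It has been served since 1.14 with the same
#! serviceName/servicePort schema, so it works with the kubectl 1.16 shipped in
#! the helper image and keeps working after cluster upgrades.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: spring-petclinic
  namespace: spring-petclinic
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  rules:
  - host: #@ data.values.ingress_hostname
    http:
      paths:
      - path: /
        backend:
          #! Traffic goes to a Service named spring-petclinic-stable (defined
          #! elsewhere), not straight to the Deployment in deployment.yml -
          #! presumably the currently promoted "stable" version.
          serviceName: spring-petclinic-stable
          servicePort: http
  tls:
  #! TLS terminates at ingress-nginx using the pre-created spring-petclinic-tls
  #! secret (cert-manager-issued, presumably); with TLS configured,
  #! ingress-nginx redirects plain HTTP to HTTPS by default.
  - hosts:
    - #@ data.values.ingress_hostname
    secretName: spring-petclinic-tls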
--------------------------------------------------------------------------------
/concourse/Helper/Dockerfile:
--------------------------------------------------------------------------------
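# Concourse "helper" task image: Ubuntu plus the CLIs the pipeline tasks need.
# Pushed to Harbor as library/concourse-helper (see concourse/pipeline/*.yml).
# NOTE(review): the base image is pinned by tag only; pin ubuntu:18.04@sha256:...
# for a reproducible, tamper-evident build.
FROM ubuntu:18.04

# docker.io pulls in the whole daemon although the tasks only need the client
# (docker login). Left as-is to avoid changing task behaviour.
RUN apt-get update \
    && apt-get install -y --no-install-recommends docker.io git wget curl ca-certificates \
    && rm -rf /var/lib/apt/lists/*

# Pre-downloaded CLI binaries from the build context. COPY preserves mode bits,
# so they must already be executable in the context.
# NOTE(review): nothing verifies these binaries (no checksum or signature
# step) - what ends up in Harbor is whatever was on the builder's disk.
COPY kapp-linux-amd64 /usr/bin/kapp
COPY kp-linux-0.1.1 /usr/bin/kp
COPY kubectl-linux-amd64-1.16.12 /usr/bin/kubectl
COPY pivnet-linux-amd64-2.0.0 /usr/bin/pivnet
COPY tkgi-linux-amd64-1.8.0-build.75 /usr/bin/tkgi
COPY ytt-linux-amd64 /usr/bin/ytt

# Trust the lab's private (mkcert) root CA so curl/git/kubectl/kapp/kp accept
# the mkcert-issued certificates on Harbor, Concourse, etc.
# Only the public certificate belongs in the image - never COPY rootCA-key.pem.
# Kept at /tmp/rootCA.pem as well, for any task that refers to it by that path.
COPY rootCA.pem /tmp/rootCA.pem
# Registered through update-ca-certificates instead of appending to
# /etc/ssl/certs/ca-certificates.crt by hand: that bundle is generated by the
# ca-certificates package, so a hand-appended entry silently disappears the
# next time it is regenerated, and this way the hashed symlink under
# /etc/ssl/certs that OpenSSL looks up is created as well.
COPY rootCA.pem /usr/local/share/ca-certificates/lab-rootCA.crt
RUN update-ca-certificates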
--------------------------------------------------------------------------------
/manifests/mysql/mysql.yml:
--------------------------------------------------------------------------------
#! MySQL for spring-petclinic, reconciled by the Flux Helm operator. The app
#! reaches it at mysql.mysql.svc.cluster.local (MYSQL_URL in
#! manifests/spring-petclinic/deployment.yml).
kind: Namespace
apiVersion: v1
metadata:
  name: mysql
---
kind: HelmRelease
apiVersion: helm.fluxcd.io/v1
metadata:
  namespace: mysql
  name: mysql
spec:
  releaseName: mysql
  targetNamespace: mysql
  helmVersion: v3
  wait: true
  test:
    enable: true
  chart:
    #! NOTE(review): a Bitnami trial/demo chart endpoint, pinned by version
    #! only - no provenance or checksum verification.
    repository: https://charts.trials.tac.bitnami.com/demo
    name: mysql
    version: "6.14.5"
  values:
    #! NOTE(review): the root and application passwords are committed here in
    #! plaintext and readable by anyone with access to the repo or to the
    #! HelmRelease object. Move them into a Secret referenced through
    #! spec.valuesFrom (sealed, like the wavefront secret) and rotate them.
    #! The deployment passes only the JDBC URL, so the app presumably relies
    #! on its own defaults for this profile - confirm they match before
    #! rotating. Nothing here configures TLS between app and database.
    replication:
      enabled: false
    root:
      password: petclinic
    db:
      name: petclinic
      user: petclinic
      password: petclinic
--------------------------------------------------------------------------------
/concourse/tasks/create-wavefront-event/create-wavefront-event.sh:
--------------------------------------------------------------------------------
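#! /usr/bin/env bash

# Concourse task: post a deploy-marker event to Wavefront so the
# spring-petclinic rollout shows up on dashboards. Expects WAVEFRONT_API_TOKEN
# and WAVEFRONT_URL in the environment (set -u makes their absence a hard error).

set -euo pipefail

# Epoch milliseconds, presumably what the events API expects; +%s000 fakes the
# millisecond resolution. The sleep keeps endTime strictly after startTime.
START_TIME="$(date +%s000)"
sleep 1
END_TIME="$(date +%s000)"

# Build the payload once with printf rather than by opening and closing shell
# quotes inside a JSON string literal (easy to break, hard to read).
PAYLOAD="$(printf '{"name":"tanzu-gitops-spring-petclinic-deploy","annotations":{"severity":"info","type":"image deploy","details":"new spring-petclinic image deployed"},"startTime":%s,"endTime":%s}' \
    "${START_TIME}" "${END_TIME}")"

# --fail: an HTTP 4xx/5xx (bad token, wrong URL) fails the task instead of
# exiting 0 with an error body, which is what happened before.
# -sS: no progress meter, but transport errors are still reported.
# The token travels only in the Authorization header - never in the URL, where
# it would land in proxy and server logs.
curl \
    --fail -sS \
    -X POST \
    --header "Content-Type: application/json" \
    --header "Accept: application/json" \
    --header "Authorization: Bearer ${WAVEFRONT_API_TOKEN}" \
    -d "${PAYLOAD}" \
    "${WAVEFRONT_URL}/api/v2/event"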
--------------------------------------------------------------------------------
/install-tbs.sh:
--------------------------------------------------------------------------------
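#! /usr/bin/env bash

# Install Tanzu Build Service 1.0.2 from the PivNet tarball: relocate its images
# into Harbor, render the manifests with ytt, then deploy with kbld + kapp.
# Requires HARBOR_DOMAIN (see .envrc.template) and the mkcert root CA.

set -euo pipefail

# Always start from an empty tbs-install directory. The original only
# re-created it when it already existed, so on a fresh checkout
# `tar -C tbs-install` failed because the directory was never made.
rm -rf tbs-install
mkdir -p tbs-install

# NOTE(review): the tarball is not checksum-verified here. PivNet publishes a
# SHA256 for every file - compare it before trusting this extract.
tar -xvf build-service-1.0.2.tar -C tbs-install

# Harbor credentials TBS will use to push built images. The Harbor chart's
# default admin password stays as the fallback so the lab flow is unchanged,
# but it can now be overridden from the environment instead of being edited
# into this file. Change the admin password for anything beyond a lab.
HARBOR_ADMIN_USER="${HARBOR_ADMIN_USER:-admin}"
HARBOR_ADMIN_PASSWORD="${HARBOR_ADMIN_PASSWORD:-Harbor12345}"

kbld relocate \
    -f ./tbs-install/images.lock \
    --lock-output ./tbs-install/images-relocated.lock \
    --repository "${HARBOR_DOMAIN}/library/build-service"

# rootCA.pem is the mkcert root *certificate* (public), passed so TBS trusts
# Harbor's mkcert-issued TLS certificate. Never pass rootCA-key.pem.
# NOTE(review): -v puts the password on the ytt command line, briefly visible
# to other local users via ps. Fine on a single-user workstation; use a
# data-values file or --data-values-env on shared hosts.
ytt -f ./tbs-install/values.yaml \
    -f ./tbs-install/manifests/ \
    -f "$(mkcert -CAROOT)"/rootCA.pem \
    -v docker_repository="${HARBOR_DOMAIN}/library/build-service" \
    -v docker_username="${HARBOR_ADMIN_USER}" \
    -v docker_password="${HARBOR_ADMIN_PASSWORD}" \
  | kbld -f ./tbs-install/images-relocated.lock -f- \
  | kapp deploy -a tanzu-build-service -f- -y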
--------------------------------------------------------------------------------
/manifests/helm-operator/README.md:
--------------------------------------------------------------------------------
1 | There are a few ways to manage supporting infrastructure in a GitOps manner:
2 | 1. Handwritten YAML that is deployed like all your other K8s manifests from Git
3 | 1. `helm template` to disk and then commit it to Git
4 | 1. Only track the helm chart version in Git
5 | 1. Custom operators, with CRDs checked into Git
6 | 1. The Helm operator
7 |
The Helm operator lets you use CRDs to manage Helm releases, which is the best of both worlds: you get the huge ecosystem of Helm charts together with the everything-in-Git benefits of a GitOps workflow. Keep in mind that the operator installs whatever chart a `HelmRelease` points at, using its own (typically cluster-wide) permissions, so the right to create `HelmRelease` objects is close to cluster-admin - which is why the manifests here pin both the chart repository and the chart version.
9 |
According to the helm-operator GitHub repository, it will one day be replaced by the Helm controller from the GitOps Toolkit:
https://github.com/fluxcd/helm-controller
12 |
13 | # GitOps Toolkit
14 | https://toolkit.fluxcd.io/
15 |
--------------------------------------------------------------------------------
/concourse/tasks/deploy-tbs-dependencies/deploy-tbs-dependencies.sh:
--------------------------------------------------------------------------------
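#! /usr/bin/env bash

# Concourse task: log in to the TKGI "tbs" cluster and to both registries, then
# import the TBS dependency descriptors (buildpacks/stacks) with `kp import`.
# All inputs arrive as environment variables from the pipeline's task params.

# Deliberately NOT `set -x`: the original traced every command, which printed
# the tkgi and registry passwords verbatim into the build log - and the jobs in
# concourse/pipeline/*.yml are `public: true`, so that log needs no login to
# read.
set -euo pipefail

# NOTE(review): -k disables TLS verification of the TKGI API. Anyone on the
# network path can impersonate it and collect these credentials; pass the
# API's CA (tkgi login --ca-cert ...) once it is available in the helper image.
tkgi login -a "${tkgiapi}" \
    -u "${tkgiuser}" \
    -p "${tkgipassword}" \
    -k

tkgi get-credentials "${tkgicluster}"

# --password-stdin keeps the registry password out of argv, where -p would
# expose it to `ps` and to any tracing.
printf '%s' "${pivnetpassword}" | docker login registry.pivotal.io \
    -u "${pivnetusername}" --password-stdin

# Do not delete this echo statement. For some reason
# if you do then the docker login afterward will try
# to login to 'domain' instead of the value of harbordomain.
# It's got to be something about how docker login processes
# text...who knows.
# I know you don't believe me - just try it
echo "${harbordomain}"
# Harbor admin credentials. The chart's default admin password stays as the
# fallback so existing pipelines keep working, but both values can be supplied
# as task params (harboruser / harborpassword) instead of living in this file.
printf '%s' "${harborpassword:-Harbor12345}" | docker login "${harbordomain}" \
    -u "${harboruser:-admin}" --password-stdin

kp import -f ./tbs-dependencies/descriptor-*.yaml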
--------------------------------------------------------------------------------
/manifests/ingress-nginx/ingress-nginx.yml:
--------------------------------------------------------------------------------
#! ingress-nginx controller, reconciled by the Flux Helm operator. Runs as a
#! DaemonSet on the host network, so each worker's own IP serves :80/:443
#! (hence a ClusterIP Service is enough - presumably there is no LoadBalancer
#! in this lab).
kind: Namespace
apiVersion: v1
metadata:
  name: ingress-nginx
---
kind: HelmRelease
apiVersion: helm.fluxcd.io/v1
metadata:
  namespace: ingress-nginx
  name: ingress-nginx
spec:
  releaseName: ingress-nginx
  targetNamespace: ingress-nginx
  helmVersion: v3
  wait: true
  test:
    enable: true
  chart:
    repository: https://kubernetes.github.io/ingress-nginx
    name: ingress-nginx
    version: "2.11.1"
  values:
    controller:
      kind: DaemonSet
      #! NOTE(review): hostNetwork puts the controller in the node's network
      #! namespace. Besides 80/443, its metrics port (10254, scraped below) and
      #! any other listener become reachable on the node IP from outside the
      #! cluster, and the pod needs a PSP/admission policy that permits
      #! hostNetwork. ClusterFirstWithHostNet keeps in-cluster DNS working
      #! for a host-network pod.
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      service:
        type: ClusterIP
      metrics:
        enabled: true
      podAnnotations:
        "prometheus.io/scrape": "true"
        "prometheus.io/port": "10254"
--------------------------------------------------------------------------------
/fly.sh:
--------------------------------------------------------------------------------
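#! /usr/bin/env bash

# Log in to the lab Concourse and (re)set every pipeline in concourse/pipeline/.
# Requires PRIMARY_DOMAIN, HARBOR_DOMAIN and KUBEAPPS_HOSTNAME in the
# environment (see .envrc.template).

set -euo pipefail

# Credentials default to the lab's test/test local user so the existing flow
# is unchanged, but can be overridden from the environment instead of being
# edited into this file (a hard-coded password in a committed script is also a
# password in git history).
CONCOURSE_USERNAME="${CONCOURSE_USERNAME:-test}"
CONCOURSE_PASSWORD="${CONCOURSE_PASSWORD:-test}"

fly login \
    --target=lab \
    --concourse-url="https://concourse.${PRIMARY_DOMAIN}" \
    --username="${CONCOURSE_USERNAME}" \
    --password="${CONCOURSE_PASSWORD}"

# Every pipeline takes the Harbor hostname; any extra -v pairs are appended.
# No secrets are passed here: the pipelines read them at run time from the
# sealed `tanzu-gitops` Secret via ((tanzu-gitops.*)), see secrets-concourse.sh.
set_pipeline() {
    local name="$1"; shift
    fly set-pipeline -t lab \
        -p "${name}" \
        -c "concourse/pipeline/${name}.yml" \
        -v harbordomain="${HARBOR_DOMAIN}" \
        "$@"
}

set_pipeline spring-petclinic
set_pipeline product-api
set_pipeline harbor
set_pipeline kubeapps -v kubeappshostname="${KUBEAPPS_HOSTNAME}"
set_pipeline tbs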
36 |
--------------------------------------------------------------------------------
/manifests/concourse/concourse.yml:
--------------------------------------------------------------------------------
#@ load("@ytt:data", "data")
#! Concourse CI, reconciled by the Flux Helm operator and reached through the
#! ingress-nginx Ingress the chart creates (TLS secret concourse-web-tls,
#! presumably cert-manager-issued).
kind: HelmRelease
apiVersion: helm.fluxcd.io/v1
metadata:
  namespace: concourse
  name: concourse
spec:
  releaseName: concourse
  targetNamespace: concourse
  helmVersion: v3
  wait: true
  test:
    enable: true
  chart:
    repository: https://concourse-charts.storage.googleapis.com/
    name: concourse
    version: "11.4.0"
  values:
    concourse:
      web:
        #! Must match the Ingress host below or redirects/auth callbacks break.
        externalUrl: #@ "https://" + data.values.concourse_hostname
        kubernetes:
          #! Presumably the per-team namespaces Concourse creates for
          #! Kubernetes-secret lookups; false removes them with the team.
          keepNamespaces: false
    #! NOTE(review): no auth/local-user values are set, so whatever the chart
    #! defaults to applies (README.md: test/test), and the workers run
    #! privileged (README.md). Override the auth values - from a Secret, not
    #! in git - before this Ingress is reachable beyond the lab.
    web:
      ingress:
        enabled: true
        hosts:
        - #@ data.values.concourse_hostname
        tls:
        - secretName: concourse-web-tls
          hosts:
          - #@ data.values.concourse_hostname
--------------------------------------------------------------------------------
/install-tas.sh:
--------------------------------------------------------------------------------
#! /usr/bin/env bash

# Install TAS for Kubernetes (TAS4K8s) on the "tas" cluster, then add the
# cert-manager Certificates that configure-tas.sh wires into the Istio gateway.

set -euo pipefail

# metrics-server is a TAS prerequisite.
# NOTE(review): applied straight from a GitHub release URL. It is pinned to
# v0.3.6 but not checksum-verified; vendor the manifest into manifests/ if you
# want the cluster to only ever receive what is in git.
METRICS_SERVER_MANIFEST="https://github.com/kubernetes-sigs/metrics-server/releases/download/v0.3.6/components.yaml"
kubectl apply --filename "${METRICS_SERVER_MANIFEST}"

# This script is powered by `ytt`
# `ytt` is informed by environment variables. See `.envrc.template`
# Note: the files app-registry-values.yml and system-registry-values.yml are still required
# YTT values files are required even when using YTT_ environment variables
#
# deployment-values.yml is generated here and contains the CF admin password
# (configure-tas.sh reads it back with `bosh interpolate`) - never commit it.
TAS_DIR="./tanzu-application-service"
"${TAS_DIR}/bin/generate-values.sh" -d "${SYSTEM_DOMAIN}" > "${TAS_DIR}/configuration-values/deployment-values.yml"

"${TAS_DIR}/bin/install-tas.sh" "${TAS_DIR}/configuration-values"

# Install the Certificate resource into istio-system so I can
# use it in configure-tas.sh
# NOTE(review): --data-values-env=YTT_TLSTAS reads variables named
# YTT_TLSTAS_<key>, while .envrc.template defines YTT_TAS_TLS_primary_domain.
# Check that the prefix here and the variable name there actually agree.
ytt --data-values-env=YTT_TLSTAS -f manifests/tas \
  | kapp deploy -a tas-tls -f- -y
--------------------------------------------------------------------------------
/manifests/tas/certificate.yml:
--------------------------------------------------------------------------------
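#@ load("@ytt:data", "data")

#! Wildcard certificates for the TAS4K8s system and apps domains, issued into
#! istio-system so the Istio ingress gateway can reference them by secretName
#! (configure-tas.sh patches the gateway's credentialName to these names).
#!
#! cert-manager.io/v1 is the stable API served by the pinned cert-manager
#! v1.0.1 chart (manifests/cert-manager/cert-manager.yml); v1alpha2 is
#! deprecated there and dropped in later releases. The fields used here
#! (commonName, dnsNames, issuerRef, secretName) are identical in both
#! versions, so nothing else changes.
#!
#! NOTE(review): the "mkcert" ClusterIssuer signs with the lab's mkcert root
#! CA, which means that CA's private key lives in-cluster as a Secret
#! (presumably a CA issuer). Anyone who can read that Secret can mint
#! certificates trusted by every machine that installed the mkcert root -
#! treat it as the most sensitive object in the cluster.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: sys-domain-cert
  namespace: istio-system
spec:
  commonName: #@ "*.sys.tas." + data.values.primary_domain
  dnsNames:
  - #@ "sys.tas." + data.values.primary_domain
  - #@ "*.sys.tas." + data.values.primary_domain
  issuerRef:
    kind: ClusterIssuer
    name: mkcert
  secretName: sys-domain-cert
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: apps-domain-cert
  namespace: istio-system
spec:
  commonName: #@ "*.apps.sys.tas." + data.values.primary_domain
  dnsNames:
  - #@ "apps.sys.tas." + data.values.primary_domain
  - #@ "*.apps.sys.tas." + data.values.primary_domain
  issuerRef:
    kind: ClusterIssuer
    name: mkcert
  secretName: apps-domain-cert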
--------------------------------------------------------------------------------
/configure-tas.sh:
--------------------------------------------------------------------------------
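#! /usr/bin/env bash

# Post-install wiring for TAS4K8s: point the Istio ingress gateway at the
# cert-manager certificates from manifests/tas/certificate.yml, then smoke-test
# the platform by pushing cloudfoundry-samples/test-app as admin.

set -euo pipefail

# NOTE(review): servers/1 and servers/2 are positional. If the gateway's
# server list is ever reordered (e.g. by a TAS upgrade) this silently patches
# the wrong listener; check `kubectl get gateway istio-ingressgateway
# -n cf-system -o yaml` after upgrades.
kubectl patch gateway istio-ingressgateway \
    --namespace cf-system \
    --type='json' \
    --patch='[{"op": "replace", "path": "/spec/servers/1/tls/credentialName", "value":"sys-domain-cert"}]'

kubectl patch gateway istio-ingressgateway \
    --namespace cf-system \
    --type='json' \
    --patch='[{"op": "replace", "path": "/spec/servers/2/tls/credentialName", "value":"apps-domain-cert"}]'

cf api "api.${SYSTEM_DOMAIN}"

# The admin password lives in the generated deployment-values.yml (written by
# install-tas.sh - never commit that file). Kept exported, as before, for
# anything that sources this script.
export CF_ADMIN_PASSWORD="$(bosh interpolate tanzu-application-service/configuration-values/deployment-values.yml --path /cf_admin_password)"

# cf auth reads CF_USERNAME / CF_PASSWORD from the environment. Passing the
# password that way keeps it out of the process argument list (visible to
# every local user via ps) and out of any shell trace.
CF_USERNAME=admin CF_PASSWORD="${CF_ADMIN_PASSWORD}" cf auth

cf create-org test-org
cf create-space -o test-org test-space
cf target -o test-org -s test-space

# NOTE(review): unpinned clone of the sample app's default branch.
if [ ! -d "test-app" ]; then
    git clone https://github.com/cloudfoundry-samples/test-app.git
fi

cf push test-app -p test-app
# --fail: a non-2xx answer (or a TLS failure against the gateway certificate)
# fails the script instead of printing an error page and exiting 0, so the
# smoke test actually tests something.
curl --fail "https://test-app.apps.${SYSTEM_DOMAIN}"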
31 |
--------------------------------------------------------------------------------
/manifests/spring-petclinic/deployment.yml:
--------------------------------------------------------------------------------
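#@ load("@ytt:data", "data")
#! spring-petclinic Deployment. The image reference is injected by ytt from
#! data.values.image (YTT_SPRINGPETCLINIC_image in .envrc.template), which by
#! default is a :latest tag - a mutable reference, so the version that runs is
#! whatever TBS pushed last. Wavefront credentials come from the `wavefront`
#! Secret produced by secrets-spring-petclinic.sh (a SealedSecret), so no
#! token is committed in clear.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: spring-petclinic
  namespace: spring-petclinic
spec:
  replicas: 1
  selector:
    matchLabels:
      app: spring-petclinic
  template:
    metadata:
      labels:
        app: spring-petclinic
    spec:
      #! NOTE(review): set on the assumption that the app never calls the
      #! Kubernetes API (nothing in this manifest grants it any RBAC). Without
      #! the token a compromised pod holds no cluster credential. Revert if
      #! the assumption turns out to be wrong.
      automountServiceAccountToken: false
      containers:
      - name: spring-petclinic
        image: #@ data.values.image
        ports:
        - containerPort: 8080
        securityContext:
          #! Block setuid / file-capability privilege escalation inside the
          #! container (works on every Kubernetes version in use here).
          allowPrivilegeEscalation: false
          #! NOTE(review): runAsNonRoot is not set because it requires a numeric
          #! USER in the image; confirm what the TBS/paketo-built image sets
          #! before adding it.
        env:
        #! Both values are read from the Secret when the container starts, so
        #! rotating the token needs a rollout, not just a Secret update.
        - name: WAVEFRONT_API_TOKEN
          valueFrom:
            secretKeyRef:
              name: wavefront
              key: wavefront_api_token
        - name: WAVEFRONT_URL
          valueFrom:
            secretKeyRef:
              name: wavefront
              key: wavefront_url
        #! Spring Boot's relaxed binding maps this lower-case name to
        #! spring.profiles.active (SPRING_PROFILES_ACTIVE is the usual spelling).
        - name: spring_profiles_active
          value: mysql
        #! Plain (no TLS configured) JDBC to the mysql HelmRelease in the mysql
        #! namespace. No credentials are passed here, so the app presumably
        #! uses its own defaults for this profile - confirm they match
        #! manifests/mysql/mysql.yml before rotating those passwords.
        - name: MYSQL_URL
          value: "jdbc:mysql://mysql.mysql.svc.cluster.local/petclinic"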
--------------------------------------------------------------------------------
/manifests/harbor/harbor.yml:
--------------------------------------------------------------------------------
#@ load("@ytt:data", "data")

#! Harbor registry, reconciled by the Flux Helm operator. Most of the lab
#! depends on this instance: TBS pushes here, the deployments pull from here,
#! and the Concourse helper image lives here.
kind: Namespace
apiVersion: v1
metadata:
  name: harbor
---
kind: HelmRelease
apiVersion: helm.fluxcd.io/v1
metadata:
  namespace: harbor
  name: harbor
spec:
  releaseName: harbor
  targetNamespace: harbor
  helmVersion: v3
  wait: true
  test:
    enable: true
  chart:
    repository: https://helm.goharbor.io
    name: harbor
    version: "1.4.2"
  values:
    #! NOTE(review): harborAdminPassword and secretKey are left at the chart
    #! defaults. The scripts in this repo rely on the default admin password
    #! (Harbor12345), and the default secretKey is the key Harbor uses to
    #! encrypt credentials it stores. Both should come from a Secret (sealed,
    #! not committed) for anything beyond a lab.
    #! Scanning: Trivy on, Clair off. Notary on, so image signing / content
    #! trust can be enforced on pull.
    trivy:
      enabled: true
    clair:
      enabled: false
    chartmuseum:
      enabled: false
    notary:
      enabled: true
    #! TLS terminates at ingress-nginx with the pre-created `harbor` secret
    #! (cert-manager-issued, presumably). externalURL must match the ingress
    #! host or Harbor generates wrong redirect and pull URLs.
    externalURL: #@ "https://" + data.values.common_name
    expose:
      type: ingress
      tls:
        enabled: true
        secretName: harbor
      ingress:
        hosts:
          core: #@ data.values.common_name
    #! Keep the registry PVC when the release is deleted so stored images
    #! survive a reinstall.
    persistence:
      resourcePolicy: "keep"
      persistentVolumeClaim:
        registry:
          size: 100Gi
--------------------------------------------------------------------------------
/concourse/pipeline/harbor.yml:
--------------------------------------------------------------------------------
# Concourse pipeline: redeploy Harbor whenever its manifests or the task
# scripts change on master. Rendered by fly.sh with ((harbordomain)).
resources:
# Helper image built from concourse/Helper/Dockerfile (tkgi, kapp, ytt, ...).
# NOTE(review): "1" is a mutable tag - whoever re-pushes concourse-helper:1
# changes what this job executes. Prefer a digest or per-build tags.
- name: concourse-helper
  type: docker-image
  source:
    repository: ((harbordomain))/library/concourse-helper
    tag: 1
    # Trust the lab's mkcert root (public certificate) for Harbor's TLS.
    ca_certs:
    - domain: ((harbordomain))
      cert: |
        ((tanzu-gitops.ca_cert))
- name: tanzu-gitops
  type: git
  source:
    uri: https://github.com/techgnosis/tanzu-gitops.git
    branch: master
    paths:
    - "manifests/harbor/*"
    - "concourse/tasks/**"

jobs:
- name: deploy harbor
  # public: true makes the build log readable without logging in, while the
  # task receives the tkgi password as a param (environment variable). The
  # task script must therefore never trace (set -x) or print its inputs.
  public: true
  serial: true
  plan:
  - get: tanzu-gitops
    trigger: true
  - get: concourse-helper
  - task: deploy harbor
    image: concourse-helper
    file: tanzu-gitops/concourse/tasks/deploy-harbor/deploy-harbor.yml
    params:
      tkgicluster: harbor
      tkgiapi: ((tanzu-gitops.tkgi_url))
      tkgiuser: ((tanzu-gitops.tkgi_user))
      tkgipassword: ((tanzu-gitops.tkgi_password))
      YTT_HARBOR_common_name: ((harbordomain))
38 |
39 |
40 |
--------------------------------------------------------------------------------
/concourse/pipeline/kubeapps.yml:
--------------------------------------------------------------------------------
# Concourse pipeline: redeploy Kubeapps whenever its manifests or the task
# scripts change on master. Rendered by fly.sh with ((harbordomain)) and
# ((kubeappshostname)).
resources:
# Helper image built from concourse/Helper/Dockerfile (tkgi, kapp, ytt, ...).
# NOTE(review): "1" is a mutable tag - whoever re-pushes concourse-helper:1
# changes what this job executes. Prefer a digest or per-build tags.
- name: concourse-helper
  type: docker-image
  source:
    repository: ((harbordomain))/library/concourse-helper
    tag: 1
    # Trust the lab's mkcert root (public certificate) for Harbor's TLS.
    ca_certs:
    - domain: ((harbordomain))
      cert: |
        ((tanzu-gitops.ca_cert))
- name: tanzu-gitops
  type: git
  source:
    uri: https://github.com/techgnosis/tanzu-gitops.git
    branch: master
    paths:
    - "manifests/kubeapps/*"
    - "concourse/tasks/**"

jobs:
- name: deploy kubeapps
  # public: true makes the build log readable without logging in, while the
  # task receives the tkgi password as a param (environment variable). The
  # task script must therefore never trace (set -x) or print its inputs.
  public: true
  serial: true
  plan:
  - get: tanzu-gitops
    trigger: true
  - get: concourse-helper
  - task: deploy kubeapps
    image: concourse-helper
    file: tanzu-gitops/concourse/tasks/deploy-kubeapps/deploy-kubeapps.yml
    params:
      tkgicluster: kubeapps
      tkgiapi: ((tanzu-gitops.tkgi_url))
      tkgiuser: ((tanzu-gitops.tkgi_user))
      tkgipassword: ((tanzu-gitops.tkgi_password))
      YTT_KUBEAPPS_kubeapps_hostname: ((kubeappshostname))
38 |
39 |
40 |
--------------------------------------------------------------------------------
/secrets-concourse.sh:
--------------------------------------------------------------------------------
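#! /usr/bin/env bash

# Build the `tanzu-gitops` SealedSecret that the Concourse pipelines read via
# ((tanzu-gitops.<key>)). Values are prompted interactively, turned into a
# client-side Secret (--dry-run=client, nothing reaches the API server), sealed
# with kubeseal, and only the sealed output is written into the repo.

set -euo pipefail

# Passwords and tokens are read with -s so they are not echoed to the terminal
# (scrollback, screen sharing, session recordings); the `echo` after each
# restores the newline that -s suppresses. -r keeps backslashes literal.
read -rp  "TKGI URL: " TKGI_URL
read -rp  "TKGI_USER: " TKGI_USER
read -rsp "TKGI_PASSWORD: " TKGI_PASSWORD; echo
read -rsp "WAVEFRONT API TOKEN: " WAVEFRONT_API_TOKEN; echo
read -rp  "WAVEFRONT_URL: " WAVEFRONT_URL
read -rsp "PIVNET API TOKEN: " PIVNET_API_TOKEN; echo
read -rp  "PIVNET USERNAME: " PIVNET_USERNAME
read -rsp "PIVNET PASSWORD: " PIVNET_PASSWORD; echo

# Pipeline secrets. ca_cert is the mkcert root *certificate* (public); the
# pipelines hand it to their registry resources as ca_certs. Never add
# rootCA-key.pem here.
# NOTE(review): kubeseal is called without --cert / --controller-namespace, so
# it fetches the sealing key from the cluster in the current kubeconfig
# context. SealedSecrets are bound to namespace+name by default, so this one is
# only unsealable as "tanzu-gitops" in concourse-main on that cluster.
kubectl create secret generic tanzu-gitops \
    --namespace concourse-main \
    --from-literal=tkgi_url="${TKGI_URL}" \
    --from-literal=tkgi_user="${TKGI_USER}" \
    --from-literal=tkgi_password="${TKGI_PASSWORD}" \
    --from-file=ca_cert="$(mkcert -CAROOT)/rootCA.pem" \
    --from-literal=wavefront_api_token="${WAVEFRONT_API_TOKEN}" \
    --from-literal=wavefront_url="${WAVEFRONT_URL}" \
    --from-literal=pivnet_api_token="${PIVNET_API_TOKEN}" \
    --from-literal=pivnet_username="${PIVNET_USERNAME}" \
    --from-literal=pivnet_password="${PIVNET_PASSWORD}" \
    --dry-run=client \
    -o json | kubeseal > manifests/concourse-main/pipeline-secrets.json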
33 |
--------------------------------------------------------------------------------
/spring-petclinic.patch:
--------------------------------------------------------------------------------
1 | diff --git a/pom.xml b/pom.xml
2 | index 5ac0cc4..3768917 100644
3 | --- a/pom.xml
4 | +++ b/pom.xml
5 | @@ -69,6 +69,16 @@
6 |
7 |
8 |
9 | +
10 | + com.wavefront
11 | + wavefront-spring-boot-starter
12 | + 2.0.0
13 | +
14 |
15 |
16 | diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
17 | index 4d4784e..48c6214 100644
18 | --- a/src/main/resources/application.properties
19 | +++ b/src/main/resources/application.properties
20 | @@ -23,3 +23,10 @@ logging.level.org.springframework=INFO
21 |
22 | # Maximum time static resources should be cached
23 | spring.resources.cache.cachecontrol.max-age=12h
24 | +
25 | +
26 | +wavefront.application.name=tanzu-gitops
27 | +wavefront.application.service=spring-petclinic
28 | +management.metrics.export.wavefront.api-token=${WAVEFRONT_API_TOKEN:invalid}
29 | +management.metrics.export.wavefront.uri=${WAVEFRONT_URL:invalid}
30 | +wavefront.freemium-account=false
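Review bot: `management.metrics.export.wavefront.api-token=${WAVEFRONT_API_TOKEN:invalid}` (and the `uri` line below it) falls back to the literal string `invalid` when the variable is missing, so a pod started without the `wavefront` Secret that manifests/spring-petclinic/deployment.yml injects boots normally and ships metrics with a bogus token; the misconfiguration only shows up as rejected requests on the Wavefront side. Dropping the fallbacks - `management.metrics.export.wavefront.api-token=${WAVEFRONT_API_TOKEN}` and `management.metrics.export.wavefront.uri=${WAVEFRONT_URL}` - should make placeholder resolution fail at startup instead, which is the behaviour you want for a required credential. Sourcing the token from the environment rather than writing it into the properties file is the right call; keep it that way.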
--------------------------------------------------------------------------------
/tkgi-create-clusters.sh:
--------------------------------------------------------------------------------
#! /usr/bin/env bash

# Create one TKGI cluster per workload, so each component is isolated at the
# cluster boundary (the privileged Concourse workers and Harbor in particular
# get clusters of their own).
#
# Uses the default plans "small" and "medium"
# Uses a custom plan called "singleVM" that has one worker node with good specs
# Change as you see f it. These numbers work for my lab and my workloads
#
# NOTE(review): unlike the other scripts in this repo there is no
# `set -euo pipefail`, so a failed create-cluster does not stop the remaining
# ones and an unset PRIMARY_DOMAIN yields hostnames like "k8s-concourse." -
# decide whether that is intended.

# create_cluster NAME [extra tkgi flags...]
# External hostname is always k8s-NAME.$PRIMARY_DOMAIN.
create_cluster() {
    local name="$1"; shift
    tkgi create-cluster "${name}" \
        --external-hostname="k8s-${name}.${PRIMARY_DOMAIN}" \
        "$@"
}

create_cluster concourse --plan=singleVM
create_cluster harbor --plan=singleVM
create_cluster tbs --plan=medium --num-nodes=2
create_cluster spring-petclinic --plan=small --num-nodes=1
create_cluster product-api --plan=small --num-nodes=1
create_cluster kubeapps --plan=small --num-nodes=3
# TAS4K8s won't install on less than 5 small workers
create_cluster tas --plan=small --num-nodes=5
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | Redistribution and use in source and binary forms, with or without
2 | modification, are permitted provided that the following conditions are
3 | met:
4 |
5 | 1. Redistributions of source code must retain the above copyright
6 | notice, this list of conditions and the following disclaimer.
7 |
8 | 2. Redistributions in binary form must reproduce the above
9 | copyright notice, this list of conditions and the following
10 | disclaimer in the documentation and/or other materials provided
11 | with the distribution.
12 |
13 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
14 | "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
15 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
16 | A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
17 | HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
18 | SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
19 | LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 | DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 | THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--------------------------------------------------------------------------------
/concourse/pipeline/tbs.yml:
--------------------------------------------------------------------------------
# Concourse pipeline: whenever PivNet publishes a new tbs-dependencies
# release, import it into the TBS cluster with `kp import`.
# Rendered by fly.sh with ((harbordomain)).
resource_types:
- name: pivnet
  type: docker-image
  source:
    repository: pivotalcf/pivnet-resource
    # Pinned, but a tag is still mutable - prefer a digest.
    tag: v1.0.1

resources:
# Helper image built from concourse/Helper/Dockerfile (tkgi, kp, docker, ...).
# NOTE(review): "1" is a mutable tag - whoever re-pushes concourse-helper:1
# changes what this job executes.
- name: concourse-helper
  type: docker-image
  source:
    repository: ((harbordomain))/library/concourse-helper
    tag: 1
    # Trust the lab's mkcert root (public certificate) for Harbor's TLS.
    ca_certs:
    - domain: ((harbordomain))
      cert: |
        ((tanzu-gitops.ca_cert))
- name: tanzu-gitops
  type: git
  source:
    uri: https://github.com/techgnosis/tanzu-gitops.git
    branch: master
    paths:
    - "concourse/tasks/**"
# Authenticates to PivNet with the API token from the sealed tanzu-gitops
# Secret (see secrets-concourse.sh).
- name: tbs-dependencies
  type: pivnet
  source:
    api_token: ((tanzu-gitops.pivnet_api_token))
    product_slug: tbs-dependencies

jobs:
- name: deploy tbs dependencies
  # public: true makes the build log readable without logging in, while the
  # task receives tkgi and PivNet passwords as params (environment variables).
  # The task script must never trace (set -x) or print its inputs.
  public: true
  serial: true
  plan:
  - get: concourse-helper
  - get: tanzu-gitops
  # NOTE(review): trigger: true imports every new upstream release
  # (buildpacks/stacks) as soon as PivNet publishes it - there is no review
  # step between "vendor shipped it" and "it is in the cluster".
  - get: tbs-dependencies
    trigger: true
  - task: deploy tbs dependencies
    image: concourse-helper
    file: tanzu-gitops/concourse/tasks/deploy-tbs-dependencies/deploy-tbs-dependencies.yml
    params:
      tkgicluster: tbs
      tkgiapi: ((tanzu-gitops.tkgi_url))
      tkgiuser: ((tanzu-gitops.tkgi_user))
      tkgipassword: ((tanzu-gitops.tkgi_password))
      pivnetusername: ((tanzu-gitops.pivnet_username))
      pivnetpassword: ((tanzu-gitops.pivnet_password))
      harbordomain: ((harbordomain))
51 |
52 |
53 |
--------------------------------------------------------------------------------
/.envrc.template:
--------------------------------------------------------------------------------
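# Copy this file to .envrc (loaded by direnv) and fill in the blanks.
# The filled-in .envrc contains registry and PivNet passwords: keep it out of
# git (it should be .gitignored) and out of tickets/chats.

# It is assumed that everything will exist in this domain
# You must be able to make DNS entries for this domain
export PRIMARY_DOMAIN="lab.home"

# Hostname of Harbor.
export HARBOR_DOMAIN="harbor.${PRIMARY_DOMAIN}"

# YTT product-api
# Hostnames are derived from PRIMARY_DOMAIN. The original hard-coded
# "lab.home" in several of them, so changing PRIMARY_DOMAIN silently left
# those stale; with the default value the results are identical.
export YTT_PRODUCTAPI_image="${HARBOR_DOMAIN}/library/product-api:latest"
export YTT_PRODUCTAPI_ingress_hostname="product-api.${PRIMARY_DOMAIN}"

# YTT spring-petclinic
export YTT_SPRINGPETCLINIC_image="${HARBOR_DOMAIN}/library/spring-petclinic:latest"
export YTT_SPRINGPETCLINIC_ingress_hostname="spring-petclinic.${PRIMARY_DOMAIN}"

# YTT harbor
export YTT_HARBOR_common_name="${HARBOR_DOMAIN}"

# YTT concourse
export YTT_CONCOURSE_concourse_hostname="concourse.${PRIMARY_DOMAIN}"

# YTT kubeapps
export YTT_KUBEAPPS_kubeapps_hostname="kubeapps.${PRIMARY_DOMAIN}"

# YTT images
# NOTE: these refs carry no tag or digest, and the deployments above pull
# :latest - all mutable references; what runs is whatever TBS pushed last.
export YTT_TBS_product_api_image="${HARBOR_DOMAIN}/library/product-api"
export YTT_TBS_spring_petclinic_image="${HARBOR_DOMAIN}/library/spring-petclinic"
export YTT_TBS_harbor="${HARBOR_DOMAIN}"

# TAS4K8s
export YTT_CF_app_registry__hostname="${HARBOR_DOMAIN}"
export YTT_CF_app_registry__repository_prefix="${HARBOR_DOMAIN}/library"
export YTT_CF_app_registry__username="admin"
# The Harbor chart's default admin password; change it in Harbor and here together.
export YTT_CF_app_registry__password="Harbor12345"

# Public mkcert root certificate (never the key) so TAS trusts Harbor's TLS.
export YTT_TAS_app_registry__ca="$(cat "$(mkcert --CAROOT)"/rootCA.pem)"
export YTT_TAS_system_registry__hostname="registry.pivotal.io"
# Your PivNet login (email address)
export YTT_TAS_system_registry__username=""
# Your PivNet password
export YTT_TAS_system_registry__password=""
# The primary domain for TAS4K8s.
export SYSTEM_DOMAIN="sys.tas.${PRIMARY_DOMAIN}"

# NOTE(review): install-tas.sh renders manifests/tas with
# `--data-values-env=YTT_TLSTAS`, which reads variables named YTT_TLSTAS_<key>,
# while this one is YTT_TAS_TLS_<key>. One of the two must change for
# primary_domain to reach the template - confirm which is intended.
export YTT_TAS_TLS_primary_domain="${PRIMARY_DOMAIN}"


# TMC
# Clusters in TMC can be added to groups
# Group needs to already exist. This value is used by the TMC CLI
export TMC_CLUSTER_GROUP_NAME=""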
--------------------------------------------------------------------------------
/manifests/spring-petclinic/wavefront-secrets.json:
--------------------------------------------------------------------------------
1 | {
2 | "kind": "SealedSecret",
3 | "apiVersion": "bitnami.com/v1alpha1",
4 | "metadata": {
5 | "name": "wavefront",
6 | "namespace": "spring-petclinic",
7 | "creationTimestamp": null
8 | },
9 | "spec": {
10 | "template": {
11 | "metadata": {
12 | "name": "wavefront",
13 | "namespace": "spring-petclinic",
14 | "creationTimestamp": null
15 | }
16 | },
17 | "encryptedData": {
18 | "wavefront_api_token": "AgCG/TrsWpuH93aId/TqiO1Erz3P65xU65EXfskw8WPs4FcdLYoM/EyhpgF/S1PFa/FRpD9Zfn8XV5DmaaBc7Js5vNEfR7kwLHIgWtPD7ejJCN6eGqNo9/KqDJ/qZazMabaaRRahg/CsbJgu28ilk7qgv00m95eW7Puf5zo+CtyfYfz9pXr7DOflBkX6ccNZFyA0k2H2WhkWgLuKifoX6Mo/xBgnpA8Mxz+8Fkoke/GY547w3AP7nK6CXhGmM+0ptppEvVFNJV7Ug+8QykzsUFLrDa95koGJzfiNo1hGMAAHN7TqqoZWFor2hD8GfnVkgZyXsPPxIPngM+K1Atp/DX7PnQJsnIZn5pZh5EG++6cuknCMHcQigPIdxT8w4XYZoV/iNqNHlnZBi0Hh6zRerYUkcgh8eG+tPdbGmjmmFlQJE8FMYqvRRa9A14lYIOr86njlA8rgBQvQxPKSdHxvNFSQT209+sXVEUfA86d/9acrEqWic4Vj7GpI29no1ITGUVa0xYVfLj78Gsfx77VWe5nliPHcXaZV+YocAmTueI4/aEVeJyFst6fqo5N4hT7CeSHyoVhgLKVNnSo3nO5gQLZbkPl6ClmU3wHUdwsWw7lyRfw3rI9aD/SfgUgoLMPvlypzUXFChGivPZiNM/H9C9PRtTlckjU77xbJAvRIRVie97W3+t55SkyTvbE09ZjxVrvUhfoN9Xx6lXzPM180+9Cop1rGyrwyFfIpvBxHJJogsRPZGbM=",
19 | "wavefront_url": "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"
20 | }
21 | }
22 | }
23 |
--------------------------------------------------------------------------------
/concourse/pipeline/product-api.yml:
--------------------------------------------------------------------------------
# Concourse pipeline for product-api. A commit on the `demo` branch is handed
# to Tanzu Build Service (TBS); the image that then appears in Harbor is handed
# to the deployment task. Values written as ((name)) are resolved by Concourse's
# credential manager at runtime. The `tanzu-gitops.*` keys used here correspond
# to the entries of the `tanzu-gitops` SealedSecret in
# manifests/concourse-main/pipeline-secrets.json (ca_cert, tkgi_url, tkgi_user,
# tkgi_password).
resources:
# Application source. Tracks a branch rather than a pinned commit, so every
# push to `demo` is a build trigger.
- name: product-api
  type: git
  source:
    uri: https://github.com/techgnosis/product-api.git
    branch: demo
# This repository, narrowed to the task definitions. The task files executed
# below are fetched from `master` at build time, so write access to that
# branch is write access to what the pipeline runs.
- name: tanzu-gitops
  type: git
  source:
    uri: https://github.com/techgnosis/tanzu-gitops.git
    branch: master
    paths:
    - "concourse/tasks/**"
# Image produced by TBS. `latest` is a mutable tag and the Deploy job below
# triggers on it, so any push to this repository path in Harbor — not only a
# TBS build — starts a deployment. Harbor's write permissions on `library/`
# are the boundary here; the TBS descriptors in manifests/tbs pin by digest,
# this resource does not.
- name: product-api-image
  type: docker-image
  source:
    repository: ((harbordomain))/library/product-api
    tag: latest
    # Harbor serves a certificate from the private CA; supplying that CA lets
    # the resource verify TLS instead of skipping verification.
    ca_certs:
    - domain: ((harbordomain))
      cert: |
        ((tanzu-gitops.ca_cert))
# Image the tasks run in. Tag `1` is also mutable, so the task runtime can
# change underneath the pipeline without a change to this file.
- name: concourse-helper
  type: docker-image
  source:
    repository: ((harbordomain))/library/concourse-helper
    tag: 1
    ca_certs:
    - domain: ((harbordomain))
      cert: |
        ((tanzu-gitops.ca_cert))

jobs:
# `public: true` makes this job's build history and logs viewable without
# logging in to Concourse. The tkgi* params are exported into the task's
# environment; the task script (not part of this file) must not print its
# environment, or the TKGI password lands in a publicly readable log.
- name: Build with TBS
  public: true
  serial: true
  plan:
  - get: product-api
    trigger: true
  - get: concourse-helper
  - get: tanzu-gitops
  - task: handoff to TBS
    image: concourse-helper
    file: tanzu-gitops/concourse/tasks/build-product-api-image/build-product-api-image.yml
    params:
      # TKGI cluster that hosts TBS; the other three authenticate the `tkgi` CLI.
      tkgicluster: tbs
      tkgiapi: ((tanzu-gitops.tkgi_url))
      tkgiuser: ((tanzu-gitops.tkgi_user))
      tkgipassword: ((tanzu-gitops.tkgi_password))

# Same visibility caveat as above: public job, TKGI credentials in params.
# Triggered by a new version of the `latest` tag, see the resource comment.
- name: Deploy to cluster
  public: true
  serial: true
  plan:
  - get: product-api-image
    trigger: true
  - get: tanzu-gitops
  - get: concourse-helper
  - task: handoff to Deployment controller
    file: tanzu-gitops/concourse/tasks/deploy-product-api-image/deploy-product-api-image.yml
    image: concourse-helper
    params:
      # Target cluster for the deployment (distinct from the TBS cluster).
      tkgicluster: product-api
      tkgiapi: ((tanzu-gitops.tkgi_url))
      tkgiuser: ((tanzu-gitops.tkgi_user))
      tkgipassword: ((tanzu-gitops.tkgi_password))
      harbordomain: ((harbordomain))
--------------------------------------------------------------------------------
/concourse/pipeline/spring-petclinic.yml:
--------------------------------------------------------------------------------
# Concourse pipeline for spring-petclinic. A commit on the `demo` branch is
# handed to Tanzu Build Service (TBS); the image that then appears in Harbor is
# handed to the deployment task, and a Wavefront event is recorded afterwards.
# Values written as ((name)) are resolved by Concourse's credential manager at
# runtime; the `tanzu-gitops.*` keys used here correspond to the entries of the
# `tanzu-gitops` SealedSecret in manifests/concourse-main/pipeline-secrets.json.
resources:
# Application source. Tracks a branch rather than a pinned commit, so every
# push to `demo` is a build trigger.
- name: spring-petclinic
  type: git
  source:
    uri: https://github.com/techgnosis/spring-petclinic.git
    branch: demo
# This repository, narrowed to the task definitions. The task files executed
# below are fetched from `master` at build time, so write access to that
# branch is write access to what the pipeline runs.
- name: tanzu-gitops
  type: git
  source:
    uri: https://github.com/techgnosis/tanzu-gitops.git
    branch: master
    paths:
    - "concourse/tasks/**"
# Image produced by TBS. `latest` is a mutable tag and the Deploy job below
# triggers on it, so any push to this repository path in Harbor — not only a
# TBS build — starts a deployment. Harbor's write permissions on `library/`
# are the boundary here; the TBS descriptors in manifests/tbs pin by digest,
# this resource does not.
- name: spring-petclinic-image
  type: docker-image
  source:
    repository: ((harbordomain))/library/spring-petclinic
    tag: latest
    # Harbor serves a certificate from the private CA; supplying that CA lets
    # the resource verify TLS instead of skipping verification.
    ca_certs:
    - domain: ((harbordomain))
      cert: |
        ((tanzu-gitops.ca_cert))
# Image the tasks run in. Tag `1` is also mutable, so the task runtime can
# change underneath the pipeline without a change to this file.
- name: concourse-helper
  type: docker-image
  source:
    repository: ((harbordomain))/library/concourse-helper
    tag: 1
    ca_certs:
    - domain: ((harbordomain))
      cert: |
        ((tanzu-gitops.ca_cert))

jobs:
# `public: true` makes this job's build history and logs viewable without
# logging in to Concourse. The tkgi* params are exported into the task's
# environment; the task script (not part of this file) must not print its
# environment, or the TKGI password lands in a publicly readable log.
- name: Build with TBS
  public: true
  serial: true
  plan:
  - get: spring-petclinic
    trigger: true
  - get: concourse-helper
  - get: tanzu-gitops
  - task: handoff to TBS
    image: concourse-helper
    file: tanzu-gitops/concourse/tasks/build-spring-petclinic-image/build-spring-petclinic-image.yml
    params:
      # TKGI cluster that hosts TBS; the other three authenticate the `tkgi` CLI.
      tkgicluster: tbs
      tkgiapi: ((tanzu-gitops.tkgi_url))
      tkgiuser: ((tanzu-gitops.tkgi_user))
      tkgipassword: ((tanzu-gitops.tkgi_password))

# Same visibility caveat as above: public job, TKGI and Wavefront credentials
# in params. Triggered by a new version of the `latest` tag.
- name: Deploy to cluster
  public: true
  serial: true
  plan:
  - get: spring-petclinic-image
    trigger: true
  - get: tanzu-gitops
  - get: concourse-helper
  - task: handoff to Deployment controller
    file: tanzu-gitops/concourse/tasks/deploy-spring-petclinic-image/deploy-spring-petclinic-image.yml
    image: concourse-helper
    params:
      # Target cluster for the deployment (distinct from the TBS cluster).
      tkgicluster: spring-petclinic
      tkgiapi: ((tanzu-gitops.tkgi_url))
      tkgiuser: ((tanzu-gitops.tkgi_user))
      tkgipassword: ((tanzu-gitops.tkgi_password))
      harbordomain: ((harbordomain))
  # Records a deployment event in Wavefront (see the README's Wavefront
  # section). The API token comes from the credential manager here; the same
  # key name is also sealed for the application itself in
  # manifests/spring-petclinic/wavefront-secrets.json, so rotating the token
  # means re-sealing it in both places.
  - task: create wavefront event
    image: concourse-helper
    file: tanzu-gitops/concourse/tasks/create-wavefront-event/create-wavefront-event.yml
    params:
      WAVEFRONT_API_TOKEN: ((tanzu-gitops.wavefront_api_token))
      WAVEFRONT_URL: ((tanzu-gitops.wavefront_url))
--------------------------------------------------------------------------------
/manifests/tbs/descriptor-8.yaml:
--------------------------------------------------------------------------------
# Tanzu Build Service dependency descriptor (presumably release 8 of the TBS
# dependency set, going by the file name). Every image below is referenced by
# sha256 digest rather than by tag, so the buildpack store and the build/run
# stacks are immutable once applied: updating a dependency means replacing
# the digest here and applying the new descriptor, and a tag being moved in
# registry.pivotal.io cannot silently change what is built. Which descriptor
# file gets applied is decided by the install script, not by this file.
apiVersion: kp.kpack.io/v1alpha1
kind: DependencyDescriptor
# Builder and stack used when a build does not name one explicitly.
defaultClusterBuilder: full
defaultStack: full
stores:
# The set of buildpack images the builders below may draw from.
- name: default
  sources:
  - image: registry.pivotal.io/tanzu-go-buildpack/go@sha256:b3aabeec621a74bb57c7b97ad5e3d8ee31a83ab367a47455a9aaac7b79cbc022
  - image: registry.pivotal.io/tanzu-java-buildpack/java@sha256:38db548c31a198bee8aee0570f1bb1262582e802c92aa14fe7021941d3856701
  - image: registry.pivotal.io/tanzu-nodejs-buildpack/nodejs@sha256:f7b485ec28630ed38d4bbef3bfdcc5a01610551cff1518edf099ae133d592e58
  - image: registry.pivotal.io/tbs-dependencies/tanzu-buildpacks_dotnet-core@sha256:a1abf15b4ebb5cc7f86993f9134567b3cf7ebdb90ad3e3f4b2080f2ef27e776f
  - image: registry.pivotal.io/tbs-dependencies/tanzu-buildpacks_php@sha256:7af56f344798284732ddc33a1d5d6973d1635d3f0e9b8d960e027b08ab3894ad
  - image: registry.pivotal.io/tbs-dependencies/tanzu-buildpacks_nginx@sha256:d3592a9214ed78506c76fddd2785bccc864666f7c88972b039dd0b112760f2ec
  - image: registry.pivotal.io/tbs-dependencies/tanzu-buildpacks_httpd@sha256:892c824d98afb32198cd5b303098eee5be2600f076455bd8f7da3a34adf2c340
  - image: registry.pivotal.io/tbs-dependencies/paketo-buildpacks_procfile@sha256:e9f731b4cd3f8a13f2f70295713b0ef0970e02e03a530be467bf25703ee5e086
# Build/run image pairs. The run image is the base of every produced
# application image, so these digests are what a stack update rolls out.
stacks:
- name: tiny
  buildImage:
    image: registry.pivotal.io/tbs-dependencies/build-tiny@sha256:5288d9c5b7cf7068d07b5a184f3ec2f124fbc5842401b8b23c74485c4d2ba23a
  runImage:
    image: registry.pivotal.io/tbs-dependencies/run-tiny@sha256:34b01fd9a3745fcaa345f8993938291c931f7977cc2bee78ed377da2edc55e3d
- name: base
  buildImage:
    image: registry.pivotal.io/tbs-dependencies/build-base@sha256:136bea967b99e41497664896ca8b8829cc96b75405edcc31b5e111ad0415c399
  runImage:
    image: registry.pivotal.io/tbs-dependencies/run-base@sha256:30cd86c9a265a39629421fea0172be15cd4aefb9f7f432e98a330583196f172e
- name: full
  buildImage:
    image: registry.pivotal.io/tbs-dependencies/build-full@sha256:423b15b46ee55ddb32851f0460468e1abecbf0d7b894ca9a9ab03543e008e9ab
  runImage:
    image: registry.pivotal.io/tbs-dependencies/run-full@sha256:d2019a8b64c252e6d164f84afa89d699cc6d6a2ff9b7ad6553278fc710626a15
# Builders pair a stack with an ordered list of buildpack groups; groups are
# tried in the order listed and the first one whose detection succeeds is used.
# `base` and `full` share the same order and differ only in stack.
clusterBuilders:
- name: base
  stack: base
  store: default
  order:
  - group:
    - id: tanzu-buildpacks/dotnet-core
  - group:
    - id: tanzu-buildpacks/nodejs
  - group:
    - id: tanzu-buildpacks/go
  - group:
    - id: tanzu-buildpacks/php
  - group:
    - id: tanzu-buildpacks/nginx
  - group:
    - id: tanzu-buildpacks/httpd
  - group:
    - id: tanzu-buildpacks/java
  - group:
    - id: paketo-buildpacks/procfile
- name: full
  stack: full
  store: default
  order:
  - group:
    - id: tanzu-buildpacks/dotnet-core
  - group:
    - id: tanzu-buildpacks/nodejs
  - group:
    - id: tanzu-buildpacks/go
  - group:
    - id: tanzu-buildpacks/php
  - group:
    - id: tanzu-buildpacks/nginx
  - group:
    - id: tanzu-buildpacks/httpd
  - group:
    - id: tanzu-buildpacks/java
  - group:
    - id: paketo-buildpacks/procfile
# Only Go and procfile on the tiny stack.
- name: tiny
  stack: tiny
  store: default
  order:
  - group:
    - id: tanzu-buildpacks/go
  - group:
    - id: paketo-buildpacks/procfile
--------------------------------------------------------------------------------
/manifests/tbs/descriptor-9.yaml:
--------------------------------------------------------------------------------
# Tanzu Build Service dependency descriptor (presumably release 9 of the TBS
# dependency set, going by the file name). Compared with descriptor-8.yaml in
# the same directory this one adds the java-native-image buildpack (and puts it
# in all three builders) and carries new digests for dotnet-core, nginx and the
# full build/run images; the other digests are unchanged. Every image is
# referenced by sha256 digest rather than by tag, so the set is immutable once
# applied and a moved tag in registry.pivotal.io cannot silently change what is
# built. Which descriptor file gets applied is decided by the install script,
# not by this file.
apiVersion: kp.kpack.io/v1alpha1
kind: DependencyDescriptor
# Builder and stack used when a build does not name one explicitly.
defaultClusterBuilder: full
defaultStack: full
stores:
# The set of buildpack images the builders below may draw from.
- name: default
  sources:
  - image: registry.pivotal.io/tanzu-go-buildpack/go@sha256:b3aabeec621a74bb57c7b97ad5e3d8ee31a83ab367a47455a9aaac7b79cbc022
  - image: registry.pivotal.io/tanzu-java-buildpack/java@sha256:38db548c31a198bee8aee0570f1bb1262582e802c92aa14fe7021941d3856701
  - image: registry.pivotal.io/tanzu-nodejs-buildpack/nodejs@sha256:f7b485ec28630ed38d4bbef3bfdcc5a01610551cff1518edf099ae133d592e58
  - image: registry.pivotal.io/tanzu-java-native-image-buildpack/java-native-image@sha256:1c5c4840249752ec88907717af2298602febe6a153108df8f85a156211685257
  - image: registry.pivotal.io/tbs-dependencies/tanzu-buildpacks_dotnet-core@sha256:d8ce44165166da988cc334e13956838623d233861b57eaf011d43535b1b86bf4
  - image: registry.pivotal.io/tbs-dependencies/tanzu-buildpacks_php@sha256:7af56f344798284732ddc33a1d5d6973d1635d3f0e9b8d960e027b08ab3894ad
  - image: registry.pivotal.io/tbs-dependencies/tanzu-buildpacks_nginx@sha256:e0363a5e6ce01f0935df65d6f89994a91bee63c2f25249c62a84788f53eb4346
  - image: registry.pivotal.io/tbs-dependencies/tanzu-buildpacks_httpd@sha256:892c824d98afb32198cd5b303098eee5be2600f076455bd8f7da3a34adf2c340
  - image: registry.pivotal.io/tbs-dependencies/paketo-buildpacks_procfile@sha256:e9f731b4cd3f8a13f2f70295713b0ef0970e02e03a530be467bf25703ee5e086
# Build/run image pairs. The run image is the base of every produced
# application image, so these digests are what a stack update rolls out.
stacks:
- name: tiny
  buildImage:
    image: registry.pivotal.io/tbs-dependencies/build-tiny@sha256:5288d9c5b7cf7068d07b5a184f3ec2f124fbc5842401b8b23c74485c4d2ba23a
  runImage:
    image: registry.pivotal.io/tbs-dependencies/run-tiny@sha256:34b01fd9a3745fcaa345f8993938291c931f7977cc2bee78ed377da2edc55e3d
- name: base
  buildImage:
    image: registry.pivotal.io/tbs-dependencies/build-base@sha256:136bea967b99e41497664896ca8b8829cc96b75405edcc31b5e111ad0415c399
  runImage:
    image: registry.pivotal.io/tbs-dependencies/run-base@sha256:30cd86c9a265a39629421fea0172be15cd4aefb9f7f432e98a330583196f172e
- name: full
  buildImage:
    image: registry.pivotal.io/tbs-dependencies/build-full@sha256:0177ac09cec02e43ba70cf191a469ba03ccdd108a007153465910f501e769539
  runImage:
    image: registry.pivotal.io/tbs-dependencies/run-full@sha256:00910a0bfe8544892e56a251b58119103532c25afb0034e1be9da494b3969e68
# Builders pair a stack with an ordered list of buildpack groups; groups are
# tried in the order listed and the first one whose detection succeeds is used.
# java-native-image is placed before java so that it gets first claim on a
# matching project. `base` and `full` share the same order and differ only in
# stack.
clusterBuilders:
- name: base
  stack: base
  store: default
  order:
  - group:
    - id: tanzu-buildpacks/dotnet-core
  - group:
    - id: tanzu-buildpacks/nodejs
  - group:
    - id: tanzu-buildpacks/go
  - group:
    - id: tanzu-buildpacks/php
  - group:
    - id: tanzu-buildpacks/nginx
  - group:
    - id: tanzu-buildpacks/httpd
  - group:
    - id: tanzu-buildpacks/java-native-image
  - group:
    - id: tanzu-buildpacks/java
  - group:
    - id: paketo-buildpacks/procfile
- name: full
  stack: full
  store: default
  order:
  - group:
    - id: tanzu-buildpacks/dotnet-core
  - group:
    - id: tanzu-buildpacks/nodejs
  - group:
    - id: tanzu-buildpacks/go
  - group:
    - id: tanzu-buildpacks/php
  - group:
    - id: tanzu-buildpacks/nginx
  - group:
    - id: tanzu-buildpacks/httpd
  - group:
    - id: tanzu-buildpacks/java-native-image
  - group:
    - id: tanzu-buildpacks/java
  - group:
    - id: paketo-buildpacks/procfile
# Go, native-image Java and procfile on the tiny stack.
- name: tiny
  stack: tiny
  store: default
  order:
  - group:
    - id: tanzu-buildpacks/go
  - group:
    - id: tanzu-buildpacks/java-native-image
  - group:
    - id: paketo-buildpacks/procfile
--------------------------------------------------------------------------------
/manifests/sealed-secrets/controller.yaml:
--------------------------------------------------------------------------------
# Sealed Secrets controller (v0.12.5) installed into kube-system: the
# Deployment, the SealedSecret CRD, its Service, and the RBAC that lets the
# controller write Secrets cluster-wide and lets clients reach it through the
# API-server proxy. This is the controller that turns the SealedSecret objects
# committed under manifests/ (pipeline-secrets.json, wavefront-secrets.json)
# into plain Secrets, so its service account is effectively a cluster-wide
# secret writer; treat kube-system access accordingly.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations: {}
  labels:
    name: sealed-secrets-controller
  name: sealed-secrets-controller
  namespace: kube-system
spec:
  minReadySeconds: 30
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      name: sealed-secrets-controller
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      annotations: {}
      labels:
        name: sealed-secrets-controller
    spec:
      containers:
      - args: []
        command:
        - controller
        env: []
        # Pinned by tag, not by digest, and pulled on every pod start
        # (imagePullPolicy: Always), so what runs is whatever quay.io serves
        # for this tag at that moment. The TBS descriptors in manifests/tbs
        # pin by digest; the same could be done here.
        image: quay.io/bitnami/sealed-secrets-controller:v0.12.5
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
            path: /healthz
            port: http
        name: sealed-secrets-controller
        ports:
        # Named `http`; the services/proxy Role below refers to this port name.
        - containerPort: 8080
          name: http
        readinessProbe:
          httpGet:
            path: /healthz
            port: http
        # Non-root with a read-only root filesystem; /tmp is the only writable
        # path (emptyDir below).
        # NOTE(review): no `allowPrivilegeEscalation: false` and no
        # `capabilities: drop: [ALL]` — both are compatible with this
        # container's needs as shown here and would tighten it further.
        securityContext:
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 1001
        stdin: false
        tty: false
        volumeMounts:
        - mountPath: /tmp
          name: tmp
      imagePullSecrets: []
      initContainers: []
      securityContext:
        fsGroup: 65534
      serviceAccountName: sealed-secrets-controller
      terminationGracePeriodSeconds: 30
      volumes:
      - emptyDir: {}
        name: tmp
---
# NOTE(review): apiextensions.k8s.io/v1beta1 is a beta API that was removed
# in Kubernetes 1.22; moving to apiextensions.k8s.io/v1 is not a one-line
# change (v1 requires a `versions:` list with a structural schema), so take
# the CRD from a newer controller release rather than editing it by hand.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: sealedsecrets.bitnami.com
spec:
  group: bitnami.com
  names:
    kind: SealedSecret
    listKind: SealedSecretList
    plural: sealedsecrets
    singular: sealedsecret
  scope: Namespaced
  subresources:
    status: {}
  version: v1alpha1
---
# Allows `get` and `create` through the API-server proxy to the controller's
# Service only (the two resourceNames are the port-qualified and plain forms
# of the same Service). This is the path `kubeseal` uses to fetch the sealing
# certificate from the cluster.
# NOTE(review): rbac.authorization.k8s.io/v1beta1 was also removed in
# Kubernetes 1.22; the `v1` form of Role/RoleBinding/ClusterRole/
# ClusterRoleBinding is identical in content, so this one is a version bump
# (same applies to the other five RBAC objects in this file).
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  annotations: {}
  labels:
    name: sealed-secrets-service-proxier
  name: sealed-secrets-service-proxier
  namespace: kube-system
rules:
- apiGroups:
  - ""
  resourceNames:
  - 'http:sealed-secrets-controller:'
  - sealed-secrets-controller
  resources:
  - services/proxy
  verbs:
  - create
  - get
---
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations: {}
  labels:
    name: sealed-secrets-controller
  name: sealed-secrets-controller
  namespace: kube-system
---
# ClusterIP only; the controller is not exposed outside the cluster, clients
# reach it via the services/proxy Role above.
apiVersion: v1
kind: Service
metadata:
  annotations: {}
  labels:
    name: sealed-secrets-controller
  name: sealed-secrets-controller
  namespace: kube-system
spec:
  ports:
  - port: 8080
    targetPort: 8080
  selector:
    name: sealed-secrets-controller
  type: ClusterIP
---
# Grants the proxier Role to `system:authenticated`, i.e. every authenticated
# principal in the cluster, so anyone who can talk to the API server can reach
# the controller's HTTP endpoints. That is the upstream default and is what
# lets any developer run `kubeseal` without extra RBAC; it is scoped to this
# one Service by the resourceNames above, not to all of kube-system.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  annotations: {}
  labels:
    name: sealed-secrets-service-proxier
  name: sealed-secrets-service-proxier
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: sealed-secrets-service-proxier
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  annotations: {}
  labels:
    name: sealed-secrets-controller
  name: sealed-secrets-controller
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: sealed-secrets-key-admin
subjects:
- kind: ServiceAccount
  name: sealed-secrets-controller
  namespace: kube-system
---
# `create` and `list` on Secrets in kube-system. Presumably this is how the
# controller stores and reloads its own sealing key pair as a Secret — which
# also means that key is a kube-system Secret worth backing up, since every
# committed SealedSecret is unusable without it. Note that `list` returns
# secret contents, so this Role reads every Secret in kube-system, not only
# the controller's own.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  annotations: {}
  labels:
    name: sealed-secrets-key-admin
  name: sealed-secrets-key-admin
  namespace: kube-system
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - list
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  annotations: {}
  labels:
    name: sealed-secrets-controller
  name: sealed-secrets-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: secrets-unsealer
subjects:
- kind: ServiceAccount
  name: sealed-secrets-controller
  namespace: kube-system
---
# Cluster-wide: watch SealedSecrets, update their status, and get/create/
# update/delete Secrets in any namespace (plus emit Events). This is the
# minimum a namespace-agnostic unsealer needs, and it is why a compromise of
# the controller's service account is a cluster-wide secret-write primitive.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  annotations: {}
  labels:
    name: secrets-unsealer
  name: secrets-unsealer
rules:
- apiGroups:
  - bitnami.com
  resources:
  - sealedsecrets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - bitnami.com
  resources:
  - sealedsecrets/status
  verbs:
  - update
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - create
  - update
  - delete
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
--------------------------------------------------------------------------------
/manifests/concourse-main/pipeline-secrets.json:
--------------------------------------------------------------------------------
1 | {
2 | "kind": "SealedSecret",
3 | "apiVersion": "bitnami.com/v1alpha1",
4 | "metadata": {
5 | "name": "tanzu-gitops",
6 | "namespace": "concourse-main",
7 | "creationTimestamp": null
8 | },
9 | "spec": {
10 | "template": {
11 | "metadata": {
12 | "name": "tanzu-gitops",
13 | "namespace": "concourse-main",
14 | "creationTimestamp": null
15 | }
16 | },
17 | "encryptedData": {
18 | "ca_cert": "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",
19 | "pivnet_api_token": "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",
20 | "pivnet_password": "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",
21 | "pivnet_username": "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",
22 | "tkgi_password": "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",
23 | "tkgi_url": "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",
24 | "tkgi_user": "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",
25 | "wavefront_api_token": "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",
26 | "wavefront_url": "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"
27 | }
28 | }
29 | }
30 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Tanzu GitOps
2 | The goal of this repo is to use the Tanzu portfolio to create easy-to-use, low maintenance Kubernetes environments for developers.
3 |
4 | ## Use the [**gtm-e2e-demo**](https://github.com/Pivotal-Field-Engineering/tanzu-gitops/blob/gtm-e2e-demo/README.md) branch to set up and run a simpler version of the demo
5 |
6 | Tanzu Kubernetes Grid Integrated Edition:
7 | * Kubernetes cluster lifecycle platform
8 | * Allows individual cluster upgrades or all-at-once upgrades
9 | * Integration with your LDAP or SAML IdP for cluster authentication
10 |
11 | Tanzu Mission Control:
12 | * Manage cluster access
13 | * Manage admission and network policy
14 | * Use TO integration to monitor cluster metrics
15 | * Use Data Protection to back up clusters
16 |
17 | Tanzu Observability:
18 | * Sole source of metrics for platform teams and application teams
19 | * Show everything from IaaS to K8s to application metrics
20 | * Provide metrics for use in Canary deploy
21 |
22 | Tanzu Build Service:
23 | * Build secure OCI images without Docker
24 | * Keep images up-to-date on latest golden image
25 |
26 | Tanzu Application Catalog:
27 | * Build trusted Helm charts and images onto your golden image
28 | * Provide helpful audit information for the images, like CVE scans and open-source licenses
29 |
30 | Tanzu Application Service:
31 | * Managed multi-tenancy for teams that don't want to touch Kubernetes
32 |
33 | ## Install Steps
34 |
35 | ### Pre-reqs
36 | * Ability to make DNS entries for a domain you own
37 | * `tkgi` to create and authenticate to K8s clusters
38 | * `direnv` to handle environment variables
39 | * `helm` to install the Helm operator
40 | * `kapp` to install everything else
41 | * `bash` to run all the install scripts
42 | * `kubectl` and `kubeseal` to create `SealedSecrets`
43 | * `mkcert` for all TLS certs
44 |
45 | ### Architecture Decisions
46 | * This repo is full of default usernames and passwords. It is meant to be easy to set up and use as a demo environment; it is not meant to be a production environment.
47 | * I use TKGI for my Kubernetes clusters. Most of this project is not dependent on TKGI, but the Concourse tasks use the `tkgi` CLI to authenticate
48 | * If a piece of software has a Helm chart, I use the Helm chart
49 | * If a piece of software does not have a Helm chart then I use `ytt` to template and `kapp` to install
50 | * I use environment variables heavily as they are the most portable way to configure software
51 | * Demo environments don't need Let's Encrypt, so this project uses `mkcert`, which is much easier
52 | * The Concourse tasks are not generic or re-usable. This is to make them easier to read and understand.
53 | * Secrets are handled by `kubeseal` so that only their encrypted form is added to source control. TLS secrets are handled by `cert-manager`
54 |
55 | ### Preparation
56 | 1. Copy `.envrc.template` to `.envrc` and fill out all the values
57 | 1. Use `direnv` to load those values into your environment
58 |
59 | ### TKGI
60 | Create 7 clusters:
61 | * `harbor`
62 | * `tbs`
63 | * `concourse`
64 | * `spring-petclinic`
65 | * `product-api`
66 | * `kubeapps`
67 | * `tas`
68 |
69 | ### TMC steps
70 | 1. `./tmc-attach-cluster.sh <cluster-name>`
71 | 1. Repeat for the rest of the clusters
72 |
73 | ### Harbor
74 | 1. `./install-vsphere-storage.sh`
75 | 1. `./install-sealedsecrets.sh`
76 | 1. `./install-helm-operator.sh`
77 | 1. `./install-cert-manager.sh`
78 | 1. `./secrets-cert-manager.sh`
79 | 1. `./install-ingress-nginx.sh`
80 | 1. `./install-harbor.sh`
81 |
82 | ### TBS
83 | 1. `./install-vsphere-storage.sh`
84 | 1. `./install-tbs.sh`
85 | 1. `./install-tbs-dependencies.sh`
86 | 1. `./install-images.sh`
87 |
88 | ### Concourse
89 | 1. `./install-vsphere-storage.sh`
90 | 1. `./install-sealedsecrets.sh`
91 | 1. `./install-helm-operator.sh`
92 | 1. `./install-ingress-nginx.sh`
93 | 1. `./install-cert-manager.sh`
94 | 1. `./secrets-cert-manager.sh`
95 | 1. `./secrets-concourse.sh`
96 | 1. `./install-concourse.sh`
97 | 1. `./install-concourse-main.sh`
98 | 1. `./fly.sh`
99 |
100 |
101 | ### spring-petclinic
102 | 1. `./install-vsphere-storage.sh`
103 | 1. `./install-sealedsecrets.sh`
104 | 1. `./install-helm-operator.sh`
105 | 1. `./install-ingress-nginx.sh`
106 | 1. `./install-mysql.sh`
107 | 1. `./secrets-spring-petclinic.sh`
108 | 1. `./install-spring-petclinic.sh`
109 |
110 | ### product-api
111 | 1. `./install-vsphere-storage.sh`
112 | 1. `./install-sealedsecrets.sh`
113 | 1. `./install-helm-operator.sh`
114 | 1. `./install-ingress-nginx.sh`
115 | 1. `./secrets-product-api.sh`
116 | 1. `./install-product-api.sh`
117 |
118 | ### Kubeapps
119 | 1. `./install-vsphere-storage.sh`
120 | 1. `./install-sealedsecrets.sh`
121 | 1. `./install-helm-operator.sh`
122 | 1. `./install-ingress-nginx.sh`
123 | 1. `./install-cert-manager.sh`
124 | 1. `./secrets-cert-manager.sh`
125 | 1. `./install-kubeapps.sh`
126 | 1. `./configure-kubeapps.sh`
127 |
128 | ### TAS
129 | 1. `./install-vsphere-storage.sh`
130 | 1. `./install-sealedsecrets.sh`
131 | 1. `./install-helm-operator.sh`
132 | 1. `./install-minibroker.sh`
133 | 1. `./install-tas.sh`
134 | 1. `./secrets-tas.sh`
135 | 1. `./configure-tas.sh`
136 |
137 | ## Component descriptions
138 |
139 | ### vSphere Storage
140 | Every cluster that has stateful workloads needs a `StorageClass` so that `PersistentVolumes` can be created automatically via `PersistentVolumeClaims`.
141 |
142 | ### Sealed Secrets
143 | In the earlier days of Kubernetes, the idea of GitOps famously suffered from the problem of "everything in Git except Secrets". Kubernetes `Secrets` are of course not secret, as they are simply base64 encoded. With the SealedSecrets project, you can use the `kubeseal` CLI to encrypt regular `Secrets` into `SealedSecrets` for a specific cluster; the controller in that cluster holds the key that can decrypt them. When a `SealedSecret` is applied to the cluster, the controller decrypts it into a regular `Secret`. Anyone with access to that resulting `Secret` in the cluster can still base64 decode it.
144 |
145 | ### Helm Operator
146 | The Helm Operator makes it easy to use Helm while also sticking to an infrastructure-as-code/GitOps mindset. It allows you to use Helm in a declarative sense using `HelmRelease` resources, instead of using Helm in an imperative manner with `helm install`. This also allows best practices of using Helm to be used without anyone having to learn them since those best practices are captured in the custom Kubernetes controller.
147 |
148 | ### Ingress
149 | Ingress controllers are easier to manage than NodePorts for every app. Use the [Kubernetes in-tree nginx Ingress controller](https://github.com/techgnosis/ingress). It works fine for a lab environment. This implementation uses `hostNetwork: true` to bind port 443 for convenience.
150 |
151 | ### cert-manager
152 | [cert-manager](https://cert-manager.io/docs/) allows you to create certificates as Kubernetes resources. It supports a variety of backends. In this repo we are using `mkcert` as a CA and using cert-manager in CA mode.
153 |
154 | ### Harbor
155 | Harbor is an OCI image registry with lots of great security features. Harbor uses Trivy to scan your images for CVEs and can prevent images with CVEs from being downloaded.
156 |
157 | ### Tanzu Build Service
158 | Tanzu Build Service (TBS) uses Cloud Native Buildpacks to turn source code into OCI images.
159 |
160 | ### Concourse
161 | Concourse is a container workflow tool commonly used for "CI/CD". Container workflow tools are the "glue" to connect pieces of the software delivery chain together. In this repo Concourse is used to direct a git commit to TBS and then send the resulting image to the Deployment controller.
162 |
163 | ### spring-petclinic
164 | [spring-petclinic](https://github.com/techgnosis/spring-petclinic) is a canonical example of a Spring Boot app. spring-petclinic can use an external MySQL instance instead of its own in-memory DB.
165 |
166 | ### Kubeapps
167 | Kubeapps is a GUI for Helm that makes it easy to explore Helm repos.
168 |
169 | ### Wavefront
170 | The Concourse pipeline in this project creates a Wavefront Event after a new image is deployed. In order for this to work, you need to setup Wavefront. Follow these steps to get Wavefront ready:
171 | 1. Follow the [Spring Boot Wavefront tutorial](https://docs.wavefront.com/wavefront_springboot_tutorial.html) to get Spring-Petclinic integrated with Wavefront
172 | 1. Clone the default dashboard Wavefront creates for you
173 | 1. Edit the clone
174 | 1. Click "Settings"
175 | 1. Click "Advanced"
176 | 1. Add the following events query `events(name="tanzu-gitops-spring-petclinic-deploy")`
177 | 1. In your dashboard at the top right where it says "Show Events" change it to "From Dashboard Settings". This will cause your events query to be the source of events for all charts in your dashboard.
178 |
179 |
180 | ## Quirks I have observed
181 | * Kubeapps only seems to behave if it is installed in the `default` namespace. Otherwise it doesn't recognize App Repositories when you try to install anything in a namespace other than `default`.
182 |
183 |
184 | ## TODO
185 | * Combine spring-petclinic and product-api into the same cluster called `diy`. Use some RBAC to make it work. Apply it with TMC.
186 | * Add a pipeline to get test-app into TAS
187 | * Learn how to use NSX-T so I don't have to set my ingress controller to `hostNetwork: true` in order to use port 443
188 | * When using OIDC for K8s auth, how do you provide a username and password to `tkgi get-credentials` for use with Concourse? Otherwise I get a password prompt when using OIDC. It seems it's an environment variable.
189 |
--------------------------------------------------------------------------------