├── .envrc.template ├── .gitignore ├── LICENSE ├── NOTICE ├── README.md ├── build-concourse-helper.sh ├── concourse ├── Helper │ ├── .gitignore │ └── Dockerfile ├── pipeline │ ├── harbor.yml │ ├── kubeapps.yml │ ├── product-api.yml │ ├── spring-petclinic.yml │ └── tbs.yml ├── show-pipeline-variables.sh └── tasks │ ├── build-product-api-image │ ├── build-product-api-image.sh │ └── build-product-api-image.yml │ ├── build-spring-petclinic-image │ ├── build-spring-petclinic-image.sh │ └── build-spring-petclinic-image.yml │ ├── create-wavefront-event │ ├── create-wavefront-event.sh │ └── create-wavefront-event.yml │ ├── deploy-harbor │ ├── deploy-harbor.sh │ └── deploy-harbor.yml │ ├── deploy-kubeapps │ ├── deploy-kubeapps.sh │ └── deploy-kubeapps.yml │ ├── deploy-product-api-image │ ├── deploy-product-api-image.sh │ └── deploy-product-api-image.yml │ ├── deploy-spring-petclinic-image │ ├── deploy-spring-petclinic-image.sh │ └── deploy-spring-petclinic-image.yml │ └── deploy-tbs-dependencies │ ├── deploy-tbs-dependencies.sh │ └── deploy-tbs-dependencies.yml ├── configure-kubeapps.sh ├── configure-tas-minibroker.sh ├── configure-tas.sh ├── fly.sh ├── install-cert-manager.sh ├── install-concourse-main.sh ├── install-concourse.sh ├── install-harbor.sh ├── install-helm-operator.sh ├── install-images.sh ├── install-ingress-nginx.sh ├── install-kubeapps.sh ├── install-minibroker.sh ├── install-mysql.sh ├── install-product-api.sh ├── install-sealedsecrets.sh ├── install-spring-petclinic.sh ├── install-tas.sh ├── install-tbs-dependencies.sh ├── install-tbs.sh ├── install-vsphere-storage.sh ├── manifests ├── cert-manager │ ├── cert-manager.crds.yaml │ ├── cert-manager.yml │ └── clusterissuer.yml ├── concourse-main │ └── pipeline-secrets.json ├── concourse │ ├── README.md │ ├── certificate.yml │ ├── concourse.yml │ ├── namespace.yml │ └── values.yml ├── harbor │ ├── certificate.yml │ ├── harbor.yml │ └── values.yml ├── helm-operator │ ├── README.md │ └── namespace.yml ├── images 
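│   ├── harbor-docker-creds.yml
│   ├── product-api.yml
│   ├── spring-petclinic.yml
│   ├── tbs-service-account.yml
│   └── values.yml
├── ingress-nginx
│   └── ingress-nginx.yml
├── kubeapps
│   ├── certificate.yml
│   ├── cluster-role-binding.yml
│   ├── ingress.yml
│   ├── kubeapps.yml
│   ├── service-account.yml
│   └── values.yml
├── minibroker
│   ├── minibroker.yml
│   └── namespace.yml
├── mysql
│   └── mysql.yml
├── product-api
│   ├── certificate.yml
│   ├── deployment.yml
│   ├── ingress.yml
│   ├── namespace.yml
│   ├── services.yml
│   └── values.yaml
├── sealed-secrets
│   └── controller.yaml
├── spring-petclinic
│   ├── certificate.yml
│   ├── deployment.yml
│   ├── ingress.yml
│   ├── namespace.yaml
│   ├── services.yml
│   ├── values.yaml
│   └── wavefront-secrets.json
├── tas
│   ├── certificate.yml
│   └── values.yml
├── tbs
│   ├── descriptor-8.yaml
│   └── descriptor-9.yaml
└── vsphere-storage
    └── storageclass.yml
├── secrets-cert-manager.sh
├── secrets-concourse.sh
├── secrets-spring-petclinic.sh
├── spring-petclinic.patch
├── tas-reset-stack.sh
├── tas-update-stack.sh
├── tkgi-create-clusters.sh
└── tmc-attach-cluster.sh

/.envrc.template:
--------------------------------------------------------------------------------
# Copy this file to .envrc, fill in the blanks and let direnv load it
# (README "Preparation"). .envrc is git-ignored; once the registry and
# PivNet passwords below are filled in, treat the file as a secret.
#
# Every hostname is derived from PRIMARY_DOMAIN so that changing it in one
# place is enough. With the default the values render to exactly the same
# lab.home names as before.

# It is assumed that everything will exist in this domain
# You must be able to make DNS entries for this domain
export PRIMARY_DOMAIN="lab.home"

# Hostname of Harbor.
export HARBOR_DOMAIN="harbor.${PRIMARY_DOMAIN}"

# YTT product-api
export YTT_PRODUCTAPI_image="${HARBOR_DOMAIN}/library/product-api:latest"
export YTT_PRODUCTAPI_ingress_hostname="product-api.${PRIMARY_DOMAIN}"

# YTT spring-petclinic
export YTT_SPRINGPETCLINIC_image="${HARBOR_DOMAIN}/library/spring-petclinic:latest"
export YTT_SPRINGPETCLINIC_ingress_hostname="spring-petclinic.${PRIMARY_DOMAIN}"

# YTT harbor
export YTT_HARBOR_common_name="${HARBOR_DOMAIN}"

# YTT concourse
export YTT_CONCOURSE_concourse_hostname="concourse.${PRIMARY_DOMAIN}"

# YTT kubeapps
export YTT_KUBEAPPS_kubeapps_hostname="kubeapps.${PRIMARY_DOMAIN}"

# YTT images
export YTT_TBS_product_api_image="${HARBOR_DOMAIN}/library/product-api"
export YTT_TBS_spring_petclinic_image="${HARBOR_DOMAIN}/library/spring-petclinic"
export YTT_TBS_harbor="${HARBOR_DOMAIN}"

# TAS4K8s
export YTT_CF_app_registry__hostname="${HARBOR_DOMAIN}"
export YTT_CF_app_registry__repository_prefix="${HARBOR_DOMAIN}/library"
# admin / Harbor12345 is Harbor's well-known factory default (the README
# calls this repo out as demo-only). Change the admin password on first
# login and update it here; outside a lab, give TAS a Harbor robot account
# scoped to the `library` project instead of the admin user.
export YTT_CF_app_registry__username="admin"
export YTT_CF_app_registry__password="Harbor12345"

# Public root certificate of the local mkcert CA (never rootCA-key.pem).
# Same flag spelling as build-concourse-helper.sh. If mkcert is not
# installed this substitution fails, so check `mkcert -CAROOT` first.
export YTT_TAS_app_registry__ca="$(cat "$(mkcert -CAROOT)/rootCA.pem")"
export YTT_TAS_system_registry__hostname="registry.pivotal.io"
# Your PivNet login (email address)
export YTT_TAS_system_registry__username=""
# Your PivNet password
export YTT_TAS_system_registry__password=""
# The primary domain for TAS4K8s.
export SYSTEM_DOMAIN="sys.tas.${PRIMARY_DOMAIN}"

export YTT_TAS_TLS_primary_domain="${PRIMARY_DOMAIN}"


# TMC
# Clusters in TMC can be added to groups
# Group needs to already exist. This value is used by the TMC CLI
export TMC_CLUSTER_GROUP_NAME=""
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
.envrc
tls.crt
tls.key
pipeline/vars.sh
rootCA.pem
build-service-1.0.2.tar
tanzu-application-service.0.5.0-build.19.tar
tanzu-application-service/
tbs-install
k8s-attach-manifest.yaml
test-app/
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:

1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above
copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided
with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.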
-------------------------------------------------------------------------------- /NOTICE: -------------------------------------------------------------------------------- 1 | Copyright 2022 VMware, Inc. 2 | 3 | This product is licensed to you under the BSD 2 clause (the "License"). You may not use this product except in compliance with the License. 4 | 5 | This product may include a number of subcomponents with separate copyright notices and license terms. Your use of these subcomponents is subject to the terms and conditions of the subcomponent's license, as noted in the LICENSE file. -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Tanzu GitOps 2 | The goal of this repo is to use the Tanzu portfolio to create easy-to-use, low maintenance Kubernetes environments for developers. 3 | 4 | ## Use the [**gtm-e2e-demo**](https://github.com/Pivotal-Field-Engineering/tanzu-gitops/blob/gtm-e2e-demo/README.md) branch to setup and execute a simpler version of the demo 5 | 6 | Tanzu Kubernetes Grid Integrated Edition: 7 | * Kubernetes cluster lifecycle platform 8 | * Allows individual cluster upgrades or all-at-once upgrades 9 | * Integration with your LDAP or SAML IdP for cluster authentication 10 | 11 | Tanzu Misson Control: 12 | * Manage cluster access 13 | * Manage admission and network policy 14 | * Use TO integration to monitor cluster metrics 15 | * Use Data Protection to backup clusters 16 | 17 | Tanzu Observability: 18 | * Sole source of metrics for platform teams and application teams 19 | * Show everything from IaaS to K8s to application metrics 20 | * Provide metrics for use in Canary deploy 21 | 22 | Tanzu Build Service: 23 | * Build secure OCI images without Docker 24 | * Keep images up-to-date on latest golden image 25 | 26 | Tanzu Application Catalog: 27 | * Build trusted Helm charts and images onto your golden image 28 | * Provide 
helpful audit information for the images, like CVE scans and open-source licenses 29 | 30 | Tanzu Application Service: 31 | * Managed multi-tenancy for teams that don't want to touch Kubernetes 32 | 33 | ## Install Steps 34 | 35 | ### Pre-reqs 36 | * Ability to make DNS entries for a domain you own 37 | * `tkgi` to create and authenticate to K8s clusters 38 | * `direnv` to handle environment variables 39 | * `helm` to install the Helm operator 40 | * `kapp` to install everything else 41 | * `bash` to run all the install scripts 42 | * `kubectl` and `kubeseal` to create `SealedSecrets` 43 | * `mkcert` for all TLS certs 44 | 45 | ### Architecture Decisions 46 | * This repo is full of default usernames and passwords. It's meant to be easy to setup and use as a demo environment. It's not meant to be a production environment. 47 | * I use TKGI for my Kubernetes clusters. Most of this project is not dependent on TKGI but the Concourse tasks use the `tkgi` CLI to authenticate 48 | * If a piece of software has a Helm chart, I use the Helm chart 49 | * If a piece of software does not have a Helm chart then I use `ytt` to template and `kapp` to install 50 | * I use environment variables heavily as they are the most portable way to configure software 51 | * Demo environments don't need Lets Encrypt so this project uses `mkcert` which is much easier 52 | * The Concourse tasks are not generic or re-usable. This is to make them easier to read and understand. 53 | * Secrets are handled by `kubeseal` so they can be added to source control. TLS secrets are handled by `cert-manager` 54 | 55 | ### Preparation 56 | 1. Copy `.envrc.template` to `.envrc` and fill out all the values 57 | 1. Use `direnv` to load those values into your environment 58 | 59 | ### TKGI 60 | Create 7 clusters: 61 | * `harbor` 62 | * `tbs` 63 | * `concourse` 64 | * `spring-petclinic` 65 | * `product-api` 66 | * `kubeapps` 67 | * `tas` 68 | 69 | ### TMC steps 70 | 1. `./tmc-attach-cluster.sh ` 71 | 1. 
Repeat for the rest of the clusters 72 | 73 | ### Harbor 74 | 1. `./install-vsphere-storage.sh` 75 | 1. `./install-sealedsecrets.sh` 76 | 1. `./install-helm-operator.sh` 77 | 1. `./install-cert-manager.sh` 78 | 1. `./secrets-cert-manager.sh` 79 | 1. `./install-ingress-nginx.sh` 80 | 1. `./install-harbor.sh` 81 | 82 | ### TBS 83 | 1. `./install-vsphere-storage.sh` 84 | 1. `./install-tbs.sh` 85 | 1. `./install-tbs-dependencies.sh` 86 | 1. `./install-images.sh` 87 | 88 | ### Concourse 89 | 1. `./install-vsphere-storage.sh` 90 | 1. `./install-sealedsecrets.sh` 91 | 1. `./install-helm-operator.sh` 92 | 1. `./install-ingress-nginx.sh` 93 | 1. `./install-cert-manager.sh` 94 | 1. `./secrets-cert-manager.sh` 95 | 1. `./secrets-concourse.sh` 96 | 1. `./install-concourse.sh` 97 | 1. `./install-concourse-main.sh` 98 | 1. `./fly.sh` 99 | 100 | 101 | ### spring-petclinic 102 | 1. `./install-vsphere-storage.sh` 103 | 1. `./install-sealedsecrets.sh` 104 | 1. `./install-helm-operator.sh` 105 | 1. `./install-ingress-nginx.sh` 106 | 1. `./install-mysql.sh` 107 | 1. `./secrets-spring-petclinic.sh` 108 | 1. `./install-spring-petclinic.sh` 109 | 110 | ### product-api 111 | 1. `./install-vsphere-storage.sh` 112 | 1. `./install-sealedsecrets.sh` 113 | 1. `./install-helm-operator.sh` 114 | 1. `./install-ingress-nginx.sh` 115 | 1. `./secrets-product-api.sh` 116 | 1. `./install-product-api.sh` 117 | 118 | ### Kubeapps 119 | 1. `./install-vsphere-storage.sh` 120 | 1. `./install-sealedsecrets.sh` 121 | 1. `./install-helm-operator.sh` 122 | 1. `./install-ingress-nginx.sh` 123 | 1. `./install-cert-manager.sh` 124 | 1. `./secrets-cert-manager.sh` 125 | 1. `./install-kubeapps.sh` 126 | 1. `./configure-kubeapps.sh` 127 | 128 | ### TAS 129 | 1. `./install-vsphere-storage.sh` 130 | 1. `./install-sealedsecrets.sh` 131 | 1. `./install-helm-operator.sh` 132 | 1. `./install-minibroker.sh` 133 | 1. `./install-tas.sh` 134 | 1. `./secrets-tas.sh` 135 | 1. 
`./configure-tas.sh`

## Component descriptions

### vSphere Storage
Every cluster that has stateful workloads needs a `StorageClass` so that `PersistentVolumes` can be created automatically via `PersistentVolumeClaims`.

### Sealed Secrets
In the earlier days of Kubernetes, the idea of GitOps famously suffered from the problem of "everything in Git except Secrets". Kubernetes `Secrets` are of course not secret: their values are only base64 encoded. With the SealedSecrets project, you can use the `kubeseal` CLI to encrypt regular `Secrets` into `SealedSecrets` using a key pair held in the cluster: `kubeseal` encrypts with the public key, and the controller decrypts each `SealedSecret` into a regular `Secret` with the private key when it is applied. Sealing only protects the values while they sit in Git. Anyone with RBAC permission to read the resulting `Secret` can still base64 decode it, and anyone who can read the controller's private key can unseal everything, so back that key up and guard access to it like any other cluster credential.

### Helm Operator
The Helm Operator makes it easy to use Helm while also sticking to an infrastructure-as-code/GitOps mindset. It allows you to use Helm in a declarative sense using `HelmRelease` resources, instead of using Helm in an imperative manner with `helm install`. This also allows best practices of using Helm to be used without anyone having to learn them since those best practices are captured in the custom Kubernetes controller.

### Ingress
Ingress controllers are easier to manage than NodePorts for every app. Use the [Kubernetes in-tree nginx Ingress controller](https://github.com/techgnosis/ingress). It works fine for a lab environment. This implementation uses `hostNetwork: true` to bind port 443 for convenience; that puts the controller pod in the node's network namespace, which is acceptable for a lab but not something to carry into production.

### cert-manager
[cert-manager](https://cert-manager.io/docs/) allows you to create certificates as Kubernetes resources. It supports a variety of backends. In this repo we are using `mkcert` as a CA and using cert-manager in CA mode.

### Harbor
Harbor is an OCI image registry with lots of great security features.
Harbor uses Trivy to scan your images for CVEs and can prevent images with CVEs from being downloaded. 156 | 157 | ### Tanzu Build Service 158 | Tanzu Build Service (TBS) uses Cloud Native Buildpacks to turn source code into OCI images. 159 | 160 | ### Concourse 161 | Concourse is a container workflow tool commonly used for "CI/CD". Container workflow tools are the "glue" to connect pieces of the software delivery chain together. In this repo Concourse is used to direct a git commit to TBS and then send the resulting image to the Deployment controller. 162 | 163 | ### spring-petclinic 164 | [spring-petclinic](https://github.com/techgnosis/spring-petclinic) is a canonical example of a Spring Boot app. spring-petclinic can use an external MySQL instance instead of its own in-memory DB. 165 | 166 | ### Kubeapps 167 | Kubeapps is a GUI for Helm that makes it easy to explore Helm repos 168 | 169 | ### Wavefront 170 | The Concourse pipeline in this project creates a Wavefront Event after a new image is deployed. In order for this to work, you need to setup Wavefront. Follow these steps to get Wavefront ready: 171 | 1. Follow the [Spring Boot Wavefront tutorial](https://docs.wavefront.com/wavefront_springboot_tutorial.html) to get Spring-Petclinic integrated with Wavefront 172 | 1. Clone the default dashboard Wavefront creates for you 173 | 1. Edit the clone 174 | 1. Click "Settings" 175 | 1. Click "Advanced" 176 | 1. Add the following events query `events(name="tanzu-gitops-spring-petclinic-deploy")` 177 | 1. In your dashboard at the top right where it says "Show Events" change it to "From Dashboard Settings". This will cause your events query to be the source of events for all charts in your dashboard. 178 | 179 | 180 | ## Quirks I have observed 181 | * Kubeapps only seems to behave if it is installed in the `default` namespace. Otherwise it doesn't recognize App Respositories when you try to install anything in a different namespace than `default`. 
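

## TODO
* Combine spring-petclinic and product-api into the same cluster called `diy`. Use some RBAC to make it work. Apply it with TMC.
* Add a pipeline to get test-app into TAS
* Learn how to use NSX-T so I don't have to set my ingress controller to `hostNetwork: true` in order to use port 443
* When using OIDC for K8s auth, how do you provide a username and password to `tkgi get-credentials` for use with Concourse? Otherwise I get a password prompt when using OIDC. It seems its an environment variable.

--------------------------------------------------------------------------------
/build-concourse-helper.sh:
--------------------------------------------------------------------------------
#! /usr/bin/env bash
# Build the Concourse "helper" image (every CLI the tasks need plus the lab
# mkcert root CA) and push it to Harbor. Needs HARBOR_DOMAIN from .envrc.

set -euo pipefail

: "${HARBOR_DOMAIN:?set HARBOR_DOMAIN (see .envrc.template)}"

# The directory in the tree is concourse/Helper (capital H); the previous
# `cd concourse/helper` only worked on a case-insensitive filesystem.
cd concourse/Helper

# Only the public root certificate goes into the image, never rootCA-key.pem.
cp "$(mkcert -CAROOT)/rootCA.pem" .

# `:1` is a mutable tag that every run of this script overwrites, and the
# pipelines in concourse/pipeline pull it by that tag; bump the tag (or pin
# a digest in the pipelines) when a change to the helper must be auditable.
image="${HARBOR_DOMAIN}/library/concourse-helper:1"
docker build -t "${image}" .
docker push "${image}"
--------------------------------------------------------------------------------
/concourse/Helper/.gitignore:
--------------------------------------------------------------------------------
spring-petclinic/
kubectl-linux-amd64-1.16.12
pks-linux-amd64-1.7.1-build.26
tkgi-linux-amd64-1.8.0-build.75
kp-linux-0.1.1
kapp-linux-amd64
ytt-linux-amd64
sd
kubectl-argo-rollouts-linux-amd64
pivnet-linux-amd64-2.0.0
--------------------------------------------------------------------------------
/concourse/Helper/Dockerfile:
--------------------------------------------------------------------------------
# Helper image for the Concourse tasks: tkgi/kubectl/kp/kapp/ytt/pivnet on
# top of Ubuntu, trusting the lab's mkcert CA. Ubuntu 18.04 left standard
# support in 2023; move to a supported base when the CLIs are next refreshed.
FROM ubuntu:18.04

RUN apt-get update \
    && apt-get install -y --no-install-recommends docker.io git wget curl ca-certificates \
    && rm -rf /var/lib/apt/lists/*

# The binaries below are downloaded by hand into this directory (see the
# sibling .gitignore) and copied in unverified; record and check their
# published checksums before building so the helper cannot be silently
# swapped for a tampered CLI.
COPY kapp-linux-amd64 /usr/bin/kapp
COPY kp-linux-0.1.1 /usr/bin/kp
COPY kubectl-linux-amd64-1.16.12 /usr/bin/kubectl
COPY pivnet-linux-amd64-2.0.0 /usr/bin/pivnet
COPY tkgi-linux-amd64-1.8.0-build.75 /usr/bin/tkgi
COPY ytt-linux-amd64 /usr/bin/ytt

# Install the mkcert root CA the way the ca-certificates package expects:
# drop it in /usr/local/share/ca-certificates and let update-ca-certificates
# regenerate the bundle. Appending to /etc/ssl/certs/ca-certificates.crt
# directly works until the next time that bundle is regenerated, at which
# point the CA silently disappears.
COPY rootCA.pem /usr/local/share/ca-certificates/mkcert-rootCA.crt
RUN update-ca-certificates
--------------------------------------------------------------------------------
/concourse/pipeline/harbor.yml:
--------------------------------------------------------------------------------
resources:
# NOTE(review): task scripts are fetched from a public GitHub repo on a
# moving branch; whoever can push to it controls code that runs with the
# TKGI credentials below. Point this at a repo and branch (or tag) you control.
- name: tanzu-gitops
  type: git
  source:
    uri: https://github.com/techgnosis/tanzu-gitops.git
    branch: master
    paths:
    - "manifests/harbor/*"
    - "concourse/tasks/**"
# `tag: 1` is overwritten by every run of build-concourse-helper.sh, so the
# image a build ran with is not recoverable from the tag alone. The
# docker-image resource type is deprecated upstream in favour of registry-image.
- name: concourse-helper
  type: docker-image
  source:
    repository: ((harbordomain))/library/concourse-helper
    tag: 1
    ca_certs:
    - domain: ((harbordomain))
      cert: |
        ((tanzu-gitops.ca_cert))


jobs:
# public: true lets anyone read the build log without logging in, so nothing
# a task prints may contain a credential (the task scripts keep `set -x`
# away from `tkgi login` for that reason).
- name: deploy harbor
  public: true
  serial: true
  plan:
  - get: concourse-helper
  - get: tanzu-gitops
    trigger: true
  - task: deploy harbor
    image: concourse-helper
    file: tanzu-gitops/concourse/tasks/deploy-harbor/deploy-harbor.yml
    params:
      tkgicluster: harbor
      tkgiapi: ((tanzu-gitops.tkgi_url))
      tkgiuser: ((tanzu-gitops.tkgi_user))
      tkgipassword: ((tanzu-gitops.tkgi_password))
      YTT_HARBOR_common_name: ((harbordomain))


--------------------------------------------------------------------------------
/concourse/pipeline/kubeapps.yml:
--------------------------------------------------------------------------------
resources:
# Same caveats as harbor.yml: public repo on a moving branch, mutable
# helper tag, public build logs.
- name: tanzu-gitops
  type: git
  source:
    uri: https://github.com/techgnosis/tanzu-gitops.git
    branch: master
    paths:
    - "manifests/kubeapps/*"
    - "concourse/tasks/**"
- name: concourse-helper
  type: docker-image
  source:
    repository: ((harbordomain))/library/concourse-helper
    tag: 1
    ca_certs:
    - domain: ((harbordomain))
      cert: |
        ((tanzu-gitops.ca_cert))


jobs:
- name: deploy kubeapps
  public: true
  serial: true
  plan:
  - get: concourse-helper
  - get: tanzu-gitops
    trigger: true
  - task: deploy kubeapps
    image: concourse-helper
    file: tanzu-gitops/concourse/tasks/deploy-kubeapps/deploy-kubeapps.yml
    params:
      tkgicluster: kubeapps
      tkgiapi: ((tanzu-gitops.tkgi_url))
      tkgiuser: ((tanzu-gitops.tkgi_user))
      tkgipassword: ((tanzu-gitops.tkgi_password))
      YTT_KUBEAPPS_kubeapps_hostname: ((kubeappshostname))


--------------------------------------------------------------------------------
/concourse/pipeline/product-api.yml:
--------------------------------------------------------------------------------
resources:
- name: product-api
  type: git
  source:
    uri: https://github.com/techgnosis/product-api.git
    branch: demo
# Same caveats as harbor.yml: public repo on a moving branch, mutable
# helper tag, public build logs.
- name: tanzu-gitops
  type: git
  source:
    uri: https://github.com/techgnosis/tanzu-gitops.git
    branch: master
    paths:
    - "concourse/tasks/**"
# `latest` is only the trigger: the deploy task reads the digest file this
# resource writes and rolls the Deployment to that digest, never to the tag.
- name: product-api-image
  type: docker-image
  source:
    repository: ((harbordomain))/library/product-api
    tag: latest
    ca_certs:
    - domain: ((harbordomain))
      cert: |
        ((tanzu-gitops.ca_cert))
- name: concourse-helper
  type: docker-image
  source:
    repository: ((harbordomain))/library/concourse-helper
    tag: 1
    ca_certs:
    - domain: ((harbordomain))
      cert: |
        ((tanzu-gitops.ca_cert))




jobs:
- name: Build with TBS
  public: true
  serial: true
  plan:
  - get: product-api
    trigger: true
  - get: concourse-helper
  - get: tanzu-gitops
  - task: handoff to TBS
    image: concourse-helper
    file: tanzu-gitops/concourse/tasks/build-product-api-image/build-product-api-image.yml
    params:
      tkgicluster: tbs
      tkgiapi: ((tanzu-gitops.tkgi_url))
      tkgiuser: ((tanzu-gitops.tkgi_user))
      tkgipassword: ((tanzu-gitops.tkgi_password))



- name: Deploy to cluster
  public: true
  serial: true
  plan:
  - get: product-api-image
    trigger: true
  - get: tanzu-gitops
  - get: concourse-helper
  - task: handoff to Deployment controller
    file: tanzu-gitops/concourse/tasks/deploy-product-api-image/deploy-product-api-image.yml
    image: concourse-helper
    params:
      tkgicluster: product-api
      tkgiapi: ((tanzu-gitops.tkgi_url))
      tkgiuser: ((tanzu-gitops.tkgi_user))
      tkgipassword: ((tanzu-gitops.tkgi_password))
      harbordomain: ((harbordomain))


--------------------------------------------------------------------------------
/concourse/pipeline/spring-petclinic.yml:
--------------------------------------------------------------------------------
resources:
- name: spring-petclinic
  type: git
  source:
    uri: https://github.com/techgnosis/spring-petclinic.git
    branch: demo
# Same caveats as harbor.yml: public repo on a moving branch, mutable
# helper tag, public build logs.
- name: tanzu-gitops
  type: git
  source:
    uri: https://github.com/techgnosis/tanzu-gitops.git
    branch: master
    paths:
    - "concourse/tasks/**"
# `latest` is only the trigger; the deploy task rolls to the digest.
- name: spring-petclinic-image
  type: docker-image
  source:
    repository: ((harbordomain))/library/spring-petclinic
    tag: latest
    ca_certs:
    - domain: ((harbordomain))
      cert: |
        ((tanzu-gitops.ca_cert))
- name: concourse-helper
  type: docker-image
  source:
    repository: ((harbordomain))/library/concourse-helper
    tag: 1
    ca_certs:
    - domain: ((harbordomain))
      cert: |
        ((tanzu-gitops.ca_cert))




jobs:
- name: Build with TBS
  public: true
  serial: true
  plan:
  - get: spring-petclinic
    trigger: true
  - get: concourse-helper
  - get: tanzu-gitops
  - task: handoff to TBS
    image: concourse-helper
    file: tanzu-gitops/concourse/tasks/build-spring-petclinic-image/build-spring-petclinic-image.yml
    params:
      tkgicluster: tbs
      tkgiapi: ((tanzu-gitops.tkgi_url))
      tkgiuser: ((tanzu-gitops.tkgi_user))
      tkgipassword: ((tanzu-gitops.tkgi_password))



- name: Deploy to cluster
  public: true
  serial: true
  plan:
  - get: spring-petclinic-image
    trigger: true
  - get: tanzu-gitops
  - get: concourse-helper
  - task: handoff to Deployment controller
    file: tanzu-gitops/concourse/tasks/deploy-spring-petclinic-image/deploy-spring-petclinic-image.yml
    image: concourse-helper
    params:
      tkgicluster: spring-petclinic
      tkgiapi: ((tanzu-gitops.tkgi_url))
      tkgiuser: ((tanzu-gitops.tkgi_user))
      tkgipassword: ((tanzu-gitops.tkgi_password))
      harbordomain: ((harbordomain))
  # Runs only after the deploy step above succeeded, so the event marks a
  # rollout that actually happened.
  - task: create wavefront event
    image: concourse-helper
    file: tanzu-gitops/concourse/tasks/create-wavefront-event/create-wavefront-event.yml
    params:
      WAVEFRONT_API_TOKEN: ((tanzu-gitops.wavefront_api_token))
      WAVEFRONT_URL: ((tanzu-gitops.wavefront_url))


--------------------------------------------------------------------------------
/concourse/pipeline/tbs.yml:
--------------------------------------------------------------------------------
resource_types:
# Third-party resource type pulled from Docker Hub by a mutable tag; pin a
# digest if this pipeline is kept beyond the demo.
- name: pivnet
  type: docker-image
  source:
    repository: pivotalcf/pivnet-resource
    tag: v1.0.1

resources:
- name: tbs-dependencies
  type: pivnet
  source:
    api_token: ((tanzu-gitops.pivnet_api_token))
    product_slug: tbs-dependencies
- name: concourse-helper
  type: docker-image
  source:
    repository: ((harbordomain))/library/concourse-helper
    tag: 1
    ca_certs:
    - domain: ((harbordomain))
      cert: |
        ((tanzu-gitops.ca_cert))
# Same caveats as harbor.yml: public repo on a moving branch, mutable
# helper tag, public build logs.
- name: tanzu-gitops
  type: git
  source:
    uri: https://github.com/techgnosis/tanzu-gitops.git
    branch: master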
28 | paths: 29 | - "concourse/tasks/**" 30 | 31 | jobs: 32 | - name: deploy tbs dependencies 33 | public: true 34 | serial: true 35 | plan: 36 | - get: concourse-helper 37 | - get: tanzu-gitops 38 | - get: tbs-dependencies 39 | trigger: true 40 | - task: deploy tbs dependencies 41 | image: concourse-helper 42 | file: tanzu-gitops/concourse/tasks/deploy-tbs-dependencies/deploy-tbs-dependencies.yml 43 | params: 44 | tkgicluster: tbs 45 | tkgiapi: ((tanzu-gitops.tkgi_url)) 46 | tkgiuser: ((tanzu-gitops.tkgi_user)) 47 | tkgipassword: ((tanzu-gitops.tkgi_password)) 48 | pivnetusername: ((tanzu-gitops.pivnet_username)) 49 | pivnetpassword: ((tanzu-gitops.pivnet_password)) 50 | harbordomain: ((harbordomain)) 51 | 52 | 53 | -------------------------------------------------------------------------------- /concourse/show-pipeline-variables.sh: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env bash 2 | 3 | set -euo pipefail 4 | 5 | # Show me everything that looks like (( anything )) 6 | rg '\(\(.+\)\)' -------------------------------------------------------------------------------- /concourse/tasks/build-product-api-image/build-product-api-image.sh: -------------------------------------------------------------------------------- 1 | #! 
/usr/bin/env bash 2 | 3 | set -euo pipefail 4 | 5 | tkgi login -a ${tkgiapi} \ 6 | -u ${tkgiuser} \ 7 | -p ${tkgipassword} \ 8 | -k 9 | 10 | tkgi get-credentials ${tkgicluster} 11 | 12 | cd product-api 13 | REVISION=$(git rev-parse HEAD) 14 | kp -n images image patch product-api --git-revision ${REVISION} 15 | 16 | -------------------------------------------------------------------------------- /concourse/tasks/build-product-api-image/build-product-api-image.yml: -------------------------------------------------------------------------------- 1 | platform: linux 2 | 3 | inputs: 4 | - name: tanzu-gitops 5 | - name: product-api 6 | 7 | params: 8 | tkgicluster: 9 | tkgiapi: 10 | tkgiuser: 11 | tkgipassword: 12 | 13 | run: 14 | path: "tanzu-gitops/concourse/tasks/build-product-api-image/build-product-api-image.sh" -------------------------------------------------------------------------------- /concourse/tasks/build-spring-petclinic-image/build-spring-petclinic-image.sh: -------------------------------------------------------------------------------- 1 | #! 
/usr/bin/env bash 2 | 3 | set -euo pipefail 4 | 5 | tkgi login -a ${tkgiapi} \ 6 | -u ${tkgiuser} \ 7 | -p ${tkgipassword} \ 8 | -k 9 | 10 | tkgi get-credentials ${tkgicluster} 11 | 12 | cd spring-petclinic 13 | REVISION=$(git rev-parse HEAD) 14 | kp -n images image patch spring-petclinic --git-revision ${REVISION} 15 | 16 | -------------------------------------------------------------------------------- /concourse/tasks/build-spring-petclinic-image/build-spring-petclinic-image.yml: -------------------------------------------------------------------------------- 1 | platform: linux 2 | 3 | inputs: 4 | - name: tanzu-gitops 5 | - name: spring-petclinic 6 | 7 | params: 8 | tkgicluster: 9 | tkgiapi: 10 | tkgiuser: 11 | tkgipassword: 12 | 13 | run: 14 | path: "tanzu-gitops/concourse/tasks/build-spring-petclinic-image/build-spring-petclinic-image.sh" -------------------------------------------------------------------------------- /concourse/tasks/create-wavefront-event/create-wavefront-event.sh: -------------------------------------------------------------------------------- 1 | #! 
/usr/bin/env bash 2 | 3 | set -euo pipefail 4 | 5 | START_TIME=$(date +%s000) 6 | sleep 1 7 | END_TIME=$(date +%s000) 8 | 9 | 10 | curl \ 11 | -X POST \ 12 | --header "Content-Type: application/json" \ 13 | --header "Accept: application/json" \ 14 | --header "Authorization: Bearer ${WAVEFRONT_API_TOKEN}" \ 15 | -d "{ 16 | \"name\": \"tanzu-gitops-spring-petclinic-deploy\", 17 | \"annotations\": { 18 | \"severity\": \"info\", 19 | \"type\": \"image deploy\", 20 | \"details\": \"new spring-petclinic image deployed\" 21 | }, 22 | \"startTime\": "${START_TIME}", 23 | \"endTime\": "${END_TIME}" 24 | }" "${WAVEFRONT_URL}/api/v2/event" -------------------------------------------------------------------------------- /concourse/tasks/create-wavefront-event/create-wavefront-event.yml: -------------------------------------------------------------------------------- 1 | platform: linux 2 | 3 | inputs: 4 | - name: tanzu-gitops 5 | 6 | 7 | params: 8 | WAVEFRONT_API_TOKEN: 9 | WAVEFRONT_URL: 10 | 11 | 12 | run: 13 | path: "tanzu-gitops/concourse/tasks/create-wavefront-event/create-wavefront-event.sh" -------------------------------------------------------------------------------- /concourse/tasks/deploy-harbor/deploy-harbor.sh: -------------------------------------------------------------------------------- 1 | #! 
/usr/bin/env bash 2 | 3 | set -xeuo pipefail 4 | 5 | tkgi login -a ${tkgiapi} \ 6 | -u ${tkgiuser} \ 7 | -p ${tkgipassword} \ 8 | -k 9 | 10 | tkgi get-credentials ${tkgicluster} 11 | 12 | ytt --data-values-env=YTT_HARBOR -f tanzu-gitops/manifests/harbor \ 13 | | kapp deploy -a harbor -f- -y -------------------------------------------------------------------------------- /concourse/tasks/deploy-harbor/deploy-harbor.yml: -------------------------------------------------------------------------------- 1 | platform: linux 2 | 3 | 4 | inputs: 5 | - name: tanzu-gitops 6 | 7 | params: 8 | tkgicluster: 9 | tkgiapi: 10 | tkgiuser: 11 | tkgipassword: 12 | YTT_HARBOR_common_name: 13 | 14 | run: 15 | path: "tanzu-gitops/concourse/tasks/deploy-harbor/deploy-harbor.sh" -------------------------------------------------------------------------------- /concourse/tasks/deploy-kubeapps/deploy-kubeapps.sh: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env bash 2 | 3 | set -xeuo pipefail 4 | 5 | tkgi login -a ${tkgiapi} \ 6 | -u ${tkgiuser} \ 7 | -p ${tkgipassword} \ 8 | -k 9 | 10 | tkgi get-credentials ${tkgicluster} 11 | 12 | ytt --data-values-env=YTT_KUBEAPPS -f tanzu-gitops/manifests/kubeapps \ 13 | | kapp deploy -a kubeapps -f- -y -------------------------------------------------------------------------------- /concourse/tasks/deploy-kubeapps/deploy-kubeapps.yml: -------------------------------------------------------------------------------- 1 | platform: linux 2 | 3 | 4 | inputs: 5 | - name: tanzu-gitops 6 | 7 | params: 8 | tkgicluster: 9 | tkgiapi: 10 | tkgiuser: 11 | tkgipassword: 12 | YTT_KUBEAPPS_kubeapps_hostname: 13 | 14 | run: 15 | path: "tanzu-gitops/concourse/tasks/deploy-kubeapps/deploy-kubeapps.sh" -------------------------------------------------------------------------------- /concourse/tasks/deploy-product-api-image/deploy-product-api-image.sh: 
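--------------------------------------------------------------------------------
#! /usr/bin/env bash

set -euo pipefail

# Log in before enabling command tracing so the `-p <password>` argument is
# not echoed into the Concourse build log; `-k` skips TLS verification of
# the TKGI API.
tkgi login -a "${tkgiapi}" \
  -u "${tkgiuser}" \
  -p "${tkgipassword}" \
  -k
set -x

tkgi get-credentials "${tkgicluster}"

# Plain assignment rather than `export DIGEST=$(...)`: `export` always
# returns 0, so a missing or unreadable digest file was not caught by
# `set -e`. The emptiness guard keeps kubectl from being handed an image
# reference that ends in a bare `@`.
DIGEST=$(cat product-api-image/digest)
if [[ -z "${DIGEST}" ]]; then
  echo "product-api-image/digest is empty" >&2
  exit 1
fi
kubectl -n product-api set image deployment/product-api \
  "product-api=${harbordomain}/library/product-api@${DIGEST}"
--------------------------------------------------------------------------------
/concourse/tasks/deploy-product-api-image/deploy-product-api-image.yml:
--------------------------------------------------------------------------------
platform: linux


inputs:
- name: tanzu-gitops
- name: product-api-image


params:
  tkgicluster:
  tkgiapi:
  tkgiuser:
  tkgipassword:
  harbordomain:

run:
  path: "tanzu-gitops/concourse/tasks/deploy-product-api-image/deploy-product-api-image.sh"
--------------------------------------------------------------------------------
/concourse/tasks/deploy-spring-petclinic-image/deploy-spring-petclinic-image.sh:
--------------------------------------------------------------------------------
#!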
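/usr/bin/env bash

set -euo pipefail

# Log in before enabling command tracing so the `-p <password>` argument is
# not echoed into the Concourse build log; `-k` skips TLS verification of
# the TKGI API.
tkgi login -a "${tkgiapi}" \
  -u "${tkgiuser}" \
  -p "${tkgipassword}" \
  -k
set -x

tkgi get-credentials "${tkgicluster}"

# Plain assignment rather than `export DIGEST=$(...)`: `export` always
# returns 0, so a missing or unreadable digest file was not caught by
# `set -e`. The emptiness guard keeps kubectl from being handed an image
# reference that ends in a bare `@`.
DIGEST=$(cat spring-petclinic-image/digest)
if [[ -z "${DIGEST}" ]]; then
  echo "spring-petclinic-image/digest is empty" >&2
  exit 1
fi
kubectl -n spring-petclinic set image deployment/spring-petclinic \
  "spring-petclinic=${harbordomain}/library/spring-petclinic@${DIGEST}"
--------------------------------------------------------------------------------
/concourse/tasks/deploy-spring-petclinic-image/deploy-spring-petclinic-image.yml:
--------------------------------------------------------------------------------
platform: linux


inputs:
- name: tanzu-gitops
- name: spring-petclinic-image


params:
  tkgicluster:
  tkgiapi:
  tkgiuser:
  tkgipassword:
  harbordomain:

run:
  path: "tanzu-gitops/concourse/tasks/deploy-spring-petclinic-image/deploy-spring-petclinic-image.sh"
--------------------------------------------------------------------------------
/concourse/tasks/deploy-tbs-dependencies/deploy-tbs-dependencies.sh:
--------------------------------------------------------------------------------
#! /usr/bin/env bash

set -euo pipefail

# Both logins run before command tracing is enabled: with `set -x` the
# `-p <password>` arguments would be echoed into the Concourse build log.
# `-k` skips TLS verification of the TKGI API.
tkgi login -a "${tkgiapi}" \
  -u "${tkgiuser}" \
  -p "${tkgipassword}" \
  -k

tkgi get-credentials "${tkgicluster}"

# NOTE(review): the task config (deploy-tbs-dependencies.yml) declares the
# parameter as `pivnetuser`, but this line reads `pivnetusername`; under
# `set -u` that aborts unless the pipeline sets `pivnetusername` itself —
# confirm which name is intended and align the two.
# The password is fed on stdin so it never appears in argv or `ps` output.
printf '%s' "${pivnetpassword}" \
  | docker login registry.pivotal.io -u "${pivnetusername}" --password-stdin

set -x

# Do not delete this echo statement. For some reason
# if you do then the docker login afterward will try
# to login to 'domain' instead of the value of harbordomain.
# It's got to be something about how docker login processes
# text...who knows.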
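# I know you don't believe me - just try it
echo "${harbordomain}"
# NOTE(review): `admin` / `Harbor12345` is the Harbor default admin password,
# hard-coded here and in install-tbs.sh and manifests/images/harbor-docker-creds.yml.
# It should be rotated and supplied as a task param/secret like the other
# credentials. Fed on stdin so it at least does not appear in argv.
printf '%s' 'Harbor12345' | docker login "${harbordomain}" -u admin --password-stdin

kp import -f ./tbs-dependencies/descriptor-*.yaml
--------------------------------------------------------------------------------
/concourse/tasks/deploy-tbs-dependencies/deploy-tbs-dependencies.yml:
--------------------------------------------------------------------------------
platform: linux


inputs:
- name: tanzu-gitops
- name: tbs-dependencies


params:
  tkgicluster:
  tkgiapi:
  tkgiuser:
  tkgipassword:
  pivnetuser:
  pivnetpassword:
  harbordomain:

run:
  path: "tanzu-gitops/concourse/tasks/deploy-tbs-dependencies/deploy-tbs-dependencies.sh"
--------------------------------------------------------------------------------
/configure-kubeapps.sh:
--------------------------------------------------------------------------------
#! /usr/bin/env bash

set -euo pipefail

# Print the kubeapps service-account token used to log in to the Kubeapps UI.
# That account is bound to cluster-admin by manifests/kubeapps/cluster-role-binding.yml,
# so the printed value is a cluster-admin credential: do not paste it into
# shared logs or tickets.
#
# `head -n 1` pins the behaviour to a single secret; the original word-split
# the grep output and would have queried every matching secret at once.
secret_name=$(kubectl get serviceaccount kubeapps \
  -o jsonpath='{range .secrets[*]}{.name}{"\n"}{end}' \
  | grep kubeapps-token | head -n 1)
if [[ -z "${secret_name}" ]]; then
  echo "no kubeapps-token secret found on serviceaccount kubeapps" >&2
  exit 1
fi
# The original passed both `-o jsonpath` and `-o go-template`; kubectl honours
# the last one given, so only the go-template form is kept.
kubectl get secret "${secret_name}" -o go-template='{{.data.token | base64decode}}' && echo

--------------------------------------------------------------------------------
/configure-tas-minibroker.sh:
--------------------------------------------------------------------------------
#! /usr/bin/env bash

set -euo pipefail


# `user` / `pass` are the placeholder credentials the broker is registered
# with; the broker is addressed by its cluster-local service name. Confirm
# minibroker actually enforces them before exposing it beyond the cluster.
cf create-service-broker minibroker user pass http://minibroker-minibroker.minibroker.svc.cluster.local
# Postgres and RabbitMQ don't work despite the docs saying they do
cf enable-service-access redis
cf enable-service-access mysql
cf enable-service-access mongodb
--------------------------------------------------------------------------------
/configure-tas.sh:
--------------------------------------------------------------------------------
#!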
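/usr/bin/env bash

set -euo pipefail

# Point the TAS ingress gateway listeners at the cert-manager issued
# certificates (install-tas.sh installs the Certificate resources into
# istio-system; the credentialName values are presumably the secrets they
# produce — verify against manifests/tas).
kubectl patch gateway istio-ingressgateway \
  --namespace cf-system \
  --type='json' \
  --patch='[{"op": "replace", "path": "/spec/servers/1/tls/credentialName", "value":"sys-domain-cert"}]'

kubectl patch gateway istio-ingressgateway \
  --namespace cf-system \
  --type='json' \
  --patch='[{"op": "replace", "path": "/spec/servers/2/tls/credentialName", "value":"apps-domain-cert"}]'

cf api "api.${SYSTEM_DOMAIN}"

# Keep the admin password in a shell variable rather than exporting it:
# every process started below (git, cf push, curl) would otherwise inherit
# it in its environment.
cf_admin_password=$(bosh interpolate tanzu-application-service/configuration-values/deployment-values.yml --path /cf_admin_password)

cf auth admin "${cf_admin_password}"

cf create-org test-org
cf create-space -o test-org test-space
cf target -o test-org -s test-space

if [[ ! -d "test-app" ]]; then
  git clone https://github.com/cloudfoundry-samples/test-app.git
fi

cf push test-app -p test-app
curl "https://test-app.apps.${SYSTEM_DOMAIN}"

--------------------------------------------------------------------------------
/fly.sh:
--------------------------------------------------------------------------------
#!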
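/usr/bin/env bash

set -euo pipefail

# test/test are the local-admin credentials this Concourse install ships
# with (see manifests/concourse/README.md); they are lab defaults, not a
# secret this script manages. The Concourse URL is derived from
# PRIMARY_DOMAIN, so an unset variable fails here under `set -u`.
fly login \
  --target=lab \
  --concourse-url="https://concourse.${PRIMARY_DOMAIN}" \
  --username=test \
  --password=test

# Every pipeline takes harbordomain; the values are quoted so an empty or
# odd HARBOR_DOMAIN is passed through intact instead of being word-split.
fly set-pipeline -t lab \
  -p spring-petclinic \
  -c concourse/pipeline/spring-petclinic.yml \
  -v harbordomain="${HARBOR_DOMAIN}"

fly set-pipeline -t lab \
  -p product-api \
  -c concourse/pipeline/product-api.yml \
  -v harbordomain="${HARBOR_DOMAIN}"

fly set-pipeline -t lab \
  -p harbor \
  -c concourse/pipeline/harbor.yml \
  -v harbordomain="${HARBOR_DOMAIN}"

fly set-pipeline -t lab \
  -p kubeapps \
  -c concourse/pipeline/kubeapps.yml \
  -v harbordomain="${HARBOR_DOMAIN}" \
  -v kubeappshostname="${KUBEAPPS_HOSTNAME}"

fly set-pipeline -t lab \
  -p tbs \
  -c concourse/pipeline/tbs.yml \
  -v harbordomain="${HARBOR_DOMAIN}"

--------------------------------------------------------------------------------
/install-cert-manager.sh:
--------------------------------------------------------------------------------
#! /usr/bin/env bash

set -euo pipefail

kapp deploy -a cert-manager -f manifests/cert-manager
--------------------------------------------------------------------------------
/install-concourse-main.sh:
--------------------------------------------------------------------------------
#! /usr/bin/env bash

set -euo pipefail

kapp deploy -a concourse-main -f manifests/concourse-main
--------------------------------------------------------------------------------
/install-concourse.sh:
--------------------------------------------------------------------------------
#!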
/usr/bin/env bash 2 | 3 | set -euo pipefail 4 | 5 | ytt --data-values-env=YTT_CONCOURSE -f manifests/concourse \ 6 | | kapp deploy -a concourse -f- -y -------------------------------------------------------------------------------- /install-harbor.sh: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env bash 2 | 3 | set -euo pipefail 4 | 5 | ytt --data-values-env=YTT_HARBOR -f manifests/harbor \ 6 | | kapp deploy -a harbor -f- -y -------------------------------------------------------------------------------- /install-helm-operator.sh: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env bash 2 | 3 | set -euo pipefail 4 | 5 | helm repo add fluxcd https://charts.fluxcd.io 6 | 7 | export VERSION="1.1.0" 8 | 9 | helm template helm-operator fluxcd/helm-operator \ 10 | --namespace helm-operator \ 11 | --set helm.versions=v3 \ 12 | --version $VERSION \ 13 | | kapp deploy \ 14 | -a helm-operator \ 15 | --into-ns=helm-operator \ 16 | -y \ 17 | -f manifests/helm-operator/namespace.yml \ 18 | -f https://raw.githubusercontent.com/fluxcd/helm-operator/$VERSION/deploy/crds.yaml \ 19 | -f- -------------------------------------------------------------------------------- /install-images.sh: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env bash 2 | 3 | set -euo pipefail 4 | 5 | ytt --data-values-env=YTT_TBS -f manifests/images \ 6 | | kapp deploy -a images -f- -y -------------------------------------------------------------------------------- /install-ingress-nginx.sh: -------------------------------------------------------------------------------- 1 | #! 
/usr/bin/env bash 2 | 3 | set -euo pipefail 4 | 5 | kapp deploy -a ingress-nginx -f manifests/ingress-nginx/ingress-nginx.yml -------------------------------------------------------------------------------- /install-kubeapps.sh: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env bash 2 | 3 | set -euo pipefail 4 | 5 | ytt --data-values-env=YTT_KUBEAPPS -f manifests/kubeapps \ 6 | | kapp deploy -a kubeapps -f- -y -------------------------------------------------------------------------------- /install-minibroker.sh: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env bash 2 | 3 | set -euo pipefail 4 | 5 | kapp deploy -a minibroker -f manifests/minibroker -------------------------------------------------------------------------------- /install-mysql.sh: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env bash 2 | 3 | set -euo pipefail 4 | 5 | kapp deploy -a mysql -f manifests/mysql -------------------------------------------------------------------------------- /install-product-api.sh: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env bash 2 | 3 | set -euo pipefail 4 | 5 | ytt --data-values-env=YTT_PRODUCTAPI -f manifests/product-api \ 6 | | kapp deploy -a product-api -f- -y -------------------------------------------------------------------------------- /install-sealedsecrets.sh: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env bash 2 | 3 | set -euo pipefail 4 | 5 | kapp deploy -a sealed-secrets -f manifests/sealed-secrets/controller.yaml -------------------------------------------------------------------------------- /install-spring-petclinic.sh: -------------------------------------------------------------------------------- 1 | #! 
/usr/bin/env bash 2 | 3 | set -euo pipefail 4 | 5 | ytt --data-values-env=YTT_SPRINGPETCLINIC -f manifests/spring-petclinic \ 6 | | kapp deploy -a spring-petclinic -f- -f manifests/spring-petclinic/wavefront-secrets.json -y -------------------------------------------------------------------------------- /install-tas.sh: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env bash 2 | 3 | set -euo pipefail 4 | 5 | kubectl apply \ 6 | -f https://github.com/kubernetes-sigs/metrics-server/releases/download/v0.3.6/components.yaml 7 | 8 | # This script is powered by `ytt` 9 | # `ytt` is informed by environment variables. See `.envrc.template` 10 | # Note: the files app-registry-values.yml and system-registry-values.yml are still required 11 | # YTT values files are required even when using YTT_ environment variables 12 | 13 | ./tanzu-application-service/bin/generate-values.sh -d "${SYSTEM_DOMAIN}" > ./tanzu-application-service/configuration-values/deployment-values.yml 14 | 15 | ./tanzu-application-service/bin/install-tas.sh ./tanzu-application-service/configuration-values 16 | 17 | # Install the Certificate resource into istio-system so I can 18 | # use it in configure-tas.sh 19 | ytt --data-values-env=YTT_TLSTAS -f manifests/tas \ 20 | | kapp deploy -a tas-tls -f- -y -------------------------------------------------------------------------------- /install-tbs-dependencies.sh: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env bash 2 | 3 | set -euo pipefail 4 | 5 | kp import -f manifests/tbs/descriptor-8.yaml -------------------------------------------------------------------------------- /install-tbs.sh: -------------------------------------------------------------------------------- 1 | #! 
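/usr/bin/env bash

set -euo pipefail

# Always start from a clean extraction directory. The original only
# recreated tbs-install when it already existed, so on a first run there
# was no directory for `tar -C tbs-install` to extract into.
rm -rf -- tbs-install
mkdir -- tbs-install

tar -xvf build-service-1.0.2.tar -C tbs-install


kbld relocate \
  -f ./tbs-install/images.lock \
  --lock-output ./tbs-install/images-relocated.lock \
  --repository "${HARBOR_DOMAIN}/library/build-service"


# NOTE(review): docker_password is the Harbor default admin password,
# hard-coded here and in manifests/images/harbor-docker-creds.yml and
# concourse/tasks/deploy-tbs-dependencies; it should be rotated and read
# from the environment or a secret rather than committed.
ytt -f ./tbs-install/values.yaml \
  -f ./tbs-install/manifests/ \
  -f "$(mkcert -CAROOT)"/rootCA.pem \
  -v docker_repository="${HARBOR_DOMAIN}/library/build-service" \
  -v docker_username="admin" \
  -v docker_password="Harbor12345" \
  | kbld -f ./tbs-install/images-relocated.lock -f- \
  | kapp deploy -a tanzu-build-service -f- -y
--------------------------------------------------------------------------------
/install-vsphere-storage.sh:
--------------------------------------------------------------------------------
#! /usr/bin/env bash

set -euo pipefail

kapp deploy -a vsphere-storage -f manifests/vsphere-storage
--------------------------------------------------------------------------------
/manifests/cert-manager/cert-manager.yml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager
---
apiVersion: helm.fluxcd.io/v1
kind: HelmRelease
metadata:
  name: cert-manager
  namespace: cert-manager
spec:
  helmVersion: v3
  targetNamespace: cert-manager
  releaseName: cert-manager
  wait: true
  chart:
    repository: https://charts.jetstack.io
    name: cert-manager
    version: "v1.0.1"
  values:
    installCRDs: false

--------------------------------------------------------------------------------
/manifests/cert-manager/clusterissuer.yml:
--------------------------------------------------------------------------------
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata: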
4 | name: mkcert 5 | spec: 6 | ca: 7 | secretName: mkcert -------------------------------------------------------------------------------- /manifests/concourse-main/pipeline-secrets.json: -------------------------------------------------------------------------------- 1 | { 2 | "kind": "SealedSecret", 3 | "apiVersion": "bitnami.com/v1alpha1", 4 | "metadata": { 5 | "name": "tanzu-gitops", 6 | "namespace": "concourse-main", 7 | "creationTimestamp": null 8 | }, 9 | "spec": { 10 | "template": { 11 | "metadata": { 12 | "name": "tanzu-gitops", 13 | "namespace": "concourse-main", 14 | "creationTimestamp": null 15 | } 16 | }, 17 | "encryptedData": { 18 | "ca_cert": "AgAcbDoM+YzLqOMYRkKwnKkHLjR5nOGpe7XX9Dk1zg369xOcsi/IiQ6upo8oKdcJ1G/qZOTHczRbYOsrz5NWyqqoLRf5buravHmwDjM0R10w4n0RsxNn0v8i98Qy+Gojn5sMcaaDC2gjfqjKKXr6Hp2CeWwa47FXhMSkzAY6UW/hb0CAtKYRac2M54tqf5XQKKmwY3x2gQ1fgsekLqUwYlKb5Q921BIQ7UUrxcUVkDVxtmoVCCo171avgf9d1mU+OCkm2M2wjeOYs+7xi12NqIdAmpmh+PKhd+sx3yBkl562PIZvUYPQHyHiPGcKwx/0lGdNo8wcDQpXYOs7bPfFghXZI0JLSFo0LNEcvv79lhqqZpqZhpRMYCaR05wgQGNGI/RDjCGG1NQjyRKWeq1N7nb9Uhg2cijyEw1lsJwOQ7f3mj3L4817uADnDOCbE9JINxWcLuV9nXKYusUgCOURSW4TgkJ0iXy+dyK75xWXoQTkyz6Q8swb5UyV99hMHSTeWx8D4ArmO9Z4+mVHgEZOEiXLua0GwIPGt4JYBX1I2/JR1ryGRB57MrpE1Db3bLgSDaDzJ3o6OarvK0FmtlEAznFqLiPxQGPm+Zowbv26EeWKB7CHA3/OEzUIot36axcQ+1EtrjNvrhHG1U8K7hZmPyBQh3r9/H8mnbVCV8RGtJpsJZAhOGZDk8IqJBhzYNRFv1FyKRKiYVmDznnkwpl/twGw5hyDmaSEqZbEo7ewbv8DPEgT0HdjD8L9EklOnC/AdLxcX8i1eXyygeAnaI7NaKtJS2gt3m/DotFWJfP65jgwq1gStueaQbqhldeoqN5sHlY8FvhjfS7gTJNc+WgMOOvrZA4kN0gLBGnj5By1BSTkShd8sbsB4vZeBksVWsKrn65n3MvZxt0x3pkq/UJosynMkm5b0wBB77Lg0oTQlC10uhk90b+oMIEZwDeEF24MCCwnr1NKDTwdZyjMz+PLX1qCn8gv9ewI2+30mIMqTr/vDmpBe3k7KLEDIaQHdUBMtW7JOtDIvXA7jhsISBD5hgA0cpHH0C9tADqTeVnWOH9dh78jAvTvT6gDqyAkrGNdsbtvgCYYmeS40JWNU9M1mAGzV0rm72h93GvYG/aN1tPtzdvUlh5sKaBfn8+m7wv5sTKquA0x/4gB5xKTiSVJ6ta/rBJGR3G/7l5hoioi7vBYbVfamudTkGbdZaEqvae2JOCm9Xmx00siNQ+P+e7TWeydAA8NR+v+bJxSQI2wZuRxEp/NDl/eLPZzj4uvLdXxrXoLV/+ddyVqCcR08/o9SWmTl4e82HjUBTMBsVzhlF3Ze9BQXTZuF
y1sfns9sT3whb6j4WdfHsH7vEWWNvqMQgrbA0bHy9DwNg8mWRONZX4/hoinjz+14g2L/AdeAIpB6Lus5yZQJ9I6JJ9oZY+xYK8mNtQB+M6+DARgaKsL3Qu+LHLfCiDythP/yl0IVjbCRVQSM5TsM/s7Q+g74HByNdSBqRdAKuD/DdMHJlRS0U0WqtYErxqiBKCq3WPEjEuxRQTmtnn6V4qyT3nudqglbgJdByCnn/PxjS5ZqXFuczJ7NHSdRLWb/ij4O7s8o1sGtJ/IYcryBvkkyinEOFupZFDgerzr0GlTdT9uijF3/Wn3Eou9bLbC9Hov5yJ/ksWjLce+kevB6ty5g05BspN2/ZYa4ej98k6dD0D/vMGV1NPHB1GI1YQOoCP6ecptp911U70lg6RUkiQ9HZFCPDnwHjq6G3cyhJY5Q7DSmnkxSTX5V9hREGt66WhiD5n8qfRr7dmJ3K6BSCLcF9hssJ3xxPfLbSyftCCj4JdvWtXNJELMuhtU5oPscAQR+nBV+xCTtrwdVsMd5sgkHRSrTv8ZcIAuX0cJ8v2e4jJrImCidgikTiqqulHYd2rjCburU7mH7OczvluMVty4LizIjlLFbwCFS9Z2/XTZTFqdTMCEuE9f6UIU3aIegeKHD9oO3dZLZCltQjhfPyiAet7p9oF+KzR1+eO44n/KWfCPstPhiXmKUlo4+FHr6Xwmf5NJJXLNttzOSYTVeCxnTZ8jIe47Tx4R1kB+V1NapThhlC6T4T4BIBhNgftRTCI1EJDqGN/tHqHCZpYQqPgcdH3iWBAyb1VMx3Q5Lptbtg3o8kfNih0YemjvWt2gCOZdgn14+vOo+FWH8YY2VFLyvj0EDWII8NyCd/x6QEAaOOIPQrg721Wg9i6ZDakL82a7ioavzqAg4qUb0/8vcDJpi/AOem1XOLUmVrI27PjkxJ5cuO671ApbAUei2TubvzyBmB2N9OcN7OrDehkhp34xUk/vV68yNrMxH/mCaXB6SWk7XQ2KXs9xYhUHtaMwf3rjFbQC6juufWHfzraIzmK1uFAfK8bCLej4kHePP3/brFCxaZtIanCuBX7d/KazbRdxuHac4O4wPBdvC9mWb96OFg+VWsUSSQBjbO7emf4wC7Ip7HUtdX6SUBj+nnfGlq7etmLFnQJnm58LnwJuRRI46xtdh5t1h5yeMDFUDJy4FCia5HLPki8fONkwH4G0JpyEoqROnIMGG6VeZQfmJsw7gXe1kwjfdpu5A9wm3BJDlHKhqpQ8GNJ6GzwR16nLjvANNxBQiWEZJROUxigHyD4alSkQksUnJTJMwVCAPGQlCVUM2y1w/xt+YB4w58ScuLZafW/MeT0oBAphAyANDAIBko9Wt7AfcMbXDIvf3xAgiWihNjsAtdsHKDfVVbOZ+/zRQrtiCXKf+F/WNsnPaiFOsqJBYK5a8z5bdw6dBRaSTcSApxL8l1eul+EILdcrlcgEYUmcP0Poa87fbMXR2Tht5C/Gvomo46sKfnVSvU2Aho+0b+MvB4ieVbDVonQwlCYcPXp1XKh8yQYlhAe6KW+RBM4nMFWiOQ0xooxZE/9AlGKMtcKwzJrtaPRE73cMUpHVqGxmPAokm+9ddS8RPkH0YLJyOzuFk7u2bsDap6m558R+F0QS", 19 | "pivnet_api_token": 
"AgBR6FE87VDBrqvoLmDsfhxYLiKPekxxCkCaOd5gpc0ytSxerBs3aWcPnfeEXWFIagJVCN5yQCQovLtHHISaKYkzfysLGw/CmY3bbEnomjhgX6zye45THTSMvCquJ3gendP7LW1muCNkMvj7//Jfbn+hE8BhzDrkW4+1O6k0rnXdhQau7d1JH1fcp1tpfMcAji5Xok3+P00d6y0kXqkFj8DtexhtcB410olpoXIIuk9s/Sw2ZhWHzeOUI8a93s1s5B2Hdk6BfSP0uN+h78nhCePrkk0nfqeUFdnzmPIZqseLJxzrbgV9W9cqfqq96jCmNmJtNx0srL/u7k0d7vOh3/I293NNYGc8YTj0i3AsRsuQLqQBRKcViUs8md33L6G/v6bjWMoPwXl8poN0IyOg+iQUDEqIr0131ymip2LdzekYkBWZIKKxhmUR+mr20fueXCRuvPdghCbHP31yMvnKjmO7YyXEUya3n9yHovymmc8tP3EkAU2ORdofaMDuNWJNHe8MkpnoPOJabYoEx3jHs40nLLAmjOBIZWIK7kfWidifoXNEf3LP0HlAvowE/RXl/Ua4UoTQDkkWKPKYz1v3T0C+PKC7ZdBB3oRSyt3U8tIfUD1NizUbaiWB7RWnyrca+ciWuG/0jF9QlBmoFhwtuQcbx6iP8BVcJQaGcrJzKRht2pd+mqNYhOqnY6ithdhXsC86zhsnJY48SwaWuBDfzjoQV/0Seg==", 20 | "pivnet_password": "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", 21 | "pivnet_username": "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", 22 | "tkgi_password": "AgDwfvwhhRjdLt7pEOLBF14StPnwMx9XfKrH0VWvf7gxD2RWtHyUYjnELwveZ790yCTsDe7Uqc4TTA15imGaEhRJep09s/7biCzZ0nsmTtxLYvogtNkXsF2qHfUZaJEbulsfBFcPK9s+/++xRMS10rz+li5upfgfFOlj/Qk9/AX1mChSUdJdU0mcBA9OGdR4bb3MXT+asWfCPmtwoECE/tjJ6jYeqIeVMPsh3iIKcPEARxkmEiyTnyQeheyCGVDEfEai15vmrxQJ4Eky7pEcLsQqahJLtv2SdllTYiq1bVGFunYi/eT6+1pScq4WtjQVfYUy4GOPUyJaWrB53iQ4BLPeaJ82pn/hCv0t6Ge9sbksFdgf/Qlqv6UWEUFk5WBnV1eefSpQOhMf09pCI9C/C9IYLVNqVwpp4CnUtEyQcFWEhao798ecHW3g+tqHyI0lVi8/z2JcEoxohRxqXELSPQjUWVA+v2GxImqUSvsyZmMgTSlDC6VeTM1AHQII+p/8OyBiTb8+Q8QBlAle4GUCHp5nddYYqZaP9BA2NzkcIKO7te42neISlhtrvsmUh8iUM+YPfCxjora2hnBZWM7f/AC4MbUn8fq4DwyTAPxi6brty8uS7R/b+VX1w82q2hqnz+kQ6NFXzPi5AG7VkRirCAAyaRviTBpLfMOPr6PL4LbUc92eTu5tCkXwj0lkvJPeGgCjMA5M8ehnuLie7vY=", 23 | "tkgi_url": "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", 24 | "tkgi_user": "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", 25 | "wavefront_api_token": 
"AgDMC6Y4/NvddK9d4vbjJs2+N8jIHkq1fOJY54voS87RPaapD7qZYmXwkkLerKQ/vDwE/kya83BbYxra2CBSvJhettTVXgkDPEWPx/EnvBygEDFMCnz7f6hAeQyXAZRs6fiLA2yCrKiv/cESbN081awJ9GjSGd8bt0Tm/O6/EbaZ4w2Jxuo9v16rWmRorHvzoheJiVflRijz6wswydoRS3MRxJRbh2GIRsQSiSnxrR/N9w2xNFXNgkPUL7kzFXS5tNWbw14MmmG8ka/+gXXCI18VvAaLs5BfqSIvJWqnQGkMXocko0vVktqmYIomYEWpEfm8TuXauZgizPETZ+nz+vrJzQw8rSmfc4JFwF421ytW1eww1Ck06QrEYpkzAodIckMc6/S0IORKh9LQ4TiJVIrX9alQytdKbTgphtlEtC26JripaUGcJdWorLXzGDzV2HeFS2oG7RvmQSUpNZ4IPcOsdqc47uOgo8KWuJLFXjVN+hCPls79etdDd0MjmHxIb1lYjE0c932YTGGc5oiQXwdEr+dfif8ilcUwDzh7apknI2QbdOq+N0p8MB0hI541LZKzpAmtHyqyZ9SVXaTmy8RnmDMa57HM1J/7KNggyk/L6UF4SvewOavZL5Psw4lEoEkBH0ug6mYat4a43Tv+UPfbsRDq9koX4EVTYigKpIMutILiWdS4JuzUiOhI+oQV4kWqZGdUpAeDZ7v/EkmGNPuWEvp+8eIQOxn/2K2hIEOnIak9Zwo=", 26 | "wavefront_url": "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" 27 | } 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /manifests/concourse/README.md: -------------------------------------------------------------------------------- 1 | ### Notes 2 | 1. Your K8s cluster MUST support privileged containers. Concourse workers need to run as privileged containers. 3 | 1. This install uses an Ingress to receive traffic 4 | 1. [Concourse Helm chart docs](https://github.com/concourse/concourse-chart) 5 | 6 | ### Username and password 7 | `test` and `test` 8 | 9 | ### Vault 10 | Use the newer [var_sources](https://concourse-ci.org/vars.html#var-sources) functionality so new sources of secrets can be configured with YAML at the pipeline level instead of with flags during Concourse install. 
-------------------------------------------------------------------------------- /manifests/concourse/certificate.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | 3 | apiVersion: cert-manager.io/v1alpha2 4 | kind: Certificate 5 | metadata: 6 | name: concourse 7 | namespace: concourse 8 | spec: 9 | commonName: #@ data.values.concourse_hostname 10 | dnsNames: 11 | - #@ data.values.concourse_hostname 12 | issuerRef: 13 | kind: ClusterIssuer 14 | name: mkcert 15 | secretName: concourse-web-tls -------------------------------------------------------------------------------- /manifests/concourse/concourse.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | apiVersion: helm.fluxcd.io/v1 3 | kind: HelmRelease 4 | metadata: 5 | name: concourse 6 | namespace: concourse 7 | spec: 8 | helmVersion: v3 9 | targetNamespace: concourse 10 | releaseName: concourse 11 | wait: true 12 | test: 13 | enable: true 14 | chart: 15 | repository: https://concourse-charts.storage.googleapis.com/ 16 | name: concourse 17 | version: "11.4.0" 18 | values: 19 | concourse: 20 | web: 21 | externalUrl: #@ "https://" + data.values.concourse_hostname 22 | kubernetes: 23 | keepNamespaces: false 24 | web: 25 | ingress: 26 | enabled: true 27 | hosts: 28 | - #@ data.values.concourse_hostname 29 | tls: 30 | - secretName: concourse-web-tls 31 | hosts: 32 | - #@ data.values.concourse_hostname -------------------------------------------------------------------------------- /manifests/concourse/namespace.yml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: concourse -------------------------------------------------------------------------------- /manifests/concourse/values.yml: -------------------------------------------------------------------------------- 1 | #@data/values 
2 | --- 3 | concourse_hostname: "" -------------------------------------------------------------------------------- /manifests/harbor/certificate.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | 3 | apiVersion: cert-manager.io/v1alpha2 4 | kind: Certificate 5 | metadata: 6 | name: harbor 7 | namespace: harbor 8 | spec: 9 | commonName: #@ data.values.common_name 10 | dnsNames: 11 | - #@ data.values.common_name 12 | issuerRef: 13 | kind: ClusterIssuer 14 | name: mkcert 15 | secretName: harbor -------------------------------------------------------------------------------- /manifests/harbor/harbor.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | 3 | apiVersion: v1 4 | kind: Namespace 5 | metadata: 6 | name: harbor 7 | --- 8 | apiVersion: helm.fluxcd.io/v1 9 | kind: HelmRelease 10 | metadata: 11 | name: harbor 12 | namespace: harbor 13 | spec: 14 | helmVersion: v3 15 | targetNamespace: harbor 16 | releaseName: harbor 17 | wait: true 18 | test: 19 | enable: true 20 | chart: 21 | repository: https://helm.goharbor.io 22 | name: harbor 23 | version: "1.4.2" 24 | values: 25 | clair: 26 | enabled: false 27 | chartmuseum: 28 | enabled: false 29 | trivy: 30 | enabled: true 31 | notary: 32 | enabled: true 33 | expose: 34 | type: ingress 35 | tls: 36 | enabled: true 37 | secretName: harbor 38 | ingress: 39 | hosts: 40 | core: #@ data.values.common_name 41 | externalURL: #@ "https://" + data.values.common_name 42 | persistence: 43 | resourcePolicy: "keep" 44 | persistentVolumeClaim: 45 | registry: 46 | size: 100Gi -------------------------------------------------------------------------------- /manifests/harbor/values.yml: -------------------------------------------------------------------------------- 1 | #@data/values 2 | --- 3 | common_name: "" -------------------------------------------------------------------------------- 
/manifests/helm-operator/README.md: -------------------------------------------------------------------------------- 1 | There are a few ways to manage supporting infrastructure in a GitOps manner: 2 | 1. Handwritten YAML that is deployed like all your other K8s manifests from Git 3 | 1. `helm template` to disk and then commit it to Git 4 | 1. Only track the helm chart version in Git 5 | 1. Custom operators, with CRDs checked into Git 6 | 1. The Helm operator 7 | 8 | The Helm operator lets you use CRDs to manage Helm releases, which is the best of both worlds. You get the huge ecosystem of Helm charts with the everything-in-git goodness of a GitOps workflow. 9 | 10 | Per the helm-operator GitHub, the Helm controller will replace it one day 11 | https://github.com/fluxcd/helm-controller 12 | 13 | # GitOps Toolkit 14 | https://toolkit.fluxcd.io/ 15 | -------------------------------------------------------------------------------- /manifests/helm-operator/namespace.yml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: helm-operator -------------------------------------------------------------------------------- /manifests/images/harbor-docker-creds.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: harbor-creds 6 | namespace: images 7 | annotations: 8 | kpack.io/docker: #@ "https://" + data.values.harbor 9 | type: kubernetes.io/basic-auth 10 | stringData: 11 | username: admin 12 | password: Harbor12345 -------------------------------------------------------------------------------- /manifests/images/product-api.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | 3 | 4 | apiVersion: v1 5 | kind: Namespace 6 | metadata: 7 | name: images 8 | --- 9 | apiVersion: kpack.io/v1alpha1 10 
| kind: Image 11 | metadata: 12 | name: product-api 13 | namespace: images 14 | spec: 15 | tag: #@ data.values.product_api_image 16 | serviceAccount: tbs-service-account 17 | builder: 18 | name: full 19 | kind: ClusterBuilder 20 | source: 21 | git: 22 | url: https://github.com/techgnosis/product-api.git 23 | revision: demo 24 | 25 | -------------------------------------------------------------------------------- /manifests/images/spring-petclinic.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: images 6 | --- 7 | apiVersion: kpack.io/v1alpha1 8 | kind: Image 9 | metadata: 10 | name: spring-petclinic 11 | namespace: images 12 | spec: 13 | tag: #@ data.values.spring_petclinic_image 14 | serviceAccount: tbs-service-account 15 | builder: 16 | name: full 17 | kind: ClusterBuilder 18 | source: 19 | git: 20 | url: https://github.com/techgnosis/spring-petclinic.git 21 | revision: demo 22 | 23 | -------------------------------------------------------------------------------- /manifests/images/tbs-service-account.yml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: tbs-service-account 5 | namespace: images 6 | secrets: 7 | - name: harbor-creds -------------------------------------------------------------------------------- /manifests/images/values.yml: -------------------------------------------------------------------------------- 1 | #@data/values 2 | --- 3 | product_api_image: "" 4 | spring_petclinic_image: "" 5 | harbor: "" -------------------------------------------------------------------------------- /manifests/ingress-nginx/ingress-nginx.yml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: ingress-nginx 5 | --- 6 | apiVersion: 
helm.fluxcd.io/v1 7 | kind: HelmRelease 8 | metadata: 9 | name: ingress-nginx 10 | namespace: ingress-nginx 11 | spec: 12 | helmVersion: v3 13 | targetNamespace: ingress-nginx 14 | releaseName: ingress-nginx 15 | wait: true 16 | test: 17 | enable: true 18 | chart: 19 | repository: https://kubernetes.github.io/ingress-nginx 20 | name: ingress-nginx 21 | version: "2.11.1" 22 | values: 23 | controller: 24 | metrics: 25 | enabled: true 26 | podAnnotations: 27 | "prometheus.io/scrape": "true" 28 | "prometheus.io/port": "10254" 29 | hostNetwork: true 30 | dnsPolicy: ClusterFirstWithHostNet 31 | kind: DaemonSet 32 | service: 33 | type: ClusterIP -------------------------------------------------------------------------------- /manifests/kubeapps/certificate.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | apiVersion: cert-manager.io/v1alpha2 3 | kind: Certificate 4 | metadata: 5 | name: kubeapps 6 | namespace: default 7 | spec: 8 | commonName: #@ data.values.kubeapps_hostname 9 | dnsNames: 10 | - #@ data.values.kubeapps_hostname 11 | issuerRef: 12 | kind: ClusterIssuer 13 | name: mkcert 14 | secretName: kubeapps-tls -------------------------------------------------------------------------------- /manifests/kubeapps/cluster-role-binding.yml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: kubeapps 5 | subjects: 6 | - kind: ServiceAccount 7 | name: kubeapps 8 | namespace: default 9 | roleRef: 10 | kind: ClusterRole 11 | name: cluster-admin 12 | apiGroup: rbac.authorization.k8s.io -------------------------------------------------------------------------------- /manifests/kubeapps/ingress.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | 3 | apiVersion: extensions/v1beta1 4 | kind: Ingress 5 | metadata: 
6 | name: kubeapps 7 | namespace: default 8 | annotations: 9 | kubernetes.io/ingress.class: nginx 10 | spec: 11 | rules: 12 | - host: #@ data.values.kubeapps_hostname 13 | http: 14 | paths: 15 | - backend: 16 | serviceName: kubeapps 17 | servicePort: http 18 | path: / 19 | tls: 20 | - hosts: 21 | - #@ data.values.kubeapps_hostname 22 | secretName: kubeapps-tls -------------------------------------------------------------------------------- /manifests/kubeapps/kubeapps.yml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.fluxcd.io/v1 2 | kind: HelmRelease 3 | metadata: 4 | name: kubeapps 5 | namespace: default 6 | spec: 7 | helmVersion: v3 8 | targetNamespace: default 9 | releaseName: kubeapps 10 | wait: true 11 | test: 12 | enable: true 13 | chart: 14 | repository: https://charts.bitnami.com/bitnami 15 | name: kubeapps 16 | version: "3.9.2" 17 | values: 18 | useHelm3: true -------------------------------------------------------------------------------- /manifests/kubeapps/service-account.yml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: kubeapps 5 | namespace: default -------------------------------------------------------------------------------- /manifests/kubeapps/values.yml: -------------------------------------------------------------------------------- 1 | #@data/values 2 | --- 3 | kubeapps_hostname: "" -------------------------------------------------------------------------------- /manifests/minibroker/minibroker.yml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.fluxcd.io/v1 2 | kind: HelmRelease 3 | metadata: 4 | name: minibroker 5 | namespace: minibroker 6 | spec: 7 | helmVersion: v3 8 | targetNamespace: minibroker 9 | releaseName: minibroker 10 | wait: true 11 | test: 12 | enable: true 13 | chart: 14 | repository: 
https://minibroker.blob.core.windows.net/charts 15 | name: minibroker 16 | version: "0.3.1" 17 | values: 18 | deployServiceCatalog: false 19 | defaultNamespace: minibroker -------------------------------------------------------------------------------- /manifests/minibroker/namespace.yml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: minibroker -------------------------------------------------------------------------------- /manifests/mysql/mysql.yml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: mysql 5 | --- 6 | apiVersion: helm.fluxcd.io/v1 7 | kind: HelmRelease 8 | metadata: 9 | name: mysql 10 | namespace: mysql 11 | spec: 12 | helmVersion: v3 13 | targetNamespace: mysql 14 | releaseName: mysql 15 | wait: true 16 | test: 17 | enable: true 18 | chart: 19 | repository: https://charts.trials.tac.bitnami.com/demo 20 | name: mysql 21 | version: "6.14.5" 22 | values: 23 | replication: 24 | enabled: false 25 | root: 26 | password: petclinic 27 | db: 28 | user: petclinic 29 | password: petclinic 30 | name: petclinic -------------------------------------------------------------------------------- /manifests/product-api/certificate.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | 3 | apiVersion: cert-manager.io/v1alpha2 4 | kind: Certificate 5 | metadata: 6 | name: product-api 7 | namespace: product-api 8 | spec: 9 | commonName: #@ data.values.ingress_hostname 10 | dnsNames: 11 | - #@ data.values.ingress_hostname 12 | issuerRef: 13 | kind: ClusterIssuer 14 | name: mkcert 15 | secretName: product-api-tls -------------------------------------------------------------------------------- /manifests/product-api/deployment.yml: -------------------------------------------------------------------------------- 1 | 
#@ load("@ytt:data", "data") 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: product-api 6 | namespace: product-api 7 | spec: 8 | replicas: 1 9 | selector: 10 | matchLabels: 11 | app: product-api 12 | template: 13 | metadata: 14 | labels: 15 | app: product-api 16 | spec: 17 | containers: 18 | - name: product-api 19 | image: #@ data.values.image 20 | ports: 21 | - containerPort: 80 -------------------------------------------------------------------------------- /manifests/product-api/ingress.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | apiVersion: extensions/v1beta1 3 | kind: Ingress 4 | metadata: 5 | name: product-api 6 | namespace: product-api 7 | annotations: 8 | kubernetes.io/ingress.class: nginx 9 | spec: 10 | rules: 11 | - host: #@ data.values.ingress_hostname 12 | http: 13 | paths: 14 | - backend: 15 | serviceName: product-api-stable 16 | servicePort: http 17 | path: / 18 | tls: 19 | - hosts: 20 | - #@ data.values.ingress_hostname 21 | secretName: product-api-tls -------------------------------------------------------------------------------- /manifests/product-api/namespace.yml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: product-api -------------------------------------------------------------------------------- /manifests/product-api/services.yml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: product-api-stable 5 | namespace: product-api 6 | spec: 7 | selector: 8 | app: product-api 9 | ports: 10 | - name: http 11 | protocol: TCP 12 | port: 8080 -------------------------------------------------------------------------------- /manifests/product-api/values.yaml: -------------------------------------------------------------------------------- 1 | #@data/values 2 | --- 3 
| image: "" 4 | ingress_hostname: "" -------------------------------------------------------------------------------- /manifests/sealed-secrets/controller.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | annotations: {} 6 | labels: 7 | name: sealed-secrets-controller 8 | name: sealed-secrets-controller 9 | namespace: kube-system 10 | spec: 11 | minReadySeconds: 30 12 | replicas: 1 13 | revisionHistoryLimit: 10 14 | selector: 15 | matchLabels: 16 | name: sealed-secrets-controller 17 | strategy: 18 | rollingUpdate: 19 | maxSurge: 25% 20 | maxUnavailable: 25% 21 | type: RollingUpdate 22 | template: 23 | metadata: 24 | annotations: {} 25 | labels: 26 | name: sealed-secrets-controller 27 | spec: 28 | containers: 29 | - args: [] 30 | command: 31 | - controller 32 | env: [] 33 | image: quay.io/bitnami/sealed-secrets-controller:v0.12.5 34 | imagePullPolicy: Always 35 | livenessProbe: 36 | httpGet: 37 | path: /healthz 38 | port: http 39 | name: sealed-secrets-controller 40 | ports: 41 | - containerPort: 8080 42 | name: http 43 | readinessProbe: 44 | httpGet: 45 | path: /healthz 46 | port: http 47 | securityContext: 48 | readOnlyRootFilesystem: true 49 | runAsNonRoot: true 50 | runAsUser: 1001 51 | stdin: false 52 | tty: false 53 | volumeMounts: 54 | - mountPath: /tmp 55 | name: tmp 56 | imagePullSecrets: [] 57 | initContainers: [] 58 | securityContext: 59 | fsGroup: 65534 60 | serviceAccountName: sealed-secrets-controller 61 | terminationGracePeriodSeconds: 30 62 | volumes: 63 | - emptyDir: {} 64 | name: tmp 65 | --- 66 | apiVersion: apiextensions.k8s.io/v1beta1 67 | kind: CustomResourceDefinition 68 | metadata: 69 | name: sealedsecrets.bitnami.com 70 | spec: 71 | group: bitnami.com 72 | names: 73 | kind: SealedSecret 74 | listKind: SealedSecretList 75 | plural: sealedsecrets 76 | singular: sealedsecret 77 | scope: Namespaced 78 | subresources: 79 | status: {} 80 | 
version: v1alpha1 81 | --- 82 | apiVersion: rbac.authorization.k8s.io/v1beta1 83 | kind: Role 84 | metadata: 85 | annotations: {} 86 | labels: 87 | name: sealed-secrets-service-proxier 88 | name: sealed-secrets-service-proxier 89 | namespace: kube-system 90 | rules: 91 | - apiGroups: 92 | - "" 93 | resourceNames: 94 | - 'http:sealed-secrets-controller:' 95 | - sealed-secrets-controller 96 | resources: 97 | - services/proxy 98 | verbs: 99 | - create 100 | - get 101 | --- 102 | apiVersion: v1 103 | kind: ServiceAccount 104 | metadata: 105 | annotations: {} 106 | labels: 107 | name: sealed-secrets-controller 108 | name: sealed-secrets-controller 109 | namespace: kube-system 110 | --- 111 | apiVersion: v1 112 | kind: Service 113 | metadata: 114 | annotations: {} 115 | labels: 116 | name: sealed-secrets-controller 117 | name: sealed-secrets-controller 118 | namespace: kube-system 119 | spec: 120 | ports: 121 | - port: 8080 122 | targetPort: 8080 123 | selector: 124 | name: sealed-secrets-controller 125 | type: ClusterIP 126 | --- 127 | apiVersion: rbac.authorization.k8s.io/v1beta1 128 | kind: RoleBinding 129 | metadata: 130 | annotations: {} 131 | labels: 132 | name: sealed-secrets-service-proxier 133 | name: sealed-secrets-service-proxier 134 | namespace: kube-system 135 | roleRef: 136 | apiGroup: rbac.authorization.k8s.io 137 | kind: Role 138 | name: sealed-secrets-service-proxier 139 | subjects: 140 | - apiGroup: rbac.authorization.k8s.io 141 | kind: Group 142 | name: system:authenticated 143 | --- 144 | apiVersion: rbac.authorization.k8s.io/v1beta1 145 | kind: RoleBinding 146 | metadata: 147 | annotations: {} 148 | labels: 149 | name: sealed-secrets-controller 150 | name: sealed-secrets-controller 151 | namespace: kube-system 152 | roleRef: 153 | apiGroup: rbac.authorization.k8s.io 154 | kind: Role 155 | name: sealed-secrets-key-admin 156 | subjects: 157 | - kind: ServiceAccount 158 | name: sealed-secrets-controller 159 | namespace: kube-system 160 | --- 161 | 
apiVersion: rbac.authorization.k8s.io/v1beta1 162 | kind: Role 163 | metadata: 164 | annotations: {} 165 | labels: 166 | name: sealed-secrets-key-admin 167 | name: sealed-secrets-key-admin 168 | namespace: kube-system 169 | rules: 170 | - apiGroups: 171 | - "" 172 | resources: 173 | - secrets 174 | verbs: 175 | - create 176 | - list 177 | --- 178 | apiVersion: rbac.authorization.k8s.io/v1beta1 179 | kind: ClusterRoleBinding 180 | metadata: 181 | annotations: {} 182 | labels: 183 | name: sealed-secrets-controller 184 | name: sealed-secrets-controller 185 | roleRef: 186 | apiGroup: rbac.authorization.k8s.io 187 | kind: ClusterRole 188 | name: secrets-unsealer 189 | subjects: 190 | - kind: ServiceAccount 191 | name: sealed-secrets-controller 192 | namespace: kube-system 193 | --- 194 | apiVersion: rbac.authorization.k8s.io/v1beta1 195 | kind: ClusterRole 196 | metadata: 197 | annotations: {} 198 | labels: 199 | name: secrets-unsealer 200 | name: secrets-unsealer 201 | rules: 202 | - apiGroups: 203 | - bitnami.com 204 | resources: 205 | - sealedsecrets 206 | verbs: 207 | - get 208 | - list 209 | - watch 210 | - apiGroups: 211 | - bitnami.com 212 | resources: 213 | - sealedsecrets/status 214 | verbs: 215 | - update 216 | - apiGroups: 217 | - "" 218 | resources: 219 | - secrets 220 | verbs: 221 | - get 222 | - create 223 | - update 224 | - delete 225 | - apiGroups: 226 | - "" 227 | resources: 228 | - events 229 | verbs: 230 | - create 231 | - patch 232 | -------------------------------------------------------------------------------- /manifests/spring-petclinic/certificate.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | 3 | apiVersion: cert-manager.io/v1alpha2 4 | kind: Certificate 5 | metadata: 6 | name: spring-petclinic 7 | namespace: spring-petclinic 8 | spec: 9 | commonName: #@ data.values.ingress_hostname 10 | dnsNames: 11 | - #@ data.values.ingress_hostname 12 | issuerRef: 13 | kind: 
ClusterIssuer 14 | name: mkcert 15 | secretName: spring-petclinic-tls -------------------------------------------------------------------------------- /manifests/spring-petclinic/deployment.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: spring-petclinic 6 | namespace: spring-petclinic 7 | spec: 8 | replicas: 1 9 | selector: 10 | matchLabels: 11 | app: spring-petclinic 12 | template: 13 | metadata: 14 | labels: 15 | app: spring-petclinic 16 | spec: 17 | containers: 18 | - name: spring-petclinic 19 | image: #@ data.values.image 20 | ports: 21 | - containerPort: 8080 22 | env: 23 | - name: WAVEFRONT_API_TOKEN 24 | valueFrom: 25 | secretKeyRef: 26 | name: wavefront 27 | key: wavefront_api_token 28 | - name: WAVEFRONT_URL 29 | valueFrom: 30 | secretKeyRef: 31 | name: wavefront 32 | key: wavefront_url 33 | - name: spring_profiles_active 34 | value: mysql 35 | - name: MYSQL_URL 36 | value: "jdbc:mysql://mysql.mysql.svc.cluster.local/petclinic" -------------------------------------------------------------------------------- /manifests/spring-petclinic/ingress.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | apiVersion: extensions/v1beta1 3 | kind: Ingress 4 | metadata: 5 | name: spring-petclinic 6 | namespace: spring-petclinic 7 | annotations: 8 | kubernetes.io/ingress.class: nginx 9 | spec: 10 | rules: 11 | - host: #@ data.values.ingress_hostname 12 | http: 13 | paths: 14 | - backend: 15 | serviceName: spring-petclinic-stable 16 | servicePort: http 17 | path: / 18 | tls: 19 | - hosts: 20 | - #@ data.values.ingress_hostname 21 | secretName: spring-petclinic-tls -------------------------------------------------------------------------------- /manifests/spring-petclinic/namespace.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: spring-petclinic -------------------------------------------------------------------------------- /manifests/spring-petclinic/services.yml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: spring-petclinic-stable 5 | namespace: spring-petclinic 6 | spec: 7 | selector: 8 | app: spring-petclinic 9 | ports: 10 | - name: http 11 | protocol: TCP 12 | port: 8080 -------------------------------------------------------------------------------- /manifests/spring-petclinic/values.yaml: -------------------------------------------------------------------------------- 1 | #@data/values 2 | --- 3 | image: "" 4 | ingress_hostname: "" -------------------------------------------------------------------------------- /manifests/spring-petclinic/wavefront-secrets.json: -------------------------------------------------------------------------------- 1 | { 2 | "kind": "SealedSecret", 3 | "apiVersion": "bitnami.com/v1alpha1", 4 | "metadata": { 5 | "name": "wavefront", 6 | "namespace": "spring-petclinic", 7 | "creationTimestamp": null 8 | }, 9 | "spec": { 10 | "template": { 11 | "metadata": { 12 | "name": "wavefront", 13 | "namespace": "spring-petclinic", 14 | "creationTimestamp": null 15 | } 16 | }, 17 | "encryptedData": { 18 | "wavefront_api_token": "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", 19 | "wavefront_url": "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" 20 | } 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /manifests/tas/certificate.yml: -------------------------------------------------------------------------------- 1 | #@ load("@ytt:data", "data") 2 | 3 | apiVersion: cert-manager.io/v1alpha2 4 | kind: Certificate 5 | metadata: 6 | name: sys-domain-cert 7 | namespace: 
istio-system 8 | spec: 9 | commonName: #@ "*.sys.tas." + data.values.primary_domain 10 | dnsNames: 11 | - #@ "sys.tas." + data.values.primary_domain 12 | - #@ "*.sys.tas." + data.values.primary_domain 13 | issuerRef: 14 | kind: ClusterIssuer 15 | name: mkcert 16 | secretName: sys-domain-cert 17 | --- 18 | apiVersion: cert-manager.io/v1alpha2 19 | kind: Certificate 20 | metadata: 21 | name: apps-domain-cert 22 | namespace: istio-system 23 | spec: 24 | commonName: #@ "*.apps.sys.tas." + data.values.primary_domain 25 | dnsNames: 26 | - #@ "apps.sys.tas." + data.values.primary_domain 27 | - #@ "*.apps.sys.tas." + data.values.primary_domain 28 | issuerRef: 29 | kind: ClusterIssuer 30 | name: mkcert 31 | secretName: apps-domain-cert -------------------------------------------------------------------------------- /manifests/tas/values.yml: -------------------------------------------------------------------------------- 1 | #@data/values 2 | --- 3 | primary_domain: "" -------------------------------------------------------------------------------- /manifests/tbs/descriptor-8.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kp.kpack.io/v1alpha1 2 | kind: DependencyDescriptor 3 | defaultClusterBuilder: full 4 | defaultStack: full 5 | stores: 6 | - name: default 7 | sources: 8 | - image: registry.pivotal.io/tanzu-go-buildpack/go@sha256:b3aabeec621a74bb57c7b97ad5e3d8ee31a83ab367a47455a9aaac7b79cbc022 9 | - image: registry.pivotal.io/tanzu-java-buildpack/java@sha256:38db548c31a198bee8aee0570f1bb1262582e802c92aa14fe7021941d3856701 10 | - image: registry.pivotal.io/tanzu-nodejs-buildpack/nodejs@sha256:f7b485ec28630ed38d4bbef3bfdcc5a01610551cff1518edf099ae133d592e58 11 | - image: registry.pivotal.io/tbs-dependencies/tanzu-buildpacks_dotnet-core@sha256:a1abf15b4ebb5cc7f86993f9134567b3cf7ebdb90ad3e3f4b2080f2ef27e776f 12 | - image: 
registry.pivotal.io/tbs-dependencies/tanzu-buildpacks_php@sha256:7af56f344798284732ddc33a1d5d6973d1635d3f0e9b8d960e027b08ab3894ad 13 | - image: registry.pivotal.io/tbs-dependencies/tanzu-buildpacks_nginx@sha256:d3592a9214ed78506c76fddd2785bccc864666f7c88972b039dd0b112760f2ec 14 | - image: registry.pivotal.io/tbs-dependencies/tanzu-buildpacks_httpd@sha256:892c824d98afb32198cd5b303098eee5be2600f076455bd8f7da3a34adf2c340 15 | - image: registry.pivotal.io/tbs-dependencies/paketo-buildpacks_procfile@sha256:e9f731b4cd3f8a13f2f70295713b0ef0970e02e03a530be467bf25703ee5e086 16 | stacks: 17 | - name: tiny 18 | buildImage: 19 | image: registry.pivotal.io/tbs-dependencies/build-tiny@sha256:5288d9c5b7cf7068d07b5a184f3ec2f124fbc5842401b8b23c74485c4d2ba23a 20 | runImage: 21 | image: registry.pivotal.io/tbs-dependencies/run-tiny@sha256:34b01fd9a3745fcaa345f8993938291c931f7977cc2bee78ed377da2edc55e3d 22 | - name: base 23 | buildImage: 24 | image: registry.pivotal.io/tbs-dependencies/build-base@sha256:136bea967b99e41497664896ca8b8829cc96b75405edcc31b5e111ad0415c399 25 | runImage: 26 | image: registry.pivotal.io/tbs-dependencies/run-base@sha256:30cd86c9a265a39629421fea0172be15cd4aefb9f7f432e98a330583196f172e 27 | - name: full 28 | buildImage: 29 | image: registry.pivotal.io/tbs-dependencies/build-full@sha256:423b15b46ee55ddb32851f0460468e1abecbf0d7b894ca9a9ab03543e008e9ab 30 | runImage: 31 | image: registry.pivotal.io/tbs-dependencies/run-full@sha256:d2019a8b64c252e6d164f84afa89d699cc6d6a2ff9b7ad6553278fc710626a15 32 | clusterBuilders: 33 | - name: base 34 | stack: base 35 | store: default 36 | order: 37 | - group: 38 | - id: tanzu-buildpacks/dotnet-core 39 | - group: 40 | - id: tanzu-buildpacks/nodejs 41 | - group: 42 | - id: tanzu-buildpacks/go 43 | - group: 44 | - id: tanzu-buildpacks/php 45 | - group: 46 | - id: tanzu-buildpacks/nginx 47 | - group: 48 | - id: tanzu-buildpacks/httpd 49 | - group: 50 | - id: tanzu-buildpacks/java 51 | - group: 52 | - id: paketo-buildpacks/procfile 
53 | - name: full 54 | stack: full 55 | store: default 56 | order: 57 | - group: 58 | - id: tanzu-buildpacks/dotnet-core 59 | - group: 60 | - id: tanzu-buildpacks/nodejs 61 | - group: 62 | - id: tanzu-buildpacks/go 63 | - group: 64 | - id: tanzu-buildpacks/php 65 | - group: 66 | - id: tanzu-buildpacks/nginx 67 | - group: 68 | - id: tanzu-buildpacks/httpd 69 | - group: 70 | - id: tanzu-buildpacks/java 71 | - group: 72 | - id: paketo-buildpacks/procfile 73 | - name: tiny 74 | stack: tiny 75 | store: default 76 | order: 77 | - group: 78 | - id: tanzu-buildpacks/go 79 | - group: 80 | - id: paketo-buildpacks/procfile 81 | -------------------------------------------------------------------------------- /manifests/tbs/descriptor-9.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kp.kpack.io/v1alpha1 2 | kind: DependencyDescriptor 3 | defaultClusterBuilder: full 4 | defaultStack: full 5 | stores: 6 | - name: default 7 | sources: 8 | - image: registry.pivotal.io/tanzu-go-buildpack/go@sha256:b3aabeec621a74bb57c7b97ad5e3d8ee31a83ab367a47455a9aaac7b79cbc022 9 | - image: registry.pivotal.io/tanzu-java-buildpack/java@sha256:38db548c31a198bee8aee0570f1bb1262582e802c92aa14fe7021941d3856701 10 | - image: registry.pivotal.io/tanzu-nodejs-buildpack/nodejs@sha256:f7b485ec28630ed38d4bbef3bfdcc5a01610551cff1518edf099ae133d592e58 11 | - image: registry.pivotal.io/tanzu-java-native-image-buildpack/java-native-image@sha256:1c5c4840249752ec88907717af2298602febe6a153108df8f85a156211685257 12 | - image: registry.pivotal.io/tbs-dependencies/tanzu-buildpacks_dotnet-core@sha256:d8ce44165166da988cc334e13956838623d233861b57eaf011d43535b1b86bf4 13 | - image: registry.pivotal.io/tbs-dependencies/tanzu-buildpacks_php@sha256:7af56f344798284732ddc33a1d5d6973d1635d3f0e9b8d960e027b08ab3894ad 14 | - image: registry.pivotal.io/tbs-dependencies/tanzu-buildpacks_nginx@sha256:e0363a5e6ce01f0935df65d6f89994a91bee63c2f25249c62a84788f53eb4346 15 | - image: 
registry.pivotal.io/tbs-dependencies/tanzu-buildpacks_httpd@sha256:892c824d98afb32198cd5b303098eee5be2600f076455bd8f7da3a34adf2c340 16 | - image: registry.pivotal.io/tbs-dependencies/paketo-buildpacks_procfile@sha256:e9f731b4cd3f8a13f2f70295713b0ef0970e02e03a530be467bf25703ee5e086 17 | stacks: 18 | - name: tiny 19 | buildImage: 20 | image: registry.pivotal.io/tbs-dependencies/build-tiny@sha256:5288d9c5b7cf7068d07b5a184f3ec2f124fbc5842401b8b23c74485c4d2ba23a 21 | runImage: 22 | image: registry.pivotal.io/tbs-dependencies/run-tiny@sha256:34b01fd9a3745fcaa345f8993938291c931f7977cc2bee78ed377da2edc55e3d 23 | - name: base 24 | buildImage: 25 | image: registry.pivotal.io/tbs-dependencies/build-base@sha256:136bea967b99e41497664896ca8b8829cc96b75405edcc31b5e111ad0415c399 26 | runImage: 27 | image: registry.pivotal.io/tbs-dependencies/run-base@sha256:30cd86c9a265a39629421fea0172be15cd4aefb9f7f432e98a330583196f172e 28 | - name: full 29 | buildImage: 30 | image: registry.pivotal.io/tbs-dependencies/build-full@sha256:0177ac09cec02e43ba70cf191a469ba03ccdd108a007153465910f501e769539 31 | runImage: 32 | image: registry.pivotal.io/tbs-dependencies/run-full@sha256:00910a0bfe8544892e56a251b58119103532c25afb0034e1be9da494b3969e68 33 | clusterBuilders: 34 | - name: base 35 | stack: base 36 | store: default 37 | order: 38 | - group: 39 | - id: tanzu-buildpacks/dotnet-core 40 | - group: 41 | - id: tanzu-buildpacks/nodejs 42 | - group: 43 | - id: tanzu-buildpacks/go 44 | - group: 45 | - id: tanzu-buildpacks/php 46 | - group: 47 | - id: tanzu-buildpacks/nginx 48 | - group: 49 | - id: tanzu-buildpacks/httpd 50 | - group: 51 | - id: tanzu-buildpacks/java-native-image 52 | - group: 53 | - id: tanzu-buildpacks/java 54 | - group: 55 | - id: paketo-buildpacks/procfile 56 | - name: full 57 | stack: full 58 | store: default 59 | order: 60 | - group: 61 | - id: tanzu-buildpacks/dotnet-core 62 | - group: 63 | - id: tanzu-buildpacks/nodejs 64 | - group: 65 | - id: tanzu-buildpacks/go 66 | - group: 
67 | - id: tanzu-buildpacks/php 68 | - group: 69 | - id: tanzu-buildpacks/nginx 70 | - group: 71 | - id: tanzu-buildpacks/httpd 72 | - group: 73 | - id: tanzu-buildpacks/java-native-image 74 | - group: 75 | - id: tanzu-buildpacks/java 76 | - group: 77 | - id: paketo-buildpacks/procfile 78 | - name: tiny 79 | stack: tiny 80 | store: default 81 | order: 82 | - group: 83 | - id: tanzu-buildpacks/go 84 | - group: 85 | - id: tanzu-buildpacks/java-native-image 86 | - group: 87 | - id: paketo-buildpacks/procfile 88 | -------------------------------------------------------------------------------- /manifests/vsphere-storage/storageclass.yml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: storage.k8s.io/v1 3 | kind: StorageClass 4 | metadata: 5 | name: vsphere 6 | annotations: 7 | storageclass.kubernetes.io/is-default-class: "true" 8 | provisioner: kubernetes.io/vsphere-volume 9 | parameters: 10 | datastore: vsanDatastore 11 | -------------------------------------------------------------------------------- /secrets-cert-manager.sh: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env bash 2 | 3 | set -euo pipefail 4 | 5 | # Root cert and key 6 | kubectl create secret generic mkcert \ 7 | --from-file=tls.crt="$(mkcert -CAROOT)"/rootCA.pem \ 8 | --from-file=tls.key="$(mkcert -CAROOT)"/rootCA-key.pem \ 9 | --namespace cert-manager 10 | 11 | -------------------------------------------------------------------------------- /secrets-concourse.sh: -------------------------------------------------------------------------------- 1 | #! 
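#!/usr/bin/env bash
#
# secrets-concourse.sh: prompt for the pipeline credentials and write them as
# a SealedSecret manifest (manifests/concourse-main/pipeline-secrets.json) for
# the concourse-main namespace. Nothing is applied to the cluster here: kubectl
# runs with --dry-run=client and its JSON is piped through kubeseal.
#
# Requires: kubectl, kubeseal (able to fetch the sealed-secrets controller's
#           public key), mkcert (its root CA cert is embedded as ca_cert).
# Outputs:  manifests/concourse-main/pipeline-secrets.json (overwritten)

set -euo pipefail

readonly OUT_FILE="manifests/concourse-main/pipeline-secrets.json"

# Prompt for a non-secret value. -r keeps backslashes literal.
# Arguments: $1 - prompt text, $2 - name of the variable to fill
ask() {
  local prompt=$1 var=$2
  read -r -p "${prompt}: " "${var}"
}

# Prompt for a secret value. -s stops the terminal from echoing it, so the
# token/password does not end up in scrollback or a terminal recording;
# the explicit newline replaces the one the user's Enter would have shown.
# Arguments: $1 - prompt text, $2 - name of the variable to fill
ask_secret() {
  local prompt=$1 var=$2
  read -r -s -p "${prompt}: " "${var}"
  printf '\n'
}

ask        "TKGI URL"            TKGI_URL
ask        "TKGI_USER"           TKGI_USER
ask_secret "TKGI_PASSWORD"       TKGI_PASSWORD
ask_secret "WAVEFRONT API TOKEN" WAVEFRONT_API_TOKEN
ask        "WAVEFRONT_URL"       WAVEFRONT_URL
ask_secret "PIVNET API TOKEN"    PIVNET_API_TOKEN
ask        "PIVNET USERNAME"     PIVNET_USERNAME
ask_secret "PIVNET PASSWORD"     PIVNET_PASSWORD

# Resolve the mkcert CA directory once, and fail loudly if mkcert is missing
# (a bare $(...) inside the argument list would otherwise yield "/rootCA.pem").
ca_root=$(mkcert -CAROOT) || { printf 'mkcert -CAROOT failed\n' >&2; exit 1; }

# Seal into a temp file next to the target and rename on success, so a
# failing kubeseal run (e.g. controller unreachable) cannot leave a truncated
# or empty pipeline-secrets.json behind. mktemp creates the file mode 0600.
tmp_out=$(mktemp "${OUT_FILE}.XXXXXX")
trap 'rm -f -- "${tmp_out}"' EXIT

# Pipeline secrets
# NOTE(review): --from-literal puts each value on kubectl's command line, where
# it is readable by other local users via ps for the duration of the
# (short, dry-run) kubectl process. If that matters on the workstation this
# runs on, move the values to a 0600 env file and use --from-env-file, once
# the local kubectl allows combining it with --from-file.
kubectl create secret generic tanzu-gitops \
  --namespace concourse-main \
  --from-literal=tkgi_url="${TKGI_URL}" \
  --from-literal=tkgi_user="${TKGI_USER}" \
  --from-literal=tkgi_password="${TKGI_PASSWORD}" \
  --from-file=ca_cert="${ca_root}/rootCA.pem" \
  --from-literal=wavefront_api_token="${WAVEFRONT_API_TOKEN}" \
  --from-literal=wavefront_url="${WAVEFRONT_URL}" \
  --from-literal=pivnet_api_token="${PIVNET_API_TOKEN}" \
  --from-literal=pivnet_username="${PIVNET_USERNAME}" \
  --from-literal=pivnet_password="${PIVNET_PASSWORD}" \
  --dry-run=client \
  -o json | kubeseal > "${tmp_out}"

mv -- "${tmp_out}" "${OUT_FILE}"
# --------------------------------------------------------------------------------
# /secrets-spring-petclinic.sh: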
/usr/bin/env bash 2 | 3 | set -euo pipefail 4 | 5 | read -p "WAVEFRONT API TOKEN: " WAVEFRONT_API_TOKEN 6 | read -p "WAVEFRONT_URL: " WAVEFRONT_URL 7 | 8 | 9 | # spring-petclinic Wavefront secret 10 | kubectl create secret generic wavefront \ 11 | --namespace spring-petclinic \ 12 | --from-literal=wavefront_api_token="${WAVEFRONT_API_TOKEN}" \ 13 | --from-literal=wavefront_url="${WAVEFRONT_URL}" \ 14 | --dry-run=client \ 15 | -o json | kubeseal > manifests/spring-petclinic/wavefront-secrets.json -------------------------------------------------------------------------------- /spring-petclinic.patch: -------------------------------------------------------------------------------- 1 | diff --git a/pom.xml b/pom.xml 2 | index 5ac0cc4..3768917 100644 3 | --- a/pom.xml 4 | +++ b/pom.xml 5 | @@ -69,6 +69,16 @@ 6 | 7 | 8 | 9 | + 10 | + com.wavefront 11 | + wavefront-spring-boot-starter 12 | + 2.0.0 13 | + 14 | 15 | 16 | diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties 17 | index 4d4784e..48c6214 100644 18 | --- a/src/main/resources/application.properties 19 | +++ b/src/main/resources/application.properties 20 | 
@@ -23,3 +23,10 @@ logging.level.org.springframework=INFO 21 | 22 | # Maximum time static resources should be cached 23 | spring.resources.cache.cachecontrol.max-age=12h 24 | + 25 | + 26 | +wavefront.application.name=tanzu-gitops 27 | +wavefront.application.service=spring-petclinic 28 | +management.metrics.export.wavefront.api-token=${WAVEFRONT_API_TOKEN:invalid} 29 | +management.metrics.export.wavefront.uri=${WAVEFRONT_URL:invalid} 30 | +wavefront.freemium-account=false -------------------------------------------------------------------------------- /tas-reset-stack.sh: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env bash 2 | 3 | set -euo pipefail 4 | 5 | kubectl patch stack cflinuxfs3-stack \ 6 | --namespace cf-workloads-staging \ 7 | --type='json' \ 8 | --patch='[{"op": "replace", "path": "/spec/buildImage/image", "value":"gcr.io/paketo-buildpacks/build@sha256:84f7b60192e69036cb363b2fc7d9834cff69dcbcf7aaf8c058d986fdee6941c3"},{"op": "replace", "path": "/spec/runImage/image", "value":"gcr.io/paketo-buildpacks/run@sha256:84f7b60192e69036cb363b2fc7d9834cff69dcbcf7aaf8c058d986fdee6941c3"}]' -------------------------------------------------------------------------------- /tas-update-stack.sh: -------------------------------------------------------------------------------- 1 | #! 
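#!/usr/bin/env bash
#
# tas-update-stack.sh: replace the build and run images of the TAS
# cflinuxfs3-stack (namespace cf-workloads-staging) with the paketo images
# below. Both images are pinned by sha256 digest, so the patch is
# reproducible and cannot drift with a moving tag.
#
# Requires: kubectl with access to the cf-workloads-staging namespace.

set -euo pipefail

kubectl patch stack cflinuxfs3-stack \
  --namespace cf-workloads-staging \
  --type='json' \
  --patch='[{"op": "replace", "path": "/spec/buildImage/image", "value":"gcr.io/paketo-buildpacks/build@sha256:a591ad9c9bb81d1d74ed29b930fe6fc8bf1b296a5c61291beca848aee4c94925"},{"op": "replace", "path": "/spec/runImage/image", "value":"gcr.io/paketo-buildpacks/run@sha256:12f8ebe599e62c7113dab4cac7290f87c46dcb388dd3bcdfa02860ba77424ec6"}]'
# --------------------------------------------------------------------------------
# /tkgi-create-clusters.sh:
# --------------------------------------------------------------------------------
#!/usr/bin/env bash
#
# tkgi-create-clusters.sh: create the TKGI clusters this repo deploys into.
#
# Uses the default plans "small" and "medium" and a custom plan called
# "singleVM" that has one worker node with good specs. Change as you see fit;
# these numbers work for my lab and my workloads.
#
# Requires: tkgi CLI (logged in); PRIMARY_DOMAIN set (see .envrc.template).
#           Each cluster's API endpoint is k8s-<name>.$PRIMARY_DOMAIN.
#
# No `set -e` on purpose: each create-cluster call is independent, and one
# failing call should not stop the remaining clusters from being created.

# Without this guard an unset PRIMARY_DOMAIN silently produced hostnames like
# "k8s-concourse." instead of failing.
: "${PRIMARY_DOMAIN:?PRIMARY_DOMAIN must be set (see .envrc.template)}"

# Create one cluster whose external hostname is derived from its name.
# Arguments: $1 - cluster name; remaining args are passed to tkgi as-is
#            (plan / node count).
create_cluster() {
  local name=$1
  shift
  tkgi create-cluster "${name}" \
    --external-hostname="k8s-${name}.${PRIMARY_DOMAIN}" \
    "$@"
}

create_cluster concourse        --plan=singleVM
create_cluster harbor           --plan=singleVM
create_cluster tbs              --plan=medium --num-nodes=2
create_cluster spring-petclinic --plan=small  --num-nodes=1
create_cluster product-api      --plan=small  --num-nodes=1
create_cluster kubeapps         --plan=small  --num-nodes=3
# TAS4K8s won't install on less than 5 small workers
create_cluster tas              --plan=small  --num-nodes=5
# --------------------------------------------------------------------------------
# /tmc-attach-cluster.sh: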
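# --------------------------------------------------------------------------------
#!/usr/bin/env bash
#
# tmc-attach-cluster.sh: attach the cluster behind a kubeconfig context to
# Tanzu Mission Control, naming it <group>-<context>.
#
# Usage:        tmc-attach-cluster.sh <kube-context>
# Requires:     TMC_CLUSTER_GROUP_NAME set; tmc (logged in), kubectl and kapp
#               on PATH.
# Side effects: switches the current kubectl context to <kube-context>;
#               the attach manifest tmc writes to ./k8s-attach-manifest.yaml
#               is deleted on exit.

set -euo pipefail

readonly MANIFEST="k8s-attach-manifest.yaml"

usage() {
  printf 'Usage: %s <kube-context>\n' "${0##*/}" >&2
  exit 2
}

# Fail with a readable message instead of set -u's "unbound variable".
(( $# == 1 )) || usage
: "${TMC_CLUSTER_GROUP_NAME:?TMC_CLUSTER_GROUP_NAME must be set}"

CONTEXT=$1
readonly CONTEXT

# Remove the generated manifest on every exit path, not only after a
# successful deploy, so a failed run does not leave it in the working tree.
trap 'rm -f -- "${MANIFEST}"' EXIT

tmc cluster attach \
  --group "${TMC_CLUSTER_GROUP_NAME}" \
  --name "${TMC_CLUSTER_GROUP_NAME}-${CONTEXT}"

# Two statements rather than `use-context && kapp deploy`: inside an && list
# a failing use-context does not trip set -e, so the script would have gone
# on to delete the manifest without deploying anything.
kubectl config use-context "${CONTEXT}"
kapp deploy -a tmc -f "${MANIFEST}" -y
# --------------------------------------------------------------------------------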