The Documentation Sops

VMware TANZU SOPS or ESO?

Tanzu Application Platform can be installed via GitOps in two ways: with SOPS or with ESO. Both are currently in beta and are not recommended for production environments.

Warning

Because ESO deploys secrets through an external AWS Secrets Manager, this document deploys using the SOPS method.

SOPS

ESO

VMware TANZU GITOPS

Prerequisites

Relocate images to a registry

It is recommended to store the Docker images from Tanzu Network in an internal registry, because uptime is not guaranteed when pulling from the Tanzu Network registry. The supported registries are Harbor, Azure Container Registry, Google Container Registry, and Quay.io. See the following document for how to set them up.

  1. Set the environment variables.
export IMGPKG_REGISTRY_HOSTNAME_0=registry.tanzu.vmware.com
export IMGPKG_REGISTRY_USERNAME_0=MY-TANZUNET-USERNAME
export IMGPKG_REGISTRY_PASSWORD_0=MY-TANZUNET-PASSWORD
export IMGPKG_REGISTRY_HOSTNAME_1=MY-REGISTRY
export IMGPKG_REGISTRY_USERNAME_1=MY-REGISTRY-USER
export IMGPKG_REGISTRY_PASSWORD_1=MY-REGISTRY-PASSWORD
export INSTALL_REGISTRY_USERNAME=MY-REGISTRY-USER
export INSTALL_REGISTRY_PASSWORD=MY-REGISTRY-PASSWORD
export INSTALL_REGISTRY_HOSTNAME=MY-REGISTRY
export TAP_VERSION=VERSION-NUMBER
export INSTALL_REPO=TARGET-REPOSITORY
  2. Install the Carvel tool imgpkg CLI.
## Check the available image versions
imgpkg tag list -i registry.tanzu.vmware.com/tanzu-application-platform/tap-packages | sort -V

## Copy the images for the chosen version to the internal registry
imgpkg copy -b registry.tanzu.vmware.com/tanzu-application-platform/tap-packages:${TAP_VERSION} --to-repo ${INSTALL_REGISTRY_HOSTNAME}/${INSTALL_REPO}/tap-packages

Create a new Git repository

Create a project in Git.

mkdir -p $HOME/tap-gitops
cd $HOME/tap-gitops

git init
git remote add origin git@github.com:my-organization/tap-gitops.git

Download and unpack Tanzu GitOps Reference Implementation (RI)

Download the Tanzu GitOps Reference Implementation (RI) from Tanzu Network.

Download the RI

Upload the downloaded RI to your internal Git repository.

tar xvf tanzu-gitops-ri-*.tgz -C $HOME/tap-gitops

cd $HOME/tap-gitops

git add . && git commit -m "Initialize Tanzu GitOps RI"
git push -u origin

Create cluster configuration

For CLUSTER-NAME, choose the cluster you currently have configured.

kubectl config get-contexts

cd $HOME/tap-gitops

./setup-repo.sh CLUSTER-NAME sops

## Upload to Git
git add . && git commit -m "Add full-tap-cluster"
git push

Preparing sensitive Tanzu Application Platform values

mkdir -p $HOME/tmp-enc
chmod 700 $HOME/tmp-enc
cd $HOME/tmp-enc

age-keygen -o key.txt

cat key.txt
# created: 2023-02-08T10:55:35-07:00
# public key: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
AGE-SECRET-KEY-my-secret-key

## Fill in the values below.
## To configure multiple clusters, split the content below and run it separately for each cluster.

cat << EOF > $HOME/tmp-enc/tap-sensitive-values.yaml
---
tap_install:
  sensitive_values:
    shared:
      ingress_domain: "INGRESS-DOMAIN"
      ingress_issuer: # Optional, can denote a cert-manager.io/v1/ClusterIssuer of your choice. Defaults to "tap-ingress-selfsigned".
    
      image_registry:
        project_path: "SERVER-NAME/REPO-NAME"
        secret:
          name: "KP-DEFAULT-REPO-SECRET"
          namespace: "KP-DEFAULT-REPO-SECRET-NAMESPACE"
    
      kubernetes_distribution: "K8S-DISTRO" # Only required if the distribution is OpenShift and must be used with the following kubernetes_version key.
    
      kubernetes_version: "K8S-VERSION" # Required regardless of distribution when Kubernetes version is 1.25 or later.
    
      ca_cert_data: | # To be passed if using custom certificates.
          -----BEGIN CERTIFICATE-----
          MIIFXzCCA0egAwIBAgIJAJYm37SFocjlMA0GCSqGSIb3DQEBDQUAMEY...
          -----END CERTIFICATE-----
    
    ceip_policy_disclosed: FALSE-OR-TRUE-VALUE # Installation fails if this is not set to true. Not a string.
    
    #The above keys are minimum numbers of entries needed in tap-values.yaml to get a functioning TAP Full profile installation.
    
    #Below are the keys which may have default values set, but can be overridden.
    
    profile: full # Can take iterate, build, run, view.
    
    supply_chain: basic # Can take testing, testing_scanning.
    
    ootb_supply_chain_basic: # Based on supply_chain set above, can be changed to ootb_supply_chain_testing, ootb_supply_chain_testing_scanning.
      registry:
        server: "SERVER-NAME" # Takes the value from the shared section by default, but can be overridden by setting a different value.
        repository: "REPO-NAME" # Takes the value from the shared section by default, but can be overridden by setting a different value.
      gitops:
        ssh_secret: "SSH-SECRET-KEY" # Takes "" as value by default; but can be overridden by setting a different value.
    
    contour:
      envoy:
        service:
          type: LoadBalancer # This is set by default, but can be overridden by setting a different value.
    
    buildservice:
      # Takes the value from the shared section by default, but can be overridden by setting a different value.
      kp_default_repository: "KP-DEFAULT-REPO"
      kp_default_repository_secret: # Takes the value from the shared section above by default, but can be overridden by setting a different value.
        name: "KP-DEFAULT-REPO-SECRET"
        namespace: "KP-DEFAULT-REPO-SECRET-NAMESPACE"
    
    tap_gui:
      metadataStoreAutoconfiguration: true # Creates a service account, the Kubernetes control plane token and the requisite app_config block to enable communications between Tanzu Application Platform GUI and SCST - Store.
      app_config:
        catalog:
          locations:
            - type: url
              target: https://GIT-CATALOG-URL/catalog-info.yaml
    
    metadata_store:
      ns_for_export_app_cert: "MY-DEV-NAMESPACE" # Verify this namespace is available within your cluster before initiating the Tanzu Application Platform installation.
      app_service_type: ClusterIP # Defaults to LoadBalancer. If shared.ingress_domain is set earlier, this must be set to ClusterIP.
    
    scanning:
      metadataStore:
        url: "" # Configuration is moved, so set this string to empty.
    
    grype:
      namespace: "MY-DEV-NAMESPACE" # Verify this namespace is available within your cluster before initiating the Tanzu Application Platform installation.
      targetImagePullSecret: "TARGET-REGISTRY-CREDENTIALS-SECRET"
      # In a single cluster, the connection between the scanning pod and the metadata store happens inside the cluster and does not pass through ingress. This is automatically configured, you do not need to provide an ingress connection to the store.
    
    policy:
      tuf_enabled: false # By default, TUF initialization and keyless verification are deactivated.
    tap_telemetry:
      customer_entitlement_account_number: "CUSTOMER-ENTITLEMENT-ACCOUNT-NUMBER" # (Optional) Identify data for creating the Tanzu Application Platform usage reports.
EOF

export SOPS_AGE_RECIPIENTS=$(cat key.txt | grep "# public key: " | sed 's/# public key: //')
sops --encrypt tap-sensitive-values.yaml > tap-sensitive-values.sops.yaml

mv tap-sensitive-values.sops.yaml $HOME/tap-gitops/clusters/full-tap-cluster/cluster-config/values/
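The file that ends up in cluster-config/values/ must be the encrypted .sops.yaml, never the plaintext copy left in $HOME/tmp-enc. The following added example (not part of the Tanzu GitOps RI or of the original page) is a CI or pre-commit guard that scans a .sops.yaml and reports any scalar that is not an ENC[...] value, plus any age recipient that differs from the key the cluster is expected to hold. It assumes the file keeps the layout sops emits (a top-level sops: block after the data) and uses line-based regexes instead of a YAML parser so it runs without extra dependencies.

```python
import re

# A sops-encrypted scalar; sops leaves only keys, structure and *_unencrypted values readable.
ENC_RE = re.compile(r"^ENC\[AES256_GCM,data:[^,\]]+,iv:[^,\]]+,tag:[^,\]]+,type:\w+\]$")
SCALAR_RE = re.compile(r"^\s*(?:- )?([\w.-]+):\s*([^#\s].*?)\s*$")
RECIPIENT_RE = re.compile(r"^\s*- recipient:\s*(age1[0-9a-z]+)\s*$")


def check_sops_yaml(text, expected_recipients):
    """Return findings for a *.sops.yaml; an empty list means it is safe to commit."""
    findings, lines = [], text.splitlines()
    split = lines.index("sops:") if "sops:" in lines else len(lines)  # data above, metadata below
    if split == len(lines):
        findings.append("no top-level 'sops:' block: file is not sops-encrypted")
    for lineno, line in enumerate(lines[:split], start=1):
        m = SCALAR_RE.match(line)
        if not m:  # blank, comment, mapping/sequence header or block-scalar body line
            continue
        key, value = m.groups()
        if key.endswith("_unencrypted") or value in ('""', "''", "[]", "{}"):
            continue
        if not ENC_RE.match(value):
            findings.append(f"line {lineno}: plaintext value for '{key}'")
    found = {m.group(1) for m in map(RECIPIENT_RE.match, lines[split:]) if m}
    if found != set(expected_recipients):
        findings.append(f"age recipients {sorted(found)} != expected {sorted(expected_recipients)}")
    return findings

# Constructed sample of what `sops --encrypt` emits (ciphertext abbreviated; the
# recipient is the age public key shown on this page).
ENCRYPTED = """\
tap_install:
  sensitive_values:
    shared:
      ingress_domain: ENC[AES256_GCM,data:Qm9vYmFy,iv:aXYxMjM=,tag:dGFnMTIz,type:str]
    ceip_policy_disclosed: ENC[AES256_GCM,data:dHJ1ZQ==,iv:aXYzNDU=,tag:dGFnMzQ1,type:bool]
sops:
  age:
    - recipient: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
"""
# Constructed sample: the same file before encryption (the page's placeholder values).
PLAINTEXT = """\
tap_install:
  sensitive_values:
    shared:
      ingress_domain: "INGRESS-DOMAIN"
      ca_cert_data: |
    ceip_policy_disclosed: true
"""
```

Run it over every file matching clusters/*/cluster-config/values/*.sops.yaml before `git push`; a non-empty result should fail the pipeline.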

Generate Tanzu Application Platform installation and Tanzu Sync configuration

export INSTALL_REGISTRY_HOSTNAME=MY-REGISTRY
export INSTALL_REGISTRY_USERNAME=MY-REGISTRY-USER
export INSTALL_REGISTRY_PASSWORD=MY-REGISTRY-PASSWORD
export GIT_SSH_PRIVATE_KEY=PRIVATE-KEY
export GIT_KNOWN_HOSTS=KNOWN-HOST-LIST
export SOPS_AGE_KEY=AGE-KEY
export TAP_PKGR_REPO=TAP-PACKAGE-OCI-REPOSITORY

cd $HOME/tap-gitops/clusters/full-tap-cluster

./tanzu-sync/scripts/configure.sh
git add cluster-config/ tanzu-sync/
git commit -m "Configure install of TAP 1.5.0"
git push

Deploy Tanzu Sync

cd $HOME/tap-gitops/clusters/full-tap-cluster

./tanzu-sync/scripts/deploy.sh

Result

Once it completes, you can see that everything gets installed automatically... but honestly, it is inconvenient... It feels like just installing it directly is easier... maybe that is because it is still in beta.
