How to create a workload in development namespace after you deployed VMware Tanzu Application Platform (TAP) by using the AWS QuickStart
Article ID: 297890

Products

VMware Tanzu Application Platform

Issue/Introduction

Prerequisites

  • You have deployed Tanzu Application Platform (TAP) by using the AWS QuickStart guide.
  • You have confirmed that the app "tanzu-java-web-app-workload" is running normally in the "tap-workload" namespace, which the AWS QuickStart guide creates automatically:
    • $ tanzu apps workload list -n tap-workload
    • $ tanzu apps workload get tanzu-java-web-app-workload -n tap-workload
  • You would like to create another "tanzu-java-web-app-workload" in a new development namespace for test purposes.


Environment

Product Version: 1.3

Resolution

What you need to do

  • In Amazon Elastic Container Registry (ECR), manually create two repositories that follow the naming rule below. ECR does not create a repository on first push, so the build fails if either repository is missing.
    • <cloudformation id>/tap-supply-chain/<workload name>-<namespace name>
    • <cloudformation id>/tap-supply-chain/<workload name>-<namespace name>-bundle
      • For instance, if you want to create a workload "tanzu-java-web-app-workload-molly" in the namespace "mollyspace", create the following two repositories before creating the workload:
        • 52f...30b/tap-supply-chain/tanzu-java-web-app-workload-molly-mollyspace
        • 52f...30b/tap-supply-chain/tanzu-java-web-app-workload-molly-mollyspace-bundle
  • The AWS QuickStart guide automatically creates a default AWS Identity and Access Management (IAM) role named "TAPWorkloadIamRole-<cloudformation id>", which the workload's service account assumes through IAM Roles for Service Accounts (IRSA) to reach AWS resources such as the ECR repositories above. Currently, however, the trust relationship (assume-role policy) on TAPWorkloadIamRole is hard-coded to the service account of the tap-workload namespace, so a pod in any other namespace is refused when it tries to assume the role. You need to manually add the service account (SA) of the dev namespace to the trusted entities: turn the value of the "...:sub" condition key into a list and append one line for the new SA. Keep the "...:aud" condition as it is, and list only namespaces that should be allowed to use this role, because every SA listed here can assume it with all of its permissions. If you are using a namespace called "mollyspace", the settings should look like below:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": "arn:aws:iam::30..26:oidc-provider/oidc.###.##-####-#.amazonaws.com/id/F7..EC"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        "oidc.###.##-####-#.amazonaws.com/id/F7..EC:sub": [
                            "system:serviceaccount:tap-workload:default",
                            "system:serviceaccount:mollyspace:default"
                        ],
                        "oidc.###.##-####-#.amazonaws.com/id/F7..EC:aud": "sts.amazonaws.com"
                    }
                }
            }
        ]
    }
  • Finally, connect to the Linux bastion host and run the commands below to create a workload in the dev namespace. The dev namespace must already exist before its default service account can be annotated; the annotate step is what binds that service account to the IAM role.
    $ export DEV_NAMESPACE_ARN=$(yq -r .repositories.workload.arn /home/ubuntu/tap-setup-scripts/src/inputs/user-input-values.yaml)
    $ export DEVELOPER_NAMESPACE=mollyspace
    $ kubectl -n $DEVELOPER_NAMESPACE annotate serviceaccount default eks.amazonaws.com/role-arn=$DEV_NAMESPACE_ARN --overwrite
    
    $ export RESOURCES=/home/ubuntu/tap-setup-scripts/src/resources/
    $ kubectl -n $DEVELOPER_NAMESPACE apply -f $RESOURCES/developer-namespace.yaml
    $ kubectl -n $DEVELOPER_NAMESPACE apply -f $RESOURCES/pipeline.yaml
    $ kubectl -n $DEVELOPER_NAMESPACE apply -f $RESOURCES/scan-policy.yaml
    
    # Don't forget to change the workload name in the file; it must match the <workload name> used for the ECR repositories
    $ tanzu apps workload apply -f $RESOURCES/workload-aws.yaml -n $DEVELOPER_NAMESPACE --yes
  • After the workload creation is initiated, you can monitor its status with watch tanzu apps workload get WORKLOAD_NAME -n $DEVELOPER_NAMESPACE. Without -n the command looks in the current kubeconfig namespace, not in the dev namespace.
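The two manual steps above (the ECR naming rule and the trust-policy edit) are easy to get subtly wrong, so here is an added example, not part of this article or of the QuickStart scripts, that derives the repository names and rewrites the IRSA trust policy in a controlled way: it keeps the ":aud" check, turns a single ":sub" string into a list, is idempotent, and refuses anything that is not one fully qualified service account. The function and variable names, the "cfnid-example" CloudFormation id and the sample OIDC issuer are hypothetical; apply_trust_policy() is the only part that touches AWS (through boto3, which is assumed to be installed and configured) and defaults to a dry run.

```python
"""Helpers for onboarding a new TAP developer namespace on the AWS QuickStart.

Added example, not code from the VMware KB article or the QuickStart.
"""
import copy
import json

ECR_PREFIX = "tap-supply-chain"  # fixed path segment from the article's naming rule


def ecr_repository_names(cfn_id, workload, namespace):
    """Return the two ECR repositories the supply chain expects for a workload."""
    base = f"{cfn_id}/{ECR_PREFIX}/{workload}-{namespace}"
    return [base, f"{base}-bundle"]


def service_account_subject(namespace, service_account="default"):
    """OIDC 'sub' claim EKS issues for a Kubernetes service account (used by IRSA)."""
    return f"system:serviceaccount:{namespace}:{service_account}"


def add_trusted_service_account(policy, subject):
    """Return a copy of an IRSA trust policy with `subject` added to the
    StringEquals '<issuer>:sub' condition of each AssumeRoleWithWebIdentity
    statement. Idempotent; the ':aud' condition must be present and unchanged."""
    parts = subject.split(":")
    if len(parts) != 4 or parts[:2] != ["system", "serviceaccount"] or "" in parts or "*" in subject:
        raise ValueError("subject must name exactly one service account: system:serviceaccount:<ns>:<sa>")
    new = copy.deepcopy(policy)  # never mutate the caller's copy
    touched = 0
    for stmt in new.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = stmt.setdefault("Condition", {}).setdefault("StringEquals", {})
        sub_keys = [k for k in cond if k.endswith(":sub")]
        if not sub_keys:
            raise ValueError("statement has no ':sub' condition; adding one blindly would widen trust")
        for key in sub_keys:
            issuer = key[: -len(":sub")]
            if cond.get(f"{issuer}:aud") != "sts.amazonaws.com":
                raise ValueError(f"missing or wrong ':aud' condition for {issuer}")
            subs = cond[key]
            subs = [subs] if isinstance(subs, str) else list(subs)  # scalar -> list
            if subject not in subs:
                subs.append(subject)
            cond[key] = subs
            touched += 1
    if touched == 0:
        raise ValueError("no AssumeRoleWithWebIdentity statement found")
    return new


def apply_trust_policy(role_name, policy, dry_run=True):
    """Serialize the policy; push it with boto3 only when dry_run is False."""
    document = json.dumps(policy)
    if dry_run:
        return document
    import boto3  # imported here so the offline helpers above do not need it
    boto3.client("iam").update_assume_role_policy(RoleName=role_name, PolicyDocument=document)
    return document


# Constructed sample with the shape of the QuickStart trust policy (issuer and account are fake).
SAMPLE_ISSUER = "oidc.eks.example.amazonaws.com/id/EXAMPLE"
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{SAMPLE_ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{SAMPLE_ISSUER}:sub": "system:serviceaccount:tap-workload:default",
            f"{SAMPLE_ISSUER}:aud": "sts.amazonaws.com",
        }},
    }],
}

if __name__ == "__main__":
    print(ecr_repository_names("cfnid-example", "tanzu-java-web-app-workload-molly", "mollyspace"))
    updated = add_trusted_service_account(SAMPLE_TRUST_POLICY, service_account_subject("mollyspace"))
    print(apply_trust_policy("TAPWorkloadIamRole-cfnid-example", updated))  # dry run: prints the JSON
```

In practice you would feed the output of "aws iam get-role" into add_trusted_service_account() rather than the constructed sample; the validation is there because a trust policy that loses its ":aud" check or gains a wildcard subject grants the role to far more than the one extra namespace this article intends.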