DevSecOps in Practice with VMware Tanzu E-Book

DevSecOps in Practice with VMware Tanzu

Build, run, and manage secure multi-cloud apps at scale on Kubernetes with the Tanzu portfolio

Parth Pandit

Robert Hardt

BIRMINGHAM—MUMBAI

DevSecOps in Practice with VMware Tanzu

Copyright © 2022 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Rahul Nair

Publishing Product Manager: Surbhi Suman

Content Development Editor: Nihar Kapadia

Technical Editor: Shruthi Shetty

Copy Editor: Safis Editing

Book Project Manager: Neil D’mello

Proofreader: Safis Editing

Indexer: Pratik Shirodkar

Production Designer: Alishon Mendonca

Senior Marketing Coordinator: Nimisha Dua

First published: January 2023

Production reference: 1231222

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

ISBN 978-1-80324-134-0

www.packt.com

To my mother, Nayna Pandit, for instilling a strong foundation of knowledge in me in the early years of my life that helped me become who I am today. To my father, Gautam Pandit, for showing me how to be a constant learner and follow my passions. And finally, to Tejal, my wife, for her constant support in making sure I get the required time to follow these passions.

– Parth Pandit

To Mom and Dad, for instilling a love of learning and their unconditional love and support. To my beautiful wife, Lorelle, and our amazing daughter, Cassandra – thanks for giving me all those nights and weekends to make this book happen.

– Rob Hardt

Contributors

About the authors

Parth Pandit is a specialist in the area of modern application development using containers on Cloud Foundry and Kubernetes. He has over 20 years of experience in IT as a software developer and solutions architect. He has helped large global enterprises to develop, migrate, and run applications on public and private cloud platforms, and define their container platform strategies using Pivotal and VMware Tanzu products. He has been a speaker at several technology conferences. He writes technical blogs about the cloud and container technology space. Parth is a certified AWS Solutions Architect, CNCF Kubernetes Application Developer and Administrator, and Confluent-certified Kafka developer, and holds B.Sc. and M.Sc. degrees in computer science and applications.

I would like to thank my wife for her constant support during the long process of writing this book. I also want to thank my former manager at VMware, David Kramer, who encouraged me to write this book.

Robert Hardt is an enterprise software and DevSecOps professional. He has spent 16 years writing and architecting business-critical operations and supply chain software for the retail sector and then put that experience to use helping some of the world’s largest companies transform how they build and deliver software with Cloud Foundry, Kubernetes, and Tanzu software. He is a CNCF-certified Kubernetes Administrator and Certified Kubernetes Application Developer, as well as a popular speaker and writer on modern software and DevOps. Robert has a degree in music from the University of Rochester.

I would like first and foremost to thank my loving and patient wife for her continuing and endless forbearance as this book took shape. I’d also be remiss if I didn’t express my profound gratitude to Parth Pandit for including me in so many great adventures that I never would have taken on without his encouragement.

About the reviewers

Benoit Moussaud, Senior Solution Engineer at VMware Tanzu, has more than 25 years of enterprise IT experience, from the development to the global architecture of complex enterprise applications, and his focus is always on automation – first, on the dev side by being involved in the Apache Ant open source project, then continuous integration (as part of CI/CD), and then the DevOps space with application deployment and release orchestration, not only to manage traditional monolithic apps but also modern cloud- and container-native apps. As a speaker at many European conferences (France, Switzerland, Spain, Belgium, and Italy), he likes to share his point of view and get feedback. The tools are not an end in themselves: the human process is also essential: agility, continuous delivery, and DevOps are the methods and practices required.

I’d like to thank not only my family and friends who understand the time and commitment they take but also the open source community that improves the sharing of knowledge at scale.

Geetika Batra is a senior software engineer at VMware. She is part of Tanzu Kubernetes Grid and works on the Cluster API Provider vSphere, a provider orchestrator for the Cluster API, and is a speaker at international conferences (such as OpenStack). Geetika is a certified Kubernetes Administrator and an Outreachy alum. She has been involved in open source for a long time and has been a Linux Foundation program (LFX) mentor. She believes in advocating for open source and helping people kickstart their careers in open source and the IT industry.

First and foremost, I want to thank my husband, Geetansh Arora, for his continuous support while reviewing this book; he has constantly encouraged me throughout the journey. Second, I thank the authors for their effort in writing this book. Reviewing the book was very engaging. I also want to thank the open source communities that have taught me much. Lastly, I would like to thank my parents for all the hard work they do.

Table of Contents

Preface

Part 1 – Building Cloud-Native Applications on the Tanzu Platform

1

Understanding the Need to Move to a Cloud Platform

The challenges of running a software supply chain

The emergence of the cloud and containers

Containers

Kubernetes

Outcome-driven approach

The need for VMware Tanzu

Features, tools, benefits, and applications of VMware Tanzu

Build and develop

Run

Manage

Prerequisites

The Linux console and tools

Docker

Kubernetes

Workstation requirements and public cloud resources

Summary

2

Developing Cloud-Native Applications

The business needs addressed by App Accelerator

Technical requirements

Overview of App Accelerator

Getting started with App Accelerator

Exploring App Accelerator

Downloading, configuring, and running App Accelerator

Advanced topics on App Accelerator

Day-2 operations with App Accelerator

Cloud-native development frameworks under the Tanzu umbrella

The Spring Framework and Spring Boot

Steeltoe framework

Summary

3

Building Secure Container Images with Build Service

Technical requirements

Why Tanzu Build Service?

Increasing developer productivity

Reduction of bespoke automation

Standardization of container build process

Stronger security posture

Optimized network bandwidth and storage utilization

Unboxing Tanzu Build Service

Cloud-native buildpacks

kpack

VMware-provided components and features

Getting started with Tanzu Build Service

Prerequisites

Installation procedure

Verifying the installation

Common day-2 activities for Tanzu Build Service

Building application container images

Upgrading buildpacks and stacks

Managing images and builds

Configuring role-based access controls

Upgrading TBS to a newer version

Uninstalling TBS

Customizing buildpacks

Summary

4

Provisioning Backing Services for Applications

Technical requirements

Why VMware Application Catalog?

Using the right tool for the right purpose with the flexibility of choice

Enhanced security and transparency

What VMware Application Catalog is

The history of VMware Application Catalog

Components of VMware Application Catalog

The VAC management and consumption process

Getting started with VMware Application Catalog

Prerequisites

Creating a catalog on the VAC portal

Consuming VAC using Kubeapps

Common day-two activities with VAC

Inspecting catalog deliverables

Using the application catalog

Updating the application catalog

Summary

5

Defining and Managing Business APIs

Spring Cloud Gateway for Kubernetes and API Portal for VMware Tanzu – overview

Why Spring Cloud Gateway for Kubernetes?

Why API Portal for VMware Tanzu?

Technical requirements

Spring Cloud Gateway for Kubernetes – getting started

API Portal for VMware Tanzu – getting started

Spring Cloud Gateway for Kubernetes and API Portal for VMware Tanzu – real-world use case

Step 1 – cloning this book’s Git repository and navigating to the Animal Rescue application

Step 2 – configuring your Okta developer account to provide SSO for Animal Rescue

Step 3 – deploying the Animal Rescue application

Step 4 – (optional) viewing the Animal Rescue API’s OpenAPI 3.0 specification

Step 5 – (optional) connecting API Portal for VMware Tanzu with the Spring Cloud Gateway for Kubernetes OpenAPI endpoint

Common day-2 operations with Tanzu Application Accelerator

Updating an API’s route definition

Updating the API Portal package

Summary

Part 2 – Running Cloud-Native Applications on Tanzu

6

Managing Container Images with Harbor

Why Harbor?

Using Harbor for security

Using Harbor for operational control

Using Harbor for its extensibility

Unboxing Harbor

Architecture overview

Getting started with Harbor

Prerequisites

Installing Harbor

Validating the setup

Common day-2 operations with Harbor

Configuring a project in Harbor

Configuring image scanning for a project in Harbor

Preventing insecure images from being used in Harbor

Replicating images in Harbor

Configuring rule-based tag retention policies in Harbor

Summary

7

Orchestrating Containers across Clouds with Tanzu Kubernetes Grid

Why Tanzu Kubernetes Grid?

Multi-cloud application deployments

Open source alignment

Unboxing Tanzu Kubernetes Grid

Building blocks of Tanzu Kubernetes Grid

Important concepts of Tanzu Kubernetes Grid

Getting started with Tanzu Kubernetes Grid

Prerequisites

Configuring the bootstrap machine

Installing the management cluster

Creating a workload cluster

Common day-2 operations with Tanzu Kubernetes Grid

Scaling a Tanzu Kubernetes Grid cluster

Upgrading a Tanzu Kubernetes Grid cluster

Deleting a Tanzu Kubernetes Grid workload cluster

Deleting a Tanzu Kubernetes Grid foundation

Summary

8

Enhancing Developer Productivity with Tanzu Application Platform

Why should I use Tanzu Application Platform?

The building blocks of Tanzu Application Platform

Day 1 – installing and configuring Tanzu Application Platform

Prerequisites and technical requirements

Accepting end user license agreements

Relocating Tanzu Application Platform packages

Installing the Tanzu CLI and Tanzu Application Platform plugins

Installing Cluster Essentials

Setting up a developer namespace

Installing a package repository

Pulling down and formatting tap-values.yaml

Creating DNS records

Installing the VS Code developer tools

Day 2 – deploying applications to Tanzu Application Platform

Deploying workloads directly

Day 3 – common operational activities on Tanzu Application Platform

Securing running workloads with TAP GUI with TLS

Enabling testing and scanning

Next steps

Summary

Part 3 – Managing Modern Applications on the Tanzu Platform

9

Managing and Controlling Kubernetes Clusters with Tanzu Mission Control

Why TMC?

Challenges with Kubernetes

Getting started with TMC

Accessing the TMC portal

Registering a TKG management cluster on TMC

Registering a TKG management cluster on TMC

Creating a new workload cluster under a management cluster

Attaching an existing Kubernetes cluster with TMC

Creating a cluster group on TMC

Understanding Workspaces in TMC

Protecting cluster data using TMC

Applying governance policies to clusters using TMC

Configuring a security policy for a cluster group

Configuring an image registry policy for a Workspace

Configuring a deployment governance policy for a cluster group

Checking policy violation statuses across all clusters

Inspecting clusters for CIS benchmark compliance

Summary

10

Realizing Full-Stack Visibility with VMware Aria Operations for Applications

Why Aria?

Integrating (almost) anything

Getting full-stack visibility

Ingesting high-volume data in real time

Retaining full-fidelity data for a long time

Writing powerful data extraction queries

Getting SaaS benefits

Unboxing Aria

Supported data formats in Aria

Data integration architecture of Aria

Getting started with Aria

Setting up a trial account

Integrating a Kubernetes cluster for monitoring

Accessing the default Kubernetes dashboards

Accessing default Kubernetes alerts

Working with charts and dashboards

Creating new custom charts

Creating new custom dashboards

Customizing a default dashboard

Working with alerts

Creating alert targets

Defining a maintenance window

Creating new alerts

Inspecting firing alerts

Summary

11

Enabling Secure Inter-Service Communication with Tanzu Service Mesh

Why Tanzu Service Mesh?

Features and capabilities of Tanzu Service Mesh

How to get started with Tanzu Service Mesh

Onboarding Kubernetes clusters

Creating a Tanzu Service Mesh Global Namespace

Installing services

Accessing the application

Generating application traffic

How to perform key day-2 operations on Tanzu Service Mesh

Enabling service high availability

Defining and measuring SLOs

Other day-2 operations for further research

GSLB with NSX-T Advanced Load Balancer and Tanzu Service Mesh

NSX Advanced Load Balancer

Detour – GSLB without Tanzu Service Mesh

GSLB with NSX-ALB and Tanzu Service Mesh

Summary

12

Bringing It All Together

Tanzu adoption options

Tanzu Standard

Tanzu Application Platform (TAP)

VMware Tanzu for Kubernetes Operations

Tanzu Data Solutions

VMware Spring Runtime

Tanzu beyond this book

Tanzu Labs

Tanzu Application Service

Azure Spring Apps

Concourse

The end-to-end picture

Pros and cons of a single-vendor solution

Pros

Cons

The future of Kubernetes

What is next for Tanzu?

Summary

Appendix

Additional learning resources from VMware

Different ways to create a Kubernetes cluster

Creating Tanzu Kubernetes Grid clusters

Creating non-Tanzu Kubernetes clusters

Index

Other Books You May Enjoy

Preface

Running business applications in the form of microservices that are packaged in containers is the norm today. As per a survey done by Cloud Native Computing Foundation in 2021 (https://www.cncf.io/reports/cncf-annual-survey-2021/), around 80% of applications are deployed on Kubernetes. However, building containerized applications and production-grade Kubernetes platforms are some hard nuts to crack. Moreover, enterprises consider a multi-cloud deployment strategy that adds more operational complexities for different reasons. In this book, we will learn how different tools in the VMware Tanzu portfolio come together to solve the challenges of building, running, and managing modern applications on multi-cloud Kubernetes platforms.

We have divided this book into three logical parts in line with the application development life cycle. In the first part, we will review different tools that help build secure applications. In this part, we will also see how to containerize these applications and manage the APIs exposed by them. In the second part, we will dive deeper into the tools that help run these apps at scale. We will cover tools that will help manage container images and deploy Kubernetes platforms in multi-cloud setups. This section also covers deploying secure paths to production with supply chain choreography. In the last part of the book, we will see how to manage large Kubernetes deployments. This section covers a single pane of glass for monitoring, securing, and governing multi-cloud deployments.

Each chapter in this book covers one aspect of the modern application life cycle and the respective Tanzu tool(s) related to that aspect. These chapters describe the business case and its applicable challenges first – the why behind the tool(s). Then, they provide the required details for the applicable tool(s) at a high level – the what behind the tool(s). Finally, they cover the details on how to get started with them – the how behind the tool(s).

By the end of this book, you will have an in-depth understanding of the Tanzu platform and its capabilities to put DevSecOps into practice for your modern containerized apps.

Who this book is for

This book is for anyone who wants to know what VMware Tanzu is. The reader will learn about different security, operational, and developer productivity challenges that are addressed by this platform. The purpose of this book is to acquire a good level of understanding about this technology from a learning point of view. It is also aimed to help the reader to perform primary day-1 and day-2 operations on different tools for a hands-on experience. If you are a cloud or application architect, this book will help you understand the various capabilities these tools offer to decide how to or whether to include them in your solutions. If you are either a developer or a development lead, you will learn about different ways to improve developer productivity. If you are a security officer, you will find better ways to secure your cloud-native applications and Kubernetes platforms. Lastly, if you are a DevOps engineer or a cloud platform operator, you will learn how to work with these products for various operations around them.

This book can be read and understood by anyone with a couple of years of experience in the area of building and running modern applications. However, some experience with Kubernetes will help to relate the concepts and challenges better. Additionally, the reader should have some experience working with command-line interfaces (CLIs) to follow all the hands-on instructions.

What this book covers

Chapter 1, Understanding the Need to Move to a Cloud Platform, sets the context and provides a subject background all about modern applications for the reader.

Chapter 2, Developing Cloud-Native Applications, explains how to develop secure cloud-native applications using predefined application templates containing the required framework and the boilerplate code.

Chapter 3, Building Secure Container Images with Build Service, guides the reader on how to build secure container images in a fully automated manner from the application code or artifacts.

Chapter 4, Provisioning Backing Services for Applications, details how to build a catalog of popular open source tools so that their secure container images can be used as application backend services.

Chapter 5, Defining and Managing Business APIs, is all about how to build and manage secure application APIs.

Chapter 6, Managing Container Images with Harbor, provides instructions on how to store and manage container images with a private container image registry.

Chapter 7, Orchestrating Containers across Clouds with Tanzu Kubernetes Grid, unpacks the details of a multi-cloud Kubernetes platform.

Chapter 8, Enhancing Developer Productivity with Tanzu Application Platform, breaks down how to set up a secure supply chain of applications to build a rapid path to production.

Chapter 9, Managing and Controlling Kubernetes Clusters with Tanzu Mission Control, teaches the reader how to centrally manage a fleet of different flavors of Kubernetes clusters deployed in a multi-cloud environment.

Chapter 10, Realizing Full-Stack Visibility with VMware Aria Operations for Applications, demonstrates how to monitor multi-cloud deployed applications, their Kubernetes platforms, and the underlying infrastructure.

Chapter 11, Enabling Secure Inter-Service Communication with Tanzu Service Mesh, explores how to establish secure communication for microservices deployed on Kubernetes in a multi-cloud/multi-cluster setup.

Chapter 12, Bringing It All Together, summarizes the end-to-end picture of the technology landscape, along with some future predictions for the technologies involved.

To get the most out of this book

The barrier to entry for this book is very low. Anybody with some experience in application development and/or infrastructure operations could use this book to learn about what the Tanzu platform has to offer. However, the reader would get the most out of the book by having some familiarity with Kubernetes and containerized applications. To follow the hands-on instructions given in the book, the reader should also be familiar with CLI commands.

Software/hardware covered in the book

Operating system requirements

Tanzu Application Accelerator

Windows, macOS, or Linux

Tanzu Build Service

VMware Application Catalog

API portal for VMware Tanzu

Spring Cloud Gateway

Harbor

Tanzu Kubernetes Grid

Tanzu Application Platform

Tanzu Mission Control

VMware Aria Operations for Applications

Tanzu Service Mesh

The step-by-step instructions given in the book are performed on macOS systems. However, most instructions will work on either Linux or Windows machines without modifications.

If you are using the digital version of this book, we advise you to type the code yourself or access the code from the book’s GitHub repository (a link is available in the next section). Doing so will help you avoid any potential errors related to the copying and pasting of code.

There are places in the book where we have used some sample applications and Kubernetes configurations. Readers may download them using the GitHub repository provided in the following section.

Download the example code files

You can download the example code files for this book from GitHub at https://github.com/PacktPublishing/DevSecOps-in-Practice-with-VMware-Tanzu. If there’s an update to the code, it will be updated in the GitHub repository.

We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

Download the color images

We also provide a PDF file that has color images of the screenshots and diagrams used in this book. You can download it here: https://packt.link/xL5cm.

Conventions used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: “From there, you can follow the instructions in README.md to run the app locally and deploy it to Kubernetes.”

A block of code is set as follows:

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

Any command-line input or output is written as follows:

Bold: Indicates a new term, an important word, or words that you see onscreen. For instance, words in menus or dialog boxes appear in bold. Here is an example: “From the TAP GUI’s Create page, let’s click the Choose button underneath the Hello Fun Accelerator.”

Tips or important notes

Appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Share Your Thoughts

Once you’ve read DevSecOps in Practice with VMware Tanzu, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.

Download a free PDF copy of this book

Thanks for purchasing this book!

Do you like to read on the go but are unable to carry your print books everywhere?

Is your eBook purchase not compatible with the device of your choice?

Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.

Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.

The perks don’t stop there, you can get exclusive access to discounts, newsletters, and great free content in your inbox daily

Follow these simple steps to get the benefits:

https://packt.link/free-ebook/9781803241340

Part 1 – Building Cloud-Native Applications on the Tanzu Platform

This part includes the details of different Tanzu tools that can be useful to enhance developer productivity and the security of the software supply chain for cloud-native application development.

This part of the book comprises the following chapters:

1

Understanding the Need to Move to a Cloud Platform

Welcome! If you have any connection to delivering software at scale in the enterprise, we hope this book will be beneficial to you. In this first chapter, we’ll establish the context in which a product such as VMware Tanzu could emerge. We’ll do this with a walk-through of the evolution of enterprise software over the last 20 years covering the major milestones, inflection points, and problems that surfaced along the way.

Then, once we have established the necessary context, we can give a 10,000-foot overview of Tanzu covering the tools, benefits, and features. And finally, we’ll set you up for success by covering some of the technical prerequisites you should have in place if you want to engage with any of the hands-on content in this book.

In this chapter, we will cover the following:

The challenges of running a software supply chain

VMware Tanzu is a modular software application platform that runs natively on multiple clouds and is geared toward important business outcomes such as developer productivity, operator efficiency, and security by default. If you are looking for a hands-on detailed treatment of VMware Tanzu, you won’t be disappointed.

However, before diving into the platform’s components, it may help to understand some history and background. If you’re reading this, there’s a good chance you participate in the coding, designing, architecting, operating, monitoring, or managing of software. However, you may not have considered that you are participating in a supply chain.

According to Adam Hayes in his Investopedia article, The Supply Chain: From Raw Materials to Order Fulfillment, a supply chain “refers to the network of organizations, people, activities, information and resources involved in delivering a product or service to a consumer.”

When a piece of software makes the journey from a developer’s workstation to an end user, that’s as much of a supply chain as when Red Bull and ramen noodles make the trek from raw ingredients to a production facility to a warehouse to the neighborhood grocery store.

Every supply chain has its own set of challenges, and software supply chains are no exception. Most software written today consists of libraries and frameworks containing millions of lines of open source software developed by people who are essentially anonymous and whose motivations are not entirely clear.

Much of that software changes hands many times as it moves from an open source repository to the developer, to source control, to building and packaging, to testing, to staging, and finally, to running in production. Furthermore, the infrastructure on which that software runs is often open source as well, with a worldwide community of hackers working to identify vulnerabilities in the operating systems, network protocol implementations, and utilities that make up the dial tone that your software runs on. This ecosystem presents an enormous surface area for bad things to happen.

For further reading on real-world examples of what can go wrong with software supply chains, I’d recommend a quick search of the web for the 2020 SolarWinds incident or the 2021 emergence of Log4Shell (CVE-2021-44228). The authors of this book, in their capacity as Tanzu solution engineers, have seen first-hand the impact software supply chain issues can have across the financial, government, telecom, retail, and entertainment sectors.

The emergence of the cloud and containers

Happily, the tech industry has begun to coalesce around some key technologies that have come a long way in addressing some of these concerns. The first is what is known colloquially as The Cloud. Enterprises with a big technology footprint began to realize that managing data centers and infrastructure was not the main focus of their business and could be done more efficiently by third parties for which those tasks were a core competency.

Rather than staff their own data centers and manage their own hardware, they could rent expertly managed and maintained technology infrastructure, and they could scale their capacity up and back down based on real-time business needs. This was a game-changer on many levels. One positive outcome of this shift was a universal raising of the bar with regard to vulnerable and out-of-date software on the internet. As vulnerabilities emerged, the cloud providers could make the right thing to do the easiest thing to do. Managed databases that handle their own operating system updates and object storage that is publicly inaccessible by default are two examples that come immediately to mind. Another outcome was a dramatic increase in deployment velocity as infrastructure management was taken off developers’ plates.

As The Cloud became ubiquitous in the world of enterprise software and infrastructure capacity became a commodity, this allowed some issues that were previously obscured by infrastructure concerns to take center stage. Developers could have something running perfectly in their development environment only to have it fall over in production. This problem became so common that it earned its own subgenre of programmer humor called It Works on My Machine.

Another of these issues was unused capacity. It had become so easy to stand up new server infrastructure, that app teams were standing up large (and expensive) fleets only to have them running nearly idle most of the time.

Containers

That brings us to the subject of containers. Many application teams would argue that they needed their own fleet of servers because they had a unique set of dependencies that needed to be installed on those servers, which conflicted with the libraries and utilities required by other apps that may want to share those servers. It was the happy confluence of two technical streams that solved this problem, allowing applications with vastly different sets of dependencies to run side by side on the same server without them even being aware of one another.

Container runtimes

The first stream was the concept of cgroups and kernel namespaces. These were abstractions that were built into the Linux kernel that gave a process some guarantee as to how much memory and processor capacity it would have available to it, as well as the illusion of its own process space, its own networking stack, and its own root filesystem, among other things.

Container packaging and distribution

The second was an API by which you could package up an entire Linux root filesystem, complete with its own unique dependencies, store it efficiently, unpack it on an arbitrary server, and run it in isolation from other processes that were running with their own root filesystems.

When combined, developers found that they could stand up a fleet of servers and run many heterogeneous applications safely on that single fleet, thereby using their cloud infrastructure much more efficiently.

Then, just as the move to the cloud exposed a new set of problems that would lead to the evolution of a container ecosystem, those containers created a new set of problems, which we’ll cover in the next section about Kubernetes.

Kubernetes

When containers caught on, they took off in a big way, but they were not the be-all-and-end-all solution developers had hoped for. A container runtime on a server often required big trade-offs between flexibility and security. Because the container runtime needed to work closely with the Linux kernel, users often required elevated permissions just to run their containers. Furthermore, there were multiple ways to run containers on a server, some of which were tightly coupled to specific cloud providers. Finally, while container runtimes let developers start up their applications, they varied widely in their support for things like persistent storage and networking, which often required manual configuration and customization.

These were the problems that Joe Beda, Craig McLuckie, and Brendan Burns at Google were trying to solve when they built Kubernetes. Rather than just a means of running containerized applications on a server, Kubernetes evolved into what Google Distinguished Developer Advocate Kelsey Hightower called ”a platform for building platforms.” Kubernetes offered many benefits over running containers directly on a server:

Many of us thought that perhaps Kubernetes was the technological advance that would finally solve all of our problems, but just as with each previous technology iteration, the solution to a particular set of problems simply exposes a new generation of problems.

As companies with large teams of developers began to onboard onto Kubernetes, these problems became increasingly pronounced. Here are some examples:

Alas, Kubernetes was not the panacea we had hoped it would be; rather, it was just another iteration of technology that moves the industry forward by solving one set of problems but inevitably surfacing a new set of problems. This is where the Tanzu team at VMware comes into the picture.

Outcome-driven approach

The Tanzu team at VMware came into existence just as Kubernetes was hitting its stride in the enterprise. VMware was poised for leadership in the space with the acquisition of Heptio, which brought deep Kubernetes knowledge and two of the original creators. It also acquired a well-honed philosophy of software delivery through the acquisition of Pivotal. The Tanzu team continues to deliver a thoughtful and nuanced Kubernetes-based application platform focused on meaningful business outcomes that were important to customers.

There is no doubt that many mature Tanzu customers were facing some of the problems with Kubernetes mentioned in the last section, but they were also focused on some key outcomes, such as the following:

These were the outcomes Tanzu set out to achieve for customers, and in the process, they would take on many of the issues people were running into with Kubernetes.

The Tanzu portfolio would take an outcome-driven approach to deliver an opinionated Kubernetes-based cloud-native application platform that was optimized for operator efficiency, developer productivity, seamless multi-cloud operation, and application security. That is the platform that we’ll cover in this book.

The need for VMware Tanzu

Companies with a large development footprint that were looking at or actively using Kubernetes faced two sources of resistance. First, they faced a myriad of problems running Kubernetes at scale across multiple teams. These are the problems listed at the end of the Kubernetes section of this chapter. Second, these teams were under pressure to use technology to deliver meaningful outcomes. This meant developers needed to be operating at their full potential with minimum friction, and operators needed to be able to scale across multiple teams with a unified set of tools. This is the outcome-driven approach described in the previous section. VMware Tanzu is a portfolio of tools geared specifically toward addressing both sets of needs for software teams.

This diagram highlights where VMware Tanzu fits both as the next iteration of software platforms on Kubernetes, as well as the integrated toolkit enabling world-class outcomes from software development, operations, and security engineers:

Figure 1.1 – VMware Tanzu in context

Now that we’ve established the context that prompted the creation of VMware Tanzu, we’re ready to describe the product itself.

Features, tools, benefits, and applications of VMware Tanzu

It is a combination of open source, proprietary, and Software as a Service (SaaS) offerings that work together to enable the outcomes that are important to software teams. These tools are tightly integrated and give developers a single toolset geared toward delivering important outcomes and running Kubernetes at scale. These tools and applications fall into three broad groups.

Build and develop

Tools that enable developers to efficiently and reliably develop and build software go in this group. This includes Application Accelerator for VMware Tanzu, VMware Tanzu Build Service, VMware Application Catalog, and API portal for VMware Tanzu.

Run

This group contains the tools and applications to efficiently deliver and run applications on an ongoing basis. It includes Harbor, Tanzu Kubernetes Grid, and Tanzu Application Platform.

Manage

The final group contains tools for the management of applications and the platform itself. It includes Tanzu Mission Control, VMware Aria operations for Applications, and Tanzu Service Mesh.

Prerequisites

Now that we’ve laid out the why and the what of VMware Tanzu, we’re ready to get our hands dirty solving some real-world problems. This book is geared toward software professionals, and there are some tools and concepts that this book assumes you know about. Don’t worry if you’re not strong across all of these areas as each chapter will walk you through step by step.

The Linux console and tools

You can follow along with most chapters in this book using a Windows machine, but experience dictates that things work much more smoothly if you use a Mac or a Linux workstation. There are numerous options available for Windows users, including virtual machines, dual-booting into Linux, or working from a cloud-based virtual machine. This book assumes you are comfortable with navigating a filesystem, finding and viewing files, and editing them with an editor such as Vim or nano.

Docker

This book is heavily geared toward containers. The primary way to interact with APIs that build and run containers is with the Docker CLI. You will need both a Docker daemon and the Docker CLI to work through some of the chapters in this book. It assumes that you are comfortable listing container images as well as running containers.

Kubernetes

Kubernetes is at the core of the Tanzu portfolio. This book assumes you can stand up a Kubernetes cluster locally or on a public cloud provider. It also assumes that you are comfortable with the kubectl CLI to interact with a Kubernetes cluster. Finally, you should be able to read YAML Kubernetes manifests.

Workstation requirements and public cloud resources

Some of the tools discussed in this book can be run locally on your workstation, while others are better suited to the public cloud. Others require only a web browser and a pre-existing Kubernetes cluster.

If you want to run Tanzu Kubernetes Grid locally, a minimum of 32 gigabytes of RAM is strongly recommended. You may find that other tools, such as Tanzu Application Platform or Harbor, run best on a Kubernetes cluster provided by a public cloud provider. I highly recommend using the providers’ built-in budgeting tools to make sure that you don’t rack up an unexpected bill.

Now that you know what you’ll need, I encourage you to find a topic of interest and dive in. All Packt books are organized with self-contained chapters so you can work through the book front-to-back or jump straight to the topics that interest you.

Summary

In this chapter, we gave a brief history of enterprise software and how its evolution set the stage for VMware Tanzu. Then, we gave a high-level overview of the Tanzu product itself. And finally, we covered some technical requirements to set you up for success in the hands-on exercises.

With all that in place, you’re free to jump to any chapter that piques your interest; they’re all self-contained and can be read on their own. Or, if you’re going in order, we’ll start at the beginning of the software development process. Application Accelerator for VMware Tanzu is a tool for bootstrapping a new application with all of the enterprise standards and approved libraries built in, giving you a more uniform portfolio of apps and preventing software teams from repeating past mistakes. Regardless of your approach to the book, we hope you enjoy the material, and we wish you great success putting it into practice.

2

Developing Cloud-Native Applications

A common problem across large enterprises is technology sprawl. When starting a new development endeavor, considerable day-0 cycles are wasted choosing the right technology and bad decisions can lead to ongoing operational headaches for many years.

This chapter will first focus on Application Accelerator for VMware Tanzu, or App Accelerator for short, a tool that addresses the day-0 problem of standing up a new project. It allows developers to pull down preconfigured application templates that already pass muster with enterprise architecture, have all the corporate security opinions and safeguards built in, include all the corporate standard libraries, use a corporate-standard format and layout, and allow for the configuration of common properties (Git repos, databases, API schemas, etc.)

Then, we’ll touch on a couple of development frameworks that currently make up a significant portion of software running in the enterprise: Spring Boot and .NET Core with Steeltoe.

In this chapter, we’re going to cover the following topics:

The business needs addressed by App Accelerator

Before we jump into the actual product installation, let’s take a moment to think about the life of an enterprise application developer. Let’s assume Cody is a developer in our organization.

Today, Cody has been tasked with kicking off a new service that is expected to generate significant revenue for the company. If we were to ask him to list a few of the things that could hamper his ability to deliver that service, we might get a list such as this:

As a software developer, maybe you relate to some of Cody’s concerns:

Figure 2.1 – Cody the developer

This is an enormous burden on Cody and even more so for a new developer onboarding onto a project. Much of this work must be repeated every time a new project gets created, it will inevitably result in configuration drift as different developers interpret standards differently, and it constitutes a considerable expenditure of time and effort before a single line of value-delivering code gets written.

Now, let’s shift our perspective to that of an enterprise architect. Let’s call her Alana. She’s tasked with optimizing the time to value for developers, setting the technical direction, and creating and enforcing a set of standards that balances consistency and security with developer productivity and satisfaction. She has a very similar list of hindrances that prevent her from maximizing her developers’ performance:

If you’re focused more on the Ops in DevOps, perhaps some of Alana’s concerns in this visualization resonate with you:

Figure 2.2 – Alana, our enterprise architect

Now that we know why we’re here, let’s dig into the details of App Accelerator and start addressing Cody’s and Alana’s pain points.

Technical requirements

App Accelerator is a subcomponent of Tanzu Application Platform (TAP), which is covered in Chapter 8, Enhancing Developer Productivity with Tanzu Application Platform. To get started with App Accelerator, we’ll first need to install a Kubernetes cluster and then layer TAP over that. You’re free to use whichever Kubernetes distribution you prefer. If you’d like some guidance around standing up a cluster, the appendix at the end of the book gives several options for getting Kubernetes up and running.

Once you have a running Kubernetes cluster, you’ll need to jump briefly to Chapter 8, Enhancing Developer Productivity with Tanzu Application Platform, where we walk through the installation of TAP. That chapter walks through a more complex end-to-end use case, while this chapter focuses solely on the Application Accelerator component.

Depending on your Kubernetes cluster, your TAP GUI may be at a local address such as http://localhost:8081, or possibly at an ingress domain you set up such as http://tap-gui.example.com.

When you open a browser to the TAP GUI, you should see something similar to this screenshot:

Figure 2.3 – Screenshot of the Tanzu Application Platform GUI

When you click on the Create link in the left-hand menu bar, you’ll see the default application accelerators that ship with the TAP GUI:

Figure 2.4 – Screenshot of the empty Create section

Congratulations! If you’ve made it this far, you are ready to start using App Accelerator!

Overview of App Accelerator

App Accelerator is a tool that Alana uses to provide Cody and his peers with a vetted, approved, preconfigured jumping-off point in their language or framework of choice. With App Accelerator, Alana can handle repetitive, low-value tasks such as choosing a technology and ensuring its interoperability and compatibility with other apps and enterprise standards. This frees up Cody and his developer peers to deliver business value with great software.

App Accelerator consists of several APIs and interfaces geared specifically to either Alana the architect’s or Cody the coder’s persona:

Figure 2.5 – App Accelerator architecture

Alana starts with a Git repo containing the skeleton of a project. In addition to boilerplate code, pre-approved libraries, and standardized documentation and testing structure, this project contains a special YAML file called, by convention, accelerator.yaml. This file contains the details of how consumers of the template application (called an accelerator) can customize the app template. Running inside Alana and Cody’s Kubernetes cluster is a controller for a Custom Resource Definition (CRD), accelerator.apps.tanzu.vmware.com/v1alpha1. Alana deploys an instance of the accelerator custom resource, and the controller becomes aware of Alana’s Git repo, making it available to Cody:

Figure 2.6 – Accelerator CRDs

App Accelerator presents a different view to Cody. He opens up a UI containing details of all of the accelerators available to him. Alana has provided a wide array of languages and frameworks to give developers the flexibility to use the right tool for the job without having to reinvent the wheel with regard to choosing libraries, ensuring compatibility, and navigating the maze of corporate governance.

Cody can search by tags and preview the contents of the various accelerators. Many accelerators will prompt Cody for certain inputs and customize the project accordingly. This is done via the Template Engine component in the preceding architectural diagram. App Accelerator provides a rich set of transformations so that a small piece of input from Cody, what sort of database do you want to use?, for example, can result in complex configuration options and libraries being preconfigured. The idea is to abstract as much complexity as possible away from the developer to maximize reuse and developer productivity.

Now that we understand how App Accelerator works, let’s get started with our own installation.

Getting started with App Accelerator

If you worked through the Technical Requirements section at the beginning of this chapter, you should have a running instance of Tanzu Application Platform and you're ready to begin exploring App Accelerator.

Exploring App Accelerator

When we installed App Accelerator, we got a set of out-of-the-box accelerators that enable developers to hit the ground running with enterprise-ready application templates, like the ones shown as follows:

Figure 2.7 – Application accelerators installed

You can click on the CHOOSE button for any of these accelerators and you’ll navigate to a page where you can supply any of the required parameters, as well as explore the project template and preview its files. Once you’ve chosen the accelerator that meets your needs, you can fill in the required parameters and click on Next Step and Create. At that point, you’ll be able to download a ZIP file containing the beginnings of your next great app with all your company’s conventions and best practices baked in!

Downloading, configuring, and running App Accelerator

From the TAP GUI’s Create page, let’s click on the CHOOSE button underneath the Hello Fun accelerator. Let’s change the name to hello-fun-tanzu-devsecops and make sure Kubernetes deployment and service is selected under deploymentType. Then, we click Next Step | Create | Download Zip File. This will download a ZIP file that you can unzip, run locally, and deploy to your Kubernetes cluster.

Use your favorite zip tool to unzip the archive and then open the project in your favorite IDE. From there, you can follow the instructions in README.md to run the app locally and deploy it to Kubernetes.

Once you are comfortable downloading, configuring, and running the accelerator, you’re ready to move to some more advanced tasks and topics.

Advanced topics on App Accelerator

Let’s say you’re one of the aforementioned enterprise architects or security engineers who wants to delight your developer colleagues with a panoply of choices from the latest and greatest technologies while baking in all your hard-learned lessons around tech longevity, best practices, and security. How would you go about creating your own app accelerator? Let’s do that next. Let’s implement a custom app accelerator.

Let’s start by logging into GitHub and forking this book’s GitHub project. Visit https://github.com/PacktPublishing/DevSecOps-in-Practice-with-VMware-Tanzu and click Fork. Now, you have your own copy of the code repo in your GitHub account. Your copy of the App Accelerator is located at https://github.com/<your-username>/DevSecOps-in-Practice-with-VMware-Tanzu/tree/main/chapter-02/openapi-accelerator.

This accelerator takes as input an OpenAPI 3.0 specification. It then outputs a project capable of building an entire API skeleton around that specification and a SwaggerUI frontend to test it out with. How’s that for best practices?

Once you’ve forked the accelerator project, let’s tell the controller running in Kubernetes that we have another app accelerator that we’d like to make available. Let’s clone the accelerator locally:

Next, navigate to the project and open the chapter-02/openapi-accelerator/accelerator-k8s-resource.yaml file in a text editor. Modify the spec.git.url (highlighted) property to point to your fork of the project, as shown in the following screenshot:

Figure 2.8 – accelerator-k8s-resource.yaml (point it to your fork of the Git repo)

Then, you can tell the App Accelerator controller about your new accelerator by applying accelerator-k8s-resource.yaml:

Now, you should be able to return to the TAP GUI’s Create page, refresh it, and see your OpenAPI 3.0 Spring Boot accelerator ready to go:

Figure 2.9 – Custom OpenAPI 3.0 Spring Boot accelerator in the TAP GUI

From here, you could use the accelerator to generate a Spring Boot project customized with your own OpenApi 3.0 specification:

Figure 2.10 – Exploring our accelerator after plugging in a custom API spec

Figure 2.11 – Our custom OpenAPI 3.0 API in Swagger UI

And voila! With a simple download, we have a fully functional REST API and Swagger UI ready for us to start implementing business logic. We can start delivering value immediately because all our corporate governance, libraries, and opinions are conveniently baked into the project from its inception.

Congratulations! If you’ve made it this far, you’ve put pre-vetted, pre-audited, secure software frameworks in front of your developers, allowing them to skip over the tedious administrative work and get right down to delivering real value with their software.

However, the software is always changing and a software framework that was last week’s up-to-date, rock-solid building block is this week’s Critical Vulnerability and Exposure (CVE).

Let’s move on to some day-2 operations now and look at how we keep our app accelerators patched and up to date.

Day-2 operations with App Accelerator

In software development, getting something deployed into production is often the easy part. Keeping that software up to date and patched with minimal user disruption is where most of your time will be spent. App Accelerator was designed with day 2 in mind.

As it turns out, the component versions in our OpenAPI application accelerator have already gone out of date. Let’s quickly update and patch our accelerator.

First, let’s find our local copy of the openapi-accelerator project. Open build.gradle in your favorite editor. Notice the org.springframework.boot and org.openapi.generator dependencies are not the most recent and could therefore contain bugs or even known vulnerabilities. Notice that org.springframework.boot is at 2.5.6 and org.openapi.generator is at 5.2.1:

Figure 2.12 – Our build.gradle file with out-of-date versions of Spring Boot and OpenAPI Generator

First, let’s visit https://start.spring.io to find out what the latest release version of Spring Boot is. At the time of writing, it’s 2.6.2:

Figure 2.13 – Latest Spring Boot version from start.spring.io

We can also grab the latest version of the openapi plugin from https://plugins.gradle.org/plugin/org.openapi.generator. As you can see in the following screenshot, it’s 5.3.1 at the time of writing:

Figure 2.14 – The latest release version of the org.openapi.generator plugin (5.3.1)

Now that we have our up-to-date version numbers, let’s update our build.grade file:

Figure 2.15 – Updating the plugins block in build.gradle with the latest versions

Then, we simply git-push our updated accelerator and after a few minutes, we can explore it in the UI and see our updated dependencies. Anyone who uses this accelerator in the future will get the latest versions of the openapi plugin and Spring Boot.

Now, it’s time to switch gears. App Accelerator can help you get off to a great start in any number of popular development frameworks, but what are those frameworks? Are some better suited than others for the enterprise? The next section will cover two development frameworks especially well-suited to enterprise applications.

Cloud-native development frameworks under the Tanzu umbrella

As mentioned in previous sections and chapters, the Tanzu portfolio didn’t materialize out of thin air. Rather, it is the thoughtful natural expression of many years of work and has helped some of the world’s largest and most notable companies cultivate their software competency. One outcome of that experience is learning which development frameworks maximize developer productivity while minimizing toil, tedium, and bad practice.

At this point, we’ve successfully deployed, updated, downloaded, and implemented a simple API based on an application accelerator. Our example used Spring Boot. How did we arrive at Spring Boot as the underlying application framework for our API?

The Spring Framework and Spring Boot

The framework of choice for many of the most successful Tanzu customers has been the Spring Framework. This is proven by the millions of applications started with Spring Initializr at https://start.spring.io, and enterprise surveys such as the Snyk JVM Ecosystem Report 2020 showing fully 60% of the enterprise running Spring Boot (https://snyk.io/blog/spring-dominates-the-java-ecosystem-with-60-using-it-for-their-main-applications/).

Here’s a screenshot showing some of the things Spring gives you right out of the box:

Figure 2.16 – What Spring can do (spring.io)

The Spring Framework is very flexible in how it can be deployed. Spring Boot