Crossplane and Tap Session

Uploaded by

Scott Rosenberg

Tanzu Application Platform and Crossplane: A Match Made in Cloud Heaven
CODE1222LV

Scott Rosenberg
Lead Architect, CTO Office - TeraSky

#vmwareexplore #CODE1222LV
Who Am I

Name: Scott Rosenberg
Age: 29
From: Israel
GitHub Handle: @vrabbi
Twitter: @vrabbi_il
Tech Interests: Kubernetes, Cloud, and Automation
VMware Products: Aria, vSphere, NSX, TKG, TBS, TAP, TMC
Upstream Kubernetes Involvement: CAPV, Kubeapps, Pinniped, Carvel, TCE, SIG-Windows
Personal Blog: https://vrabbi.cloud
#vExpert2023 #TanzuVanguard

Confidential │ © VMware, Inc. 2


Agenda
• Tanzu Application Platform: General Overview
• Service Consumption In TAP: General Overview
• Crossplane: General Overview
• The Art Of What Is Possible: What can we do today
• Future Looking: What We Can Expect In The Future
• Summary


Tanzu Application Platform
General Overview



Tanzu Application Platform
An app-aware platform for a better developer experience on Kubernetes

• Unlock developer productivity
• Secure the path to production
• Coordinate the work of dev and ops


Open Source at its Core
Everyone benefits from more innovative, interoperable, scalable and secure solutions

Tanzu Application Platform is backed by some of the most mature and popular open-source projects available today:

• Backstage: Garnering 100+ adaptors, Backstage has gained tremendous traction by helping organizations build self-service developer portals
• Carvel: Developers build, deploy, and manage their own apps and package them so they are more easily distributable
• Buildpacks: Easily and securely build and maintain container images without the need for Dockerfiles
• And many more….

Building open-source software and contributing to communities is at the core of VMware’s engineering spirit
Tanzu Application Platform
Streamlined end-to-end DevSecOps experience – secure & scalable on any Kubernetes

DEV / SEC / OPS stages:
• Learn (Learning Center)
• Discover and Start (API Portal + App Accelerator)
• Iterate (IDE Plugin + Dev Tooling)
• Debug (IDE Plugin + App Live View)
• Test and Build (Pipeline Service + Build Service)
• Scan, Sign and Store (Pipeline Service + Build Service)
• Deploy (App Delivery)
• Run (CNR)
• Observe At Scale

• OOTB paths to production for easy onboarding and most general use cases
• Meets developers where they are comfortable with IDE Plugins, Backstage, and Git integrations
• Easily extensible to integrate your own tooling and opinions
• Full end to end supply chain visibility
• Security is integrated at every step, in a non-intrusive, yet extremely valuable manner
• Built using industry standard tooling and best practices
• Constantly evolving to help solve the issues you will encounter before they even arise


Service Consumption In TAP
General Overview



What Are We Trying To Solve?

Application Developers own the Application; Service Operations own the Services (DB, Messaging, Caching).

How do we ensure the application and service are linked?


Multiple Abstraction Layers
Four Levels of Service Consumption for different use cases…

• Level 1: Direct Bindings
• Level 2: Resource Claims
• Level 3: ClassClaims with Pooled Classes
• Level 4: ClassClaims with Provisioner Classes


How does STK Work?
Level 1: Direct Bindings

• Application Developers: I need to know specifically which resource name, group, version etc to claim.
• Service Operations: I have to manually provision the services and make sure resource details are available to the App Dev.
• Platform Engineering: Service and Application exist in the same namespace, giving me isolation between teams.

Flow: Platform Engineering manually provisions the services; the Application Developer claims a specific resource in the same Namespace, e.g.
  name: rmq-policy
  namespace: my-rmq-namespace
  group: rabbitmq.com
  kind: RabbitmqCluster

Pro’s ✅ Quick to setup, low number of objects
Con’s Poor separation of concerns between Dev and Ops.


How does STK Work?
Level 2: Resource Claims

• Application Developers: I need to know specifically which resource name, group, version etc to claim.
• Service Operations: I have to manually provision the services and make sure resource details are available to the App Dev.
• Platform Engineering: Service and Application exist in separate namespaces (App Namespace and Service Namespace), giving me better scalability and resilience.

Flow: Platform Engineering manually provisions the services in the Service Namespace; the Application Developer claims a specific resource from the App Namespace, e.g.
  name: rmq-policy
  namespace: my-rmq-namespace
  group: rabbitmq.com
  kind: RabbitmqCluster

Pro’s ✅ Better separation of concerns with Dev & Ops
Con’s Need to ensure App Dev is aware of specific resources.


How does STK Work?
Level 3: ClassClaims with Pooled Classes

• Application Developers: I am able to claim a higher level resource without needing to know specific details.
• Service Operations: I have to manually provision the services, but I can allow those resources to be pooled and the class claim will manage which resource is claimed.
• Platform Engineering: Service and Application exist in separate namespaces (App Namespace and Service Namespace), giving me better scalability and resilience.

Flow: Platform Engineering manually provisions the services, which can be pooled; the Application Developer claims a class rather than a specific resource, e.g.
  name: rmq-class

Pro’s ✅ Allows the developer to quickly consume services
Con’s Involves initial setup from the service ops teams


How does STK Work?
Level 4: ClassClaims with Provisioner (Dynamically Provisioned) Classes

• Application Developers: I am able to claim a higher level resource without needing to know specific details.
• Service Operations: The service is dynamically provisioned at the point the class claim is made, meaning I don’t need to pre-provision.
• Platform Engineering: Service and Application exist in separate namespaces (App Namespace and Service Namespace), giving me better scalability and resilience.

Flow: resources are dynamically provisioned when the Application Developer claims a class, e.g.
  name: rmq-class

Pro’s ✅ Even faster to get started with the service with dynamic provisioning
Con’s Larger overhead required to manage longer term.


Crossplane
General Overview



What Is Crossplane?
• Framework for building cloud native control planes
• No need to write any code
• Cloud providers have been managing their infrastructure with control planes for years
• Crossplane helps you build your own - with your own opinions
• Extensible backend to manage any infrastructure in any environment
• Configurable frontend to expose declarative APIs (abstractions) for developer self-service



The Basics
• Managed Resources



Managed Resources Example: AWS

• Networking
• Databases
• Kubernetes Clusters
• IAM
• VMs
• Message Queues
• Caches
• Certificates
• …and much more…

https://marketplace.upbound.io/providers/upbound/provider-aws/latest
Managed Resources

apiVersion: s3.aws.crossplane.io/v1beta1
kind: Bucket
metadata:
  name: crossplane-deepdive-demo-bucket
spec:
  forProvider:
    acl: private
    locationConstraint: eu-west-1
    paymentConfiguration:
      payer: BucketOwner
    versioningConfiguration:
      status: Enabled
    tagging:
      tagSet:
        - key: Name
          value: CrossplaneDeepDiveDemoBucket
Managed Resource Reconciliation
● Controllers reconcile Managed Resources with cloud provider and on-prem APIs (e.g., GCP, AWS, or any API)

Diagram: inside the Kubernetes Cluster, a Managed Resource (apiVer: aws/v1, kind: RDS, spec: storage: 30GB, engine: mysql) is applied to the api-server; the RDS controller watches it and calls the AWS API to create the RDS instance.


Build your own Platform API

● Assemble granular resources. E.g. from multiple clouds.
● Expose as higher level self-service API for your app teams
  ○ Compose GKE, NodePool, Network, Subnetwork
  ○ Offer as a single Cluster resource (API) with limited config for developers to self-service
● Hide infrastructure complexity and include policy guardrails
● All with K8s API - compatible with kubectl, GitOps, etc.
● No code required, it’s all declarative


Build your own Platform API

Diagram: a Composite Resource Definition (XRD) and its Claim are implemented by a Composition that composes an RDS Instance, a DB Subnet and a Security Group; the whole set is packaged as a Configuration.


Composite Resources
First we create a Composite Resource Definition (XRD) to declare our custom platform API

apiVersion: apiextensions.crossplane.io/v1
kind: CompositeResourceDefinition
metadata:
  name: xpostgresqlinstances.database.example.org
spec:
  group: database.example.org        # Custom API Group
  names:
    kind: XPostgreSQLInstance
    plural: xpostgresqlinstances
  versions:
  - name: v1alpha1
    served: true
    referenceable: true
    schema:                          # Standard openAPIV3 Schema
      openAPIV3Schema:
        type: object
        properties:


Compositions
Then we define a Composition which implements the XRD

apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: xpostgresqlinstances.aws.database.example.org
spec:
  writeConnectionSecretsToNamespace: crossplane-system
  compositeTypeRef:                  # XRD reference
    apiVersion: database.example.org/v1alpha1
    kind: XPostgreSQLInstance
  resources:                         # List of Managed Resources to Compose
  - name: parametergroup
    base:
      apiVersion: rds.aws.crossplane.io/v1alpha1
      kind: DBParameterGroup
Patches
Patches enable propagation of data from the Composite Resource (XR) down to the composed Managed Resources (MR)

patches:
- fromFieldPath: "spec.nodes.count"
  toFieldPath: "spec.forProvider.scalingConfig.desiredSize"   # Copy of value from XR spec down to MR spec
- fromFieldPath: "spec.nodes.size"
  toFieldPath: "spec.forProvider.instanceTypes[0]"
  transforms:                                                  # manipulate the config data
  - type: map
    map:
      small: t2.small
      medium: t3.medium
      large: m5.large
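The propagation described above, as an added example that is not part of the slides or of Crossplane's own code: a minimal Python re-implementation of Composition patches (fromFieldPath to toFieldPath, with the map transform and a [0] list index) applied to a constructed XR and MR base. The NodeGroup-style field names are assumed only to fit the slide's paths, not taken from any provider schema.

```python
import copy
import re
from functools import reduce
# Constructed sample data: the slide's patch list, an XR and an MR base (field names assumed).
PATCHES = [
    {"fromFieldPath": "spec.nodes.count",
     "toFieldPath": "spec.forProvider.scalingConfig.desiredSize"},
    {"fromFieldPath": "spec.nodes.size",
     "toFieldPath": "spec.forProvider.instanceTypes[0]",
     "transforms": [{"type": "map", "map": {
         "small": "t2.small", "medium": "t3.medium", "large": "m5.large"}}]},
]
XR = {"spec": {"nodes": {"count": 3, "size": "medium"}}}
MR_BASE = {"kind": "NodeGroup", "spec": {"forProvider": {"region": "eu-west-1"}}}
_SEG = re.compile(r"([^.\[\]]+)|\[(\d+)\]")  # a dotted key or a [N] list index

def _segments(path):
    """'spec.forProvider.instanceTypes[0]' -> ['spec', 'forProvider', 'instanceTypes', 0]"""
    return [int(idx) if idx else key for key, idx in _SEG.findall(path)]

def get_path(obj, path):
    return reduce(lambda cur, seg: cur[seg], _segments(path), obj)

def set_path(obj, path, value):
    """Write a field path, creating intermediate dicts/lists on the way down."""
    segs = _segments(path)
    cur = obj
    for seg, nxt in zip(segs, segs[1:] + [None]):
        if isinstance(seg, int):  # list index: grow the list to fit
            cur.extend([None] * (seg + 1 - len(cur)))
        if nxt is None:           # last segment: write the value
            cur[seg] = value
            return
        if (cur[seg] if isinstance(seg, int) else cur.get(seg)) is None:
            cur[seg] = [] if isinstance(nxt, int) else {}
        cur = cur[seg]

def apply_transforms(value, transforms):
    for t in transforms:
        if t["type"] != "map":
            raise ValueError(f"unsupported transform type {t['type']!r}")
        if value not in t["map"]:  # an unmapped key is a patch error, not a silent pass-through
            raise KeyError(f"map transform has no entry for {value!r}")
        value = t["map"][value]
    return value

def apply_patches(xr, mr_base, patches):
    """Copy mr_base and propagate each patch's XR field into it."""
    mr = copy.deepcopy(mr_base)
    for p in patches:
        try:
            value = get_path(xr, p["fromFieldPath"])
        except (KeyError, IndexError, TypeError):
            continue  # source unset on the XR: skip the patch, matching Crossplane's default policy
        set_path(mr, p["toFieldPath"], apply_transforms(value, p.get("transforms", [])))
    return mr
```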


Extending Crossplane
• Providers & Configurations



Current Extension Points
● Crossplane is a highly extensible framework
● Providers
  ○ You can build a provider to manage anything with an API
  ○ CRUD operations for cloud resources, on-prem services, etc.
● Configurations
  ○ Compose resources from providers
  ○ Define your control plane’s declarative APIs and abstractions
  ○ These are what your devs see - it’s how they consume the offerings of your control plane
● Both are Crossplane packages / opinionated OCI Images.
Crossplane Ecosystem
Currently in the Upbound Marketplace we can find:
• 323 Official Providers
• 39 Community Providers
• 25 Public Configurations


Marketplace
for all Extensions
Open for everyone



Resource Relationships

• Claim (namespace scope) points to its Composite via compositeRef; the Composite (cluster scope) points back via claimRef.
• A Composite owns nested Composites and Managed Resources (MR) via ownerRef.

Reconcilers and their finalizers:
• Claim Reconciler: finalizer.apiextensions.crossplane.io
• Composite Reconciler: composite.apiextensions.crossplane.io
• Managed Reconciler: finalizer.managedresource.crossplane.io


The Art Of What Is Possible
What can we do today



OOTB Bitnami Services
Great For Getting Started and Dev Environments

• TAP includes a few OOTB Crossplane base offerings
• These are based on Bitnami helm charts
• Supports not only Bitnami OSS but also VAC helm charts
• Supported services are:
  • PostgreSQL
  • MySQL
  • Redis
  • RabbitMQ
  • Kafka
  • MongoDB


Managing AWS data service from Kubernetes

Managing AWS data services with Crossplane
• Crossplane creates custom resources in Kubernetes that allow us to manage any AWS resource as a Kubernetes resource
• We can bind together multiple resources into a single API exposing a capability
  • An example is an Amazon RDS instance, where we may want to create an RDS instance, security groups, subnets, IAM roles, and so on


What this looks like: Service operator

Creating the RDS instance
• $ kubectl apply -f psql-rds.yaml

apiVersion: bindable.database.example.org/v1alpha1
kind: PostgreSQLInstance
metadata:
  name: rds-postgres-db
  namespace: default
spec:
  parameters:
    storageGB: 20
  compositionSelector:
    matchLabels:
      provider: aws
      vpc: default
  publishConnectionDetailsTo:
    name: rds-postgres-db
    metadata:
      labels:
        services.apps.tanzu.vmware.com/class: rds-postgres


What this looks like: App operator

• Listing available instances

$ tanzu services claimable list --class rds-postgres

NAME             NAMESPACE  API KIND  API GROUP/VERSION
rds-postgres-db  default    Secret    v1

• Claiming the RDS instance

$ tanzu service claim create rds-claim \
    --resource-name rds-postgres-db \
    --resource-kind Secret \
    --resource-api-version v1
What this looks like: App developer

Connecting the RDS instance to its workload imperatively

tanzu apps workload create my-workload \
    --git-repo https://github.com/sample-accelerators/spring-petclinic \
    --git-branch main \
    --type web \
    --app spring-petclinic \
    --env SPRING_PROFILES_ACTIVE=postgres \
    --service-ref db=services.apps.tanzu.vmware.com/v1alpha1:ResourceClaim:rds-claim


What this looks like: App developer

Connecting the RDS instance to its workload declaratively

apiVersion: carto.run/v1alpha1
kind: Workload
metadata:
  labels:
    app.kubernetes.io/part-of: spring-petclinic
    apps.tanzu.vmware.com/workload-type: web
  name: my-workload
  namespace: ns1
spec:
  env:
  - name: SPRING_PROFILES_ACTIVE
    value: postgres
  serviceClaims:
  - name: db
    ref:
      apiVersion: services.apps.tanzu.vmware.com/v1alpha1
      kind: ResourceClaim
      name: rds-claim
  source:
    git:
      ref:
        branch: main
      url: https://github.com/sample-accelerators/spring-petclinic


Key AWS services with built-in binding definitions in Spring
• Amazon Keyspaces (for Apache Cassandra)
• Couchbase
• OpenSearch
• Amazon RDS
• Amazon S3
• Amazon DynamoDB
• Amazon Managed Streaming for Apache Kafka (Amazon MSK)
• Amazon DocumentDB
• Amazon MemoryDB for Redis and Amazon ElastiCache
• Amazon MQ for RabbitMQ


Abstracting The Implementation Across Clusters



Future Looking
What We Can Expect In The Future



What We Can Expect In The Future

• More OOTB Services
  • Not only Helm based services but also public cloud offerings
• More Configurable OOTB Services
• UI for building service offerings
• UI for consuming service offerings
• Possible Integration with Upbound SaaS Control Plane


Summary



Summary

• TAP and Crossplane can be used together to provide the ultimate Developer Experience
• Both TAP and Crossplane follow a declarative model based on Kubernetes custom resources, making them easy to integrate
• Crossplane can be used in TAP not just for Service bindings but also for use cases like auto creation of ECR repos using a tool like Kyverno
• Crossplane unlocks great features and TAP wraps them up in a more user friendly and consumable manner


Additional Resources
• Services Toolkit Docs - https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.6/tap/services-toolkit-about.html
• Sample Compositions and Cluster Instance Classes - https://github.com/vrabbi-tap/tap-custom-cluster-instance-classes
• Crossplane Docs - https://docs.crossplane.io/
• Upbound Marketplace - https://marketplace.upbound.io/
• TAP With ECR, Repo Auto Creation - https://vrabbi.cloud/post/tap-with-ecr-crossplane-and-kyverno-to-the-rescue/
• Webinar Explaining TAP and Crossplane With Demo - https://resources.upbound.io/all-content/achieve-a-fully-automated-devops-experience-with-universal-crossplane-and-vmware-tanzu-application-platform


Thank You
