Skip to content

Latest commit

 

History

History
134 lines (92 loc) · 5.35 KB

create-supply-chain-workload.hbs.md

File metadata and controls

134 lines (92 loc) · 5.35 KB
Raw

Create a Workload from the Supply Chain

This topic tells you how to create and apply a workload from a Supply Chain, how to observe a workload, and how to verify the scanning performed in a workload.

Define a workload

This section tells you how to create a workload from an existing Supply Chain that was created by using SCST - Scan 2.0 and one of the following:

You can define a workload in YAML or use the Tanzu Workload CLI plug-in.

Using YAML : Run:

```yaml
kind: KIND
apiVersion: API-VERSION
metadata:
  name: WORKLOAD-NAME
spec:
  registry:
    repository: REGISTRY-REPOSITORY
    server: REGISTRY-SERVER
  source:
    git:
      branch: GIT-BRANCH
      url: GIT-URL
    subPath: GIT-SUBPATH
```

Where:

- `KIND` is the kind defined in the [Trivy Supply Chain Component](create-supply-chain-with-app-scanning.hbs.md#scan-2.0-and-trivy) or [Custom Scanning Component](create-supply-chain-with-app-scanning.hbs.md#scan-2.0-and-custom-scanning). The kind can be found in the supplychain YAML in the supplychains directory.
- `API-VERSION` is defined in the [Create a Supply Chain with SCST - Scan 2.0 and Trivy Supply Chain Component](create-supply-chain-with-app-scanning.hbs.md#create-a-supply-chain-with-scst---scan-20-and-trivy-supply-chain-component) or [Create Supply Chain with SCST - Scan 2.0 and Custom Scanning Component](create-supply-chain-with-app-scanning.hbs.md#create-supply-chain-with-scst---scan-20-and-custom-scanning-component). `API-VERSION` is the `group` and `version` found in the supplychain YAML in the supplychains directory.
- `REGISTRY-REPOSITORY` is the registry repository used for the scan results location.
- `REGISTRY-SERVER` is the registry server used for the scan results location.
- `GIT-URL` is the Git repository URL to clone from for the source component.
- `GIT-BRANCH` is the Git branch reference to watch for the new source.
- `GIT-SUBPATH` is the path where the source code is located.

For more information about any of the `GIT-*` values, see [Source Git Provider](../../supply-chain/reference/catalog/about.hbs.md#source-git-provider).

Using Tanzu Workload CLI plug-in : Run:

```console
tanzu workload generate NAME --kind KIND
```

Where `KIND` is the kind API resource defined in the [Trivy Supply Chain Component](create-supply-chain-with-app-scanning.hbs.md#scan-2.0-and-trivy) or [Custom Scanning Component](create-supply-chain-with-app-scanning.hbs.md#scan-2.0-and-custom-scanning).

This renders a sample workload YAML that you can configure and put in a `workload.yaml`.

Create a workload

Using the workload.yaml created in the previous section, create the workload:

tanzu workload create --file workload.yaml --namespace DEV-NAMESPACE

Where DEV-NAMESPACE is the same namespace where the intended workload will be.

Observe a workload

This section shows you how to use the Tanzu Workload CLI plug-in to observe a workload.

  1. List workloads in the cluster by running:

    tanzu workload list -n DEV-NAMESPACE

    Where DEV-NAMESPACE is the namespace where the workload is.

    Example output:

    $ tanzu workload list -n grype-app-scanning-catalog

Listing workloads from all namespaces

  NAMESPACE                   NAME                         KIND                  VERSION   AGE
  grype-app-scanning-catalog  golang-app-grype-test  grypescs.example.com  v1alpha1  35m

🔎 To see more details about a workload, use 'tanzu workload get workload-name --kind workload-kind'

  2. View workload details by running:

    tanzu workload get Sample WORKLOAD-NAME

    Example output:

    $ tanzu workload get golang-app-grype-test  -n grype-app-scanning-catalog
📡 Overview
  name:       golang-app-grype-test
  kind:       grypescs.example.com/golang-app-grype-test
  namespace:  grype-app-scanning-catalog
  age:        37m

🏃 Runs:
  ID                                     STATUS     DURATION  AGE
  golang-app-grype-test-run-btlvx  Succeeded  4m13s     37m

🔎 To view a run information, use 'tanzu workload run get run-id'

    For more information, How to observe the Runs of your Workload.

Check the workload scan results

Get the ImageVulnerabilityScan name by looking in the namespace it was created in:

kubectl get ivs -n DEV-NAMESPACE

Example output:

NAMESPACE                    NAME                          SUCCEEDED   REASON      AGE
dev-namespace                golang-app-test-123-bbrpz     True        Succeeded   4m52s

For information about how to retrieve scan results by using the ImageVulnerabilityScan name, see Retrieve scan results.

For more information about how to create a workload, see Work with Workloads.