This topic tells you how to install and configure Tanzu Build Service (commonly known as TBS) with the Tanzu CLI and kapp controller.

Important

This installation method is now deprecated in favor of Installing using a profile.

Prerequisites

• Have a Kubernetes cluster v1.27 or later.

• Ensure that all worker nodes have at least 50 GB of ephemeral storage allocated to them.

  • To do this on vSphere with Tanzu, mount a 50 GB volume at /var/lib/containerd to the worker nodes in the TanzuKubernetesCluster resource that corresponds to your vSphere with Tanzu cluster. For information about configuring storage on worker nodes, see Cluster with Separate Disks and Storage Parameters.

• Have access to a container registry to install Tanzu Build Service and store application images.

  • Although the documentation references specific registries for the purpose of providing examples, any registry that adheres to the Docker Registry HTTP API V2 is supported.
  • If installing using the lite dependencies, VMware recommends 1 GB of registry storage.
  • If installing using the full dependencies, which are intended for production use and offline environments, VMware recommends 10 GB of available storage.
  • This registry space suggestion does not include the space used for application images built by Tanzu Build Service.

• Ensure your Kubernetes cluster is configured with a default StorageClass. If a default StorageClass is defined, 2 GB of cache is the default. PersistentVolumeClaims is used to cache build artifacts, which reduces the time of subsequent builds.

  For more information, see Persistent Volumes in the Kubernetes documentation. For information about defining a default StorageClass, see Changing the default StorageClass.

• Download Tanzu Cluster Essentials to install the imgpkg CLI tool and follow the README to install kapp controller.

• Install the Tanzu CLI. Only the package and secret plug-ins are required.

• Navigate to the following pages in VMware Tanzu Network and accept all EULAs highlighted in yellow.

  • Tanzu Build Service
  • Tanzu Build Service Dependencies
  • Buildpacks for VMware Tanzu
  • Stacks for VMware Tanzu

• To find the latest version, see VMware Tanzu Network.

• Download the kp CLI for your operating system from the VMware Tanzu Network. See the kp CLI help text. This installation procedure requires kp CLI v0.10.x with Tanzu Build Service v1.10.x.

• Download either the docker CLI or crane CLI for authentication with registries.

Note: Clusters running with Containerd v1.4.1, v1.5.6, and v1.5.7 are not compatible with Tanzu Build Service. Notably, Tanzu Kubernetes Grid v1.2.1 and Tanzu Kubernetes Grid Integrated Edition v1.13.0, v1.13.1 use these versions of Containerd, so a different version must be used.

Note: vSphere with Tanzu clusters running Kubernetes v1.20.0-v1.20.6 are not compatible with Tanzu Build Service.

Install Tanzu Build Service

1. Set up environment variables for use during the installation.

   export INSTALL_REGISTRY_HOSTNAME=<IMAGE-REGISTRY>
   export INSTALL_REPOSITORY=<IMAGE-REPOSITORY>
   export INSTALL_REGISTRY_USERNAME=<REGISTRY-USERNAME>
   export INSTALL_REGISTRY_PASSWORD=<REGISTRY-PASSWORD>
   export INSTALL_NAMESPACE=<INSTALL-NAMESPACE>
   export TANZUNET_REGISTRY_USERNAME=<TANZUNET_REGISTRY_USERNAME>
   export TANZUNET_REGISTRY_PASSWORD=<TANZUNET_REGISTRY_PASSWORD>
   export TBS_VERSION=<LATEST-TBS-VERSION>
   

   Where:

   • IMAGE-REGISTRY is the host name of the registry. If you are using Docker Hub as your registry, use the value https://index.docker.io/v1/.
   • IMAGE-REPOSITORY is the repository in your registry where you want to relocate images to.
     • Docker hub has the form my-dockerhub-username/build-service or index.docker.io/my-dockerhub-username/build-service.
     • gcr.io has the form gcr.io/my-project/build-service.
     • Harbor has the form my-harbor.io/my-project/build-service.
   • REGISTRY-USERNAME is the user name of the registry. You must be able to write to IMAGE-REPOSITORY with this credential. gcr.io expects _json_key.
   • REGISTRY-PASSWORD is the password of the registry. You must be able to write to IMAGE-REPOSITORY with this credential.
   • INSTALL-NAMESPACE is the namespace where all the packages will be installed. This namespace keeps the installation objects grouped together logically. (Ex. tbs-install)
   • TANZUNET_REGISTRY_USERNAME is the user name you use to access TanzuNet.
   • TANZUNET_REGISTRY_PASSWORD is the password you use to access TanzuNet.
     • For Google Cloud Registry, use the contents of the service account JSON key.
   • LATEST-TBS-VERSION is available from VMware Tanzu Network.

Relocate images to a registry

This procedure relocates images from the VMware Tanzu Network registry to an internal image registry through a local machine.

The local machine must have write access to the install registry.

1. Log in to the VMware Tanzu Network registry:

   • If using the docker CLI, run:

     docker login registry.tanzu.vmware.com
     

   • If using the crane CLI, run:

     crane auth login registry.tanzu.vmware.com
     

2. Log in to the image registry where you want to store the images:

   • If using the docker CLI, run:

     docker login ${INSTALL_REGISTRY_HOSTNAME}
     

   • If using the crane CLI, run:

     crane auth login ${INSTALL_REGISTRY_HOSTNAME}
     

3. Copy the Tanzu Build Service package repository to your registry with the Carvel tool imgpkg:

   imgpkg copy -b registry.tanzu.vmware.com/build-service/package-repo:$TBS_VERSION --to-repo=${INSTALL_REPOSITORY}
   

   For example:

   Docker Hub example

   imgpkg copy -b registry.tanzu.vmware.com/build-service/package-repo:$TBS_VERSION --to-repo=my-dockerhub-account/build-service
   

   GCR example

   imgpkg copy -b registry.tanzu.vmware.com/build-service/package-repo:$TBS_VERSION --to-repo=gcr.io/my-project/build-service
   

   Artifactory example

   imgpkg copy -b registry.tanzu.vmware.com/build-service/package-repo:$TBS_VERSION --to-repo=artifactory.com/my-project/build-service
   

   Harbor example

   imgpkg copy -b registry.tanzu.vmware.com/build-service/package-repo:$TBS_VERSION --to-repo=harbor.io/my-project/build-service
   

Installation

1. Create an installation namespace for deploying the package:

   kubectl create ns ${INSTALL_NAMESPACE}
   

2. Create a secret to pull in the package repository:

   tanzu secret registry add tbs-install-registry \
     --username ${INSTALL_REGISTRY_USERNAME} --password ${INSTALL_REGISTRY_PASSWORD} \
     --server ${INSTALL_REGISTRY_HOSTNAME} \
     --export-to-all-namespaces --yes --namespace ${INSTALL_NAMESPACE}
   

3. When leveraging automatic dependency updates, create the secret for the VMware Tanzu Network credentials using the Tanzu CLI:

   tanzu secret registry add tanzunet-creds \
    --server "registry.tanzu.vmware.com" \
    --username "${TANZUNET_REGISTRY_USERNAME}" \
    --password "${TANZUNET_REGISTRY_PASSWORD}" \
    --namespace ${INSTALL_NAMESPACE}
   

4. Add the Tanzu Build Service package repository to the cluster:

   tanzu package repository add tbs-repository \
       --url "${INSTALL_REPOSITORY}:${TBS_VERSION}" \
       --namespace ${INSTALL_NAMESPACE}
   

5. Get the status of the package repository (the status should be Reconcile succeeded):

   tanzu package repository get tbs-repository --namespace ${INSTALL_NAMESPACE}
   

6. Create a tbs-values.yml file by using the following sample as a guide. Keep this file for future use.

   ---
   kp_default_repository: <INSTALL_REPOSITORY>
   kp_default_repository_secret:
     name: tbs-install-registry
     namespace: <INSTALL_NAMESPACE>
   install_namespace: <INSTALL_NAMESPACE>
   ca_cert_data: <CA_CERT_CONTENTS> (optional)
   injected_sidecar_support: <INJECTED_SIDECAR_SUPPORT> (optional)
   generate_slsa_attestation: <GENERATE_SLSA_ATTESTATION> (optional)
   exclude_dependencies: false
   create_secret_exports: true
   dependency_updates:
     allow: true
     scope: "stacks-only"
     include_packages: [""]
     exclude_packages: [""]
   

   Note: This installs the lite dependencies with automatic stack updates enabled. If you plan to install the full dependencies later, set exclude_dependencies: true.

   Where:

   • INSTALL_REPOSITORY is a writable repository in your registry. Tanzu Build Service Dependencies are written to this location. Same value as used during relocation.

   • INSTALL_NAMESPACE is the namespace created above.

   • CA_CERT_CONTENTS must be provided when using a registry that is signed by a Custom Cert. This should be the value of the PEM-encoded CA certificate that will be used during the build time. For more information about adding CA certificate to the run image, see the FAQ.

   • (Optional) INJECTED_SIDECAR_SUPPORT use to enable support for Tanzu Service Mesh and Istio (Documentation).

   • (Optional) GENERATE_SLSA_ATTESTATION use to enable support for SLSA attestations.

7. Install the package:

   tanzu package install tbs -p buildservice.tanzu.vmware.com -v $TBS_VERSION -n ${INSTALL_NAMESPACE} --values-file tbs-values.yml --poll-timeout 30m
   

8. (Optional) To install the full dependencies, see Installing Full Dependencies later in this topic.

9. (Optional) To configure automatic dependency updates, see Updating Dependencies.

Additional configuration

1. You can add additional fields to the tbs-values.yml:

   • admin_users is a comma-separated list of users granted admin privileges.
   • admin_groups is a comma-separated list of groups granted admin privileges.
   • http_proxy is the HTTP proxy to use for network traffic.
   • https_proxy is the HTTPS proxy to use for network traffic.
   • no_proxy is a comma-separated list of host names, IP addresses, or IP address ranges in CIDR format. These must not use a proxy.

2. You can see the full values schema by running:

   tanzu package available get buildservice.tanzu.vmware.com/$TBS_VERSION --values-schema --namespace ${INSTALL_NAMESPACE}
   

Secret exports

As of Tanzu Build Service v1.13, the new field create_secret_exports is available in your tbs-values.yml file to activate or deactivate creating secret exports. In Tanzu Build Service v1.13, this flag defaults to true. VMware plans for this flag to default to false in a future release, and secret exports will no longer be created by default when installing the Tanzu Build Service package.

Previously, creating the secret exports caused problems when another component also needed the secret exported. You can now choose to export the secret to the required namespaces manually. You can export secrets to all namespaces but you are only required to export to the kpack, cert-injection-webhook, stacks-operator-system, and build-service namespaces.

Example SecretExport resource required for manual secret exports:

apiVersion: secretgen.carvel.dev/v1alpha1
kind: SecretExport
metadata:
  name: my-synced-secret
  namespace: build-service
spec:
  toNamespace: "kpack"

If you are using Tanzu Application Platform, this secret is already created and exported to all namespaces. There is no need to take any action.

Install the Full Dependencies for Tanzu Build Service

1. If you have not done so already, you must exclude the default dependencies by adding the key-value pair exclude_dependencies: true to your tbs-values.yaml. For example:

     exclude_dependencies: true
   

2. If you have not updated your Tanzu Build Service package installation after adding the key-value pair exclude_dependencies: true to your values file, perform the update by running:

   tanzu package installed update tbs --namespace ${INSTALL_NAMESPACE} --values-file VALUES-FILE
   

   Where VALUES-FILE is the path to the tbs-values.yaml file you edited earlier.

3. Relocate the Tanzu Build Service full dependencies package repository by doing one of the following:

   • Relocate the images directly for online installation:

     imgpkg copy \
       -b registry.tanzu.vmware.com/build-service/full-deps-package-repo:VERSION \
       --to-repo ${INSTALL_REGISTRY_HOSTNAME}/full-deps-package-repo
     

     Where VERSION is the version of the Tanzu Build Service you are installing.

   • Relocate the images to an external storage device and then to the registry in the air-gapped environment:

     imgpkg copy \
       -b registry.tanzu.vmware.com/build-service/full-deps-package-repo:VERSION \
       --to-tar=full-deps-package-repo.tar
     
     # move full-deps-package-repo.tar to environment with registry access
     imgpkg copy \
       --tar full-deps-package-repo.tar \
       --to-repo=INSTALL-REGISTRY-HOSTNAME/TARGET-REPOSITORY/full-deps-package-repo
     

     Where:

     • VERSION is the version of the Tanzu Build Service you are installing.
     • INSTALL-REGISTRY-HOSTNAME is your container registry.
     • TARGET-REPOSITORY is your target repository.

4. Add the Tanzu Build Service full dependencies package repository by running:

   tanzu package repository add full-deps-package-repo \
     --url INSTALL-REGISTRY-HOSTNAME/TARGET-REPOSITORY/full-deps-package-repo:VERSION \
     --namespace ${INSTALL_NAMESPACE}
   

   Where:

   • INSTALL-REGISTRY-HOSTNAME is your container registry.
   • TARGET-REPOSITORY is your target repository.
   • VERSION is the version of the Tanzu Application Platform package you retrieved earlier.

5. Create a new tbs-full-deps-values.yaml and copy the kp_default_repository key-value pair from your tbs-values.yaml:

   ---
    kp_default_repository: "REPO-NAME"
   

   Where REPO-NAME is copied from the kp_default_repository field in your tbs-values.yaml.

   1. (Optional) Install the UBI builder.

      The UBI builder uses Red Hat Universal Base Image (UBI) v8 for both build and run images. This builder only supports Java and Node.js. To install the UBI builder, add the key-value pair enable_ubi_builder: true to your tbs-full-deps-values.yaml.

      ---
      enable_ubi_builder: true
      

   2. (Optional) Install the Static builder.

      The Static builder uses Ubuntu Jammy for both build images and a minimal static run image. This builder only supports Golang. To install the Static builder, add the key-value pair enable_static_builder: true to your tbs-full-deps-values.yaml.

      ---
      enable_static_builder: true
      

6. Install the full dependencies package by running:

   tanzu package install full-deps \
     --package full-deps.buildservice.tanzu.vmware.com \
     --version "> 0.0.0" \
     --namespace ${INSTALL_NAMESPACE} \
     --values-file VALUES-FILE
   

   Where VALUES-FILE is the path to the tbs-full-deps-values.yaml you created earlier.

Using AWS IAM for Authentication with ECR

You can install Tanzu Build Service using AWS IAM roles for authentication with Amazon Elastic Container Registry (ECR) on Amazon Elastic Kubernetes Service (EKS) clusters.

There are two additional steps required:

1. Install Tanzu Build Service with AWS IAM for Authentication with ECR
2. Configure the build namespace for IAM Auth with ECR

Install Tanzu Build Service with AWS IAM for Authentication with ECR

To install with AWS IAM for Authentication with ECR:

1. Create a repository in ECR to use for the kp_default_repository.

2. Configure an AWS IAM role that has read and write access to the kp_default_repository and a trust policy for the EKS cluster. The minimum required permissions are found here.

3. Follow the Tanzu Build Service installation steps until the tbs-values.yml file.

4. In the tbs-values.yml file, replace the kp_default_repository_username and kp_default_repository_username or kp_default_repository_secret with the following line:

   ...
   kp_default_repository_aws_iam_role_arn: "INSTALL-IAM-ROLE-ARN"
   ...
   

   Where:

   • INSTALL-IAM-ROLE-ARN is the AWS IAM role Amazon Resource Name (ARN) for the role configured earlier. For example, arn:aws:iam::xyz:role/my-install-role.

Configure the build namespace for IAM Auth with ECR

Similar to configuring a secret in the build namespace for registry authentication, the build namespace requires configuration for Tanzu Build Service to use AWS IAM authentication for ECR in builds.

To configure the build namespace for IAM Auth with ECR:

1. Configure an AWS IAM role that has read and write access to the registry location to store build images.

2. For the service account used for Image resources, add an annotation including the role ARN configured earlier.

   kubectl annotate serviceaccount -n BUILD-NAMESPACE SERVICE-ACCOUNT-NAME \
   eks.amazonaws.com/role-arn=${BUILD-IAM-ROLE-ARN}
   

   Where:

   • BUILD-NAMESPACE is the name of your build namespace.
   • SERVICE-ACCOUNT-NAME is the service account used for Image resources. This is default if unset.
   • BUILD-IAM-ROLE-ARN is the AWS IAM role ARN for the role configured earlier. For example, arn:aws:iam::xyz:role/my-build-role.

3. Create an Image resource with this service account:

   kp image save my-ecr-image --tag 12345.ecr.com/my-repo --service-acount=SERVICE-ACCOUNT-NAME -n BUILD-NAMESPACE
   

Installing on Openshift

Installing Tanzu Build Service on Openshift requires some extra steps.

1. Follow the installation steps above, but when creating the tbs-values.yml add the following property:

   ---
   ...
   kubernetes_distribution: openshift
   ...
   

2. After installing, you must configure any namespaces that will have Image or Build resources. To do this you must configure RBAC for the service account used for Image resources (the default service account is used by default).

   Apply the following RoleBinding:

   ---
   apiVersion: rbac.authorization.k8s.io/v1
   kind: RoleBinding
   metadata:
     name: tbs-restricted-with-seccomp
   roleRef:
     apiGroup: rbac.authorization.k8s.io
     kind: ClusterRole
     name: system:tbs:scc:restricted-with-seccomp
   subjects:
   - kind: ServiceAccount
     namespace: <BUILD-NAMESPACE>
     name: <BUILD-SERVICE-ACCOUNT>
   

   Where:

   * `BUILD-NAMESPACE` is the namespace where Image and Build resources will be created.
   * `BUILD-SERVICE-ACCOUNT` is the service account used for Image resources (`default` by default).
   

Upgrading Tanzu Build Service

1. Relocate the new package repository:

   imgpkg copy -b registry.tanzu.vmware.com/build-service/package-repo:$NEW_TBS_VERSION --to-repo=${INSTALL_REPOSITORY}
   

2. Add the Tanzu Build Service package repository to the cluster:

   tanzu package repository add tbs-repository \
       --url "${INSTALL_REPOSITORY}:${NEW_TBS_VERSION}" \
       --namespace tbs-install
   

3. Install the package with the same tbs-values.yml file used during the initial installation:

   tanzu package installed update tbs -p buildservice.tanzu.vmware.com -v $NEW_TBS_VERSION -n tbs-install --values-file tbs-values.yml --poll-timeout 30m
   

Installing Tanzu Build Service (air-gapped)

Tanzu Build Service can be installed to a Kubernetes cluster and registry that are air-gapped from external traffic.

An air-gapped environment often uses an internal registry with a self-signed CA certificate. You need access to this CA certificate file to install Tanzu Build Service.

Note: If you are using a CA certificate that is trusted (for example, Lets Encrypt), you do not need the CA certificate file.

1. Set up environment variables for use during the installation.

   export INSTALL_REGISTRY_HOSTNAME=<IMAGE-REGISTRY>
   export INSTALL_REPOSITORY=<IMAGE-REPOSITORY>
   export INSTALL_REGISTRY_USERNAME=<REGISTRY-USERNAME>
   export INSTALL_REGISTRY_PASSWORD=<REGISTRY-PASSWORD>
   export TBS_VERSION=<LATEST-TBS-VERSION>
   

   Where:

   • IMAGE-REGISTRY is the host name of the private registry.
   • IMAGE-REPOSITORY is the repository in your registry where you want to relocate images to. Harbor has the form my-harbor.io/my-project/build-service
   • REGISTRY-USERNAME is the user name of the private registry. You must be able to write to IMAGE-REPOSITORY with this credential.
   • REGISTRY-PASSWORD is the password of the private registry. You must be able to write to IMAGE-REPOSITORY with this credential.
   • LATEST-TBS-VERSION is available from the VMware Tanzu Network.

   Note: The IMAGE-REPOSITORY must be the IMAGE-REGISTRY appended with the destination repository for the images. For example, IMAGE-REGISTRY/some-repo/build-service.
   

Relocate images to a registry (air-gapped)

This procedure relocates images from the VMware Tanzu Network registry to an internal image registry through local machine(s).

1. Log in to the VMware Tanzu Network registry:

   • If using the docker CLI, run:

     docker login registry.tanzu.vmware.com
     

   • If using the crane CLI, run:

     crane auth login registry.tanzu.vmware.com
     

2. Copy the Tanzu Build Service package repository to your local machine as a TAR with the Carvel tool imgpkg:

   imgpkg copy -b registry.tanzu.vmware.com/build-service/package-repo:$TBS_VERSION --to-tar=/tmp/tanzu-build-service.tar
   

3. Move the output file tanzu-build-service.tar to a machine that has access to the air-gapped environment. The machine must have write access to the internal registry.

4. Log in to the image registry where you want to store the images:

   • If using the docker CLI, run:

     docker login ${INSTALL_REGISTRY_HOSTNAME}
     

   • If using the crane CLI, run:

     crane auth login ${INSTALL_REGISTRY_HOSTNAME}
     

5. Copy the images from your local machine to the internal registry:

   imgpkg copy --tar /tmp/tanzu-build-service.tar \
     --to-repo=${INSTALL_REPOSITORY} \
     --registry-ca-cert-path <PATH-TO-CA>
   

   Where:

   PATH-TO-CA is the path to the registry CA certificate file.

   Artifactory example:

   imgpkg copy --tar /tmp/tanzu-build-service.tar \
   --to-repo=artifactory.com/my-project/build-service \
   --registry-ca-cert-path ca.crt
   

   Harbor example

   imgpkg copy --tar /tmp/tanzu-build-service.tar /
   --to-repo=harbor.io/my-project/build-service /
   --registry-ca-cert-path ca.crt
   

Installation (air-gapped)

1. Create a namespace called tbs-install for deploying the package by running:

   kubectl create ns tbs-install
   

   This namespace keeps the installation objects grouped together logically.

2. Add the Tanzu Build Service package repository to the cluster:

   tanzu package repository add tbs-repository \
       --url "${IMAGE-REPOSITORY}:${TBS_VERSION}" \
       --namespace tbs-install
   

3. Get the status of the package repository (the status should be Reconcile succeeded):

   tanzu package repository get tbs-repository --namespace tbs-install
   

4. Create a tbs-values.yml file by using the following sample as a guide. Keep this file for future use.

   ---
   kp_default_repository: $INSTALL_REPOSITORY
   kp_default_repository_username: $INSTALL_REGISTRY_USERNAME
   kp_default_repository_password: $INSTALL_REGISTRY_PASSWORD
   pull_from_kp_default_repo: true
   exclude_dependencies: true
   create_secret_exports: true
   ca_cert_data: <CA_CERT_CONTENTS>
   

   Where:

   • INSTALL_REPOSITORY is a writable repository in your internal registry. Tanzu Build Service Dependencies are written to this location. Same value as used during relocation.
   • INSTALL_REGISTRY_USERNAME is the internal registry username. Same value as used during relocation.
   • INSTALL_REGISTRY_PASSWORD is the internal registry password. Same value as used during relocation.
   • CA_CERT_CONTENTS must be provided when using registry that is signed by a Custom Cert. This is the value of the PEM-encoded CA certificate that will be used during the build time. For more information about adding CA certificate to the run image, see the FAQ.

Additional configuration

1. Additional fields can be added to tbs-values.yml.

   • admin_users is a comma-separated list of users who are granted admin privileges.
   • admin_groups is a comma-separated list of groups that are granted admin privileges.
   • http_proxy is the HTTP proxy to use for network traffic.
   • https_proxy is the HTTPS proxy to use for network traffic.
   • no_proxy is a comma-separated list of hostnames, IP addresses, or IP ranges in CIDR format that should not use a proxy.

2. You can see the full values schema by running:

   tanzu package available get buildservice.tanzu.vmware.com/$TBS_VERSION --values-schema --namespace tbs-install
   

3. Install the package:

   tanzu package install tbs -p buildservice.tanzu.vmware.com -v $TBS_VERSION -n tbs-install --values-file tbs-values.yml
   

Updating Tanzu Build Service Dependencies (air-gapped)

When running in an air-gapped environment, Tanzu Build Service cannot pull dependencies automatically. Dependencies must be imported manually as a part of the Tanzu Build Service installation.

Dependencies must be updated manually or automatically using CI/CD. For more information about keeping dependencies up to date in an offline environment, see Updating Build Service Dependencies.

Upgrading Tanzu Build Service (air-gapped)

1. Follow the relocation steps in Relocate images to a registry (air-gapped) and add a new TBS_VERSION.

2. Follow the installation steps in Installation, use the same tbs-values.yml file that was used for the initial installation.

   Re-importing dependencies is not required for upgrading Tanzu Build Service.

Uninstalling Tanzu Build Service

1. Uninstall the package:

   tanzu package installed delete tbs -n tbs-install -y
   

   Note: All Tanzu Build Service resources are deleted. Registry images created by Tanzu Build Service are not deleted.

2. To delete the Tanzu Build Service package repository:

   tanzu package repository delete tbs-repository --namespace tbs-install
   

Ensuring access to cluster builders

To use cluster builders, such as the ones installed with Tanzu Build Service, VMware suggests installing Tanzu Build Service to a repository accessible by the nodes in the Kubernetes cluster without credentials.

If you do not want to do this, see When to use Synchronized Secrets.

Ensuring the run image is readable

Build Service relies on the run image being publicly readable or readable with the registry credentials configured in a project/namespace for the builds to be executed successfully.

Identify the location of the run image:

kp clusterstack status <stack-name>

If the cluster stack run image is not public, create a registry secret in any namespace where images or builds are used:

kp secret create my-registry-creds --registry example-registry.io --registry-user my-registry-user --namespace build-namespace

For more details about secrets in Tanzu Build Service, see Managing Secrets

Next steps

Visit the Managing Images and Builds page to learn how to create and manage a new image.

Minimum AWS IAM permissions for ECR IAM auth

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ecr:PutImageTagMutability",
                "ecr:StartImageScan",
                "ecr:DescribeImageReplicationStatus",
                "ecr:ListTagsForResource",
                "ecr:UploadLayerPart",
                "ecr:BatchDeleteImage",
                "ecr:ListImages",
                "ecr:BatchGetRepositoryScanningConfiguration",
                "ecr:DeleteRepository",
                "ecr:CompleteLayerUpload",
                "ecr:TagResource",
                "ecr:DescribeRepositories",
                "ecr:BatchCheckLayerAvailability",
                "ecr:ReplicateImage",
                "ecr:GetLifecyclePolicy",
                "ecr:PutLifecyclePolicy",
                "ecr:DescribeImageScanFindings",
                "ecr:GetLifecyclePolicyPreview",
                "ecr:PutImageScanningConfiguration",
                "ecr:GetDownloadUrlForLayer",
                "ecr:DeleteLifecyclePolicy",
                "ecr:PutImage",
                "ecr:UntagResource",
                "ecr:BatchGetImage",
                "ecr:DescribeImages",
                "ecr:StartLifecyclePolicyPreview",
                "ecr:InitiateLayerUpload",
                "ecr:GetRepositoryPolicy"
            ],
            "Resource": "<your repository>"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "ecr:GetRegistryPolicy",
                "ecr:BatchImportUpstreamImage",
                "ecr:CreateRepository",
                "ecr:DescribeRegistry",
                "ecr:DescribePullThroughCacheRules",
                "ecr:GetAuthorizationToken",
                "ecr:PutRegistryScanningConfiguration",
                "ecr:CreatePullThroughCacheRule",
                "ecr:DeletePullThroughCacheRule",
                "ecr:GetRegistryScanningConfiguration",
                "ecr:PutReplicationConfiguration"
            ],
            "Resource": "<your repository>"
        }
    ]
}