Getting started with VMware Tanzu Application Catalog

This guide walks you through getting started with the VMware Tanzu Application Catalog (Tanzu Application Catalog) environment.

In addition, you will learn how to consume the Tanzu Application Catalog content in the following ways:

  • Consume the Tanzu Application Catalog artifacts in your local machine via Docker or Helm CLI
  • Consume the Tanzu Application Catalog artifacts through Google Container Registry
  • Consume the Tanzu Application Catalog artifacts through a private repository: Harbor

Enterprises can consume and deploy trusted and updated applications from a catalog tailored to their needs. This catalog is distributed through a private repository to internal customers.

How Tanzu Application Catalog works

What to do first

Ensure:

To get started with Tanzu Application Catalog, follow the steps as explained in the sections below:

  1. Sign into Tanzu Application Catalog

    • Browse the Library page
  2. Browse Tanzu Application Catalog

  3. Create custom catalogs

  4. Consume Tanzu Application Catalog artifacts

  5. Delete applications from your catalog

Sign into Tanzu Application Catalog

Go to Tanzu Application Catalog and sign in using your VMware Account.

Tanzu Application Catalog login page

Browse the Library page

In the left navigation pane, click “Library”. A list of all the applications available on Tanzu Application Catalog appears.

In the Library page, you can use the “Search the library” filter to search by specific software component, format, architecture, base image, application category, security verification, and license. A list of the containers, Helm charts, and VMs available on Tanzu Application Catalog that match your filter criteria is displayed.

To get more information on any of the applications listed in the library, click “Details”. In the resulting screen, you will see the following information:

Library Details

  • Latest version: Refers to the latest version of the container images, Helm charts, and virtual machines.
  • Base Image: Indicates the different base images available for this application depending on the format.
  • Format: A format is a standardized way to package, distribute, and deploy software components. Tanzu Application Catalog packages applications in the form of container images, Helm charts, and virtual machines.
  • Architecture: Tanzu Application Catalog distributes its artifacts in either AMD64, ARM64 or both architectures.
  • Security Verification: Checks whether Helm charts are compliant with security standards, including validation for air-gapped environments, FIPS, non-root configuration for containers, and adherence to Pod Security Standards (PSA enforced) through the Pod Security admission controller.
  • CVE summary: Displays a summary of all the Common Vulnerabilities and Exposures (CVEs) classified by severity: critical, high, medium or low. This provides vital insights into potential vulnerabilities. It also enhances security awareness, aids in risk management, and ensures compliance before users add applications to the catalog. The CVE summary is only displayed for container images and virtual machines. By being aware of the CVEs associated with each base image and version, users can make informed decisions before adding applications to the catalog. For more information, see FAQs.

Browse Tanzu Application Catalog

Tanzu Application Catalog has an extensive collection of continuously maintained and tested container images and Helm charts.

Note

The actions you can perform after you log in are based on the roles assigned to your account. There are two types of roles:

  1. App Catalog Admin: This role allows a user to manage the catalog and see all the information regarding it. A user with this role can create application requests and manage base images and registries.
  2. App Catalog User: This role allows a user to see data through the catalog but not make any changes to it. They can’t perform application requests or manage registries and base images.

To view which role is assigned to you:

  1. In your VMware Cloud Services account, on the Cloud Services Console toolbar, click your user name and select “My Account”.
  2. Click the “My Roles” tab.
  3. Under Service Roles expand Tanzu Application Catalog to view the type of role assigned to you.

To browse the Tanzu Application Catalog:

  1. After signing into Tanzu Application Catalog, from the left navigation pane, click “Applications”.

    A list of all the applications available on Tanzu Application Catalog is displayed, along with the following information in graphs and tabular format:

    • Application releases: This is the number of new application versions that have been built, verified, and delivered into your registry or registries per day.
    • Vulnerabilities addressed by continuous update: The number of vulnerabilities that we have patched every day by releasing those updates into your registries. This number also includes future patches that upstream providers have officially committed to delivering.
    • Application packages: Shows the top package manager contributions to your OSS ecosystem to give you a sense of your reliance on and exposure to various open source ecosystems.

    Tanzu Application Catalog overview

  2. Click on individual artifacts to see information specific to each application. These applications are continuously updated, so that you can consume them for development and deployment. Each application contains the following graphs:

    • Number of packages ordered by type
    • Total number of CVEs: In the case of Photon images, TAC removes the CVEs that do not affect the application itself (VEX document associated)
    • Total number of different licenses

Browse Containers

To browse the extensive list of container images available on Tanzu Application Catalog, on the left pane, click the Container Image filter. A list of all the container images available on Tanzu Application Catalog is displayed with the following information:

  • Base image
  • Container image version
  • Release status of the container
  • Date of the most recent release
  • “Details” link to view more information associated with that container image

    Container general information

    If a container has more than one released version, then all the versions are displayed.

    Container branches version

You can use the following filters to search the container of your choice in the catalog:

  • By Type
  • By Status
  • By Operating System

The following image shows the catalog filtered by type, status, and operating system:

Container catalog filtered by operating system

You can view the following information when you click “Details” next to an application:

  • Name of the container and whether the image is a part of a Helm chart
  • Status of the release
  • Image References:
    • Digest: Repository URL where the image is stored
    • Container tags: use these tags to run your container
  • Build Time Reports: Click “Download” to save a copy of the available reports in your local machine. There are four types of reports for containers:

    • Asset Specification
    • Test Results
    • Antivirus Scan Result
    • CVE Scan Result, in both scanner-native and CVRF formats

    Container detail

    Note

    https://MY_REGISTRY/ is a placeholder. Replace it with the URL of the private registry where your catalog is located.

Browse Helm Charts

To browse the extensive list of Helm charts available on Tanzu Application Catalog, on the left pane, click the Helm Chart filter. A list of all the Helm charts available on Tanzu Application Catalog is displayed with the following information:

  • Base image
  • Chart version
  • Status of chart’s release
  • Date of the latest release
  • Dependencies: container image included in the chart and its related information such as status, base image, and release version
  • “Details” link to view more information associated with that chart or its container image

    Helm chart General Information

You can use the following filters to search the Helm charts of your choice in the catalog:

  • By type
  • By status
  • By operating system

The following image shows the catalog filtered by type, status, and operating system:

Helm charts catalog filtered by status

You can view the following information when you click “Details” next to a Helm chart:

  • Name of the Helm chart and if it has any container image as a dependency
  • Status of the release
  • Release information: commands to install the chart
  • Chart information: digest, name, version, and repository URL
  • Build Time Reports: Click “Download” to save a copy of the available reports in your local machine. There are two types of reports for charts:
    • Asset Specification
    • Test Results
  • Dependencies: Container image included in the chart and its related information such as status, base image and release version

    Helm chart detail

    You can inspect the chart dependencies by clicking the container image. You will see the information related to that container, showing a tag indicating that the selected container is a part of a Helm chart:

    Helm chart container dependencies

Create custom catalogs

Tanzu Application Catalog provides you with the option of creating your own custom catalog. To create a custom catalog:

  1. In the left navigation pane, click “Applications”.
  2. In the “My Applications” page, click “ADD NEW APPLICATIONS”.

    Request new applications

    The “Add New Applications” page is displayed.

    Add new applications

  3. Add new applications to Tanzu Application Catalog using either the Basic or Custom configuration. To know more about the configuration, see Configuration. Select one configuration, and then click “NEXT”.

    Note

    By choosing the “Basic” configuration you can get the applications from the community edition of Bitnami Application Catalog in your private repository.

  4. You can deploy Tanzu Application Catalog on Kubernetes or virtual machine platforms. Select one of the following platforms and the associated base image options, and then click “NEXT”:

    Important

    If you choose Basic configuration, you cannot select the VMware supported base image.

“Kubernetes” option


If you are deploying Tanzu Application Catalog on Kubernetes, click on the “Kubernetes” tile.

Select base image

A list of all the VMware supported base images for Kubernetes appears. Select a base image from the list.

Important

You can select the base image only if you have chosen Custom configuration in step 3. If you select the “Custom Base Image” option, a list of all the custom base images that you would have added previously will appear. Select a base image from the list and then click “NEXT”. If you wish to add a new custom base image, then follow these instructions:

  1. In the left navigation pane, click “Base Images”.

    The “Base Images” page appears.

  2. On the “Add New Image” tile, click “ADD”.

  3. In the “Add Custom Base Image” dialog, do the following and then click “ADD”:

    • Provide a name and description for the base image.

      • Select a registry that you have added to Tanzu Application Catalog.

        Note

        If you have not yet created any registry, or if you do not want to choose the existing registries and wish to add a new registry, see Adding a new Registry.

      • Enter the location or path to the base image in the chosen registry you configured previously. For example, base-images/debian:buster or just debian:buster depending on the registry URL you previously configured. If you don’t specify a version, then Tanzu Application Catalog considers the latest version.
      • Select an operating system for the base image.

      The base image that you added appears in the “My Custom Base Images” section.

      Add Custom Base Image

“Virtual Machines” option

Select base image

If you are deploying Tanzu Application Catalog on virtual machines, click on the “Virtual Machines” tile.

Note

The virtual machine image is provided in OVA format. Also, you can select the base image only if you have chosen Custom configuration in Step 3.

  1. Select the applications for your catalog and then click “NEXT”.

    Select applications

    The “Active Artifacts” counter, below the application list, displays the number of artifacts selected, total number of artifacts eligible for your subscription quota, and the number of artifacts remaining in your subscription quota.

    Example: At the time of adding a new application, your subscription entitles you to 25 artifacts. As you have already consumed five artifacts, the Active Artifacts counter displays “25 (20 left)”. If you select five more applications from the list, the Active Artifacts counter would display “25 (15 left)”.

    Note

    You will not be able to select an application in the following scenarios:

    • The application is not compatible with the base image that you have selected.
    • The application is already part of your catalog.

    Active Artifacts counter

  2. Then, you will see a list of all the registries you have previously added. Select the registry or registries from the list where you want to push the applications and click “NEXT”. To add a registry, see the section Adding a new registry.

    Selecting registries

    After your request is processed, all the applications and their updates will be pushed to the registry or registries you have selected in the previous step.

    Notes

    • If you have not yet created any registry, or if you do not want to choose the existing registries and want to add a new registry, see Adding a new Registry.
    • Tanzu Application Catalog supports Google Container Registry, Google Artifact Registry, Azure Container Registry, Amazon Elastic Container Registry, Harbor, JFrog Container Registry, GitHub Container Registry, and Nexus Container Registry. Enter the configuration details based on your storage registry provider.

  3. (Optional) Provide an appropriate name and description for your request and then click “NEXT”.

    Add name and description

  4. Review the summary of your request, make appropriate changes if required, and then click “SUBMIT”.

    A message appears confirming that your new application request has been successfully submitted.

    Note

    It may take up to two weeks to review and process your request. You can monitor the status of your request in the “My Requests” tab. It displays the list of all the requests you have submitted along with the status. It also displays the statistics of your active artifacts and requests. You can view the details by clicking the arrow next to each request.

    Application request status

After your request is processed, the application appears in the “My Applications” tab. It also shows the list of registries used for each request.

Consume Tanzu Application Catalog artifacts

Tanzu Application Catalog builds trusted and continuously maintained content that can be consumed in the following ways:

  • In your local machine via Docker or Helm CLI
  • Through Google Container Registry
  • Through a private repository: Harbor

Consume the Tanzu Application Catalog Artifacts in your local machine

Tip

For more information, see Consume Tanzu Application Catalog Helm charts in your local machine.

In this scenario, we will describe how to push the content to your local machine using the Docker or the Helm CLI depending on the type of content you want to use.

To run a container from Tanzu Application Catalog:

  1. Navigate to a catalog and click the “Details” link of the container you want to run.
  2. Copy any of the links you will find under the “Container Tags” section, depending on the base OS image you want to run.
  3. Execute the docker run command followed by the container tag you selected. The below command is an example of how to download and run the container image for Chartmuseum (replace the example registry URL shown with the corresponding URL for your Tanzu Application Catalog container registry):

    docker run gcr.io/myregistry/path/containers/photon-4/tomcat:10.1-photon-4
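
A pre-deployment check on the image reference copied from the “Container Tags” section, as an added example (not part of the original guide or of any Tanzu tooling): it parses the reference and reports when it points outside your catalog registry or is not pinned by digest. The function names, finding labels, the catalog URL derived from the example above and the digest value are constructed for illustration.

```python
import re

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
TAG_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9._-]{0,127}$")

# The page's example reference, plus constructed values for the demonstration.
PAGE_EXAMPLE = "gcr.io/myregistry/path/containers/photon-4/tomcat:10.1-photon-4"
CATALOG_REGISTRY_URL = "https://gcr.io/myregistry"   # assumed catalog registry
CONSTRUCTED_DIGEST = "sha256:" + "ab" * 32           # not a real image digest


def parse_image_ref(ref):
    """Split [registry/]repository[:tag][@digest] into its parts."""
    name, _, digest = ref.partition("@")
    if "@" in ref and not DIGEST_RE.match(digest):
        raise ValueError(f"malformed digest in {ref!r}")
    tag = ""
    # A colon after the last slash starts a tag; before it, a registry port.
    if name.rfind(":") > name.rfind("/"):
        name, _, tag = name.rpartition(":")
        if not TAG_RE.match(tag):
            raise ValueError(f"malformed tag in {ref!r}")
    if not name:
        raise ValueError(f"missing repository in {ref!r}")
    first, _, rest = name.partition("/")
    # Docker treats the first component as a registry host only when it
    # looks like one; otherwise the image is resolved against Docker Hub.
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, repository = first, rest
    else:
        registry, repository = "docker.io", name
    return {
        "registry": registry,
        "repository": repository,
        "tag": tag or None,
        "digest": digest or None,
    }


def check_image(ref, catalog_registry_url):
    """Return a list of findings; an empty list means the reference passes."""
    parts = parse_image_ref(ref)
    prefix = re.sub(r"^https?://", "", catalog_registry_url).rstrip("/")
    full = f"{parts['registry']}/{parts['repository']}"
    findings = []
    # Match on a path boundary so "myregistry-other" cannot pass as "myregistry".
    if not (full == prefix or full.startswith(prefix + "/")):
        findings.append("outside-catalog-registry")
    if parts["digest"] is None:
        findings.append("not-pinned-by-digest")
        # No tag means "latest", which moves whenever a new release is pushed.
        if parts["tag"] in (None, "latest"):
            findings.append("floating-tag")
    return findings


if __name__ == "__main__":
    for candidate in (
        PAGE_EXAMPLE,
        PAGE_EXAMPLE + "@" + CONSTRUCTED_DIGEST,
        "tomcat:10.1",                       # constructed: implicit Docker Hub
        "gcr.io/myregistry-other/tomcat",    # constructed: look-alike project
    ):
        print(candidate, "->", check_image(candidate, CATALOG_REGISTRY_URL) or "ok")
```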
    

To run a Helm chart from Tanzu Application Catalog:

  1. Navigate to a catalog and click the “Details” link of the chart you want to deploy.
  2. Copy the commands you will find in the “Helm Install” section and execute them in a terminal window on the machine where your Kubernetes cluster is running.

    Install Helm chart

Consume the Tanzu Application Catalog artifacts through Google Container Registry

The Tanzu Application Catalog that you are accessing automatically pushes the content of the container catalogs to Google Container Registry (GCR), so it is very easy to check and manage a container image from the Google Cloud platform user interface.

  1. Navigate to a container catalog and click the “Details” link of the container image you want to check.

  2. Copy the URL you will find under the “Digest” section.

    Containers URL

    • If you are not already logged in to Google Cloud Platform, log in. Then open a new tab in your browser and paste the URL in the navigation bar. You will be redirected to the Google Container Registry, where you will see all the information related to the container image you selected:

      Container Registry

  3. To pull the image, click “Show Pull Command”, copy the commands and paste them into a terminal window or in the Google Cloud Shell.

    Pull container image from Google Container Registry

Consume the Tanzu Application Catalog artifacts through a private repository: Harbor

Tip

For more information, see Consume Tanzu Application Catalog Images using a Private Harbor Registry.

Delete applications from your catalog

If you are no longer using an application, you can delete it from your catalog. This decreases the active artifacts consumption in your subscription.

When you delete an application, it will be greyed out and marked as deleted in your catalog. Tanzu Application Catalog stops releasing new updates to the deleted application in your catalog. After two months from the date of deletion, the application will be marked as archived and moved to the “Archived” tab.

To delete applications from your catalog:

  1. Go to “Applications”. In the “My Requests” tab, click “DELETE APPLICATIONS”.

    The Delete Application page appears.

  2. Select the applications that you want to delete from your catalog and then click “DELETE APPLICATIONS”.

    Note

    The “Used” count in the Active Artifacts counter changes for each application that you select for deletion.

    A message appears asking you to confirm that you want to delete the selected applications.

    Confirm Deletion

  3. Click “CONFIRM”.

    A message appears confirming that your request for deleting the applications has been submitted.

  4. Click “GO TO MY APPLICATIONS”.

    The “My Applications” tab is displayed. The “Release Status” of the applications that you deleted appears as “Deleting” and the “Released At” value will be “Stopped updates”. After two months, the deleted applications will no longer be listed in the “My Applications” tab. They will be moved to the “Archived” tab.

    Deleted Application Status

Adding a new registry

To add a new registry:

  1. In the left navigation pane, click “Registries”.

  2. In the “Registries” page that appears, click the “Add Registry” tile.

  3. In the “Add Registry” dialog, provide the following information and click “ADD”:

    • Provider
    • Name
    • Description
    • Registry URL
    • Username
    • Egress IP(s)

    Note

    The Egress IP(s) field appears only if the registry that you are trying to configure is either GCR or Harbor.

  4. Tanzu Application Catalog validates the registry you are trying to configure. After successful validation, a message appears confirming that your request to add a new registry has been successfully submitted.

  5. Click “OK”.

    The newly added registry appears in the “My Registries” section.

Google Container Registry (GCR)

To add GCR, do the following:

  • Ensure that you have enabled the container registry in GCR. For more information, see Enabling and disabling the service.
  • Enter the following configuration details:

    Field | Description
    Provider | Select the “Google Container Registry (GCR)” option.
    Name | Enter a name.
    Description | Enter a description.
    Registry URL | Enter the path to the GCR registry prefixed with https://. For example, https://gcr.io/myvacregistry. This corresponds to the base URL where the GCR instance resides. VAC pushes all the requested assets to this GCR instance. The registry URL contains the path to the repository. In GCR, repositories are created on the fly while pushing the subscribed assets for the first time.
    Credentials (JSON) | Copy and paste the contents of the Credentials.JSON file generated by GCR in the service account as shown in the image below. For more information on how to generate credentials in GCR, see JSON key file.

    Add Google Container Registry

Google Artifact Registry (GAR)

To add GAR, do the following:

  • Ensure that you have enabled the container registry in GAR. For more information, see Enabling and disabling the service.
  • Enter the following configuration details:

    Field | Description
    Provider | Select the “Google Artifact Registry (GAR)” option.
    Name | Enter a name.
    Description | Enter a description.
    Registry URL | Enter the path to the GAR registry prefixed with https://. For example, https://us-east4-docker.pkg.dev/my-registry. This corresponds to the base URL where the GAR instance resides. VAC pushes all the requested assets to this GAR instance. The registry URL contains the path to the repository. In GAR, repositories are created on the fly while pushing the subscribed assets for the first time.
    Credentials (JSON) | Copy and paste the contents of the Credentials.JSON file generated by GAR in the service account as shown in the image below. For more information on how to generate credentials in GAR, see JSON key file.

    Add Google Artifact Registry

Azure Container Registry

To add Azure Container Registry, do the following:

  • Ensure that you have created an Azure container registry. For more information on how to create a registry, see Create an Azure container registry using the Azure portal.
  • Enter the following configuration details:

    Field | Description
    Provider | Select the “Azure Container Registry” option.
    Name | Enter a name.
    Description | Enter a description.
    Registry URL | Enter the Azure login server path prefixed with https://. For example, https://myvacregistry.azurecr.io. This corresponds to the base URL where the Azure Container Registry instance resides. VAC pushes all the requested assets to this Azure container registry. The registry URL contains the path to the repository. In the Azure Container Registry, the repositories are created on the fly while pushing the subscribed assets for the first time.
    Access Key | Enter the username that corresponds to the username generated on the Azure portal. It is recommended to provide registry access by generating a service principal with read and write access. For more information on how to generate a service principal object, see Azure Container Registry authentication with service principals.
    Password | Enter the password that corresponds to the password generated on the Azure portal. It is recommended to provide registry access by generating a service principal with read and write access. For more information on how to generate a service principal object, see Azure Container Registry authentication with service principals.

    Add Azure Container Registry

Amazon Elastic Container Registry

To add Amazon Elastic Container Registry, do the following:

  • Ensure that you have created an IAM user with enough permissions to push and pull artifacts to the registry.
  • Enter the following configuration details:

    Field | Description
    Provider | Select the “Amazon Elastic Container Registry” option.
    Name | Enter a name.
    Description | Enter a description.
    Registry URL | Enter the Amazon ECR login server path prefixed with https://. For example, https://456981234946.dkr.ecr.us-east-1.amazonaws.com. This corresponds to the base URL where the Amazon Elastic Container Registry instance resides. VAC pushes all the requested assets to this Amazon container registry. The registry URL contains the path to the repository. In the Amazon Elastic Container Registry, the repositories are created on the fly while pushing the subscribed assets for the first time.
    Access Key ID | Enter the Access Key ID created on the AWS portal. It is recommended to provide registry access by generating an IAM user with read and write access. For more information on how to configure ECR access, see Identity and Access Management for Amazon Elastic Container Registry.
    Secret Access Key | Enter the Secret Access Key created on the AWS portal. It is recommended to provide registry access by generating an IAM user with read and write access. For more information on how to configure ECR access, see Identity and Access Management for Amazon Elastic Container Registry.

    Add Amazon Elastic Container Registry

Harbor

To add a Harbor registry, do the following:

  • Ensure that you have created a project in Harbor. For more information on how to create a project, see Create Projects.

  • Enter the following configuration details:

    Field | Description
    Provider | Select the “Harbor” option.
    Name | Enter a name.
    Description | Enter a description.
    Registry URL | Enter the path to the Harbor project prefixed with https://. For example, https://MY_REGISTRY/goharbor.io/myproject. This corresponds to the base URL where the Harbor project instance resides. VAC pushes all the requested assets to this Harbor project. The registry URL contains the path to the repository. In Harbor, the repositories are created on the fly while pushing the subscribed assets for the first time.
    Access Key | Enter the username that corresponds to the username generated on the Harbor portal. It is recommended to provide registry access by generating a robot account with read and write access. For more information on robot accounts, see Create Project Robot Accounts.
    Password | Enter the password that corresponds to the password generated on the Harbor portal. It is recommended to provide registry access by generating a robot account with read and write access. For more information on robot accounts, see Create Project Robot Accounts.

    Add Harbor Container Registry

JFrog Container Registry (JCR)

To add a JFrog Container Registry, do the following:

  • Ensure that you have created a JFrog Container Registry. For more information on how to create a registry, see Getting Started With Artifactory as a Docker Registry.

  • Enter the following configuration details:

    Field | Description
    Provider | Select the “JFrog Container Registry (JCR)” option.
    Name | Enter a name.
    Description | Enter a description.
    Registry URL | Enter the path to the JCR registry prefixed with https://. For example, https://myvacregistry-docker-local.artifactory.acme.com (the URL may vary depending on whether the Artifactory instance is in the cloud or self-hosted). This corresponds to the base URL where the JCR instance resides. VAC pushes all the requested assets to this JCR instance. The registry URL contains the path to the repository. In JCR, repositories are created on the fly while pushing the subscribed assets for the first time.
    Username | Enter the username that corresponds to the username generated on the JCR portal.
    Password | Enter the password that corresponds to the password generated on the JCR portal.

    Add JFrog Container Registry

GitHub Container Registry (GHCR)

To add a GitHub Container Registry, do the following:

  • Ensure that you have enabled the container registry in GHCR. For more information, see Working with the Container Registry.

  • Enter the following configuration details:

    Field | Description
    Provider | Select the “GitHub Container Registry” option.
    Name | Enter a name.
    Description | Enter a description.
    Registry URL | Enter the GHCR login server path prefixed with https://. For example, https://ghcr.io/mygithubaccount. This corresponds to the base URL where the GitHub Container Registry instance resides. VAC pushes all the requested assets to this GitHub Container registry. The registry URL contains the path to the repository.
    Username | Enter the username of your GitHub account. (It could be an org, an enterprise or a user).
    Password | Provide the Personal Access Token with write packages permission. For more information on how to generate a Personal Access Token, see Authenticating with a personal access token (classic).

    Add GitHub Container Registry

Nexus Container Registry

To add Nexus Registry, do the following:

  • Ensure that you have created a Nexus container registry with “Strict Content Type Validation” disabled. For more information on how to create a registry, see Adding Hosted Repository for Docker.

  • Enter the following configuration details:

    Field | Description
    Provider | Select the “Nexus Repository Manager” option.
    Name | Enter a name.
    Description | Enter a description.
    Registry URL | Enter the Nexus Docker Repository path prefixed with https://. For example, https://mynexus.repository.example.com/repository/myrepository. This corresponds to the base URL where the Nexus registry resides. Tanzu Application Catalog pushes all the requested assets to this registry.
    Username | Enter the username that corresponds to the username generated on the Nexus portal. It is recommended to provide registry access by generating a robot account with read and write access. For more information on how to generate a robot account, see Managing users.
    Password | Enter the Personal Access Token with write packages permission. For more information on how to create tokens based on a user, see Security Setup with User Tokens.

    Add Nexus Container Registry

Obtain registry credentials

Before using the Tanzu Application Catalog, it is necessary to obtain credentials for the Tanzu Application Catalog registry. These credentials allow you to access the registry, and pull the container images and Helm charts. Follow these steps:

  1. On the left navigation pane, click “Registries”.
  2. Under the My Registry tab, click “DETAILS” for the newly added registry.
  3. In the “Registry Credentials” tab, click “GENERATE NEW CREDENTIALS”.
  4. In the resulting dialog box, enter a description for the new credentials. Click “GENERATE THE NEW CREDENTIALS”. The credentials are generated and displayed.

    Note the username and token, or click “Download as JSON file” to download them as a JSON file. The default name of the downloaded file is ‘_json_key.json’.

    For a cluster to use the registry, it must have a secret that contains the registry key that was created. For example, to create a secret called ‘mydockercfg’, run the following command:

    kubectl create secret docker-registry mydockercfg \
      --docker-server "HOSTED_REGISTRY_URL" \
      --docker-username "_json_key" \
      --docker-password="$(cat _json_key.json)"
    

    When deploying a Helm chart, it’s necessary to instruct the pods to pull images using the registry secret. This is done by setting the imagePullSecrets value in the helm command. For example, if you want to deploy Apache from your VMware registry using a secret named mydockercfg, use the following command:

    helm install oci://HOSTED_REGISTRY/charts/photon-4/apache --version 11.0.10 --generate-name --set "global.imagePullSecrets[0]=mydockercfg"
    
Note

These credentials will not be displayed again, so ensure that you download or copy them to a secure location, as you will need them in subsequent steps.
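
What the `mydockercfg` secret contains, as an added example (not part of the original guide or of any Tanzu tooling): it builds the same kind of `kubernetes.io/dockerconfigjson` Secret from the downloaded key file and audits an existing one without revealing the token. The function names are hypothetical and `SAMPLE_KEY_FILE` is a constructed placeholder, since the real file's fields are whatever Tanzu Application Catalog generated.

```python
import base64
import json

# Constructed placeholder standing in for the downloaded _json_key.json file.
SAMPLE_KEY_FILE = '{\n  "placeholder_field": "constructed-value:with-colon"\n}\n'


def build_pull_secret(name, server, key_file_text, namespace="default"):
    """Build a Secret equivalent to `kubectl create secret docker-registry`."""
    username = "_json_key"      # fixed username used in the command above
    password = key_file_text    # the whole key file is the password
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    docker_config = {
        "auths": {
            server: {"username": username, "password": password, "auth": auth}
        }
    }
    encoded = base64.b64encode(json.dumps(docker_config).encode()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": encoded},
    }


def inspect_pull_secret(manifest):
    """Summarise a pull secret (server, username) without showing the token."""
    if manifest.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("not a kubernetes.io/dockerconfigjson secret")
    raw = base64.b64decode(manifest["data"][".dockerconfigjson"])
    config = json.loads(raw)
    report = []
    for server, entry in sorted(config.get("auths", {}).items()):
        decoded = base64.b64decode(entry.get("auth", "")).decode()
        # Split on the first colon only: the key file itself contains colons.
        user, _, password = decoded.partition(":")
        report.append({
            "server": server,
            "username": user,
            "auth_matches_fields": (
                user == entry.get("username")
                and password == entry.get("password")
            ),
        })
    return report


if __name__ == "__main__":
    secret = build_pull_secret("mydockercfg", "HOSTED_REGISTRY_URL", SAMPLE_KEY_FILE)
    # Print only the audit summary; the manifest itself holds the token.
    print(json.dumps(inspect_pull_secret(secret), indent=2))
```

The manifest returned by `build_pull_secret` can be serialised with `json.dumps` and piped to `kubectl apply -f -`, which keeps the token out of the process command line. `inspect_pull_secret` accepts the output of `kubectl get secret mydockercfg -o json` once parsed with `json.loads`.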

Summary

After going through this section with your account, you should be able to see the catalog examples that we have built, how to view the anti-virus and CVE results, and how to consume the artifacts that are in the Tanzu Application Catalog.

For a customized testing experience, contact your VMware sales representative. They will work with you to create a POC that includes your target format, base image, and applications of your choice.
