Install the Tanzu Build Service dependencies

This topic tells you how to install the Tanzu Build Service (TBS) full dependencies on Tanzu Application Platform (commonly known as TAP).

Install full dependencies

Important

By default, Tanzu Build Service is installed with lite dependencies.

When installing Tanzu Build Service in an air-gapped environment, the lite dependencies are not available because they require Internet access. You must install the full dependencies.

To install full dependencies:

1. Get the latest version of the Tanzu Application Platform package by running:

   tanzu package available list tap.tanzu.vmware.com --namespace tap-install
   

2. If you have not done so already, you must exclude the default dependencies by adding the key-value pair exclude_dependencies: true to your tap-values.yaml file under the buildservice section. For example:

   buildservice:
     exclude_dependencies: true
   

3. If you have not updated your Tanzu Application Platform package installation after adding the key-value pair exclude_dependencies: true to your values file, perform the update by running:

   tanzu package installed update tap --namespace tap-install --values-file VALUES-FILE
   

   Where VALUES-FILE is the path to the tap-values.yaml file you edited earlier.

4. Relocate the Tanzu Build Service full dependencies package repository by doing one of the following:

   • Relocate the images directly for online installation:

     imgpkg copy \
       -b tanzu.packages.broadcom.com/tanzu-application-platform/full-deps-package-repo:VERSION \
       --to-repo ${INSTALL_REGISTRY_HOSTNAME}/full-deps-package-repo
     

     Where VERSION is the version of the Tanzu Application Platform package you retrieved earlier.

   • Relocate the images to an external storage device and then to the registry in the air-gapped environment:

     imgpkg copy \
       -b tanzu.packages.broadcom.com/tanzu-application-platform/full-deps-package-repo:VERSION \
       --to-tar=full-deps-package-repo.tar
     
     # move full-deps-package-repo.tar to environment with registry access
     imgpkg copy \
       --tar full-deps-package-repo.tar \
       --to-repo=INSTALL-REGISTRY-HOSTNAME/TARGET-REPOSITORY/full-deps-package-repo
     

     Where:

     • VERSION is the version of the Tanzu Application Platform package you retrieved earlier.
     • INSTALL-REGISTRY-HOSTNAME is your container registry.
     • TARGET-REPOSITORY is your target repository.

5. Add the Tanzu Build Service full dependencies package repository by running:

   tanzu package repository add full-deps-package-repo \
     --url INSTALL-REGISTRY-HOSTNAME/TARGET-REPOSITORY/full-deps-package-repo:VERSION \
     --namespace tap-install
   

   Where:

   • INSTALL-REGISTRY-HOSTNAME is your container registry.
   • TARGET-REPOSITORY is your target repository.
   • VERSION is the version of the Tanzu Application Platform package you retrieved earlier.

6. Create a new tbs-full-deps-values.yaml and copy the kp_default_repository key-value pair from your tap-values.yaml or tbs-values.yaml:

   ---
    kp_default_repository: "REPO-NAME"
    kp_default_repository_secret:
      name: kp-default-repository-creds
      namespace: tap-install
   

   Where REPO-NAME is copied from the buildservice.kp_default_repository field in your tap-values.yaml or tbs-values.yaml.

   1. (Optional) Install the UBI builder.

      The UBI builder uses Red Hat Universal Base Image (UBI) v8 for both build and run images. This builder only supports Java and Node.js. To install the UBI builder, add the key-value pair enable_ubi_builder: true to your tbs-full-deps-values.yaml.

      ---
      enable_ubi_builder: true
      

   2. (Optional) Install the Static builder.

      The Static builder uses Ubuntu Jammy for both build images and a minimal static run image. This builder only supports Golang. To install the Static builder, add the key-value pair enable_static_builder: true to your tbs-full-deps-values.yaml.

      ---
      enable_static_builder: true
      

7. Install the full dependencies package by running:

   tanzu package install full-deps \
     --package full-deps.buildservice.tanzu.vmware.com \
     --version "> 0.0.0" \
     --namespace tap-install \
     --values-file VALUES-FILE
   

   Where VALUES-FILE is the path to the tbs-full-deps-values.yaml you created earlier.

(Optional) Update dependencies out of band of Tanzu Application Platform releases

Tanzu Build Service dependencies might be upgraded between Tanzu Application Platform releases, for example, if a CVE is discovered in the OS (stack update) or language (buildpack update).

Automatic dependency updates enable your cluster to consume the stack and buildpack updates immediately instead of waiting for the next Tanzu Application Platform patch release to pull in the updated dependencies.

• Updates are provided through a separate package repository with available version lines for all supported Tanzu Application Platform minor versions.
• Within a version line, only patch versions are incremented to avoid breaking changes.
• You can customize the packages that you want the automatic dependency updater to update through your tap-values.yaml file or your full dependencies values.

Prerequisites: These steps assume a registry secret already exists in the cluster for accessing tanzu-build.packages.broadcom.com and your registry.

To enable automatic dependency updates:

1. Relocate the dependency updater package repository to the air-gapped container image registry:

   • If a machine with access to both the air-gapped registry and the internet is available, you can copy the images directly by running:

     imgpkg copy \
       -b tanzu-build.packages.broadcom.com/build-service-dependency-updater/package-repo:VERSION-CONSTRAINT \
       --to-repo INTERNAL-REPO
     

     Where:

     • VERSION-CONSTRAINT is the Tanzu Application Platform version in the form of MAJOR.MINOR.x. For example, 1.8.x.
     • INTERNAL-REPO is your repository in the air-gapped container image registry. Examples:
       • Harbor has the form MY-REGISTRY/REPO-NAME/tbs-dep-updater.
       • Docker Hub has the form MY-REGISTRY/tbs-dep-updater.
       • Google Cloud Registry has the form MY-REGISTRY/MY-PROJECT/REPO-NAME/tbs-dep-updater.

   • If you can only transfer the data using a physical external storage device:

     1. Copy the images into a .tar file from tanzu.packages.broadcom.com by running:

        imgpkg copy \
          -b tanzu-build.packages.broadcom.com/build-service-dependency-updater/package-repo:VERSION-CONSTRAINT \
          --to-tar dependency-updater-VERSION-CONSTRAINT.tar \
          --include-non-distributable-layers
        

        Where VERSION-CONSTRAINT is the Tanzu Application Platform version in the form of MAJOR.MINOR.x. For example, 1.8.x.

     2. Import the .tar files into the air-gapped container image registry by running:

        imgpkg copy \
          --tar dependency-updater-VERSION-CONSTRAINT.tar \
          --to-repo INTERNAL-REPO \
          --include-non-distributable-layers \
          --registry-ca-cert-path $REGISTRY_CA_PATH
        

        Where:

        • VERSION-CONSTRAINT is the Tanzu Application Platform version in the form of MAJOR.MINOR.x. For example, 1.8.x.
        • INTERNAL-REPO is your repository in the air-gapped container image registry. Examples:
          • Harbor has the form MY-REGISTRY/REPO-NAME/tbs-dep-updater.
          • Docker Hub has the form MY-REGISTRY/tbs-dep-updater.
          • Google Cloud Registry has the form MY-REGISTRY/MY-PROJECT/REPO-NAME/tbs-dep-updater.

2. Add the following to your tap-values.yaml file:

   buildservice:
     dependency_updates:
       allow: true
       scope: SCOPE
       include_packages: [""]
       exclude_packages: [""]
   

   Where:

   • SCOPE is the list of dependencies you want updated. The options are:
     • stacks-only (default): Only stacks and builders are updated. This addresses CVEs in the base image or operating system.
     • all: Stacks, builders, and buildpacks are updated. This addresses CVEs in the base image or operating system and CVEs in the language toolchain such as compilers, interpreters, and standard libraries.
     • custom: This list is empty by default. Use the include_packages key to add packages to be updated.

   Note

   You must update the Tanzu Application Platform package install and the Full Dependencies package install after changing the tap-values.yaml.

3. Add the Tanzu Build Service Dependency Updates package repository by running:

   kubectl apply -f - <<EOF
     apiVersion: packaging.carvel.dev/v1alpha1
     kind: PackageRepository
     metadata:
       name: tbs-dependencies-package-repository
       namespace: tap-install
     spec:
       fetch:
         imgpkgBundle:
           image: DEPENDENCY-UPDATER-PACKAGE-REPO
           tagSelection:
             semver:
               constraints: VERSION-CONSTRAINT
   EOF
   

   Where:

   • DEPENDENCY-UPDATER-PACKAGE-REPO is the location of the package repository. This is tanzu-build.packages.broadcom.com/build-service-dependency-updater/package-repo for online installs and the internal container image registry for air-gapped installs.
   • VERSION-CONSTRAINT is the Tanzu Application Platform version in the form of MAJOR.MINOR.x. For example, 1.8.x.

After completing this configuration, the repository you set with DEPENDENCY-UPDATER-PACKAGE-REPO will be polled for updates and any new releases will automatically be made available to the cluster.

Next steps

• Configure custom CAs for Tanzu Developer Portal