Install Tanzu Application Platform package and profiles
This topic tells you how to install Tanzu Application Platform (commonly known as TAP) packages from your Tanzu Application Platform package repository.
Before installing the packages, ensure you have:
- Completed the Prerequisites.
- Configured and verified the cluster.
- Installed Tanzu CLI with any required plug-ins.
Relocate images to a registry
Before installation, you must relocate the Tanzu Application Platform images from tanzu.packages.broadcom.com to your own container image registry.
The supported registries are Harbor, Azure Container Registry, Google Container Registry, and Quay.io. See the following documentation to learn how to set up your container image registry:
To relocate images from tanzu.packages.broadcom.com to your registry:
-
Retrieve your Broadcom registry API token:
-
Sign in to the Broadcom Support Portal.
-
Go to Tanzu Application Platform (TAP) and expand the VMware Tanzu Application Platform dropdown.
-
Click the Token Download icon next to the Tanzu Application Platform version you want to download.
-
Follow the instructions in the dialog box. Save the token as a variable named
MY_BROADCOM_SUPPORT_ACCESS_TOKEN. For example:export MY_BROADCOM_SUPPORT_ACCESS_TOKEN=API-TOKENWhere
API-TOKENis your token from the Broadcom Support Portal.
-
-
Set up the environment variables required for installation by running:
# Set tanzu.packages.broadcom.com as the source registry to copy the Tanzu Application Platform packages from. export IMGPKG_REGISTRY_HOSTNAME_0=tanzu.packages.broadcom.com export IMGPKG_REGISTRY_USERNAME_0=MY-BROADCOM-SUPPORT-USERNAME export IMGPKG_REGISTRY_PASSWORD_0=${MY_BROADCOM_SUPPORT_ACCESS_TOKEN} # The user’s registry for copying the Tanzu Application Platform package to. export IMGPKG_REGISTRY_HOSTNAME_1=MY-REGISTRY export IMGPKG_REGISTRY_USERNAME_1=MY-REGISTRY-USER export IMGPKG_REGISTRY_PASSWORD_1=MY-REGISTRY-PASSWORD # These environment variables starting with IMGPKG_* are used by the imgpkg command only. # The registry from which the Tanzu Application Platform package is retrieved. export INSTALL_REGISTRY_USERNAME="${IMGPKG_REGISTRY_USERNAME_1}" export INSTALL_REGISTRY_PASSWORD="${IMGPKG_REGISTRY_PASSWORD_1}" export INSTALL_REGISTRY_HOSTNAME="${IMGPKG_REGISTRY_HOSTNAME_1}" export TAP_VERSION=VERSION-NUMBER export INSTALL_REPO=TARGET-REPOSITORY # The user’s registry used by Tanzu Application Platform to store built images and the Tanzu Build Service dependencies. These credentials must have write permission. export MY_REGISTRY_USERNAME="${IMGPKG_REGISTRY_USERNAME_1}" export MY_REGISTRY_PASSWORD="${IMGPKG_REGISTRY_PASSWORD_1}" export MY_REGISTRY_HOSTNAME="${IMGPKG_REGISTRY_HOSTNAME_1}"Where:
MY-BROADCOM-SUPPORT-USERNAMEis the user with access to the images intanzu.packages.broadcom.com.MY-REGISTRYis your own container registry.MY-REGISTRY-USERis the user with write access toMY-REGISTRY.MY-REGISTRY-PASSWORDis the password forMY-REGISTRY-USER.VERSION-NUMBERis your Tanzu Application Platform version. For example,1.10.1.TARGET-REPOSITORYis your target repository. This is a folder or repository onMY-REGISTRYthat serves as the location for the Tanzu Application Platform installation files.
VMware recommends using a JSON key file to authenticate with Google Container Registry. In this case, the value of
INSTALL_REGISTRY_USERNAMEis_json_keyand the value ofINSTALL_REGISTRY_PASSWORDis the content of the JSON key file. For more information about how to generate the JSON key file, see Google Container Registry documentation. -
Install the Carvel tool imgpkg CLI.
To query for the available versions of Tanzu Application Platform on
tanzu.packages.broadcom.com, run:imgpkg tag list -i tanzu.packages.broadcom.com/tanzu-application-platform/tap-packages | sort -V -
Relocate the images with the
imgpkgCLI by running:imgpkg copy -b tanzu.packages.broadcom.com/tanzu-application-platform/tap-packages:${TAP_VERSION} --to-repo ${INSTALL_REGISTRY_HOSTNAME}/${INSTALL_REPO}/tap-packages
Add the Tanzu Application Platform package repository
Tanzu CLI packages are available through repositories. Adding the Tanzu Application Platform package repository makes Tanzu Application Platform and its packages available for installation.
# The user’s registry used by Tanzu Application Platform to store built images and the Tanzu Build Service dependencies. These credentials must have write permission.
export MY_REGISTRY_USERNAME=MY-REGISTRY-USERNAME
export MY_REGISTRY_PASSWORD=MY-REGISTRY-PASSWORD
export MY_REGISTRY_HOSTNAME=MY-REGISTRY
Where:
MY-REGISTRY-USERNAMEis the user with write access to your container registry.MY-REGISTRY-PASSWORDis the password forMY-REGISTRY-USERNAME.MY-REGISTRYis your own container registry.
To add the Tanzu Application Platform package repository to your cluster:
-
Create a namespace called
tap-installfor deploying any component packages by running:kubectl create ns tap-installThis namespace keeps the objects grouped together logically.
-
Create a registry secret by running:
tanzu secret registry add tap-registry \ --username ${INSTALL_REGISTRY_USERNAME} --password ${INSTALL_REGISTRY_PASSWORD} \ --server ${INSTALL_REGISTRY_HOSTNAME} \ --export-to-all-namespaces --yes --namespace tap-install -
Create a secret for accessing the user’s registry by running:
tanzu secret registry add registry-credentials \ --server ${MY_REGISTRY_HOSTNAME} \ --username ${MY_REGISTRY_USERNAME} \ --password ${MY_REGISTRY_PASSWORD} \ --namespace tap-install \ --export-to-all-namespaces \ --yes -
Add the Tanzu Application Platform package repository to the cluster by running:
tanzu package repository add tanzu-tap-repository \ --url ${INSTALL_REGISTRY_HOSTNAME}/${INSTALL_REPO}/tap-packages:$TAP_VERSION \ --namespace tap-install -
Get the status of the Tanzu Application Platform package repository, and ensure the status updates to
Reconcile succeededby running:tanzu package repository get tanzu-tap-repository --namespace tap-installFor example:
$ tanzu package repository get tanzu-tap-repository --namespace tap-install - Retrieving repository tap... NAME: tanzu-tap-repository VERSION: 16253001 REPOSITORY: tapmdc.azurecr.io/mdc/1.4.0/tap-packages TAG: 1.10.1 STATUS: Reconcile succeeded REASON:Note
The
VERSIONandTAGnumbers differ from the earlier example if you are on Tanzu Application Platform v1.0.2 or earlier. -
List the available packages by running:
tanzu package available list --namespace tap-installFor example:
$ tanzu package available list --namespace tap-install / Retrieving available packages... NAME DISPLAY-NAME SHORT-DESCRIPTION accelerator.apps.tanzu.vmware.com Application Accelerator for VMware Tanzu Used to create new projects and configurations. api-portal.tanzu.vmware.com API portal A unified user interface for API discovery and exploration at scale. apis.apps.tanzu.vmware.com API Auto Registration for VMware Tanzu A TAP component to automatically register API exposing workloads as API entities in TAP GUI. backend.appliveview.tanzu.vmware.com Application Live View for VMware Tanzu App for monitoring and troubleshooting running apps buildservice.tanzu.vmware.com Tanzu Build Service Tanzu Build Service enables the building and automation of containerized software workflows securely and at scale. carbonblack.scanning.apps.tanzu.vmware.com VMware Carbon Black for Supply Chain Security Tools - Scan Default scan templates using VMware Carbon Black cartographer.conventions.apps.tanzu.vmware.com Convention Service for VMware Tanzu Convention Service enables app operators to consistently apply desired runtime configurations to fleets of workloads. cartographer.tanzu.vmware.com Cartographer Kubernetes native Supply Chain Choreographer. cnrs.tanzu.vmware.com Cloud Native Runtimes Cloud Native Runtimes is a serverless runtime based on Knative connector.appliveview.tanzu.vmware.com Application Live View Connector for VMware Tanzu App for discovering and registering running apps controller.source.apps.tanzu.vmware.com Tanzu Source Controller Tanzu Source Controller enables workload create/update from source code. conventions.appliveview.tanzu.vmware.com Application Live View Conventions for VMware Tanzu Application Live View convention server developer-conventions.tanzu.vmware.com Tanzu App Platform Developer Conventions Developer Conventions external-secrets.apps.tanzu.vmware.com External Secrets Operator External Secrets Operator is a Kubernetes operator that integrates external secret management systems. fluxcd-source-controller.tanzu.vmware.com Flux Source Controller The source-controller is a Kubernetes operator, specialised in artifacts acquisition from external sources such as Git, Helm repositories and S3 buckets. grype.scanning.apps.tanzu.vmware.com Grype for Supply Chain Security Tools - Scan Default scan templates using Anchore Grype metadata-store.apps.tanzu.vmware.com Supply Chain Security Tools - Store Post SBoMs and query for image, package, and vulnerability metadata. namespace-provisioner.apps.tanzu.vmware.com Namespace Provisioner Automatic Provisioning of Developer Namespaces. ootb-delivery-basic.tanzu.vmware.com Tanzu App Platform Out of The Box Delivery Basic Out of The Box Delivery Basic. ootb-supply-chain-basic.tanzu.vmware.com Tanzu App Platform Out of The Box Supply Chain Basic Out of The Box Supply Chain Basic. ootb-supply-chain-testing-scanning.tanzu.vmware.com Tanzu App Platform Out of The Box Supply Chain with Testing and Scanning Out of The Box Supply Chain with Testing and Scanning. ootb-supply-chain-testing.tanzu.vmware.com Tanzu App Platform Out of The Box Supply Chain with Testing Out of The Box Supply Chain with Testing. ootb-templates.tanzu.vmware.com Tanzu App Platform Out of The Box Templates Out of The Box Templates. policy.apps.tanzu.vmware.com Supply Chain Security Tools - Policy Controller Policy Controller enables defining of a policy to restrict unsigned container images. scanning.apps.tanzu.vmware.com Supply Chain Security Tools - Scan Scan for vulnerabilities and enforce policies directly within Kubernetes native Supply Chains. service-bindings.labs.vmware.com Service Bindings for Kubernetes Service Bindings for Kubernetes implements the Service Binding Specification. services-toolkit.tanzu.vmware.com Services Toolkit The Services Toolkit enables the management, lifecycle, discoverability and connectivity of Service Resources (databases, message queues, DNS records, etc.). snyk.scanning.apps.tanzu.vmware.com Snyk for Supply Chain Security Tools - Scan Default scan templates using Snyk spring-boot-conventions.tanzu.vmware.com Tanzu Spring Boot Conventions Server Default Spring Boot convention server. sso.apps.tanzu.vmware.com AppSSO Application Single Sign-On for Tanzu tap-auth.tanzu.vmware.com Default roles for Tanzu Application Platform Default roles for Tanzu Application Platform tap-gui.tanzu.vmware.com Tanzu Developer Portal web app graphical user interface for Tanzu Application Platform tap-telemetry.tanzu.vmware.com Telemetry Collector for Tanzu Application Platform Tanzu Application Platform Telemetry tap.tanzu.vmware.com Tanzu Application Platform Package to install a set of TAP components to get you started based on your use case. tekton.tanzu.vmware.com Tekton Pipelines Tekton Pipelines is a framework for creating CI/CD systems.
Install your Tanzu Application Platform profile
The tap.tanzu.vmware.com package installs predefined sets of packages based on your profile settings. This is done by using the package manager installed by Tanzu Cluster Essentials.
For more information about profiles, see Components and installation profiles.
To prepare to install a profile:
-
List version information for the package by running:
tanzu package available list tap.tanzu.vmware.com --namespace tap-install -
Create a
tap-values.yamlfile by using the Full Profile sample in the following section as a guide. These samples have the minimum configuration required to deploy Tanzu Application Platform. The sample values file contains the necessary defaults for:- The meta-package, or parent Tanzu Application Platform package.
- Subordinate packages, or individual child packages.
Keep the values file for future configuration use.
Note
tap-values.yamlis set as a Kubernetes secret, which provides secure means to read credentials for Tanzu Application Platform components. - View possible configuration settings for your package
Full profile
The following is the YAML file sample for the full-profile. The profile: field takes full as the default value, but you can also set it to iterate, build, run or view. Refer to Install multicluster Tanzu Application Platform profiles for more information.
shared:
ingress_domain: "INGRESS-DOMAIN"
ingress_issuer: # Optional, can denote a cert-manager.io/v1/ClusterIssuer of your choice. Defaults to "tap-ingress-selfsigned".
image_registry:
project_path: "SERVER-NAME/REPO-NAME"
secret:
name: "KP-DEFAULT-REPO-SECRET"
namespace: "KP-DEFAULT-REPO-SECRET-NAMESPACE"
kubernetes_distribution: "K8S-DISTRO" # Only required if the distribution is OpenShift and must be used with the following kubernetes_version key.
kubernetes_version: "K8S-VERSION" # Required regardless of distribution when Kubernetes version is 1.25 or later.
ca_cert_data: | # To be passed if using custom certificates.
-----BEGIN CERTIFICATE-----
MIIFXzCCA0egAwIBAgIJAJYm37SFocjlMA0GCSqGSIb3DQEBDQUAMEY...
-----END CERTIFICATE-----
ceip_policy_disclosed: FALSE-OR-TRUE-VALUE # Installation fails if this is not set to true. Not a string.
#The above keys are minimum numbers of entries needed in tap-values.yaml to get a functioning TAP Full profile installation.
#Below are the keys which may have default values set, but can be overridden.
profile: full # Can take iterate, build, run, view.
supply_chain: basic # Can take testing, testing_scanning.
ootb_supply_chain_basic: # Based on supply_chain set above, can be changed to ootb_supply_chain_testing, ootb_supply_chain_testing_scanning.
source:
credentials_secret: "GIT-SOURCE-CREDENTIAL-SECRET-NAME" # (Optional) Defaults to "".
registry:
server: "SERVER-NAME" # Takes the value from the shared section by default, but can be overridden by setting a different value.
repository: "REPO-NAME" # Takes the value from the shared section by default, but can be overridden by setting a different value.
gitops:
credentials_secret: "GITOPS-CREDENTIAL-SECRET-NAME" # (Optional) Defaults to "".
contour:
envoy:
service:
type: LoadBalancer # This is set by default, but can be overridden by setting a different value.
buildservice:
# Takes the value from the shared section by default, but can be overridden by setting a different value.
kp_default_repository: "KP-DEFAULT-REPO"
kp_default_repository_secret: # Takes the value from the shared section above by default, but can be overridden by setting a different value.
name: "KP-DEFAULT-REPO-SECRET"
namespace: "KP-DEFAULT-REPO-SECRET-NAMESPACE"
local_source_proxy:
# Takes the value from the project_path under the image_registry section of shared by default, but can be overridden by setting a different value.
repository: "EXTERNAL-REGISTRY-FOR-LOCAL-SOURCE"
push_secret:
# When set to true, the secret mentioned in this section is automatically exported to Local Source Proxy's namespace.
name: "EXTERNAL-REGISTRY-FOR-LOCAL-SOURCE-SECRET"
namespace: "EXTERNAL-REGISTRY-FOR-LOCAL-SOURCE-SECRET-NAMESPACE"
# When set to true, the secret mentioned in this section is automatically exported to Local Source Proxy's namespace.
create_export: true
tap_gui:
metadataStoreAutoconfiguration: true # Creates a service account, the Kubernetes control plane token and the requisite app_config block to enable communications between Tanzu Developer Portal and SCST - Store.
app_config:
auth:
allowGuestAccess: true # This allows unauthenticated users to log in to your portal. If you want to deactivate it, make sure you configure an alternative auth provider.
catalog:
locations:
- type: url
target: https://GIT-CATALOG-URL/catalog-info.yaml
metadata_store:
ns_for_export_app_cert: "MY-DEV-NAMESPACE" # Verify this namespace is available within your cluster before initiating the Tanzu Application Platform installation.
app_service_type: ClusterIP # Defaults to LoadBalancer. If shared.ingress_domain is set earlier, this must be set to ClusterIP.
policy:
tuf_enabled: false # By default, TUF initialization and keyless verification are deactivated.
tap_telemetry:
customer_entitlement_account_number: "CUSTOMER-ENTITLEMENT-ACCOUNT-NUMBER" # (Optional) Identify data for creating the Tanzu Application Platform usage reports.
ImportantThe profile installation no longer includes Grype out of the box. Instead, you can use Namespace Provisioner to install Grype. Namespace Provisioner still uses Grype values to configure the scanner:
grype: targetImagePullSecret: "TARGET-REGISTRY-CREDENTIALS-SECRET"
Where:
-
INGRESS-DOMAINis the subdomain for the host name that you point at thetanzu-shared-ingressservice’s External IP address. It is not required to know the External IP address or set up the DNS record while installing. Installing the Tanzu Application Platform package creates thetanzu-shared-ingressand its External IP address. You can create the DNS record after completing the installation. -
KP-DEFAULT-REPOis a writable repository in your registry. Tanzu Build Service dependencies are written to this location. Examples:- Harbor has the form
kp_default_repository: "my-harbor.io/my-project/build-service". - Docker Hub has the form
kp_default_repository: "my-dockerhub-user/build-service"orkp_default_repository: "index.docker.io/my-user/build-service". - Google Cloud Registry has the form
kp_default_repository: "gcr.io/my-project/build-service".
- Harbor has the form
-
KP-DEFAULT-REPO-SECRETis the secret with user credentials that can write toKP-DEFAULT-REPO. You candocker pushto this location with this credential.- You can create a secret configured with a valid registry credential with a name and namespace of your choice. For Google Cloud Registry, use
kp_default_repository_username: _json_key. - You must create the secret before the installation. For example, you can use the
registry-credentialssecret created earlier.
- You can create a secret configured with a valid registry credential with a name and namespace of your choice. For Google Cloud Registry, use
-
KP-DEFAULT-REPO-SECRET-NAMESPACEis the namespace whereKP-DEFAULT-REPO-SECRETis created.- You must create the namespace before the installation. For example, you can use the
tap-installnamespace created earlier.
- You must create the namespace before the installation. For example, you can use the
-
K8S-DISTRO(optional) is the type of Kubernetes infrastructure in use. It is only required if the distribution is OpenShift and must be used in coordination withkubernetes_version. Supported value:openshift. -
K8S-VERSION(optional) is the Kubernetes version in use. You can use it independently or in coordination withkubernetes_distribution. For example,1.24.x, wherexis the Kubernetes patch version. -
SERVER-NAMEis the host name of the registry server. Examples:- Harbor has the form
server: "my-harbor.io". - Docker Hub has the form
server: "index.docker.io". - Google Cloud Registry has the form
server: "gcr.io".
- Harbor has the form
-
REPO-NAMEis where workload images are stored in the registry. If this key is passed through the shared section earlier and AWS ECR registry is used, you must ensure that theSERVER-NAME/REPO-NAME/buildserviceandSERVER-NAME/REPO-NAME/workloadsexist. AWS ECR expects the paths to be pre-created. Images are written toSERVER-NAME/REPO-NAME/workload-name. Examples:- Harbor has the form
repository: "my-project/supply-chain". - Docker Hub has the form
repository: "my-dockerhub-user". - Google Cloud Registry has the form
repository: "my-project/supply-chain".
- Harbor has the form
-
EXTERNAL-REGISTRY-FOR-LOCAL-SOURCEis where the developer’s local source is uploaded when using Tanzu CLI to use Local Source Proxy for workload creation.If an AWS ECR registry is being used, ensure that the repository already exists. AWS ECR expects the repository path to already exist. This destination is represented as
REGISTRY-SERVER/REPOSITORY-PATH. For more information, see Install Local Source Proxy. -
EXTERNAL-REGISTRY-FOR-LOCAL-SOURCE-SECRETis the name of the secret with credentials that allow pushing to theEXTERNAL-REGISTRY-FOR-LOCAL-SOURCErepository. -
EXTERNAL-REGISTRY-FOR-LOCAL-SOURCE-SECRET-NAMESPACEis the namespace in whichEXTERNAL-REGISTRY-FOR-LOCAL-SOURCE-SECRETis available. -
GIT-SOURCE-CREDENTIAL-SECRET-NAMEis the name of the Kubernetes secret in the developer namespace that supplies the Git credentials for the supply chain to fetch source code from. This field is only required if you use a private repository. See Git authentication for more information. -
GITOPS-CREDENTIAL-SECRET-NAMEis the name of the Kubernetes secret in the developer namespace that supplies the Git credentials for the supply chain to push configuration to. See Git authentication for more information. -
GIT-CATALOG-URLis the path to thecatalog-info.yamlcatalog definition file. You can download either a blank or populated catalog file from the Broadcom Support Portal (file name Tanzu Application Platform Developer Portal Blank Catalog or Tanzu Application Platform Developer Portal Yelb Catalog). Otherwise, you can use a Backstage-compliant catalog you’ve already built and posted on the Git infrastructure. -
MY-DEV-NAMESPACEis the name of the developer namespace. SCST - Store exports secrets to the namespace, and SCST - Scan deploys theScanTemplatesthere. This allows the scanning feature to run in this namespace. If there are multiple developer namespaces, usens_for_export_app_cert: "*"to export the SCST - Store CA certificate to all namespaces. To install Grype in multiple namespaces, use a namespace provisioner. For more information, see Namespace Provisioner. -
TARGET-REGISTRY-CREDENTIALS-SECRETis the name of the secret that contains the credentials to pull an image from the registry for scanning. -
CUSTOMER-ENTITLEMENT-ACCOUNT-NUMBER(optional) refers to the Entitlement Account Number (EAN), which is a unique identifier VMware assigns to its customers. Tanzu Application Platform telemetry uses this number to identify data that belongs to a particular customers and prepare usage reports.
If you use custom CA certificates, you must provide one or more PEM-encoded CA certificates under the ca_cert_data key. If you configured shared.ca_cert_data, Tanzu Application Platform component packages inherit that value by default.
If you use AWS, the default settings creates a classic LoadBalancer. To use the Network LoadBalancer instead of the classic LoadBalancer for ingress, add the following to your tap-values.yaml:
contour:
infrastructure_provider: aws
envoy:
service:
aws:
LBType: nlb
CEIP policy disclosure
Tanzu Application Platform is part of VMware’s CEIP program where data is collected to help improve the customer experience. By setting ceip_policy_disclosed to true (not a string), you acknowledge the program is disclosed to you and you are aware data collection is happening. This field must be set for the installation to be completed.
See Opt out of telemetry collection for more information.
(Optional) Configure your profile with full dependencies
When you install a profile that includes Tanzu Build Service, Tanzu Application Platform is installed with the lite set of dependencies. These dependencies consist of buildpacks and stacks required for application builds.
The lite set of dependencies do not contain all buildpacks and stacks. To use all buildpacks and stacks, you must install the full dependencies. For more information about the differences between lite and full dependencies, see About lite and full dependencies.
To configure full dependencies, add the key-value pair exclude_dependencies: true to your tap-values.yaml file under the buildservice section. For example:
buildservice:
kp_default_repository: "KP-DEFAULT-REPO"
kp_default_repository_secret: # Takes the value from the shared section by default, but can be overridden by setting a different value.
name: "KP-DEFAULT-REPO-SECRET"
namespace: "KP-DEFAULT-REPO-SECRET-NAMESPACE"
exclude_dependencies: true
After configuring full dependencies, you must install the dependencies after you have finished installing your Tanzu Application Platform package. See Install the full dependencies package for more information.
Tanzu Application Platform v1.6.1 and later supports building applications with Ubuntu v22.04 (Jammy).
(Optional) Configure your profile with automatic dependency updates
Tanzu Build Service dependencies might be upgraded between Tanzu Application Platform releases, for example, if a CVE is discovered in the OS (stack update) or language (buildpack update).
Automatic dependency updates enable your cluster to consume the stack and buildpack updates immediately instead of waiting for the next Tanzu Application Platform patch release to pull in the updated dependencies.
- Updates are provided through a separate package repository with available version lines for all supported Tanzu Application Platform minor versions.
- Within a version line, only patch versions are incremented to avoid breaking changes.
- You can customize the packages that you want the automatic dependency updater to update through your
tap-values.yamlfile or your full dependencies values.
Prerequisites: These steps assume a registry secret already exists in the cluster for accessing tanzu-build.packages.broadcom.com and your registry.
To enable automatic dependency updates:
-
Add the following to your
tap-values.yamlfile:buildservice: dependency_updates: allow: true scope: SCOPE include_packages: [""] exclude_packages: [""]Where:
SCOPEis the list of dependencies you want updated. The options are:stacks-only(default): Only stacks and builders are updated. This addresses CVEs in the base image or operating system.all: Stacks, builders, and buildpacks are updated. This addresses CVEs in the base image or operating system and CVEs in the language toolchain such as compilers, interpreters, and standard libraries.custom: This list is empty by default. Use theinclude_packageskey to add packages to be updated.
Note
You must update the Tanzu Application Platform package install and the Full Dependencies package install after changing the
tap-values.yaml. -
Add the Tanzu Build Service Dependency Updates package repository by running:
kubectl apply -f - <<EOF apiVersion: packaging.carvel.dev/v1alpha1 kind: PackageRepository metadata: name: tbs-dependencies-package-repository namespace: tap-install spec: fetch: imgpkgBundle: image: DEPENDENCY-UPDATER-PACKAGE-REPO tagSelection: semver: constraints: VERSION-CONSTRAINT EOFWhere:
DEPENDENCY-UPDATER-PACKAGE-REPOis the location of the package repository. This istanzu-build.packages.broadcom.com/build-service-dependency-updater/package-repofor online installs and the internal container image registry for air-gapped installs.VERSION-CONSTRAINTis the Tanzu Application Platform version in the form ofMAJOR.MINOR.x. For example,1.8.x.
After completing this configuration, the repository you set with DEPENDENCY-UPDATER-PACKAGE-REPO will be polled for updates and any new releases will automatically be made available to the cluster.
(Optional) Override the default retention behavior for Crossplane CRDs
By default, the crossplane.tanzu.vmware.com package is configured to retain all Crossplane CRDs, providers, and managed resources when the package is uninstalled. This is in the interest of caution in relation to accidental deletion of stateful data.
You can configure Tanzu Application Platform to delete Crossplane resources to avoid orphaned resources. To do so, update the tap-values.yaml as follows:
# tap-values.yaml
crossplane:
orphan_resources: false
Install your Tanzu Application Platform package
Follow these steps to install the Tanzu Application Platform package:
-
Install the package by running:
tanzu package install tap -p tap.tanzu.vmware.com -v $TAP_VERSION --values-file tap-values.yaml -n tap-install -
Verify the package install by running:
tanzu package installed get tap -n tap-installThis can take 5-10 minutes because it installs several packages on your cluster.
-
Verify that the necessary packages in the profile are installed by running:
tanzu package installed list -A -
If you configured
fulldependencies in yourtap-values.yamlfile, install thefulldependencies by following the procedure in Install full dependencies.
ImportantAfter installing the full profile on your cluster, you must set up developer namespaces. Otherwise, creating a workload, a Knative service or other Tanzu Application Platform packages fails. For more information, see Set up developer namespaces to use your installed packages.
You can run the following command after reconfiguring the profile to reinstall the Tanzu Application Platform:
tanzu package installed update tap -p tap.tanzu.vmware.com -v $TAP_VERSION --values-file tap-values.yaml -n tap-install
Install the full dependencies package
If you configured full dependencies in your tap-values.yaml file in Configure your profile with full dependencies earlier, you must install the full dependencies package.
-
(Optional) If you have an existing installation of the full dependencies package from a version earlier than Tanzu Application Platform v1.6.1, you must uninstall the full dependencies package and remove the package repository:
Uninstall the package:
tanzu package installed delete full-tbs-deps -n tap-installRemove the package repository:
tanzu package repository delete tbs-full-deps-repository -n tap-install -
Get the latest version of the Tanzu Application Platform package by running:
tanzu package available list tap.tanzu.vmware.com --namespace tap-install -
If you have not done so already, you must exclude the default dependencies by adding the key-value pair
exclude_dependencies: trueto yourtap-values.yamlfile under thebuildservicesection. For example:buildservice: exclude_dependencies: true -
If you have not updated your Tanzu Application Platform package installation after adding the key-value pair
exclude_dependencies: trueto your values file, perform the update by running:tanzu package installed update tap --namespace tap-install --values-file VALUES-FILEWhere
VALUES-FILEis the path to thetap-values.yamlfile you edited earlier. -
Relocate the Tanzu Build Service
fulldependencies package repository by doing one of the following:-
Relocate the images directly for online installation:
imgpkg copy \ -b tanzu.packages.broadcom.com/tanzu-application-platform/full-deps-package-repo:VERSION \ --to-repo ${INSTALL_REGISTRY_HOSTNAME}/full-deps-package-repoWhere
VERSIONis the version of the Tanzu Application Platform package you retrieved earlier. -
Relocate the images to an external storage device and then to the registry in the air-gapped environment:
imgpkg copy \ -b tanzu.packages.broadcom.com/tanzu-application-platform/full-deps-package-repo:VERSION \ --to-tar=full-deps-package-repo.tar # move full-deps-package-repo.tar to environment with registry access imgpkg copy \ --tar full-deps-package-repo.tar \ --to-repo=INSTALL-REGISTRY-HOSTNAME/TARGET-REPOSITORY/full-deps-package-repoWhere:
VERSIONis the version of the Tanzu Application Platform package you retrieved earlier.INSTALL-REGISTRY-HOSTNAMEis your container registry.TARGET-REPOSITORYis your target repository.
-
-
Add the Tanzu Build Service
fulldependencies package repository by running:tanzu package repository add full-deps-package-repo \ --url INSTALL-REGISTRY-HOSTNAME/TARGET-REPOSITORY/full-deps-package-repo:VERSION \ --namespace tap-installWhere:
INSTALL-REGISTRY-HOSTNAMEis your container registry.TARGET-REPOSITORYis your target repository.VERSIONis the version of the Tanzu Application Platform package you retrieved earlier.
-
Create a new
tbs-full-deps-values.yamland copy thekp_default_repositorykey-value pair from yourtap-values.yamlortbs-values.yaml:--- kp_default_repository: "REPO-NAME" kp_default_repository_secret: name: kp-default-repository-creds namespace: tap-installWhere
REPO-NAMEis copied from thebuildservice.kp_default_repositoryfield in yourtap-values.yamlortbs-values.yaml.-
(Optional) Install the UBI builder.
The UBI builder uses Red Hat Universal Base Image (UBI) v8 for both build and run images. This builder only supports Java and Node.js. To install the UBI builder, add the key-value pair
enable_ubi_builder: trueto yourtbs-full-deps-values.yaml.--- enable_ubi_builder: true -
(Optional) Install the Static builder.
The Static builder uses Ubuntu Jammy for both build images and a minimal static run image. This builder only supports Golang. To install the Static builder, add the key-value pair
enable_static_builder: trueto yourtbs-full-deps-values.yaml.--- enable_static_builder: true
-
-
Install the
fulldependencies package by running:tanzu package install full-deps \ --package full-deps.buildservice.tanzu.vmware.com \ --version "> 0.0.0" \ --namespace tap-install \ --values-file VALUES-FILEWhere
VALUES-FILEis the path to thetbs-full-deps-values.yamlyou created earlier.
For more information about the differences between lite and full dependencies, see About lite and full dependencies.
Access Tanzu Developer Portal
To access Tanzu Developer Portal, you can use the host name that you configured earlier. This host name is pointed at the shared ingress. To configure LoadBalancer for Tanzu Developer Portal, see Access Tanzu Developer Portal.
You’re now ready to start using Tanzu Developer Portal. Proceed to the Getting Started topic or the Tanzu Developer Portal - Catalog Operations topic.
Exclude packages from a Tanzu Application Platform profile
To exclude packages from a Tanzu Application Platform profile:
-
Find the full subordinate (child) package name:
tanzu package available list --namespace tap-install -
Update your
tap-valuesfile with a section listing the exclusions:profile: PROFILE-VALUE excluded_packages: - tap-gui.tanzu.vmware.com - service-bindings.lab.vmware.com
ImportantIf you exclude a package after performing a profile installation including that package, you cannot see the accurate package states immediately after running
tap package installed list -n tap-install. Also, you can break package dependencies by removing a package. Allow 20 minutes to verify that all packages have reconciled correctly while troubleshooting.
Next steps
