This topic tells you how to install a Build profile cluster by using a reduced values file.
Before installing the Build profile, follow all the steps in Install View cluster.
The following is a sample YAML values file for the Build profile:
profile: build
ceip_policy_disclosed: FALSE-OR-TRUE-VALUE # Installation fails if this is not set to true. Not a string.

shared:
  ingress_domain: "INGRESS-DOMAIN"
  kubernetes_distribution: "openshift" # To be passed only for OpenShift. Defaults to "".
  kubernetes_version: "K8S-VERSION"
  image_registry:
    project_path: "SERVER-NAME/REPO-NAME" # To be used by Build Service by appending "/buildservice" and used by Supply chain by appending "/workloads".
    secret:
      name: "KP-DEFAULT-REPO-SECRET"
      namespace: "KP-DEFAULT-REPO-SECRET-NAMESPACE"
  ca_cert_data: | # To be passed if using custom certificates.
    -----BEGIN CERTIFICATE-----
    MIIFXzCCA0egAwIBAgIJAJYm37SFocjlMA0GCSqGSIb3DQEBDQUAMEY...
    -----END CERTIFICATE-----

# The above shared keys can be overridden in the below section.

buildservice:
  # Takes the value from the shared section by default, but can be overridden by setting a different value.
  kp_default_repository: "KP-DEFAULT-REPO"
  kp_default_repository_secret:
    name: "KP-DEFAULT-REPO-SECRET"
    namespace: "KP-DEFAULT-REPO-SECRET-NAMESPACE"

supply_chain: testing_scanning

ootb_supply_chain_testing_scanning: # Optional if the corresponding shared keys are provided.
  source:
    credentials_secret: "GIT-SOURCE-CREDENTIAL-SECRET-NAME" # (Optional) Defaults to "".
  registry:
    server: "SERVER-NAME"
    repository: "REPO-NAME"
  gitops:
    credentials_secret: "GITOPS-CREDENTIAL-SECRET-NAME" # (Optional) Defaults to "".

tap_telemetry:
  customer_entitlement_account_number: "CUSTOMER-ENTITLEMENT-ACCOUNT-NUMBER" # (Optional) Identify data for creating Tanzu Application Platform usage reports.

app_scanning:
  amr:
    url: https://amr-graphql.VIEW-CLUSTER-INGRESS-DOMAIN # AMR GraphQL location at the View profile cluster.
    accessToken: "AMR-GRAPHQL-READ-ACCESS-TOKEN"

scanning:
  metadataStore:
    exports:
      ca:
        pem: |
          "METADATA STORE CA" # (Optional) Defaults to "".
      auth:
        token: METADATA STORE AUTHENTICATION TOKEN

amr:
  observer:
    auth:
      kubernetes_service_accounts:
        enable: true
    cloudevent_handler:
      endpoint: https://amr-cloudevent-handler.VIEW-CLUSTER-INGRESS-DOMAIN # AMR CloudEvent Handler location at the View profile cluster.
    ca_cert_data: |
      "AMR-CLOUDEVENT-HANDLER-CA"
Important: Installing Grype by using tap-values.yaml as follows is deprecated in v1.6 and will be removed in v1.8:

  grype:
    targetImagePullSecret: "TARGET-REGISTRY-CREDENTIALS-SECRET"

You can install Grype by using Namespace Provisioner instead.
Where:

- K8S-VERSION is the Kubernetes version used by your OpenShift cluster. It must be in the form of 1.23.x or 1.24.x, where x stands for the patch version. Examples:
  - 1.23.3
  - 1.24.1
- KP-DEFAULT-REPO is a writable repository in your registry. The Tanzu Build Service dependencies are written to this location. Examples:
  - kp_default_repository: "my-harbor.io/my-project/build-service"
  - kp_default_repository: "my-dockerhub-user/build-service" or kp_default_repository: "index.docker.io/my-user/build-service"
  - kp_default_repository: "gcr.io/my-project/build-service"
- KP-DEFAULT-REPO-SECRET is the secret with user credentials that can write to KP-DEFAULT-REPO. You can docker push to this location with this credential.
  - For Google Cloud Registry, use kp_default_repository_username: _json_key.
  - You can use the registry-credentials secret created earlier.
- KP-DEFAULT-REPO-SECRET-NAMESPACE is the namespace where KP-DEFAULT-REPO-SECRET is created.
- SERVER-NAME is the host name of the registry server. Examples:
  - server: "my-harbor.io"
  - server: "index.docker.io"
  - server: "gcr.io"
- REPO-NAME is where workload images are stored in the registry. Images are written to SERVER-NAME/REPO-NAME/workload-name. Examples:
  - repository: "my-project/supply-chain"
  - repository: "my-dockerhub-user"
  - repository: "my-project/supply-chain"
- GIT-SOURCE-CREDENTIAL-SECRET-NAME is the name of the Kubernetes secret in the developer namespace that supplies the Git credentials for the supply chain to fetch source code from. See Git authentication for more information.
- GITOPS-CREDENTIAL-SECRET-NAME is the name of the Kubernetes secret in the developer namespace that supplies the Git credentials for the supply chain to push configuration to. See Git authentication for more information.
- MY-DEV-NAMESPACE is the name of the developer namespace. SCST - Scan deploys the ScanTemplates there. This allows the scanning feature to run in this namespace.
- TARGET-REGISTRY-CREDENTIALS-SECRET is the name of the Secret that contains the credentials to pull an image from the registry for scanning.
- CUSTOMER-ENTITLEMENT-ACCOUNT-NUMBER (optional) refers to the Entitlement Account Number (EAN), which is a unique identifier VMware assigns to its customers. Tanzu Application Platform telemetry uses this number to identify data that belongs to a particular customer and prepare usage reports.
- VIEW-CLUSTER-INGRESS-DOMAIN is the subdomain you set up on the View profile cluster. This matches the shared.ingress_domain on the View profile cluster.
- AMR-GRAPHQL-READ-ACCESS-TOKEN is the read access token. For more information about how to obtain the token, see AMR GraphQL querying.
- AMR-CLOUDEVENT-HANDLER-CA contains the AMR CloudEvent Handler CA data. For more information about configuring the amr portion of the values file, see Set up multicluster AMR.

When you install Tanzu Application Platform, it is bootstrapped with the lite set of dependencies, including buildpacks and stacks, for application builds. For more information about buildpacks, see the VMware Tanzu Buildpacks Documentation. You can find the buildpack and stack artifacts installed with Tanzu Application Platform on the Broadcom Support Portal under VMware Tanzu Build Service Dependencies. You can update the dependencies by upgrading Tanzu Application Platform to the latest patch.
See Set up multicluster Supply Chain Security Tools (SCST) - Scan 1.0 for more information about the value settings of grype.metadataStore.

You must set scanning.metadatastore.url to an empty string if you’re installing Grype Scanner v1.2.0 and later or Snyk Scanner, to deactivate the embedded SCST - Store integration.

If you use custom CA certificates, you must provide one or more PEM-encoded CA certificates under the ca_cert_data key. If you configured shared.ca_cert_data, Tanzu Application Platform component packages inherit that value by default.
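As an added example (not code from this page or from the Tanzu Application Platform tooling), a Python pre-flight check that runs over a Build profile values file already loaded into a dict and flags the slips this page warns about: ceip_policy_disclosed given as a string, a kubernetes_version outside 1.23.x or 1.24.x, a project_path without the SERVER-NAME/REPO-NAME shape, a missing registry secret, and ca_cert_data that is not PEM; it also resolves the effective image repositories by applying the shared-key inheritance the sample file describes. The sample values, and names such as registry-credentials and tap-install, are constructed.

```python
# Added pre-flight check for a Build profile tap-values.yaml (not page or Tanzu code). It works
# on the values already loaded as a dict by any YAML loader; key paths follow the sample above.
import re

K8S_VERSION_RE = re.compile(r"^1\.(23|24)\.\d+$")  # "1.23.x" or "1.24.x", as the page requires

def _get(values, path, default=None):
    """Walk a dotted key path such as 'shared.image_registry.project_path'."""
    node = values
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node

def effective_repositories(values):
    """Where images land: Build Service and the supply chain inherit
    shared.image_registry.project_path unless their own keys override it."""
    base = _get(values, "shared.image_registry.project_path", "")
    build_repo = _get(values, "buildservice.kp_default_repository") or f"{base}/buildservice"
    server = _get(values, "ootb_supply_chain_testing_scanning.registry.server")
    repo = _get(values, "ootb_supply_chain_testing_scanning.registry.repository")
    return build_repo, f"{server}/{repo}" if server and repo else f"{base}/workloads"

def validate_build_values(values):
    """Return a list of findings; an empty list means these checks pass."""
    findings = []
    if values.get("ceip_policy_disclosed") is not True:  # YAML boolean, not the string "true"
        findings.append("ceip_policy_disclosed must be the boolean true; the install fails otherwise")
    if _get(values, "shared.kubernetes_distribution") == "openshift":
        if not K8S_VERSION_RE.match(str(_get(values, "shared.kubernetes_version", ""))):
            findings.append("shared.kubernetes_version must be of the form 1.23.x or 1.24.x")
    if "/" not in str(_get(values, "shared.image_registry.project_path", "")):
        findings.append("shared.image_registry.project_path must be SERVER-NAME/REPO-NAME")
    for key in ("shared.image_registry.secret.name", "shared.image_registry.secret.namespace"):
        if not _get(values, key):
            findings.append(f"{key} is required so Build Service can push to the registry")
    ca = _get(values, "shared.ca_cert_data")
    if ca is not None and "-----BEGIN CERTIFICATE-----" not in str(ca):
        findings.append("shared.ca_cert_data must hold PEM-encoded CA certificates")
    amr_url = str(_get(values, "app_scanning.amr.url", ""))
    if amr_url and not amr_url.startswith("https://"):
        findings.append("app_scanning.amr.url must use https; it carries the read access token")
    return findings

# Constructed sample with two common slips: a quoted "true" and an unsupported version.
BAD_VALUES = {"profile": "build", "ceip_policy_disclosed": "true", "shared": {
    "kubernetes_distribution": "openshift", "kubernetes_version": "1.25.0", "image_registry": {
        "project_path": "my-harbor.io/my-project",
        "secret": {"name": "registry-credentials", "namespace": "tap-install"}}}}
```

Run validate_build_values on the loaded file before tanzu package install; an empty list means the file passed these checks, and effective_repositories shows the registry paths the secret must be allowed to push to.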