Configure Tanzu Supply Chain

This topic tells you what to configure to complete your Tanzu Supply Chain installation.

Caution

Tanzu Supply Chain is currently in beta and is not intended for production use. It is intended only for evaluation purposes for the next generation Supply Chain. For the current Supply Chain solution, see the Supply Chain Choreographer documentation.

After you install Tanzu Supply Chain, use Namespace Provisioner to configure service accounts and permissions.

VMware recommends that you use Namespace Provisioner to configure the following:

  • OCI Store configuration: Supply Chains persist data between stages by reading and writing to an OCI repository. The location of the OCI repository is configured by a Kubernetes Secret named oci-store that exists within the developer namespace. Access to this repository is controlled by a Tekton-annotated Secret, which can have any name, with the tekton.dev/docker-0 annotation pointing to the OCI repository.

  • Permissions for the buildpack-build component and Cluster Builders: You must add some additional permissions to use the buildpack-build component to create images with Tanzu Build Service configured with ClusterBuilders.

Configure Tanzu Supply Chain by using Namespace Provisioner

To use Namespace Provisioner to configure Tanzu Supply Chain:

  1. Create a Secret in the tap-install namespace that has the location and credentials for the oci-store by running:

    cat << EOF | kubectl apply -f -
    apiVersion: v1
    kind: Secret
    metadata:
     name: supply-chain-oci-store-credentials
     namespace: tap-install
    type: Opaque
    stringData:
     ocistore.yaml: |
       tanzusupplychain:
         ocistore:
           username: REGISTRY-USERNAME
           password: REGISTRY-PASSWORD
           server: REGISTRY-SERVER
           repository: REGISTRY-REPO
    EOF
    
  2. Configure Namespace Provisioner to use the accelerator sample. This creates the required resources for configuring oci-store and buildpack-build permissions. Update the namespace_provisioner section of your tap-values.yaml file as follows:

    namespace_provisioner:
      additional_sources:
      - git:
          ref: origin/main
          subPath: ns-provisioner-samples/tanzu-supply-chain
          url: https://github.com/vmware-tanzu/application-accelerator-samples.git
      import_data_values_secrets:
      - name: supply-chain-oci-store-credentials
        namespace: tap-install
        create_export: true
      default_parameters:
        supply_chain_service_account:
          secrets:
          - oci-store-credentials
    

    Namespace Provisioner creates the required secrets and role bindings in your developer namespace.
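    To confirm that a developer namespace ended up with what this procedure expects, the following added check script (not part of the VMware documentation or the product) inspects the objects in a namespace: the oci-store Secret, a Secret carrying the tekton.dev/docker-0 annotation, and a service account that lists that Secret. It assumes the service account is named default (pass the name your supply_chain_service_account parameter configures if different), that the annotated Secret is of type kubernetes.io/basic-auth as Tekton expects, and uses a constructed sample in place of real cluster output.

```python
import json
import sys

TEKTON_ANNOTATION = "tekton.dev/docker-0"

def check_namespace(items, service_account="default"):
    """Return a list of findings for one developer namespace; empty means it looks provisioned.

    `items` is the `items` array from `kubectl get secrets,serviceaccounts -n NS -o json`.
    The service account name defaults to "default" (an assumption; pass the one your
    supply_chain_service_account parameter actually configures).
    """
    findings = []
    secrets = {i["metadata"]["name"]: i for i in items if i["kind"] == "Secret"}
    accounts = {i["metadata"]["name"]: i for i in items if i["kind"] == "ServiceAccount"}
    if "oci-store" not in secrets:
        findings.append("missing Secret 'oci-store': stages have nowhere to persist data")
    # Tekton resolves registry credentials from basic-auth Secrets annotated tekton.dev/docker-N.
    registry_creds = [
        name for name, s in secrets.items()
        if TEKTON_ANNOTATION in (s["metadata"].get("annotations") or {})
    ]
    if not registry_creds:
        findings.append(f"no Secret annotated {TEKTON_ANNOTATION}: pushes to the OCI store cannot authenticate")
    for name in registry_creds:
        if secrets[name].get("type") != "kubernetes.io/basic-auth":
            findings.append(f"Secret '{name}' carries {TEKTON_ANNOTATION} but is not kubernetes.io/basic-auth")
    sa = accounts.get(service_account)
    if sa is None:
        findings.append(f"ServiceAccount '{service_account}' not found")
    else:
        attached = {s["name"] for s in sa.get("secrets") or []}
        for name in registry_creds:
            if name not in attached:
                findings.append(f"ServiceAccount '{service_account}' does not list Secret '{name}'")
    return findings

# Constructed sample resembling the objects Namespace Provisioner creates; not real cluster output.
SAMPLE_ITEMS = [
    {"kind": "Secret", "type": "Opaque", "metadata": {"name": "oci-store"}},
    {"kind": "Secret", "type": "kubernetes.io/basic-auth",
     "metadata": {"name": "oci-store-credentials",
                  "annotations": {TEKTON_ANNOTATION: "https://REGISTRY-SERVER"}}},
    {"kind": "ServiceAccount", "metadata": {"name": "default"},
     "secrets": [{"name": "oci-store-credentials"}]},
]

if __name__ == "__main__":
    # Pipe `kubectl get secrets,serviceaccounts -n dev -o json` in, or run with no input for the sample.
    items = json.load(sys.stdin)["items"] if not sys.stdin.isatty() else SAMPLE_ITEMS
    for finding in check_namespace(items) or ["namespace looks provisioned for Tanzu Supply Chain"]:
        print(finding)
```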

Create developer namespaces

To create developer namespaces, run:

kubectl create namespace dev
kubectl label namespaces dev apps.tanzu.vmware.com/tap-ns=""

Configure Namespace Provisioner to support custom Supply Chains

If you need to inject extra secrets, such as git-secret, in the service account for all developer namespaces managed by Namespace Provisioner, update the namespace_provisioner section of tap-values.yaml as follows:

namespace_provisioner:
  ...
  default_parameters:
    supply_chain_service_account:
      secrets:
      # Add secrets here
      - git-secret

To add the secret to a single namespace by using an annotation instead, run:

kubectl annotate ns DEVELOPER-NAMESPACE param.nsp.tap/delivery_service_account.secrets='["git-secret"]'