This topic describes how to install Tanzu Build Service from the Tanzu Application Platform (commonly known as TAP) package repository by using the Tanzu CLI.
Use this topic if you do not want to use a Tanzu Application Platform profile that includes Tanzu Build Service. The Full, Iterate, and Build profiles include Tanzu Build Service. For more information about profiles, see Components and installation profiles.
The following procedure might not include some configurations required for your environment. For advanced information about installing Tanzu Build Service, see the Tanzu Build Service documentation.
Before installing Tanzu Build Service:
Complete all prerequisites to install Tanzu Application Platform. For more information, see Prerequisites.
You must have access to a Docker registry that Tanzu Build Service can use to create builder images. Approximately 10 GB of registry space is required when using the full
dependencies.
Your Docker registry must be accessible with user name and password credentials.
The Cloud Native Buildpack Bill of Materials (CNB BOM) format has been removed.
To install Tanzu Build Service by using the Tanzu CLI:
Get the latest version of the Tanzu Build Service package by running:
tanzu package available list buildservice.tanzu.vmware.com --namespace tap-install
Gather the values schema by running:
tanzu package available get buildservice.tanzu.vmware.com/VERSION --values-schema --namespace tap-install
Where VERSION
is the version of the Tanzu Build Service package you retrieved earlier in this procedure.
Create the secret for the kp-default-repository
credentials using the tanzu
cli:
tanzu secret registry add kp-default-repository-creds \
--server "${REGISTRY-HOSTNAME}" \
--username "${REGISTRY-USERNAME}" \
--password "${REGISTRY-PASSWORD}" \
--namespace tap-install
Where: - REGISTRY-HOST
is the host name for the registry that contains your kp_default_repository
. For example: - Harbor has the form server: "my-harbor.io"
. - Docker Hub has the form server: "index.docker.io"
. - Google Cloud Registry has the form server: "gcr.io"
. - REGISTRY-USERNAME
and REGISTRY-PASSWORD
are the user name and password for the user that can write to the repository used in the following step. For Google Cloud Registry, use _json_key
as the user name and the contents of the service account JSON file for the password.
Create a tbs-values.yaml
file using the following template. If shared.image_registry.project_path
and shared.image_registry.secret
are configured in the tap-values.yaml
file, Tanzu Build Service inherits all three values in that section. This can be disabled by setting any of the following three values.
---
kp_default_repository: "REPO-NAME"
kp_default_repository_secret:
name: kp-default-repository-creds
namespace: tap-install
Where: - REPO-NAME
is a writable repository in your registry. Tanzu Build Service dependencies are written to this location. Examples: - Harbor has the form "my-harbor.io/my-project/build-service"
. - Docker Hub has the form "my-dockerhub-user/build-service"
or "index.docker.io/my-user/build-service"
. - Google Cloud Registry has the form "gcr.io/my-project/build-service"
.
If you are running on OpenShift, add kubernetes_distribution: openshift
to your tbs-values.yaml
file.
(Optional) Under the ca_cert_data
key in the tbs-values.yaml
file, provide a PEM-encoded CA certificate for Tanzu Build Service. This certificate is used for accessing the container image registry and is also provided to the build process.
NoteIf
shared.ca_cert_data
is configured in thetap-values.yaml
file, Tanzu Build Service inherits that value.Configuring
ca_cert_data
key in thetbs-values.yaml
file adds the CA certificates at build time. To add CA certificates to the built image, see Configure custom CA certificates for a single workload using service bindings.
For example:
---
kp_default_repository: "REPO-NAME"
kp_default_repository_secret:
name: kp-default-repository-creds
namespace: tap-install
ca_cert_data: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
(Optional) Tanzu Build Service is bootstrapped with the lite
set of dependencies. To configure full
dependencies, add the key-value pair exclude_dependencies: true
to your tbs-values.yaml
file. This is to exclude the default lite
dependencies from the installation. For example:
---
kp_default_repository: "REPO-NAME"
kp_default_repository_secret:
name: kp-default-repository-creds
namespace: tap-install
exclude_dependencies: true
For more information about the differences between full
and lite
dependencies, see About lite and full dependencies.
Install the Tanzu Build Service package by running:
tanzu package install tbs \
--package buildservice.tanzu.vmware.com \
--version VERSION \
--namespace tap-install \
--values-file tbs-values.yaml
Where VERSION
is the version of the Tanzu Build Service package you retrieved earlier.
For example:
$ tanzu package install tbs \
--package buildservice.tanzu.vmware.com \
--version 1.12.4 \
--namespace tap-install \
--values-file tbs-values.yaml
| Installing package 'buildservice.tanzu.vmware.com'
| Getting namespace 'tap-install'
| Getting package metadata for 'buildservice.tanzu.vmware.com'
| Creating service account 'tbs-tap-install-sa'
| Creating cluster admin role 'tbs-tap-install-cluster-role'
| Creating cluster role binding 'tbs-tap-install-cluster-rolebinding'
| Creating secret 'tbs-tap-install-values'
- Creating package resource
- Package install status: Reconciling
Added installed package 'tbs' in namespace 'tap-install'
(Optional) Verify the cluster builders that the Tanzu Build Service installation created by running:
tanzu package installed get tbs -n tap-install
If you configured full
dependencies in your tbs-values.yaml
file, install the full
dependencies by following the procedure in Install full dependencies.
Tanzu Build Service supports using AWS IAM roles to authenticate with Amazon Elastic Container Registry (ECR) on Amazon Elastic Kubernetes Service (EKS) clusters.
To use AWS IAM authentication:
Configure an AWS IAM role that has read and write access to the repository in the container image registry used when installing Tanzu Application Platform.
Use the following alternative configuration for tbs-values.yaml
:
Noteif you are installing Tanzu Build Service as part of a Tanzu Application Platform profile, you configure this in your
tap-values.yaml
file under thebuildservice
section.
---
kp_default_repository: "REPO-NAME"
kp_default_repository_aws_iam_role_arn: "IAM-ROLE-ARN"
Where:
REPO-NAME
is a writable repository in your registry. Tanzu Build Service dependencies are written to this location.IAM-ROLE-ARN
is the AWS IAM role Amazon Resource Name (ARN) for the role configured earlier in this procedure. For example, arn:aws:iam::xyz:role/my-install-role
.The developer namespace requires configuration for Tanzu Application Platform to use AWS IAM authentication for ECR. Configure an AWS IAM role that has read and write access to the registry for storing workload images.
Using the supply chain service account, add an annotation including the role ARN configured earlier by running:
kubectl annotate serviceaccount -n DEVELOPER-NAMESPACE SERVICE-ACCOUNT-NAME \
eks.amazonaws.com/role-arn=IAM-ROLE-ARN
Where:
DEVELOPER-NAMESPACE
is the namespace where workloads are created.SERVICE-ACCOUNT-NAME
is the supply chain service account. This is default
if unset.IAM-ROLE-ARN
is the AWS IAM role ARN for the role configured earlier. For example, arn:aws:iam::xyz:role/my-developer-role
.Apply this configuration by continuing the steps in Install the Tanzu Build Service package.
If you configured full
dependencies in your tbs-values.yaml
file, you must install the full
dependencies package. For a more information about lite
and full
dependencies, see About lite and full dependencies.
To install full
Tanzu Build Service dependencies:
Get the latest version of the Tanzu Application Platform package by running:
tanzu package available list tap.tanzu.vmware.com --namespace tap-install
If you have not done so already, you must exclude the default dependencies by adding the key-value pair exclude_dependencies: true
to your tap-values.yaml
file under the buildservice
section. For example:
buildservice:
exclude_dependencies: true
If you have not updated your Tanzu Application Platform package installation after adding the key-value pair exclude_dependencies: true
to your values file, perform the update by running:
tanzu package installed update tap --namespace tap-install --values-file VALUES-FILE
Where VALUES-FILE
is the path to the tap-values.yaml
file you edited earlier.
Relocate the Tanzu Build Service full
dependencies package repository by doing one of the following:
Relocate the images directly for online installation:
imgpkg copy \
-b tanzu.packages.broadcom.com/tanzu-application-platform/full-deps-package-repo:VERSION \
--to-repo ${INSTALL_REGISTRY_HOSTNAME}/full-deps-package-repo
Where VERSION
is the version of the Tanzu Application Platform package you retrieved earlier.
Relocate the images to an external storage device and then to the registry in the air-gapped environment:
imgpkg copy \
-b tanzu.packages.broadcom.com/tanzu-application-platform/full-deps-package-repo:VERSION \
--to-tar=full-deps-package-repo.tar
# move full-deps-package-repo.tar to environment with registry access
imgpkg copy \
--tar full-deps-package-repo.tar \
--to-repo=INSTALL-REGISTRY-HOSTNAME/TARGET-REPOSITORY/full-deps-package-repo
Where:
VERSION
is the version of the Tanzu Application Platform package you retrieved earlier.INSTALL-REGISTRY-HOSTNAME
is your container registry.TARGET-REPOSITORY
is your target repository.Add the Tanzu Build Service full
dependencies package repository by running:
tanzu package repository add full-deps-package-repo \
--url INSTALL-REGISTRY-HOSTNAME/TARGET-REPOSITORY/full-deps-package-repo:VERSION \
--namespace tap-install
Where:
INSTALL-REGISTRY-HOSTNAME
is your container registry.TARGET-REPOSITORY
is your target repository.VERSION
is the version of the Tanzu Application Platform package you retrieved earlier.Create a new tbs-full-deps-values.yaml
and copy the kp_default_repository
key-value pair from your tap-values.yaml
or tbs-values.yaml
:
---
kp_default_repository: "REPO-NAME"
kp_default_repository_secret:
name: kp-default-repository-creds
namespace: tap-install
Where REPO-NAME
is copied from the buildservice.kp_default_repository
field in your tap-values.yaml
or tbs-values.yaml
.
(Optional) Install the UBI builder.
The UBI builder uses Red Hat Universal Base Image (UBI) v8 for both build and run images. This builder only supports Java and Node.js. To install the UBI builder, add the key-value pair enable_ubi_builder: true
to your tbs-full-deps-values.yaml
.
---
enable_ubi_builder: true
(Optional) Install the Static builder.
The Static builder uses Ubuntu Jammy for both build images and a minimal static run image. This builder only supports Golang. To install the Static builder, add the key-value pair enable_static_builder: true
to your tbs-full-deps-values.yaml
.
---
enable_static_builder: true
Install the full
dependencies package by running:
tanzu package install full-deps \
--package full-deps.buildservice.tanzu.vmware.com \
--version "> 0.0.0" \
--namespace tap-install \
--values-file VALUES-FILE
Where VALUES-FILE
is the path to the tbs-full-deps-values.yaml
you created earlier.