Supply chains on Tanzu Application Platform

This topic describes the key concepts you need to know about supply chains and Continuous Integration/Continuous Delivery (CI/CD) on Tanzu Application Platform (commonly known as TAP).

What are supply chains

Supply chains provide a way of codifying all of the steps of your path to production, more commonly known as CI/CD. CI/CD is a method to frequently deliver applications by introducing automation into the stages of application development. The main concepts attributed to CI/CD are continuous integration, continuous delivery, and continuous deployment.

CI/CD is the method used by supply chains to deliver applications through automation. Tanzu Application Platform supply chains allow you to use CI/CD and add any other steps necessary for an application to reach production or a different environment, such as staging.

A simple path to production: CI to Security Scan to Build Image to Image Scan to CAB Approval to Deployment.

A path to production

A path to production allows you to create a unified access point for all of the tools required for your applications to reach a customer-facing environment. Instead of having four tools that are loosely coupled to each other, a path to production defines all four tools in a single, unified layer of abstraction. The path to production can be automated and repeatable between teams for applications at scale.

Typically tools cannot integrate with one another without scripting or webhooks. Whereas with a path to production, there is a unified automation tool to codify all the interactions between each of the tools. Supply chains that are used to codify the path to production for an organization are configurable. This allows their authors to add all of the steps of the path to production for their applications.

Available supply chains

Tanzu Application Platform provides three out of the box (OOTB) supply chains to work with the Tanzu Application Platform components. They include:

1: OOTB Basic (default)

The default OOTB Basic supply chain and its dependencies were installed on your cluster during the Tanzu Application Platform install. The following diagram and table provide a description of the supply chain and dependencies provided with Tanzu Application Platform.

The Source-to-URL chain: Watch Repo (Flux) to Build Image (TBS) to Apply Conventions to Deploy to Cluster (CNR).

Name Package Name Description Dependencies
Out of the Box Basic (Default - Installed during Installing Part 2) ootb-supply-chain-basic.tanzu.vmware.com This supply chain monitors a repository that is identified in the developer’s workload.yaml file. When any new commits are made to the application, the supply chain:
  • Creates a new image.
  • Applies any predefined conventions.
  • Deploys the application to the cluster.
  • Flux/Source Controller
  • Tanzu Build Service
  • Cartographer Conventions
  • Tekton
  • Cloud Native Runtimes
  • If using Service References:
    • Service Bindings
    • Services Toolkit

2: OOTB Testing

OOTB Testing supply chain runs a Tekton pipeline within the supply chain. The following diagram and table provide a description of the supply chain and dependencies provided with Tanzu Application Platform.

The Source-and-Test-to-URL chain: Watch Repo (Flux) to Test Code (Tekton) to Build Image (TBS) to Apply Conventions to Deploy to Cluster (CNR).

Name Package Name Description Dependencies
Out of the Box Testing ootb-supply-chain-testing.tanzu.vmware.com Out of the Box Testing contains all of the same elements as the Source to URL. It allows developers to specify a Tekton pipeline that runs as part of the CI step of the supply chain.
  • The application tests using the Tekton pipeline.
  • A new image is created.
  • Any predefined conventions are applied.
  • The application is deployed to the cluster.
All of the Source to URL dependencies

3: OOTB Testing+Scanning

OOTB Testing+Scanning supply chain includes integrations for secure scanning tools. The following diagram and table provide a description of the supply chain and dependencies provided with Tanzu Application Platform.

The Source-and-Test-to-URL chain: Watch Repo (Flux) to Test Code (Tekton) to Build Image (TBS) to Apply Conventions to Deploy to Cluster (CNR).

Name Package Name Description Dependencies
Out of the Box Testing and Scanning ootb-supply-chain-testing-scanning.tanzu.vmware.com Out of the Box Testing and Scanning contains all of the same elements as the Out of the Box Testing supply chain, and it also includes integrations with the secure scanning components of Tanzu Application Platform.
  • The application is tested using the provided Tekton pipeline.
  • (Optional) The application source code is scanned for vulnerabilities. For how to opt in, see Adding Source Scan to the Test and Scan Supply Chain.
  • A new image is created.
  • The image is scanned for vulnerabilities.
  • Any predefined conventions are applied.
  • The application deploys to the cluster.
All of the Source to URL dependencies, and:
  • The secure scanning components included with Tanzu Application Platform

Next steps

Apply what you have learned:

Or learn about:

check-circle-line exclamation-circle-line close-line
Scroll to top icon