Install Tanzu Application Platform package and profiles on Azure

This topic tells you how to install Tanzu Application Platform (commonly known as TAP) packages from your Tanzu Application Platform package repository on to Azure.

Before installing the packages, ensure you have:

Relocate images to a registry

Before installation, you must relocate the Tanzu Application Platform images from tanzu.packages.broadcom.com to your own container image registry.

The supported registries are Harbor, Azure Container Registry, Google Container Registry, and Quay.io. See the following documentation to learn how to set up your container image registry:

To relocate images from tanzu.packages.broadcom.com to your registry:

  1. Retrieve your Broadcom registry API token:

    1. Sign in to the Broadcom Support Portal.

    2. Go to Tanzu Application Platform (TAP) and expand the VMware Tanzu Application Platform dropdown.

    3. Click the Token Download icon next to the Tanzu Application Platform version you want to download.

      Screenshot of the Tanzu Application Platform download page in the Broadcom Support Portal
with the Token Download icon highlighted.

    4. Follow the instructions in the dialog box. Save the token as a variable named MY_BROADCOM_SUPPORT_ACCESS_TOKEN. For example:

      export MY_BROADCOM_SUPPORT_ACCESS_TOKEN=API-TOKEN
      

      Where API-TOKEN is your token from the Broadcom Support Portal.

  2. Set up environment variables for installation use by running:

    # Set tanzu.packages.broadcom.com as the source registry to copy the Tanzu Application Platform packages from.
    export IMGPKG_REGISTRY_HOSTNAME_0=tanzu.packages.broadcom.com
    export IMGPKG_REGISTRY_USERNAME_0=MY-BROADCOM-SUPPORT-USERNAME
    export IMGPKG_REGISTRY_PASSWORD_0=$MY_BROADCOM_SUPPORT_ACCESS_TOKEN
    
    # The user’s registry for copying the Tanzu Application Platform package to.
    export IMGPKG_REGISTRY_HOSTNAME_1=$REGISTRY_NAME.azurecr.io
    export IMGPKG_REGISTRY_USERNAME_1=$REGISTRY_NAME
    export IMGPKG_REGISTRY_PASSWORD_1=REGISTRY-PASSWORD
    # These environment variables starting with IMGPKG_* are used by the imgpkg command only.
    
    # The registry from which the Tanzu Application Platform package is retrieved.
    export INSTALL_REGISTRY_HOSTNAME=$REGISTRY_NAME.azurecr.io
    export TAP_VERSION=VERSION-NUMBER
    export INSTALL_REPO=tapimages
    

    Where:

    • MY-BROADCOM-SUPPORT-USERNAME is the user with access to the images in tanzu.packages.broadcom.com.
    • REGISTRY-PASSWORD is the password for your Azure container registry.
    • VERSION-NUMBER is your Tanzu Application Platform version. For example, 1.7.11.
  3. Install the Carvel tool imgpkg CLI.

  4. Relocate the images with the imgpkg CLI by running:

    imgpkg copy --concurrency 1 -b ${IMGPKG_REGISTRY_HOSTNAME_0}/tanzu-application-platform/tap-packages:${TAP_VERSION} --to-repo ${IMGPKG_REGISTRY_HOSTNAME_1}/${INSTALL_REPO}
    

Add the Tanzu Application Platform package repository

Tanzu CLI packages are available through repositories. Adding the Tanzu Application Platform package repository makes Tanzu Application Platform and its packages available for installation.

To add the Tanzu Application Platform package repository to your cluster:

  1. Create a namespace called tap-install for deploying any component packages by running:

    kubectl create ns tap-install
    

    This namespace keeps the objects grouped together logically.

  2. Create a registry secret for tanzu.packages.broadcom.com registry by running:

    tanzu secret registry add tap-registry \
    --username ${INSTALL_REGISTRY_USERNAME} --password ${INSTALL_REGISTRY_PASSWORD} \
    --server ${INSTALL_REGISTRY_HOSTNAME} \
    --export-to-all-namespaces --yes --namespace tap-install
    tanzu secret registry list --namespace tap-install
    
  3. Add the Tanzu Application Platform package repository to the cluster by running:

    tanzu package repository add tanzu-tap-repository \
      --url ${INSTALL_REGISTRY_HOSTNAME}/full-deps-package-repo
      --namespace tap-install
    
  4. Get the status of the Tanzu Application Platform package repository, and ensure the status updates to Reconcile succeeded by running:

    tanzu package repository get tanzu-tap-repository --namespace tap-install
    

    For example:

    $ tanzu package repository get tanzu-tap-repository --namespace tap-install
    - Retrieving repository tap...
    NAME:          tanzu-tap-repository
    VERSION:       16253001
    REPOSITORY:    123456789012.dkr.acr.us-east.azure.com/tap-images
    TAG:           1.7.11
    STATUS:        Reconcile succeeded
    REASON:
    
    Note

    The VERSION and TAG numbers differ from the earlier example if you are on Tanzu Application Platform v1.0.2 or earlier.

  5. List the available packages by running:

    tanzu package available list --namespace tap-install
    

    For example:

    $ tanzu package available list --namespace tap-install
    / Retrieving available packages...
      NAME                                                 DISPLAY-NAME                                                              SHORT-DESCRIPTION
      accelerator.apps.tanzu.vmware.com                    Application Accelerator for VMware Tanzu                                  Used to create new projects and configurations.
      api-portal.tanzu.vmware.com                          API portal                                                                A unified user interface for API discovery and exploration at scale.
      apis.apps.tanzu.vmware.com                           API Auto Registration for VMware Tanzu                                    A TAP component to automatically register API exposing workloads as API entities
                                                                                                                                     in TAP GUI.
      backend.appliveview.tanzu.vmware.com                 Application Live View for VMware Tanzu                                    App for monitoring and troubleshooting running apps
      buildservice.tanzu.vmware.com                        Tanzu Build Service                                                       Tanzu Build Service enables the building and automation of containerized
                                                                                                                                     software workflows securely and at scale.
      carbonblack.scanning.apps.tanzu.vmware.com           VMware Carbon Black for Supply Chain Security Tools - Scan                Default scan templates using VMware Carbon Black
      cartographer.tanzu.vmware.com                        Cartographer                                                              Kubernetes native Supply Chain Choreographer.
      cnrs.tanzu.vmware.com                                Cloud Native Runtimes                                                     Cloud Native Runtimes is a serverless runtime based on Knative
      connector.appliveview.tanzu.vmware.com               Application Live View Connector for VMware Tanzu                          App for discovering and registering running apps
      controller.source.apps.tanzu.vmware.com              Tanzu Source Controller                                                   Tanzu Source Controller enables workload create/update from source code.
      conventions.appliveview.tanzu.vmware.com             Application Live View Conventions for VMware Tanzu                        Application Live View convention server
      developer-conventions.tanzu.vmware.com               Tanzu App Platform Developer Conventions                                  Developer Conventions
      external-secrets.apps.tanzu.vmware.com               External Secrets Operator                                                 External Secrets Operator is a Kubernetes operator that integrates external
                                                                                                                                     secret management systems.
      fluxcd.source.controller.tanzu.vmware.com            Flux Source Controller                                                    The source-controller is a Kubernetes operator, specialised in artifacts
                                                                                                                                     acquisition from external sources such as Git, Helm repositories and S3 buckets.
      grype.scanning.apps.tanzu.vmware.com                 Grype for Supply Chain Security Tools - Scan                              Default scan templates using Anchore Grype
      metadata-store.apps.tanzu.vmware.com                 Supply Chain Security Tools - Store                                       Post SBoMs and query for image, package, and vulnerability metadata.
      namespace-provisioner.apps.tanzu.vmware.com          Namespace Provisioner                                                     Automatic Provisioning of Developer Namespaces.
      ootb-delivery-basic.tanzu.vmware.com                 Tanzu App Platform Out of The Box Delivery Basic                          Out of The Box Delivery Basic.
      ootb-supply-chain-basic.tanzu.vmware.com             Tanzu App Platform Out of The Box Supply Chain Basic                      Out of The Box Supply Chain Basic.
      ootb-supply-chain-testing-scanning.tanzu.vmware.com  Tanzu App Platform Out of The Box Supply Chain with Testing and Scanning  Out of The Box Supply Chain with Testing and Scanning.
      ootb-supply-chain-testing.tanzu.vmware.com           Tanzu App Platform Out of The Box Supply Chain with Testing               Out of The Box Supply Chain with Testing.
      ootb-templates.tanzu.vmware.com                      Tanzu App Platform Out of The Box Templates                               Out of The Box Templates.
      policy.apps.tanzu.vmware.com                         Supply Chain Security Tools - Policy Controller                           Policy Controller enables defining of a policy to restrict unsigned container
                                                                                                                                     images.
      scanning.apps.tanzu.vmware.com                       Supply Chain Security Tools - Scan                                        Scan for vulnerabilities and enforce policies directly within Kubernetes native
                                                                                                                                     Supply Chains.
      service-bindings.labs.vmware.com                     Service Bindings for Kubernetes                                           Service Bindings for Kubernetes implements the Service Binding Specification.
      services-toolkit.tanzu.vmware.com                    Services Toolkit                                                          The Services Toolkit enables the management, lifecycle, discoverability and
                                                                                                                                     connectivity of Service Resources (databases, message queues, DNS records,
                                                                                                                                     etc.).
      snyk.scanning.apps.tanzu.vmware.com                  Snyk for Supply Chain Security Tools - Scan                               Default scan templates using Snyk
      spring-boot-conventions.tanzu.vmware.com             Tanzu Spring Boot Conventions Server                                      Default Spring Boot convention server.
      sso.apps.tanzu.vmware.com                            AppSSO                                                                    Application Single Sign-On for Tanzu
      tap-auth.tanzu.vmware.com                            Default roles for Tanzu Application Platform                              Default roles for Tanzu Application Platform
      tap-gui.tanzu.vmware.com                             Tanzu Developer Portal                                            web app graphical user interface for Tanzu Application Platform
      tap-telemetry.tanzu.vmware.com                       Telemetry Collector for Tanzu Application Platform                        Tanzu Application Platform Telemetry
      tap.tanzu.vmware.com                                 Tanzu Application Platform                                                Package to install a set of TAP components to get you started based on your use
                                                                                                                                     case.
      tekton.tanzu.vmware.com                              Tekton Pipelines                                                          Tekton Pipelines is a framework for creating CI/CD systems.
    

Install your Tanzu Application Platform profile

The tap.tanzu.vmware.com package installs predefined sets of packages based on your profile settings by using the package manager installed by Tanzu Cluster Essentials. For more information about profiles, see Components and installation profiles.

Some components use kpack and require a repository to publish artifacts to. This registry does not have to be the same registry used for installing the Tanzu Application Platform packages. To create a registry secret and add it to a developer namespace, run:

export KP_REGISTRY_USERNAME=YOUR-USERNAME
export KP_REGISTRY_PASSWORD=YOUR-PASSWORD
export KP_REGISTRY_HOSTNAME=YOUR-HOSTNAME

echo $KP_REGISTRY_USERNAME
echo $KP_REGISTRY_PASSWORD
echo $KP_REGISTRY_HOSTNAME

docker login $KP_REGISTRY_HOSTNAME -u $KP_REGISTRY_USERNAME -p $KP_REGISTRY_PASSWORD

export YOUR_NAMESPACE=mydev-ns

echo $YOUR_NAMESPACE

kubectl create ns $YOUR_NAMESPACE

tanzu secret registry add registry-credentials --server $KP_REGISTRY_HOSTNAME --username $KP_REGISTRY_USERNAME --password $KP_REGISTRY_PASSWORD --namespace $YOUR_NAMESPACE

kubectl get secret registry-credentials  -o jsonpath='{.data.\.dockerconfigjson}'  -n $YOUR_NAMESPACE| base64 --decode

To prepare to install a profile:

  1. List version information for the package by running:

    tanzu package available list tap.tanzu.vmware.com --namespace tap-install
    
  2. Create a tap-values.yaml file by using the Full Profile (Azure), which contains the minimum configurations required to deploy Tanzu Application Platform on Azure. The sample values file contains the necessary defaults for:

    • The meta-package, or parent Tanzu Application Platform package.
    • Subordinate packages, or individual child packages.

    Keep the values file for future configuration use.

    Note

    tap-values.yaml is set as a Kubernetes secret, which provides secure means to read credentials for the Tanzu Application Platform components.

  3. View possible configuration settings for your package

Full profile (Azure)

The following is the YAML file sample for the full-profile on Azure by using the ACR repositories you created earlier. The profile: field takes full as the default value, but you can also set it to iterate, build, run, or view. See Install multicluster Tanzu Application Platform profiles for more information.

cat << EOF > tap-values.yaml
shared:
  ingress_domain: YOUR_DOMAIN
  ingress_issuer: CLUSTER_ISSUER # use "" to disable SSL

  image_registry:
    project_path: ${KP_REGISTRY_HOSTNAME}/tap
    secret:
      name: registry-credentials
      namespace: ${YOUR_NAMESPACE}

ceip_policy_disclosed: true
profile: full # Can take iterate, build, run, view.

supply_chain: basic # Can take testing, testing_scanning.

ootb_templates:
  iaas_auth: true

ootb_supply_chain_basic:
  registry: # (Optional) Takes the value from the project_path under the shared.image_registry section by default, but you can override it by setting different values.
    server: ${KP_REGISTRY_HOSTNAME}
    repository: tap-apps
  gitops:
    ssh_secret: ""

contour:
  envoy:
    service:
      type: LoadBalancer

buildservice:
  # (Optional) Takes the value from the project_path under the shared.image_registry section by default, but you can override it by setting a different value.
  kp_default_repository: ${KP_REGISTRY_HOSTNAME}/buildservice
  kp_default_repository_secret:
    name: registry-credentials
    namespace: ${YOUR_NAMESPACE}

local_source_proxy:
  # (Optional) Takes the value from the project_path under the shared.image_registry section by default, but you can override it by setting a different value.
  repository: "EXTERNAL-REGISTRY-FOR-LOCAL-SOURCE"
  push_secret:
    name: "EXTERNAL-REGISTRY-FOR-LOCAL-SOURCE-SECRET"
    namespace: "EXTERNAL-REGISTRY-FOR-LOCAL-SOURCE-SECRET-NAMESPACE"
    create_export: true  # When set to true, the secret mentioned in this section is automatically exported to Local Source Proxy's namespace.

ootb_delivery_basic:
  service_account: default

tap_gui:
  app_config:
    auth:
      allowGuestAccess: true

metadata_store:
  app_service_type: ClusterIP
  ns_for_export_app_cert: ${YOUR_NAMESPACE}

accelerator:
  server:
    service_type: "ClusterIP"

EOF

Where:

  • YOUR_DOMAIN is the subdomain for the host name that you point at the tanzu-shared-ingress service’s External IP address.
    Note

    You can update this field when knowing the external IP address of the ingress after the initial install of Tanzu Application Platform.

  • CLUSTER_ISSUER is the name of the deployed ClusterIssuer to enable TLS on your ingress domain. You can disable TLS by using an empty string "".
  • YOUR_NAMESPACE is the environment variable you defined earlier to describe the name of the developer namespace. Supply Chain Security Tools - Store exports secrets to the namespace, and Supply Chain Security Tools - Scan deploys the ScanTemplates there. This allows the scanning feature to run in this namespace. If there are multiple developer namespaces, use ns_for_export_app_cert: "*" to export the Supply Chain Security Tools - Store CA certificate to all namespaces.
  • EXTERNAL-REGISTRY-FOR-LOCAL-SOURCE is where the developer’s local source is uploaded when using Tanzu CLI to use Local Source Proxy for workload creation.
  • EXTERNAL-REGISTRY-FOR-LOCAL-SOURCE-SECRET is the name of the secret with credentials that allow pushing to the EXTERNAL-REGISTRY-FOR-LOCAL-SOURCE repository.
  • EXTERNAL-REGISTRY-FOR-LOCAL-SOURCE-SECRET-NAMESPACE is the namespace in which EXTERNAL-REGISTRY-FOR-LOCAL-SOURCE-SECRET is available.
Important

Installing Grype by using tap-values.yaml as follows is deprecated in v1.6 and will be removed in v1.8:

grype:
  targetImagePullSecret: registry-credentials

You can install Grype by using Namespace Provisioner instead.

(Optional) Configure your profile with full dependencies

When you install a profile that includes Tanzu Build Service, Tanzu Application Platform is installed with the lite set of dependencies. These dependencies consist of buildpacks and stacks required for application builds.

The lite set of dependencies do not contain all buildpacks and stacks. To use all buildpacks and stacks, you must install the full dependencies. For more information about the differences between lite and full dependencies, see About lite and full dependencies.

To configure full dependencies, add the key-value pair exclude_dependencies: true to your tap-values.yaml file under the buildservice section. For example:

buildservice:
  kp_default_repository: "KP-DEFAULT-REPO"
  kp_default_repository_secret: # Takes the value from the shared section by default, but can be overridden by setting a different value.
    name: "KP-DEFAULT-REPO-SECRET"
    namespace: "KP-DEFAULT-REPO-SECRET-NAMESPACE"
  exclude_dependencies: true

After configuring full dependencies, you must install the dependencies after you have finished installing your Tanzu Application Platform package. See Install the full dependencies package for more information.

Tanzu Application Platform v1.6.1 supports building applications with Ubuntu v22.04 (Jammy).

Install your Tanzu Application Platform package

Follow these steps to install the Tanzu Application Platform package:

  1. Install the package by running:

    tanzu package install tap -p tap.tanzu.vmware.com -v $TAP_VERSION --values-file tap-values.yaml -n tap-install
    
  2. Verify the package install by running:

    tanzu package installed get tap -n tap-install
    

    This can take 5-10 minutes because it installs several packages on your cluster.

  3. Verify that the necessary packages in the profile are installed by running:

    tanzu package installed list -A
    
  4. If you configured full dependencies in your tbs-values.yaml file, install the full dependencies by following the procedure in Install full dependencies.

After installing the Full profile on your cluster, you can install the Tanzu Developer Tools for VS Code Extension to help you develop against it. For more information, see Install Tanzu Developer Tools for your VS Code.

Install the full dependencies package

If you configured full dependencies in your tap-values.yaml file in Configure your profile with full dependencies earlier, you must install the full dependencies package.

For more information about the differences between lite and full dependencies, see About lite and full dependencies.

To install the full dependencies package:

  1. To execute a clean install of the full dependencies, you must exclude the default dependencies by adding the key-value pair exclude_dependencies: true to your tap-values.yaml file under the buildservice section. For example:

    buildservice:
      kp_default_repository: ${KP_REGISTRY_HOSTNAME}.azurecr.io/{$REPOSITORY_NAME}
      exclude_dependencies: true
    ...
    
  2. Get the latest version of the tap package by running:

    tanzu package available list tap.tanzu.vmware.com --namespace tap-install
    
  3. Relocate the Tanzu Build Service full dependencies package repository by running:

    imgpkg copy -b tanzu.packages.broadcom.com/tanzu-application-platform/full-deps-package-repo:VERSION \
      --to-repo ${INSTALL_REGISTRY_HOSTNAME}/full-deps-package-repo
    

    Where VERSION is the version of the tap package you retrieved in the previous step.

  4. Add the Tanzu Build Service full dependencies package repository by running:

    tanzu package repository add full-deps-package-repo \
      --url ${INSTALL_REGISTRY_HOSTNAME}/${INSTALL_REPO}/full-deps-package-repo:VERSION \
      --namespace tap-install
    

    Where VERSION is the version of the tap package you retrieved earlier.

  5. Install the full dependencies package by running:

    tanzu package install full-deps -p full-deps.buildservice.tanzu.vmware.com -v "> 0.0.0" -n tap-install --values-file PATH-TO-TAP-VALUES-FILE
    

Access Tanzu Developer Portal

You can use the host name configured in Access Tanzu Developer Portal to access Tanzu Developer Portal. This host name is pointed at the shared ingress.

You’re now ready to start using Tanzu Developer Portal. Proceed to the Getting Started topic or the Tanzu Developer Portal - Catalog Operations topic.

Next steps

check-circle-line exclamation-circle-line close-line
Scroll to top icon