Install Tanzu Application Platform package and profiles on AWS

This topic tells you how to install Tanzu Application Platform (commonly known as TAP) packages from your Tanzu Application Platform package repository on to AWS.

Before installing the packages, ensure you have:

Completed the Prerequisites.
Created AWS Resources.
Installed Tanzu CLI with any required plug-ins.
Installed Cluster Essentials for Tanzu.

Relocate images to a registry

Before installation, you must relocate the Tanzu Application Platform images from tanzu.packages.broadcom.com to your own container image registry.

This section describes how to relocate images to the tap-images repository created in Amazon Elastic Container Registry (ECR). See Creating AWS Resources for more information.

To relocate images from tanzu.packages.broadcom.com to the ECR registry:

Retrieve your Broadcom registry API token:
1. Sign in to the Broadcom Support Portal.
2. Go to Tanzu Application Platform (TAP) and expand the VMware Tanzu Application Platform dropdown.
3. Click the Token Download icon next to the Tanzu Application Platform version you want to download.
4. Follow the instructions in the dialog box. Save the token as a variable named MY_BROADCOM_SUPPORT_ACCESS_TOKEN. For example:
```
export MY_BROADCOM_SUPPORT_ACCESS_TOKEN=API-TOKEN
```
  Where API-TOKEN is your token from the Broadcom Support Portal.

Set up environment variables for installation use by running:

export AWS_ACCOUNT_ID=MY-AWS-ACCOUNT-ID
export AWS_REGION=TARGET-AWS-REGION

# Set tanzu.packages.broadcom.com as the source registry to copy the Tanzu Application Platform packages from.
export IMGPKG_REGISTRY_HOSTNAME_0=tanzu.packages.broadcom.com
export IMGPKG_REGISTRY_USERNAME_0=MY-BROADCOM-SUPPORT-USERNAME
export IMGPKG_REGISTRY_PASSWORD_0=$MY_BROADCOM_SUPPORT_ACCESS_TOKEN

# The user’s registry for copying the Tanzu Application Platform package to.
export IMGPKG_REGISTRY_HOSTNAME_1=$AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com
export IMGPKG_REGISTRY_USERNAME_1=AWS
export IMGPKG_REGISTRY_PASSWORD_1=`aws ecr get-login-password --region $AWS_REGION`
# These environment variables starting with IMGPKG_* are used by the imgpkg command only.

# The registry from which the Tanzu Application Platform package is retrieved.
export INSTALL_REGISTRY_HOSTNAME=$AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com
export TAP_VERSION=VERSION-NUMBER
export INSTALL_REPO=tap-images

Where:

MY-AWS-ACCOUNT-ID is the account ID you deploy Tanzu Application Platform in. No dashes and must be in the format 012345678901.
TARGET-AWS-REGION is the region you deploy the Tanzu Application Platform to.
MY-BROADCOM-SUPPORT-USERNAME is the user with access to the images in tanzu.packages.broadcom.com.
VERSION-NUMBER is your Tanzu Application Platform version. For example, 1.8.5

Install the Carvel tool imgpkg CLI.

Relocate the images with the imgpkg CLI by running:

imgpkg copy --concurrency 1 -b tanzu.packages.broadcom.com/tanzu-application-platform/tap-packages:${TAP_VERSION} --to-repo ${INSTALL_REGISTRY_HOSTNAME}/${INSTALL_REPO}

Add the Tanzu Application Platform package repository

Tanzu CLI packages are available on repositories. Adding the Tanzu Application Platform package repository makes Tanzu Application Platform and its packages available for installation.

To add the Tanzu Application Platform package repository to your cluster:

Create a namespace called tap-install for deploying any component packages by running:
```
kubectl create ns tap-install
```
This namespace keeps the objects grouped together logically.

(Optional) If you haven’t relocated the images to ECR, create a secret to your registry by running:

tanzu secret registry add tap-registry \
  --username ${INSTALL_REGISTRY_USERNAME} --password ${INSTALL_REGISTRY_PASSWORD} \
  --server ${INSTALL_REGISTRY_HOSTNAME} \
  --export-to-all-namespaces --yes --namespace tap-install

Add the Tanzu Application Platform package repository to the cluster by running:

tanzu package repository add tanzu-tap-repository \
  --url ${INSTALL_REGISTRY_HOSTNAME}/${INSTALL_REPO}:${TAP_VERSION} \
  --namespace tap-install

Get the status of the Tanzu Application Platform package repository, and ensure the status updates to Reconcile succeeded by running:

tanzu package repository get tanzu-tap-repository --namespace tap-install

For example:

$ tanzu package repository get tanzu-tap-repository --namespace tap-install
- Retrieving repository tap...
NAME:          tanzu-tap-repository
VERSION:       16253001
REPOSITORY:    123456789012.dkr.ecr.us-west-2.amazonaws.com/tap-images
TAG:           1.8.5
STATUS:        Reconcile succeeded
REASON:

List the available packages by running:

tanzu package available list --namespace tap-install

For example:

$ tanzu package available list --namespace tap-install
  NAME                                                 DISPLAY-NAME
  accelerator.apps.tanzu.vmware.com                    Application Accelerator for VMware Tanzu
  amr-observer.apps.tanzu.vmware.com                   Supply Chain Security Tools - AMR Observer
  api-portal.tanzu.vmware.com                          API portal
  apis.apps.tanzu.vmware.com                           API Auto Registration for VMware Tanzu
  apiserver.appliveview.tanzu.vmware.com               Application Live View ApiServer for VMware Tanzu
  app-scanning.apps.tanzu.vmware.com                   SCST - Scan 2.0
  application-configuration-service.tanzu.vmware.com   Application Configuration Service
  backend.appliveview.tanzu.vmware.com                 Application Live View for VMware Tanzu
  base-jammy-builder-lite.buildpacks.tanzu.vmware.com  base-jammy-builder-lite
  base-jammy-stack-lite.buildpacks.tanzu.vmware.com    base-jammy-stack
  bitnami.services.tanzu.vmware.com                    bitnami-services
  buildservice.tanzu.vmware.com                        Tanzu Build Service
  carbonblack.scanning.apps.tanzu.vmware.com           VMware Carbon Black for Supply Chain Security Tools - Scan
  cartographer.tanzu.vmware.com                        Cartographer
  cnrs.tanzu.vmware.com                                Cloud Native Runtimes
  connector.appliveview.tanzu.vmware.com               Application Live View Connector for VMware Tanzu
  controller.source.apps.tanzu.vmware.com              Tanzu Source Controller
  conventions.appliveview.tanzu.vmware.com             Application Live View Conventions for VMware Tanzu
  crossplane.tanzu.vmware.com                          crossplane
  developer-conventions.tanzu.vmware.com               Tanzu App Platform Developer Conventions
  dotnet-core-lite.buildpacks.tanzu.vmware.com         dotnet-core-lite
  external-secrets.apps.tanzu.vmware.com               External Secrets Operator
  fluxcd.source.controller.tanzu.vmware.com            Flux Source Controller
  go-lite.buildpacks.tanzu.vmware.com                  go-lite
  grype.scanning.apps.tanzu.vmware.com                 Grype for Supply Chain Security Tools - Scan
  java-lite.buildpacks.tanzu.vmware.com                java-lite
  java-native-image-lite.buildpacks.tanzu.vmware.com   java-native-image-lite
  local-source-proxy.apps.tanzu.vmware.com             Local Source Proxy
  metadata-store.apps.tanzu.vmware.com                 Supply Chain Security Tools - Store
  namespace-provisioner.apps.tanzu.vmware.com          Namespace Provisioner
  nodejs-lite.buildpacks.tanzu.vmware.com              nodejs-lite
  ootb-delivery-basic.tanzu.vmware.com                 Tanzu App Platform Out of The Box Delivery Basic
  ootb-supply-chain-basic.tanzu.vmware.com             Tanzu App Platform Out of The Box Supply Chain Basic
  ootb-supply-chain-testing-scanning.tanzu.vmware.com  Tanzu App Platform Out of The Box Supply Chain with Testing and Scanning
  ootb-supply-chain-testing.tanzu.vmware.com           Tanzu App Platform Out of The Box Supply Chain with Testing
  ootb-templates.tanzu.vmware.com                      Tanzu App Platform Out of The Box Templates
  policy.apps.tanzu.vmware.com                         Supply Chain Security Tools - Policy Controller
  python-lite.buildpacks.tanzu.vmware.com              python-lite
  ruby-lite.buildpacks.tanzu.vmware.com                ruby-lite
  scanning.apps.tanzu.vmware.com                       Supply Chain Security Tools - Scan
  service-bindings.labs.vmware.com                     Service Bindings for Kubernetes
  services-toolkit.tanzu.vmware.com                    Services Toolkit
  snyk.scanning.apps.tanzu.vmware.com                  Snyk for Supply Chain Security Tools - Scan
  spring-boot-conventions.tanzu.vmware.com             Tanzu Spring Boot Conventions Server
  spring-cloud-gateway.tanzu.vmware.com                Spring Cloud Gateway
  sso.apps.tanzu.vmware.com                            AppSSO
  tap-auth.tanzu.vmware.com                            Default roles for Tanzu Application Platform
  tap-gui.tanzu.vmware.com                             Tanzu Developer Portal
  tap-telemetry.tanzu.vmware.com                       Telemetry Collector for Tanzu Application Platform
  tap.tanzu.vmware.com                                 Tanzu Application Platform
  tekton.tanzu.vmware.com                              Tekton Pipelines
  tpb.tanzu.vmware.com                                 Tanzu Portal Builder
  web-servers-lite.buildpacks.tanzu.vmware.com         web-servers-lite

Install your Tanzu Application Platform profile

The tap.tanzu.vmware.com package installs predefined sets of packages based on your profile settings. This is done by using the package manager installed by Tanzu Cluster Essentials.

For more information about profiles, see Components and installation profiles.

To prepare to install a profile:

List version information for the package by running:

tanzu package available list tap.tanzu.vmware.com --namespace tap-install

Create a tap-values.yaml file by using the Full Profile (AWS), which contains the minimum configurations required to deploy Tanzu Application Platform on AWS. The sample values file contains the necessary defaults for:
- The meta-package, or parent Tanzu Application Platform package.
- Subordinate packages, or individual child packages.
Keep the values file for future configuration use.

Note
tap-values.yaml is set as a Kubernetes secret, which provides secure means to read credentials for Tanzu Application Platform components.
View possible configuration settings for your package

Full profile (AWS)

The following command generates the YAML file sample for the full-profile on AWS by using the ECR repositories you created earlier. The profile: field takes full as the default value, but you can also set it to iterate, build, run, or view. Refer to Install multicluster Tanzu Application Platform profiles for more information.

cat << EOF > tap-values.yaml
shared:
  ingress_domain: "INGRESS-DOMAIN"

ceip_policy_disclosed: true

# The above keys are minimum numbers of entries needed in tap-values.yaml to get a functioning TAP Full profile installation.

# Below are the keys which may have default values set, but can be overridden.

profile: full # Can take iterate, build, run, view.

supply_chain: basic # Can take testing, testing_scanning.

ootb_supply_chain_basic: # Based on supply_chain set above, can be changed to ootb_supply_chain_testing, ootb_supply_chain_testing_scanning.
  registry:
    server: ${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com
    # The prefix of the ECR repository.  Workloads will need
    # two repositories created:
    #
    # tanzu-application-platform/<workloadname>-<namespace>
    # tanzu-application-platform/<workloadname>-<namespace>-bundle
    repository: tanzu-application-platform

contour:
  envoy:
    service:
      type: LoadBalancer # This is set by default, but can be overridden by setting a different value.

buildservice:
  kp_default_repository: ${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/tap-build-service
  # Enable the build service k8s service account to bind to the AWS IAM Role
  kp_default_repository_aws_iam_role_arn: "arn:aws:iam::${AWS_ACCOUNT_ID}:role/tap-build-service"

local_source_proxy:
  # Takes the value from the project_path under the image_registry section of shared by default, but can be overridden by setting a different value.
  repository: "EXTERNAL-REGISTRY-FOR-LOCAL-SOURCE"
  push_secret:
    # When set to true, the secret mentioned in this section is automatically exported to Local Source Proxy's namespace.
    name: "EXTERNAL-REGISTRY-FOR-LOCAL-SOURCE-SECRET"
    namespace: "EXTERNAL-REGISTRY-FOR-LOCAL-SOURCE-SECRET-NAMESPACE"
    # When set to true, the secret mentioned in this section is automatically exported to Local Source Proxy's namespace.
    create_export: true

ootb_templates:
  # Enable the config writer service to use cloud based iaas authentication
  # which are retrieved from the developer namespace service account by
  # default
  iaas_auth: true

tap_gui:
  app_config:
    auth:
      allowGuestAccess: true  # This allows unauthenticated users to log in to your portal. If you want to deactivate it, make sure you configure an alternative auth provider.
    catalog:
      locations:
        - type: url
          target: https://GIT-CATALOG-URL/catalog-info.yaml

metadata_store:
  ns_for_export_app_cert: "MY-DEV-NAMESPACE" # Verify this namespace is available within your cluster before initiating the Tanzu Application Platform installation.
  app_service_type: ClusterIP # Defaults to LoadBalancer. If shared.ingress_domain is set earlier, this must be set to ClusterIP.

namespace_provisioner:
  aws_iam_role_arn: "arn:aws:iam::${AWS_ACCOUNT_ID}:role/tap-workload"

tap_telemetry:
  customer_entitlement_account_number: "CUSTOMER-ENTITLEMENT-ACCOUNT-NUMBER" # (Optional) Identify data for creating Tanzu Application Platform usage reports.
EOF

Where:

INGRESS-DOMAIN is the subdomain for the host name that you point at the tanzu-shared-ingress service’s External IP address.
kp_default_repository_aws_iam_role_arn is the ARN that was created to write to the ECR repository for the build service. This value is generated by the script, but you can modify it manually.
namspace_provisioner.aws_iam_role_arn is the ARN that was created to write to the ECR repository for workloads. This value is generated by the script, but you can modify it manually.
EXTERNAL-REGISTRY-FOR-LOCAL-SOURCE is where the developer’s local source is uploaded when using Tanzu CLI to use Local Source Proxy for workload creation.

If an AWS ECR registry is being used, ensure that the repository already exists. AWS ECR expects the repository path to already exist. This destination is represented as REGISTRY-SERVER/REPOSITORY-PATH. For more information, see Install Local Source Proxy.
EXTERNAL-REGISTRY-FOR-LOCAL-SOURCE-SECRET is the name of the secret with credentials that allow pushing to the EXTERNAL-REGISTRY-FOR-LOCAL-SOURCE repository.
EXTERNAL-REGISTRY-FOR-LOCAL-SOURCE-SECRET-NAMESPACE is the namespace in which EXTERNAL-REGISTRY-FOR-LOCAL-SOURCE-SECRET is available.
GIT-CATALOG-URL is the path to the catalog-info.yaml catalog definition file. You can download either a blank or populated catalog file from the Broadcom Support Portal (file name Tanzu Application Platform Developer Portal Blank Catalog or Tanzu Application Platform Developer Portal Yelb Catalog). Otherwise, you can use a Backstage-compliant catalog you’ve already built and posted on the Git infrastructure.
MY-DEV-NAMESPACE is the name of the developer namespace. SCST - Store exports secrets to the namespace, and SCST - Scan deploys the ScanTemplates there. This allows the scanning feature to run in this namespace. If there are multiple developer namespaces, use ns_for_export_app_cert: "*" to export the SCST - Store CA certificate to all namespaces.
CUSTOMER-ENTITLEMENT-ACCOUNT-NUMBER (optional) refers to the Entitlement Account Number (EAN), which is a unique identifier VMware assigns to its customers. Tanzu Application Platform telemetry uses this number to identify data that belongs to a particular customers and prepare usage reports.

For AWS, the default settings creates a classic LoadBalancer. To use the Network LoadBalancer instead of the classic LoadBalancer for ingress, add the following to your tap-values.yaml:

contour:
  infrastructure_provider: aws
  envoy:
    service:
      aws:
        LBType: nlb

(Optional) Additional Build Service configurations

The following tasks are optional during the Tanzu Application Platform installation process:

(Optional) Configure your profile with full dependencies
(Optional) Configure your profile with the Jammy stack only

(Optional) Configure your profile with full dependencies

When you install a profile that includes Tanzu Build Service, Tanzu Application Platform is installed with the lite set of dependencies. These dependencies consist of buildpacks and stacks required for application builds.

The lite set of dependencies do not contain all buildpacks and stacks. To use all buildpacks and stacks, you must install the full dependencies. For more information about the differences between lite and full dependencies, see About lite and full dependencies.

To configure full dependencies, add the key-value pair exclude_dependencies: true to your tap-values.yaml file under the buildservice section. For example:

buildservice:
  kp_default_repository: ${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/tap-build-service
  exclude_dependencies: true

After configuring full dependencies, you must install the dependencies after you have finished installing your Tanzu Application Platform package. See Install the full dependencies package for more information.

Tanzu Application Platform v1.8.5 supports building applications with Ubuntu v22.04 (Jammy).

Install your Tanzu Application Platform package

Follow these steps to install the Tanzu Application Platform package:

Install the package by running:

tanzu package install tap -p tap.tanzu.vmware.com -v ${TAP_VERSION} --values-file tap-values.yaml -n tap-install

Verify the package install by running:
```
tanzu package installed get tap -n tap-install
```
This can take 5-10 minutes because it installs several packages on your cluster.
Verify that the necessary packages in the profile are installed by running:
```
tanzu package installed list -A
```
If you configured full dependencies in your tbs-values.yaml file, install the full dependencies by following the procedure in Install full dependencies.

After installing the Full profile on your cluster, you can install the Tanzu Developer Tools for VS Code Extension to help you develop against it. For instructions, see Install Tanzu Developer Tools for your VS Code.

Note
You can run the following command after reconfiguring the profile to reinstall the Tanzu Application Platform:

tanzu package installed update tap -p tap.tanzu.vmware.com -v ${TAP_VERSION}  --values-file tap-values.yaml -n tap-install

Install the full dependencies package

If you configured full dependencies in your tap-values.yaml file in Configure your profile with full dependencies earlier, you must install the full dependencies package.

Create an ECR repository for Tanzu Build Service full dependencies by running:

aws ecr create-repository --repository-name full-deps --region ${AWS_REGION}

(Optional) If you have an existing installation of the full dependencies package from a version earlier than Tanzu Application Platform v1.8.5, you must uninstall the full dependencies package and remove the package repository:
1. Uninstall the package:
```
tanzu package installed delete full-tbs-deps -n tap-install
```
2. Remove the package repository:
```
tanzu package repository delete tbs-full-deps-repository -n tap-install
```
Important
The package and repository names might differ depending on your installation configurations.
Get the latest version of the Tanzu Application Platform package by running:
```
tanzu package available list tap.tanzu.vmware.com --namespace tap-install
```
If you have not done so already, you must exclude the default dependencies by adding the key-value pair exclude_dependencies: true to your tap-values.yaml file under the buildservice section. For example:
```
buildservice:
  exclude_dependencies: true
```
If you have not updated your Tanzu Application Platform package installation after adding the key-value pair exclude_dependencies: true to your values file, perform the update by running:
```
tanzu package installed update tap --namespace tap-install --values-file VALUES-FILE
```
Where VALUES-FILE is the path to the tap-values.yaml file you edited earlier.
Relocate the Tanzu Build Service full dependencies package repository by doing one of the following:
- Relocate the images directly for online installation:
```
imgpkg copy \
  -b tanzu.packages.broadcom.com/tanzu-application-platform/full-deps-package-repo:VERSION \
  --to-repo ${INSTALL_REGISTRY_HOSTNAME}/full-deps-package-repo
```
  Where VERSION is the version of the Tanzu Application Platform package you retrieved earlier.
- Relocate the images to an external storage device and then to the registry in the air-gapped environment:
```
imgpkg copy \
  -b tanzu.packages.broadcom.com/tanzu-application-platform/full-deps-package-repo:VERSION \
  --to-tar=full-deps-package-repo.tar

# move full-deps-package-repo.tar to environment with registry access
imgpkg copy \
  --tar full-deps-package-repo.tar \
  --to-repo=INSTALL-REGISTRY-HOSTNAME/TARGET-REPOSITORY/full-deps-package-repo
```
  Where:
  - VERSION is the version of the Tanzu Application Platform package you retrieved earlier.
  - INSTALL-REGISTRY-HOSTNAME is your container registry.
  - TARGET-REPOSITORY is your target repository.
Add the Tanzu Build Service full dependencies package repository by running:
```
tanzu package repository add full-deps-package-repo \
  --url INSTALL-REGISTRY-HOSTNAME/TARGET-REPOSITORY/full-deps-package-repo:VERSION \
  --namespace tap-install
```
Where:
- INSTALL-REGISTRY-HOSTNAME is your container registry.
- TARGET-REPOSITORY is your target repository.
- VERSION is the version of the Tanzu Application Platform package you retrieved earlier.
Create a new tbs-full-deps-values.yaml and copy the kp_default_repository key-value pair from your tap-values.yaml or tbs-values.yaml:
```
---
 kp_default_repository: "REPO-NAME"
 kp_default_repository_secret:
   name: kp-default-repository-creds
   namespace: tap-install
```
Where REPO-NAME is copied from the buildservice.kp_default_repository field in your tap-values.yaml or tbs-values.yaml.
1. (Optional) Install the UBI builder.
  
  The UBI builder uses Red Hat Universal Base Image (UBI) v8 for both build and run images. This builder only supports Java and Node.js. To install the UBI builder, add the key-value pair enable_ubi_builder: true to your tbs-full-deps-values.yaml.
```
---
enable_ubi_builder: true
```
2. (Optional) Install the Static builder.
  
  The Static builder uses Ubuntu Jammy for both build images and a minimal static run image. This builder only supports Golang. To install the Static builder, add the key-value pair enable_static_builder: true to your tbs-full-deps-values.yaml.
```
---
enable_static_builder: true
```

Install the full dependencies package by running:

tanzu package install full-deps \
  --package full-deps.buildservice.tanzu.vmware.com \
  --version "> 0.0.0" \
  --namespace tap-install \
  --values-file VALUES-FILE

Where VALUES-FILE is the path to the tbs-full-deps-values.yaml you created earlier.

For more information about the differences between lite and full dependencies, see About lite and full dependencies.

Access Tanzu Developer Portal

To access Tanzu Developer Portal, you can use the host name that you configured earlier. This host name is pointed at the shared ingress. To configure LoadBalancer for Tanzu Developer Portal, see Access Tanzu Developer Portal.

You’re now ready to start using Tanzu Developer Portal. Proceed to the Getting Started topic or the Tanzu Developer Portal - Catalog Operations topic.

Exclude packages from a Tanzu Application Platform profile

To exclude packages from a Tanzu Application Platform profile:

Find the full subordinate (child) package name:

tanzu package available list --namespace tap-install

Update your tap-values file with a section listing the exclusions:

profile: PROFILE-VALUE
excluded_packages:
  - tap-gui.tanzu.vmware.com
  - service-bindings.lab.vmware.com

Important
If you exclude a package after performing a profile installation including that package, you cannot see the accurate package states immediately after running tap package installed list -n tap-install. Also, you can break package dependencies by removing a package. Allow 20 minutes to verify that all packages have reconciled correctly while troubleshooting.