Configure Tanzu Supply Chain

This topic tells you what to configure to complete your Tanzu Supply Chain installation.

Caution

Tanzu Supply Chain is currently in beta and is not intended for production use. It is intended only for evaluation purposes for the next generation Supply Chain. For the current Supply Chain solution, see the Supply Chain Choreographer documentation.

After you install Tanzu Supply Chain, use Namespace Provisioner to configure service accounts and permissions.

VMware recommends that you use Namespace Provisioner to configure the following:

• OCI Store configuration: Supply Chains persist data between stages by reading and writing to an OCI repository. The location of the OCI repository is configured by a Kubernetes Secret named oci-store that exists within the developer namespace. Access to this repository is controlled by a Tekton annotated secret that can have any name with the tekton.dev/docker-0 annotation pointing to the OCI repository.

• Permissions for the buildpack-build component and Cluster Builders: You must add some additional permissions to use the buildpack-build component to create images with Tanzu Build Service configured with ClusterBuilders.

Configure Tanzu Supply Chain by using Namespace Provisioner

To use Namespace Provisioner to configure Tanzu Supply Chain:

1. Create a Secret in the tap-install namespace that has the location and credentials for the oci-store by running:

   cat << EOF | kubectl apply -f -
   apiVersion: v1
   kind: Secret
   metadata:
    name: supply-chain-oci-store-credentials
    namespace: tap-install
   type: Opaque
   stringData:
    ocistore.yaml: |
      tanzusupplychain:
        ocistore:
          username: REGISTRY-USERNAME
          password: REGISTRY-PASSWORD
          server: REGISTRY-SERVER
          repository: REGISTRY-REPO
   EOF
   

2. Configure Namespace Provisioner to use the accelerator sample. This creates the required resources for configuring oci-store and buildpack-build permissions. Update the namespace_provisioner section of your tap-values.yaml file as follows:

   namespace_provisioner:
     additional_sources:
     - git:
         ref: origin/main
         subPath: ns-provisioner-samples/tanzu-supply-chain
         url: https://github.com/vmware-tanzu/application-accelerator-samples.git
     import_data_values_secrets:
     - name: supply-chain-oci-store-credentials
       namespace: tap-install
       create_export: true
     default_parameters:
       supply_chain_service_account:
         secrets:
         - oci-store-credentials
   

   Namespace Provisioner creates the required secrets and role bindings in your developer namespace.

Create developer namespaces

To create developer namespaces run:

kubectl create namespace dev
kubectl label namespaces dev apps.tanzu.vmware.com/tap-ns=""

Configure Namespace Provisioner to support custom Supply Chains

If you need to inject extra secrets, such as git-secret, in the service account for all developer namespaces managed by Namespace Provisioner, update the namespace_provisioner section of tap-values.yaml as follows:

namespace_provisioner:
  ...
  default_parameters:
    supply_chain_service_account:
      secrets:
      # Add secrets here
      - git-secret

For a single namespace using annotation, run:

kubectl annotate ns DEVELOPER-NAMESPACE param.nsp.tap/delivery_service_account.secrets='["git-secret"]'