This topic tells you what to configure to complete your Tanzu Supply Chain installation.
Caution: Tanzu Supply Chain is currently in beta and is not intended for production use. It is intended only for evaluation purposes for the next generation Supply Chain. For the current Supply Chain solution, see the Supply Chain Choreographer documentation.
After you install Tanzu Supply Chain, use Namespace Provisioner to configure service accounts and permissions.
VMware recommends that you use Namespace Provisioner to configure the following:
- OCI Store configuration: Supply Chains persist data between stages by reading and writing to an OCI repository. The location of the OCI repository is configured by a Kubernetes Secret named `oci-store` that exists within the developer namespace. Access to this repository is controlled by a Tekton annotated secret that can have any name, with the `tekton.dev/docker-0` annotation pointing to the OCI repository.
- Permissions for the `buildpack-build` component and Cluster Builders: You must add some additional permissions to use the `buildpack-build` component to create images with Tanzu Build Service configured with ClusterBuilders.
To use Namespace Provisioner to configure Tanzu Supply Chain:

1. Create a Secret in the `tap-install` namespace that has the location and credentials for the `oci-store` by running:

```shell
cat << EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: supply-chain-oci-store-credentials
  namespace: tap-install
type: Opaque
stringData:
  ocistore.yaml: |
    tanzusupplychain:
      ocistore:
        username: REGISTRY-USERNAME
        password: REGISTRY-PASSWORD
        server: REGISTRY-SERVER
        repository: REGISTRY-REPO
EOF
```
2. Configure Namespace Provisioner to use the accelerator sample. This creates the required resources for configuring `oci-store` and `buildpack-build` permissions. Update the `namespace_provisioner` section of your `tap-values.yaml` file as follows:

```yaml
namespace_provisioner:
  additional_sources:
  - git:
      ref: origin/main
      subPath: ns-provisioner-samples/tanzu-supply-chain
      url: https://github.com/vmware-tanzu/application-accelerator-samples.git
  import_data_values_secrets:
  - name: supply-chain-oci-store-credentials
    namespace: tap-install
    create_export: true
  default_parameters:
    supply_chain_service_account:
      secrets:
      - oci-store-credentials
```
Namespace Provisioner creates the required secrets and role bindings in your developer namespace.

3. To create developer namespaces, run:

```shell
kubectl create namespace dev
kubectl label namespaces dev apps.tanzu.vmware.com/tap-ns=""
```
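Once a namespace has been provisioned, it is worth confirming that the wiring described above actually landed: an `oci-store` Secret exists, and the supply chain service account carries a secret annotated `tekton.dev/docker-0` that points at the registry you configured. The following check is an added example, not part of this page or of Tanzu; it assumes the input is the `items` array of `kubectl get secrets,serviceaccounts -n dev -o json`, that the service account name is passed in (`default` in the constructed sample), and that the annotation value is a registry URL or bare host.

```python
# Added check for a Tanzu Supply Chain developer namespace (constructed sample, not captured).
from urllib.parse import urlparse

TEKTON_DOCKER_ANNOTATION = "tekton.dev/docker-0"

def _host(value):
    """Reduce 'https://registry.example.com/v2/' or a bare host to a lowercase hostname."""
    parsed = urlparse(value if "://" in value else "//" + value)
    return (parsed.hostname or "").lower()

def check_namespace(items, service_account, registry_server):
    """Return a list of findings; an empty list means the namespace passes."""
    secrets = {i["metadata"]["name"]: i for i in items if i.get("kind") == "Secret"}
    accounts = {i["metadata"]["name"]: i for i in items if i.get("kind") == "ServiceAccount"}
    findings = []
    # The oci-store Secret tells supply chain stages where to persist data between stages.
    if "oci-store" not in secrets:
        findings.append("missing Secret 'oci-store' in namespace")
    # The service account must exist and reference a Tekton-annotated registry credential.
    account = accounts.get(service_account)
    if account is None:
        return findings + [f"missing ServiceAccount '{service_account}'"]
    registry_ok = False
    for name in (ref["name"] for ref in account.get("secrets", [])):
        secret = secrets.get(name)
        if secret is None:
            findings.append(f"ServiceAccount '{service_account}' references absent Secret '{name}'")
            continue
        target = secret["metadata"].get("annotations", {}).get(TEKTON_DOCKER_ANNOTATION)
        if target is None:
            continue  # not a Tekton registry credential (e.g. git-secret); nothing to compare
        if _host(target) == _host(registry_server):
            registry_ok = True
        else:
            findings.append(f"Secret '{name}' {TEKTON_DOCKER_ANNOTATION}={target!r} does not match {registry_server!r}")
    if not registry_ok:
        findings.append(f"no Secret on ServiceAccount '{service_account}' is annotated {TEKTON_DOCKER_ANNOTATION} for {registry_server}")
    return findings

# Constructed sample of a correctly provisioned 'dev' namespace (oci-store listed first).
SAMPLE_ITEMS = [
    {"kind": "Secret", "metadata": {"name": "oci-store", "namespace": "dev"}},
    {"kind": "Secret", "type": "kubernetes.io/basic-auth",
     "metadata": {"name": "oci-store-credentials", "namespace": "dev",
                  "annotations": {TEKTON_DOCKER_ANNOTATION: "https://registry.example.com"}}},
    {"kind": "ServiceAccount", "metadata": {"name": "default", "namespace": "dev"},
     "secrets": [{"name": "oci-store-credentials"}]},
]
```

Run it against the live namespace by loading the `kubectl ... -o json` output and passing its `items` together with your `REGISTRY-SERVER` value; any non-empty result is a namespace the supply chain will fail in at the first stage that writes to the OCI store.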
If you need to inject extra secrets, such as `git-secret`, in the service account for all developer namespaces managed by Namespace Provisioner, update the `namespace_provisioner` section of `tap-values.yaml` as follows:

```yaml
namespace_provisioner:
  ...
  default_parameters:
    supply_chain_service_account:
      secrets:
      # Add secrets here
      - git-secret
```

For a single namespace using an annotation, run:

```shell
kubectl annotate ns DEVELOPER-NAMESPACE param.nsp.tap/delivery_service_account.secrets='["git-secret"]'
```