Copying Tanzu Standard and Inspection Images

After you have successfully installed Tanzu Mission Control Self-Managed, copy the Tanzu Standard package and the third-party Sonobuoy inspection scan images to your private image registry.

The Tanzu Standard package and the Sonobuoy inspection scan images are not required for using and operating TMC Self-Managed. However, they are required for the following capabilities:

  • Deploy packages from the Tanzu Standard package repository to managed clusters.
  • Deploy Istio packages to managed clusters.
  • Perform Conformance and Lite inspections on managed clusters.

Copy Tanzu Standard package repository images

To use the catalog features of Tanzu Mission Control, you must have a local copy of the images in your private image registry. Use the imgpkg tool from Carvel to copy the Tanzu Standard package repository with the tag v2024.5.16 into your private image registry.

The command looks something like this:

imgpkg copy --registry-ca-cert-path=ca.crt \
-b extensions.aws-usw2.tmc-dev.cloud.vmware.com/packages/standard/repo:v2024.5.16 \
--to-repo ${PRIVATE_IMAGE_REGISTRY}/${TMC_PROJECT}/498533941640.dkr.ecr.us-west-2.amazonaws.com/packages/standard/repo

In the command:

  • --registry-ca-cert-path=ca.crt is the private image registry certificate you require to upload the image bundle. Replace ca.crt with the name of your certificate file. This is optional if the bootstrap machine has the ca.crt already in its local trust store.
  • PRIVATE_IMAGE_REGISTRY/TMC_PROJECT identifies your private image registry and the project you used for installing Tanzu Mission Control Self-Managed.
  • 498533941640.dkr.ecr.us-west-2.amazonaws.com is the hard-coded repository name. It must be entered as shown.
  • If your private image registry requires authentication, provide the host name, user name, and password using the following environment variables:
    IMGPKG_REGISTRY_HOSTNAME_0
    IMGPKG_REGISTRY_USERNAME_0
    IMGPKG_REGISTRY_PASSWORD_0
    

Copy Istio package repository images

To deploy Istio packages to your cluster using the catalog features of Tanzu Mission Control, you must have a local copy of the images in your private image registry. (This procedure is similar to that for copying Tanzu Standard package repository images.)

Use the imgpkg tool from Carvel to copy the Istio packages with the tag 1.22.0-tanzu.1 into your private image registry.

The command looks something like this:

imgpkg copy --registry-ca-cert-path=ca.crt \
-b extensions.aws-usw2.tmc-dev.cloud.vmware.com/packages/istio-oss-packages:1.22.0-tanzu.1 \
--to-repo ${PRIVATE_IMAGE_REGISTRY}/${TMC_PROJECT}/packages/istio-oss-packages

In the command:

  • --registry-ca-cert-path=ca.crt is the private image registry certificate you require to upload the image bundle. Replace ca.crt with the name of your certificate file. This is optional if the bootstrap machine has the ca.crt already in its local trust store.
  • PRIVATE_IMAGE_REGISTRY/TMC_PROJECT identifies your private image registry and the project you used for installing Tanzu Mission Control Self-Managed.
  • packages/istio-oss-packages identifies the path to the Istio packages in your local repository. You can customize this to the path of your choice.
  • If your private image registry requires authentication, provide the host name, user name, and password using the following environment variables:
    IMGPKG_REGISTRY_HOSTNAME_0
    IMGPKG_REGISTRY_USERNAME_0
    IMGPKG_REGISTRY_PASSWORD_0
    

Copy Sonobuoy inspection scan images

The Conformance and Lite inspection types use third-party images to run the scans. The third-party images are not included as part of the installation package for Tanzu Mission Control Self-Managed. You must copy the third-party images to your private image registry to run the scans successfully. The Conformance and Lite inspection types are not required for CIS inspections.

Use the bash script provided in "Script to copy inspection images" to make the images available from your private image registry.

Optionally, you can use the following environment variables:

The bash script covers the latest patches for each major release from Kubernetes version 1.19 to 1.24. To use the bash script, copy the images into the provided container registry:

  1. Copy the contents provided in "Script to copy inspection images" into a file called install_images.sh.

  2. Make sure the file is runnable.

    chmod +x install_images.sh
    
  3. Run the script.

    ./install_images.sh
    

Because some images require authentication, you will see errors while pushing those images. You can ignore the errors. Those images are not used as part of Conformance inspections. For more information about the errors and the sonobuoy commands used in this script, see the Sonobuoy documentation at https://sonobuoy.io/docs/v0.56.12/airgap/#sonobuoy-image.

List of inspection images

The following is a list of inspection images required to perform Conformance and Lite scans on clusters running Kubernetes version 1.23 and later versions.

docker.io/alpine/socat:1.7.4.3-r0
gcr.io/authenticated-image-pulling/alpine:3.7
gcr.io/authenticated-image-pulling/windows-nanoserver:v1
gcr.io/k8s-authenticated-test/agnhost:2.6
invalid.registry.k8s.io/invalid/alpine:3.1
mcr.microsoft.com/windows:1809
registry.k8s.io/build-image/distroless-iptables:v0.2.3
registry.k8s.io/cloud-provider-gcp/gcp-compute-persistent-disk-csi-driver:v1.2.2
registry.k8s.io/cloud-provider-gcp/gcp-compute-persistent-disk-csi-driver:v1.4.0
registry.k8s.io/conformance:v1.27.1
registry.k8s.io/e2e-test-images/agnhost:2.43
registry.k8s.io/e2e-test-images/apparmor-loader:1.4
registry.k8s.io/e2e-test-images/busybox:1.29-2
registry.k8s.io/e2e-test-images/busybox:1.29-4
registry.k8s.io/e2e-test-images/cuda-vector-add:1.0
registry.k8s.io/e2e-test-images/cuda-vector-add:2.2
registry.k8s.io/e2e-test-images/glusterdynamic-provisioner:v1.3
registry.k8s.io/e2e-test-images/httpd:2.4.38-4
registry.k8s.io/e2e-test-images/httpd:2.4.39-4
registry.k8s.io/e2e-test-images/ipc-utils:1.3
registry.k8s.io/e2e-test-images/jessie-dnsutils:1.7
registry.k8s.io/e2e-test-images/kitten:1.7
registry.k8s.io/e2e-test-images/nautilus:1.7
registry.k8s.io/e2e-test-images/nginx:1.14-4
registry.k8s.io/e2e-test-images/nginx:1.15-4
registry.k8s.io/e2e-test-images/node-perf/npb-ep:1.2
registry.k8s.io/e2e-test-images/node-perf/npb-is:1.2
registry.k8s.io/e2e-test-images/node-perf/tf-wide-deep:1.3
registry.k8s.io/e2e-test-images/nonewprivs:1.3
registry.k8s.io/e2e-test-images/nonroot:1.4
registry.k8s.io/e2e-test-images/perl:5.26
registry.k8s.io/e2e-test-images/redis:5.0.5-3
registry.k8s.io/e2e-test-images/regression-issue-74839:1.2
registry.k8s.io/e2e-test-images/resource-consumer:1.13
registry.k8s.io/e2e-test-images/sample-apiserver:1.17.7
registry.k8s.io/e2e-test-images/volume/gluster:1.3
registry.k8s.io/e2e-test-images/volume/iscsi:2.3
registry.k8s.io/e2e-test-images/volume/nfs:1.3
registry.k8s.io/e2e-test-images/volume/rbd:1.0.4
registry.k8s.io/etcd:3.5.7-0
registry.k8s.io/pause:3.9
registry.k8s.io/prometheus-dummy-exporter:v0.1.0
registry.k8s.io/prometheus-to-sd:v0.5.0
registry.k8s.io/sd-dummy-exporter:v0.2.0
registry.k8s.io/sig-storage/csi-attacher:v4.0.0
registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.7.0
registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.5.1
registry.k8s.io/sig-storage/csi-provisioner:v3.4.0
registry.k8s.io/sig-storage/csi-resizer:v1.6.0
registry.k8s.io/sig-storage/csi-snapshotter:v5.0.1
registry.k8s.io/sig-storage/csi-snapshotter:v6.1.0
registry.k8s.io/sig-storage/hello-populator:v1.0.1
registry.k8s.io/sig-storage/hostpathplugin:v1.11.0
registry.k8s.io/sig-storage/hostpathplugin:v1.9.0
registry.k8s.io/sig-storage/livenessprobe:v2.7.0
registry.k8s.io/sig-storage/nfs-provisioner:v3.0.1
registry.k8s.io/sig-storage/volume-data-source-validator:v1.0.0
sonobuoy/sonobuoy:v0.56.16
sonobuoy/systemd-logs:v0.4

Script to copy inspection images

Use the following script to copy the latest inspection images.

#!/bin/bash

VERSION=${1:-"v0.56.16"}
LATEST_RELEASE=${2:-"sonobuoy_0.56.16_linux_amd64.tar.gz"}
CUSTOM_REGISTRY=${3:-"harbor.tanzu.io:8443"}
DOCKER_PROXY=${4:-"harbor.tanzu.io:8443/dockerhub-proxy-cache"} # optional argument
CUSTOM_TMC_REPO="${CUSTOM_REGISTRY}/tmc/498533941640.dkr.ecr.us-west-2.amazonaws.com"

# https://kubernetes.io/releases/patch-releases/
k8s_versions=(v1.27.1)

# Download and unpack the Sonobuoy release; stop if either step fails
wget "https://github.com/vmware-tanzu/sonobuoy/releases/download/${VERSION}/${LATEST_RELEASE}" || exit 1
tar -xvf "${LATEST_RELEASE}" || exit 1

for i in "${k8s_versions[@]}"
do
   echo "================CHECKING K8S: $i======================="
   ./sonobuoy images list --kubernetes-version "$i" > "images_$i.txt"

   # IFS= and -r keep each image reference exactly as listed
   while IFS= read -r image
   do
      echo "================CHECKING IMAGE: $image=================="
      base=$(basename "$image")   # image name and tag without registry or path
      output=${image#*/*}         # image reference without the registry host

      # References containing "docker" are pulled through the proxy cache when one is set
      if [[ $image == *"docker"* && -n $DOCKER_PROXY ]];
      then
          docker pull "$DOCKER_PROXY/$output"
          docker tag "$DOCKER_PROXY/$output" "${CUSTOM_TMC_REPO}/extensions/inspection-images/$base"
      else
          docker pull "$image"
          docker tag "$image" "${CUSTOM_TMC_REPO}/extensions/inspection-images/$base"
      fi

      docker push "${CUSTOM_TMC_REPO}/extensions/inspection-images/$base"
      echo "===================PUSHING: ${CUSTOM_TMC_REPO}/extensions/inspection-images/$base ==========="
   done < "images_$i.txt"
done

# not part of sonobuoy image list, install manually, update these as images are found
docker pull k8s.gcr.io/e2e-test-images/agnhost:2.31
docker pull k8s.gcr.io/pause:3.9
docker pull registry.k8s.io/e2e-test-images/volume/gluster:1.3
docker pull registry.k8s.io/e2e-test-images/volume/nfs:1.3
docker tag registry.k8s.io/e2e-test-images/volume/gluster:1.3 ${CUSTOM_TMC_REPO}/extensions/inspection-images/volume/gluster:1.3
docker tag registry.k8s.io/e2e-test-images/volume/nfs:1.3 ${CUSTOM_TMC_REPO}/extensions/inspection-images/volume/nfs:1.3
docker tag k8s.gcr.io/e2e-test-images/agnhost:2.31 ${CUSTOM_TMC_REPO}/extensions/inspection-images/agnhost:2.31
docker tag k8s.gcr.io/pause:3.9 ${CUSTOM_TMC_REPO}/extensions/inspection-images/pause:3.9
docker push ${CUSTOM_TMC_REPO}/extensions/inspection-images/agnhost:2.31
docker push ${CUSTOM_TMC_REPO}/extensions/inspection-images/pause:3.9
docker push ${CUSTOM_TMC_REPO}/extensions/inspection-images/volume/gluster:1.3
docker push ${CUSTOM_TMC_REPO}/extensions/inspection-images/volume/nfs:1.3

# clean up text files and sonobuoy tar
rm images_*
rm sonobuoy_*
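
The loop in the script above tags every image by its basename under extensions/inspection-images and pulls references containing "docker" through the proxy cache. The following dry run of that mapping is an added example, not part of the VMware script; it prints the pull source and push target for each image and reports targets that more than one source maps to. The function names and the sample list are assumptions made for this example.

```bash
#!/bin/bash
# Added example: dry run of the tag mapping in install_images.sh.
# Nothing is pulled or pushed. Function names are hypothetical.

CUSTOM_REGISTRY="harbor.tanzu.io:8443"                        # script default
DOCKER_PROXY="harbor.tanzu.io:8443/dockerhub-proxy-cache"     # script default
CUSTOM_TMC_REPO="${CUSTOM_REGISTRY}/tmc/498533941640.dkr.ecr.us-west-2.amazonaws.com"
DEST="${CUSTOM_TMC_REPO}/extensions/inspection-images"

# Print "pull-source<TAB>push-target" for one image, using the script's rules.
plan_image() {
    pi_image=$1
    pi_base=$(basename "$pi_image")     # keeps only name:tag
    pi_output=${pi_image#*/*}           # drops the registry host
    case $pi_image in
        *docker*) if [ -n "$DOCKER_PROXY" ]; then pi_image="$DOCKER_PROXY/$pi_output"; fi ;;
    esac
    printf '%s\t%s\n' "$pi_image" "$DEST/$pi_base"
}

# Read image references on stdin, one per line, and print the plan.
plan_images() {
    while IFS= read -r pl_image; do
        [ -n "$pl_image" ] || continue
        plan_image "$pl_image"
    done
}

# Print every push target that more than one source image maps to.
find_collisions() {
    plan_images | cut -f2 | sort | uniq -d
}

# Constructed sample: four entries from the page's list, plus one constructed
# Docker Hub entry (last line) whose basename collides with an earlier one.
sample_images() {
    cat <<'EOF'
docker.io/alpine/socat:1.7.4.3-r0
registry.k8s.io/e2e-test-images/volume/nfs:1.3
registry.k8s.io/e2e-test-images/busybox:1.29-4
sonobuoy/sonobuoy:v0.56.16
docker.io/library/busybox:1.29-4
EOF
}

echo "Plan:";       sample_images | plan_images
echo "Collisions:"; sample_images | find_collisions
```

In the plan, volume/nfs:1.3 maps to nfs:1.3 (the script's manual section pushes it again as volume/nfs:1.3), and sonobuoy/sonobuoy is pulled directly because its reference does not contain "docker". To check a real list, pipe the images_<version>.txt file produced by ./sonobuoy images list into plan_images or find_collisions.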