This topic describes how to install Tanzu Application Platform packages from the Tanzu Application Platform package repository.
Before installing the packages, ensure you have:
- Completed the Prerequisites.
- Configured and verified the cluster.
- Accepted Tanzu Application Platform EULA and installed Tanzu CLI with any required plug-ins.
VMware recommends relocating the images from VMware Tanzu Network registry to your own container image registry before attempting installation. If you don't relocate the images, Tanzu Application Platform will depend on VMware Tanzu Network for continued operation, and VMware Tanzu Network offers no uptime guarantees. The option to skip relocation is documented for evaluation and proof-of-concept only.
The supported registries are Harbor, Azure Container Registry, Google Container Registry, and Quay.io. See the following documentation for a registry to learn how to set it up:
To relocate images from the VMware Tanzu Network registry to your registry:
-
Log in to your image registry by running:
docker login MY-REGISTRYWhere
MY-REGISTRYis your own container registry. -
Log in to the VMware Tanzu Network registry with your VMware Tanzu Network credentials by running:
docker login registry.tanzu.vmware.com -
Set up environment variables for installation use by running:
export INSTALL_REGISTRY_USERNAME=MY-REGISTRY-USER export INSTALL_REGISTRY_PASSWORD=MY-REGISTRY-PASSWORD export INSTALL_REGISTRY_HOSTNAME=MY-REGISTRY export TAP_VERSION=VERSION-NUMBER
Where:
MY-REGISTRY-USERis the user with write access toMY-REGISTRY.MY-REGISTRY-PASSWORDis the password forMY-REGISTRY-USER.MY-REGISTRYis your own container registry.VERSION-NUMBERis your Tanzu Application Platform version. For example,{{ vars.tap_version }}.
-
Relocate the images with the Carvel tool imgpkg by running:
imgpkg copy -b registry.tanzu.vmware.com/tanzu-application-platform/tap-packages:${TAP_VERSION} --to-repo ${INSTALL_REGISTRY_HOSTNAME}/TARGET-REPOSITORY/tap-packagesWhere
TARGET-REPOSITORYis your target repository, a folder/repository onMY-REGISTRYthat serves as the location for the installation files for Tanzu Application Platform. -
Create a namespace called
tap-installfor deploying any component packages by running:kubectl create ns tap-installThis namespace keeps the objects grouped together logically.
-
Create a registry secret by running:
tanzu secret registry add tap-registry \ --username ${INSTALL_REGISTRY_USERNAME} --password ${INSTALL_REGISTRY_PASSWORD} \ --server ${INSTALL_REGISTRY_HOSTNAME} \ --export-to-all-namespaces --yes --namespace tap-install
-
Add the Tanzu Application Platform package repository to the cluster by running:
tanzu package repository add tanzu-tap-repository \ --url ${INSTALL_REGISTRY_HOSTNAME}/TARGET-REPOSITORY/tap-packages:$TAP_VERSION \ --namespace tap-install
Where:
$TAP_VERSIONis the Tanzu Application Platform version environment variable you defined earlier.TARGET-REPOSITORYis the necessary repository.
-
Get the status of the Tanzu Application Platform package repository, and ensure the status updates to
Reconcile succeededby running:tanzu package repository get tanzu-tap-repository --namespace tap-installFor example:
$ tanzu package repository get tanzu-tap-repository --namespace tap-install - Retrieving repository tap... NAME: tanzu-tap-repository VERSION: 16253001 REPOSITORY: tapmdc.azurecr.io/mdc/1.0.2/tap-packages TAG: 1.0.2 STATUS: Reconcile succeeded REASON:
Note: The
VERSIONandTAGnumbers differ from the earlier example if you are on Tanzu Application Platform v1.0.2 or earlier. -
List the available packages by running:
tanzu package available list --namespace tap-installFor example:
$ tanzu package available list --namespace tap-install / Retrieving available packages... NAME DISPLAY-NAME SHORT-DESCRIPTION accelerator.apps.tanzu.vmware.com Application Accelerator for VMware Tanzu Used to create new projects and configurations. api-portal.tanzu.vmware.com API portal A unified user interface to enable search, discovery and try-out of API endpoints at ease. backend.appliveview.tanzu.vmware.com Application Live View for VMware Tanzu App for monitoring and troubleshooting running apps connector.appliveview.tanzu.vmware.com Application Live View Connector for VMware Tanzu App for discovering and registering running apps conventions.appliveview.tanzu.vmware.com Application Live View Conventions for VMware Tanzu Application Live View convention server buildservice.tanzu.vmware.com Tanzu Build Service Tanzu Build Service enables the building and automation of containerized software workflows securely and at scale. cartographer.tanzu.vmware.com Cartographer Kubernetes native Supply Chain Choreographer. cnrs.tanzu.vmware.com Cloud Native Runtimes Cloud Native Runtimes is a serverless runtime based on Knative controller.conventions.apps.tanzu.vmware.com Convention Service for VMware Tanzu Convention Service enables app operators to consistently apply desired runtime configurations to fleets of workloads. controller.source.apps.tanzu.vmware.com Tanzu Source Controller Tanzu Source Controller enables workload create/update from source code. developer-conventions.tanzu.vmware.com Tanzu App Platform Developer Conventions Developer Conventions grype.scanning.apps.tanzu.vmware.com Grype Scanner for Supply Chain Security Tools - Scan Default scan templates using Anchore Grype image-policy-webhook.signing.apps.tanzu.vmware.com Image Policy Webhook The Image Policy Webhook allows platform operators to define a policy that will use cosign to verify signatures of container images learningcenter.tanzu.vmware.com Learning Center for Tanzu Application Platform Guided technical workshops ootb-supply-chain-basic.tanzu.vmware.com Tanzu App Platform Out of The Box Supply Chain Basic Out of The Box Supply Chain Basic. ootb-supply-chain-testing-scanning.tanzu.vmware.com Tanzu App Platform Out of The Box Supply Chain with Testing and Scanning Out of The Box Supply Chain with Testing and Scanning. ootb-supply-chain-testing.tanzu.vmware.com Tanzu App Platform Out of The Box Supply Chain with Testing Out of The Box Supply Chain with Testing. ootb-templates.tanzu.vmware.com Tanzu App Platform Out of The Box Templates Out of The Box Templates. scanning.apps.tanzu.vmware.com Supply Chain Security Tools - Scan Scan for vulnerabilities and enforce policies directly within Kubernetes native Supply Chains. metadata-store.apps.tanzu.vmware.com Tanzu Supply Chain Security Tools - Store The Metadata Store enables saving and querying image, package, and vulnerability data. service-bindings.labs.vmware.com Service Bindings for Kubernetes Service Bindings for Kubernetes implements the Service Binding Specification. services-toolkit.tanzu.vmware.com Services Toolkit The Services Toolkit enables the management, lifecycle, discoverability and connectivity of Service Resources (databases, message queues, DNS records, etc.). spring-boot-conventions.tanzu.vmware.com Tanzu Spring Boot Conventions Server Default Spring Boot convention server. sso.apps.tanzu.vmware.com AppSSO Application Single Sign-On for Tanzu tap-gui.tanzu.vmware.com Tanzu Application Platform GUI web app graphical user interface for Tanzu Application Platform tap.tanzu.vmware.com Tanzu Application Platform Package to install a set of TAP components to get you started based on your use case. workshops.learningcenter.tanzu.vmware.com Workshop Building Tutorial Workshop Building Tutorial
The tap.tanzu.vmware.com package installs predefined sets of packages based on your profile settings.
This is done by using the package manager installed by Tanzu Cluster Essentials.
For more information about profiles, see About Tanzu Application Platform components and profiles.
To prepare to install a profile:
-
List version information for the package by running:
tanzu package available list tap.tanzu.vmware.com --namespace tap-install -
Create a
tap-values.yamlfile by using the Full Profile sample in the following section as a guide. These samples have the minimum configuration required to deploy Tanzu Application Platform. The sample values file contains the necessary defaults for:- The meta-package, or parent Tanzu Application Platform package.
- Subordinate packages, or individual child packages.
Important: Keep the values file for future configuration use.
-
Proceed to the View possible configuration settings for your package section.
The following is the YAML file sample for the full-profile:
profile: full
shared:
ingress_domain: INGRESS-DOMAIN
ceip_policy_disclosed: FALSE-OR-TRUE-VALUE # Installation fails if this is not set to true. Not a string.
buildservice:
kp_default_repository: "KP-DEFAULT-REPO"
kp_default_repository_username: "KP-DEFAULT-REPO-USERNAME"
kp_default_repository_password: "KP-DEFAULT-REPO-PASSWORD"
supply_chain: basic
ootb_supply_chain_basic:
registry:
server: "SERVER-NAME"
repository: "REPO-NAME"
gitops:
ssh_secret: "SSH-SECRET-KEY"
tap_gui:
service_type: ClusterIP
app_config:
app:
baseUrl: http://tap-gui.INGRESS-DOMAIN
catalog:
locations:
- type: url
target: https://GIT-CATALOG-URL/catalog-info.yaml
backend:
baseUrl: http://tap-gui.INGRESS-DOMAIN
cors:
origin: http://tap-gui.INGRESS-DOMAIN
metadata_store:
ns_for_export_app_cert: "MY-DEV-NAMESPACE"
app_service_type: ClusterIP
scanning:
metadataStore:
url: "" # Disable embedded integration since it's deprecated
grype:
namespace: "MY-DEV-NAMESPACE" # (optional) Defaults to default namespace.
targetImagePullSecret: "TARGET-REGISTRY-CREDENTIALS-SECRET"
metadataStore:
url: "METADATA-STORE-URL" # (optional) Defaults to "https://metadata-store-app.metadata-store.svc.cluster.local:8443"
caSecret:
name: "CA-SECRET-NAME" # (optional) Defaults to "app-tls-cert"
importFromNamespace: "SECRET-NAMESPACE" # (optional) Defaults to "metadata-store"
authSecret: # (optional) Defaults all values to empty. Only for multicluster
name: "TOKEN-SECRET-NAME"
importFromNamespace: "SECRET-NAMESPACE"Where:
KP-DEFAULT-REPOis a writable repository in your registry. Tanzu Build Service dependencies are written to this location. Examples:- Harbor has the form
kp_default_repository: "my-harbor.io/my-project/build-service". - Dockerhub has the form
kp_default_repository: "my-dockerhub-user/build-service"orkp_default_repository: "index.docker.io/my-user/build-service". - Google Cloud Registry has the form
kp_default_repository: "gcr.io/my-project/build-service".
- Harbor has the form
KP-DEFAULT-REPO-USERNAMEis the user name that can write toKP-DEFAULT-REPO. You candocker pushto this location with this credential.- For Google Cloud Registry, use
kp_default_repository_username: _json_key.
- For Google Cloud Registry, use
KP-DEFAULT-REPO-PASSWORDis the password for the user that can write toKP-DEFAULT-REPO. You candocker pushto this location with this credential. You can also configure this credential by using a secret reference. See Install Tanzu Build Service for details.- For Google Cloud Registry, use the contents of the service account JSON file.
SERVER-NAMEis the host name of the registry server. Examples:- Harbor has the form
server: "my-harbor.io". - Dockerhub has the form
server: "index.docker.io". - Google Cloud Registry has the form
server: "gcr.io".
- Harbor has the form
REPO-NAMEis where workload images are stored in the registry. Images are written toSERVER-NAME/REPO-NAME/workload-name. Examples:- Harbor has the form
repository: "my-project/supply-chain". - Dockerhub has the form
repository: "my-dockerhub-user". - Google Cloud Registry has the form
repository: "my-project/supply-chain".
- Harbor has the form
SSH-SECRET-KEYis the SSH secret key in the developer namespace for the supply chain to fetch source code from and push configuration to.INGRESS-DOMAINis the subdomain for the host name that you point at thetanzu-shared-ingressservice's External IP address.GIT-CATALOG-URLis the path to thecatalog-info.yamlcatalog definition file. You can download either a blank or populated catalog file from the Tanzu Application Platform product page. Otherwise, you can use a Backstage-compliant catalog you've already built and posted on the Git infrastructure.MY-DEV-NAMESPACEis the namespace where you want to deploy theScanTemplates. This is the namespace where the scanning feature runs.TARGET-REGISTRY-CREDENTIALS-SECRETis the name of the secret that contains the credentials to pull an image from the registry for scanning.METADATA-STORE-URLis the base URL where the Supply Chain Security Tools (SCST) - Store deployment can be reached, for example,https://metadata-store-app.metadata-store.svc.cluster.local:8443.CA-SECRET-NAMEis the name of the secret containing the ca.crt to connect to the SCST - Store deployment.SECRET-NAMESPACEis the namespace where SCST - Store is deployed, if you are using a single cluster. If you are using multicluster, it is where the connection secrets were created.TOKEN-SECRET-NAMEis the name of the secret containing the authentication token to connect to the SCST - Store deployment when installed in a different cluster, if you are using multicluster. If built images are pushed to the same registry as the Tanzu Application Platform images, this can reuse thetap-registrysecret created in Add the Tanzu Application Platform package repository as described earlier.
The Light profile is deprecated. Although existing values files might still refer to the Light profile, VMware recommends to migrate to one of the new profiles described in Install your Tanzu Application Platform profile by following the procedures in Migrate Tanzu Application Platform profiles.
To view possible configuration settings for a package, run:
tanzu package available get tap.tanzu.vmware.com/$TAP_VERSION --values-schema --namespace tap-installWhere $TAP_VERSION is the Tanzu Application Platform version environment variable
you defined earlier.
Note: The
tap.tanzu.vmware.compackage does not show all configuration settings for packages it plans to install. The package only shows top-level keys. You can view individual package configuration settings with the sametanzu package available getcommand. For example, usetanzu package available get -n tap-install cnrs.tanzu.vmware.com/$TAP_VERSION --values-schemafor Cloud Native Runtimes.
profile: full
# ...
# For example, CNRs specific values go under its name
cnrs:
provider: local
# For example, App Accelerator specific values go under its name
accelerator:
server:
service_type: "ClusterIP"The following table summarizes the top-level keys used for package-specific configuration within your tap-values.yaml.
| Package | Top-level Key |
|---|---|
| see table below | shared |
| API portal | api_portal |
| Application Accelerator | accelerator |
| Application Live View | appliveview |
| Application Live View Connector | appliveview_connector |
| Application Live View Conventions | appliveview-conventions |
| Cartographer | cartographer |
| Cloud Native Runtimes | cnrs |
| Convention Controller | convention_controller |
| Source Controller | source_controller |
| Supply Chain | supply_chain |
| Supply Chain Basic | ootb_supply_chain_basic |
| Supply Chain Testing | ootb_supply_chain_testing |
| Supply Chain Testing Scanning | ootb_supply_chain_testing_scanning |
| Supply Chain Security Tools - Scan | scanning |
| Supply Chain Security Tools - Scan (Grype Scanner) | grype |
| Supply Chain Security Tools - Store | metadata_store |
| Image Policy Webhook | image_policy_webhook |
| Build Service | buildservice |
| Tanzu Application Platform GUI | tap_gui |
| Learning Center | learningcenter |
Shared Keys define values that configure multiple packages. These keys are defined under the shared Top-level Key, as summarized in the following table:
| Shared Key | Used By | Description |
|---|---|---|
ca_cert_data |
convention_controller, source_controller |
Optional: PEM Encoded certificate data to trust TLS connections with a private CA. |
For information about package-specific configuration, see Installing individual packages.
When you install a profile that includes Tanzu Build Service,
Tanzu Application Platform is installed with the lite set of dependencies.
These dependencies consist of buildpacks
and stacks
required for application builds.
The lite set of dependencies do not contain all buildpacks and stacks.
To use all buildpacks and stacks, you must install the full dependencies.
For more information about the differences between lite and full dependencies, see
About lite and full dependencies.
To configure full dependencies, add the key-value pair
exclude_dependencies: true to your tap-values.yaml file under the buildservice section.
For example:
buildservice:
kp_default_repository: "KP-DEFAULT-REPO"
kp_default_repository_username: "KP-DEFAULT-REPO-USERNAME"
kp_default_repository_password: "KP-DEFAULT-REPO-PASSWORD"
exclude_dependencies: trueAfter configuring full dependencies, you must install the dependencies after
you have finished installing your Tanzu Application Platform package.
See Install the full dependencies package for more information.
Follow these steps to install the Tanzu Application Platform package:
-
Install the package by running:
tanzu package install tap -p tap.tanzu.vmware.com -v $TAP_VERSION --values-file tap-values.yaml -n tap-installWhere
$TAP_VERSIONis the Tanzu Application Platform version environment variable you defined earlier. -
Verify the package install by running:
tanzu package installed get tap -n tap-installThis can take 5-10 minutes because it installs several packages on your cluster.
-
Verify that the necessary packages in the profile are installed by running:
tanzu package installed list -A -
If you configured
fulldependencies in yourtbs-values.yamlfile, install thefulldependencies by following the procedure in Install full dependencies.
After installing the Full profile on your cluster, you can install the Tanzu Developer Tools for VS Code Extension to help you develop against it. For instructions, see Installing Tanzu Developer Tools for VS Code.
If you configured full dependencies in your tap-values.yaml file in
Configure your profile with full dependencies earlier,
you must install the full dependencies package.
For more information about the differences between lite and full dependencies, see
About lite and full dependencies.
To install the full dependencies package:
-
If you have not done so already, add the key-value pair
exclude_dependencies: trueto yourtap-values.yamlfile under thebuildservicesection. For example:buildservice: kp_default_repository: "KP-DEFAULT-REPO" kp_default_repository_username: "KP-DEFAULT-REPO-USERNAME" kp_default_repository_password: "KP-DEFAULT-REPO-PASSWORD" exclude_dependencies: true ...
-
Get the latest version of the
buildservicepackage by running:tanzu package available list buildservice.tanzu.vmware.com --namespace tap-install -
Relocate the Tanzu Build Service full dependencies package repository by running:
imgpkg copy -b registry.tanzu.vmware.com/tanzu-application-platform/full-tbs-deps-package-repo:VERSION \ --to-repo ${INSTALL_REGISTRY_HOSTNAME}/TARGET-REPOSITORY/tbs-full-deps
Where:
VERSIONis the version of thebuildservicepackage you retrieved in the previous step.TARGET-REPOSITORYis your target repository.
-
Add the Tanzu Build Service full dependencies package repository by running:
tanzu package repository add tbs-full-deps-repository \ --url ${INSTALL_REGISTRY_HOSTNAME}/TARGET-REPOSITORY/tbs-full-deps:VERSION \ --namespace tap-install
Where:
VERSIONis the version of thebuildservicepackage you retrieved earlier.TARGET-REPOSITORYis your target repository.
-
Install the full dependencies package by running:
tanzu package install full-tbs-deps -p full-tbs-deps.tanzu.vmware.com -v VERSION -n tap-installWhere
VERSIONis the version of thebuildservicepackage you retrieved earlier.
This section only applies when you use Tanzu Application Platform to deploy its own shared Contour ingress controller in tanzu-system-ingress. It is not applicable when you use your existing ingress.
You can share this ingress across Cloud Native Runtimes (cnrs), Tanzu Application Platform GUI (tap_gui), and Learning Center (learningcenter).
By default, Contour uses NodePort as the service type. To set the service type to LoadBalancer, add the following to your tap-values.yaml:
contour:
envoy:
service:
type: LoadBalancerIf you use AWS, the preceding section creates a classic LoadBalancer.
To use the Network LoadBalancer instead of the classic LoadBalancer for ingress, add the
following to your tap-values.yaml:
contour:
infrastructure_provider: aws
envoy:
service:
aws:
LBType: nlbTo access Tanzu Application Platform GUI, you can use the host name that you configured earlier. This host name is pointed at the shared ingress. To configure LoadBalancer for Tanzu Application Platform GUI, see Accessing Tanzu Application Platform GUI.
You're now ready to start using Tanzu Application Platform GUI. Proceed to the Getting Started topic or the Tanzu Application Platform GUI - Catalog Operations topic.
To exclude packages from a Tanzu Application Platform profile:
-
Find the full subordinate (child) package name:
tanzu package available list --namespace tap-install -
Update your
tap-valuesfile with a section listing the exclusions:profile: PROFILE-VALUE excluded_packages: - tap-gui.tanzu.vmware.com - service-bindings.lab.vmware.com
Important: If you exclude a package after performing a profile installation including that package, you cannot see the accurate package states immediately after running
tap package installed list -n tap-install. Also, you can break package dependencies by removing a package. Allow 20 minutes to verify that all packages have reconciled correctly while troubleshooting.