Before installing the Build profile, follow all the steps in Install View cluster.
The following is the YAML file sample for the build-profile:
profile: build
ceip_policy_disclosed: FALSE-OR-TRUE-VALUE # Installation fails if this is not set to true. Not a string.
shared:
ingress_domain: "INGRESS-DOMAIN"
kubernetes_distribution: "openshift" # To be passed only for Openshift. Defaults to "".
kubernetes_version: "K8S-VERSION"
image_registry:
project_path: "SERVER-NAME/REPO-NAME" # To be used by Build Service by appending "/buildservice" and used by Supply chain by appending "/workloads".
secret:
name: "KP-DEFAULT-REPO-SECRET"
namespace: "KP-DEFAULT-REPO-SECRET-NAMESPACE"
ca_cert_data: | # To be passed if using custom certificates.
-----BEGIN CERTIFICATE-----
MIIFXzCCA0egAwIBAgIJAJYm37SFocjlMA0GCSqGSIb3DQEBDQUAMEY...
-----END CERTIFICATE-----
# The above shared keys can be overridden in the below section.
buildservice:
# Takes the value from the shared section by default, but can be overridden by setting a different value.
kp_default_repository: "KP-DEFAULT-REPO"
kp_default_repository_secret:
name: "KP-DEFAULT-REPO-SECRET"
namespace: "KP-DEFAULT-REPO-SECRET-NAMESPACE"
supply_chain: testing_scanning
ootb_supply_chain_testing_scanning: # Optional if the corresponding shared keys are provided.
registry:
server: "SERVER-NAME"
repository: "REPO-NAME"
gitops:
ssh_secret: "SSH-SECRET-KEY" # (Optional) Defaults to "".
grype:
namespace: "MY-DEV-NAMESPACE" # (Optional) Defaults to default namespace.
targetImagePullSecret: "TARGET-REGISTRY-CREDENTIALS-SECRET"
metadataStore:
url: METADATA-STORE-URL-ON-VIEW-CLUSTER
caSecret:
name: store-ca-cert
importFromNamespace: metadata-store-secrets
authSecret:
name: store-auth-token
importFromNamespace: metadata-store-secrets
scanning:
metadataStore:
url: "" # Configuration is moved, so set this string to empty.
tap_telemetry:
customer_entitlement_account_number: "CUSTOMER-ENTITLEMENT-ACCOUNT-NUMBER" # (Optional) Identify data for creating Tanzu Application Platform usage reports.Where:
K8S-VERSIONis the Kubernetes version used by your OpenShift cluster. It must be in the form of1.23.xor1.24.x, wherexstands for the patch version. Examples:- Red Hat OpenShift Container Platform v4.10 uses the Kubernetes version
1.23.3. - Red Hat OpenShift Container Platform v4.11 uses the Kubernetes version
1.24.1.
- Red Hat OpenShift Container Platform v4.10 uses the Kubernetes version
KP-DEFAULT-REPOis a writable repository in your registry. The Tanzu Build Service dependencies are written to this location. Examples:- Harbor has the form
kp_default_repository: "my-harbor.io/my-project/build-service" - Docker Hub has the form
kp_default_repository: "my-dockerhub-user/build-service"orkp_default_repository: "index.docker.io/my-user/build-service" - Google Cloud Registry has the form
kp_default_repository: "gcr.io/my-project/build-service" - For Google Cloud Registry, use the contents of the service account JSON file.
- Harbor has the form
KP-DEFAULT-REPO-SECRETis the user name that can write toKP-DEFAULT-REPO. You candocker pushto this location with this credential.- For Google Cloud Registry, use
kp_default_repository_username: _json_key. - You must create the secret before the installation. For example, you can use the
registry-credentialssecret created earlier.
- For Google Cloud Registry, use
KP-DEFAULT-REPO-SECRET-NAMESPACEis the namespace whereKP-DEFAULT-REPO-SECRETis created.SERVER-NAMEis the host name of the registry server. Examples:- Harbor has the form
server: "my-harbor.io". - Docker Hub has the form
server: "index.docker.io". - Google Cloud Registry has the form
server: "gcr.io".
- Harbor has the form
REPO-NAMEis where workload images are stored in the registry. Images are written toSERVER-NAME/REPO-NAME/workload-name. Examples:- Harbor has the form
repository: "my-project/supply-chain". - Docker Hub has the form
repository: "my-dockerhub-user". - Google Cloud Registry has the form
repository: "my-project/supply-chain".
- Harbor has the form
SSH-SECRET-KEYis the SSH secret key in the developer namespace for the supply chain to fetch source code from and push configuration to. See Git authentication for more information.METADATA-STORE-URL-ON-VIEW-CLUSTERis the URL of the Supply Chain Security Tools (SCST) - Store deployed on the View cluster. For example,https://metadata-store.example.comMY-DEV-NAMESPACEis the name of the developer namespace. SCST - Scan deploys theScanTemplatesthere. This allows the scanning feature to run in this namespace.TARGET-REGISTRY-CREDENTIALS-SECRETis the name of the Secret that contains the credentials to pull an image from the registry for scanning.CUSTOMER-ENTITLEMENT-ACCOUNT-NUMBER(optional) refers to the Entitlement Account Number (EAN), which is a unique identifier VMware assigns to its customers. Tanzu Application Platform telemetry uses this number to identify data that belongs to a particular customers and prepare usage reports. See the Tanzu Kubernetes Grid documentation for more information about identifying the Entitlement Account Number.
When you install Tanzu Application Platform, it is bootstrapped with the lite
set of dependencies, including buildpacks and stacks, for application builds.
For more information about buildpacks, see the VMware Tanzu Buildpacks Documentation.
You can find the buildpack and stack artifacts installed with Tanzu Application Platform
on Tanzu Network.
You can update the dependencies by upgrading Tanzu Application Platform to the latest patch.
See Multicluster setup for more information about the value settings of grype.metadataStore.
You must set the scanning.metadatastore.url to an empty string if you're installing Grype Scanner v1.2.0 and later or Snyk Scanner to deactivate the embedded SCST - Store integration.
If you use custom CA certificates, you must provide one or more PEM-encoded CA certificates under the ca_cert_data key. If you configured shared.ca_cert_data, Tanzu Application Platform component packages inherit that value by default.