Tanzu Platform 10 is a complete package of solutions and provides everything you need to build application development environments, develop applications, and push those applications to production quickly, consistently, scalable, and securely.
The solutions that are included in Tanzu Platform 10 are depicted in the diagram on the right.
One of the solutions that is included in Tanzu Platform 10, is Tanzu Application Catalog.
Tanzu Application Catalog is the enterprise version of Bitnami packages continuously maintained and verifiably tested for use in production environments. These enterprise packages can be customized to meet organization’s internal policies and come with extensive metadata for risk assessment: CVEs scanning reports, SBoM, and VEX documents.
Tanzu Application Catalog Capabilities
Maybe you and use Bitnami to consume images for you favourite OSS solutions, well Tanzu Application Catalog (TAC) is the next step and the Enterprise version and comes with additional capabilities, including:
- Standardize the use of open source software, while accelerating the time to market for you OSS apps.
- Automate LCM of OSS apps, including adding, patching, updating and retiring OSS apps.
- Improve the security and compliance posture of your OSS apps.
As you can see, Tanzu Application Catalog adds a lot of capabilities to OSS Bitnami images and takes care of a lot of things you would normally be doing in a manual way.
Originally TAC was only available in a per-artifact licensing model, with the introduction of Tanzu Platform TAC is now included in this package and one of the solutions you can deploy with Tanzu Platform (both for Cloud Foundry and Kubernetes).
How does TAC work?
TAC builds your OSS app images, for the platform(s) you’re running with the customizations you require. These OSS apps will be built, packages, tested, maintained and delivered to your private repository/registry. This sounds a bit similar to what Bitnami is offering, however TAC goes a couple of steps further:
- TAC provides support for a broad range of trusted, pre-packaged OSS applications that are continuously maintained.
- There’s out-of-the-box support for different base images, that are used as the underlying layer/starting point for your application(s). You can also build your own base images.
- TAC builds the images you need on-demand and pushes the image to one of the supported registries.
- As part of the build process an antivirus and CVE scan as executed and an SBOM is generated.
- All information about the build is captured in so-called Build Time Reports.
To get a better understanding of TAC, let’s have a look at how to build an actual application. The process to build an application is quite straight forward.
Configure a registry
Before we get started, you need to configure a registry where your image will be pushed to:
As you can see there are different registries available, I’m using Azure Container Registry (ACR) in this case. Provide the details and wait until the registry becomes available:
In the default setup TAC will use a push the image the your repo, so that means that the TAC cloud service needs to be able to connect to your repo. An ingress IP for your TAC repo will be provided, so a firewall can be configured with the appropriate rules.
It’s also possible to configure a two step process of a newly created image, that allows you to pull an image instead of pushing it. This setup is very beneficial in a scenario where you have an air gapped environment with a registry that cannot be internet connected.
Add a new application
Now let’s setup a first application, for this choose Applications and choose “Add New Applications”. You
You now have two options for creating a New Application:
- Basic – This is a bitnami image and identical two what you can do with OSS Bitnami.
- Custom – Unleash the true power and create your own customized image.
We will of course proceed with a custom image here. In the next step you need to select if you want to a create a container or virtual machines, and select the base image you want to use. There’s broad support for different image formats, and you can even add your own custom base image.
The next step is to add the application, in this example I’m selecting Nginx Open Source. You can either create a container image to direct pull out of the registry and deploy to Docker/Kubernetes, or you can create a Helm chart. In that case you have to install the Helm chart to your platform of choice.
Now it’s time to select the registry where you want to store the artifact, in this example this is our NEMEA registry. Before you can push the image, you need to give your request a name.
After you’ve completed the wizard, the build process will commence. This can take up to an hour, so might need to wait a while. You can track progress under Applications and then My Requests. When the build of your artifact is finished, I will show up under the list under “My Applications”. The image will also show up on your registry:
Explore your image
Let’s now explore the image, initially you will get overview of application packages that are part of the image, (Exploitable) vulnerabilities and licenses found in your image.
Note the “Exploitable” checkbox being checked, some vulnerabilities are detected but apparently they’re not exploitable. More info on detected vulnerabilities, used packages and can be found in their respective tabs. I personally like the Graph View, that gives you a nice overview of the packages and the relations to other packages.
Scrolling further down gives you an overview of Antivirus/CVE Scan Results, the SBOM, information about the build process, why this build was triggered and more. You can also download the Docker file that was used to build the container. The available information is provided under “Validation Reports” and “Build Time Reports”.
Consume & customize the container
The container you’ve created is hosted on the registry you’ve selected earlier. There are various ways to consume the container, either through Docker or Kubernetes (or as a Helm chart in case you selected that option).
In case of Kubernetes you can include the container in your YAML definition. If you’ve selected a VM based image, you can download the OVA and deploy it to VMware vSphere (or another OVA compatible virtualization layer).
Tanzu Application Catalog allows to customize the container so it suits your the specific needs for your organization. Customization is done through a customization.tar.gz and allows you to:
- Install custom certificates.
- Install additional custoom tools and/or plugins (for example monitoring agents).
- Adding a organization specific configuration for the app(s) that are running in the container.
The process to build, test and implement a customization is detailled in the documentation here.
That’s it for now, I hope this gives you an idea of the value of TAC and provides you a basic understanding how to get started. If you want to learn more, feel free to reach out to me on LinkedIN.