Tanzu Build Service is a product that automates the creation, management and updating of container images based on the Cloud Native Buildpacks OSS project.
At a high level, Tanzu Build Service:
- Builds OCI-compliant container images from source code (mostly Git repos).
- Keeps those image up-to-date when there are changes in the app source code and/or update to the base images or dependencies.
- Is a replacement of using Dockerfiles to create containers (using Cloud Native Buildpacks).
Some of the advantages of TBS is that you need Dockerfiles to manage your containers, TBS will keep images automatically patched, you have a standard way of building OCI container and TBS integrates with any CI/CD solution. Tanzu Build Service utilizes Tanzu Buildpacks to build the containers. The Tanzu Build Packs uses OSS Paketo Buildpacks (a Cloud Foundry project) to turn application source code into container images.
Tanzu Build Service is running as an application on Kubernetes – in these series of posts (part 1, part 2 to be published) I will guide you through the process of installing Tanzu Build Service and build your first OCI container. At time of writing the most recent version of Tanzu Build Service is 1.13.
To get started with Tanzu Build Service, you would need a few things:
- A jumpbox/workstation (I’m using a Ubuntu 24.04.2 LTS for this) that is running the following tooling:
- A Kubernetes cluster, v1.27 or newer is required. Note that your nodes need to have a 50 GB volume available at /var/lib/containerd.
- The Kubernetes cluster should have the Cluster Essentials for VMware Tanzu installed on it.
- A container registry, I’m using Harbor in this example. You would need 1 GB for the lite dependencies, or 10 GB for full dependencies (this is for offline environments). Additional space is required for the containers you’re building.
Get your jumpbox/workstation ready
Use a Linux or Mac based jumphost/workstation, I’m using Ubuntu 24.04.2 LTS as a jumpbox.
Instal Tanzu CLI
For APT based systems, you can use the following script to install Tanzu CLI:
sudo apt update sudo apt install -y ca-certificates curl gpg sudo mkdir -p /etc/apt/keyrings curl -fsSL https://storage.googleapis.com/tanzu-cli-installer-packages/keys/TANZU-PACKAGING-GPG-RSA-KEY.gpg | sudo gpg --dearmor -o /etc/apt/keyrings/tanzu-archive-keyring.gpg echo "deb [signed-by=/etc/apt/keyrings/tanzu-archive-keyring.gpg] https://storage.googleapis.com/tanzu-cli-installer-packages/apt tanzu-cli-jessie main" | sudo tee /etc/apt/sources.list.d/tanzu.list sudo apt update sudo apt install -y tanzu-cli
You can check if Tanzu CLI is working with
tanzu version
Install the following plugins:
tanzu plugin install secret --target kubernetes tanzu plugin install package --target kubernetes
Install kp cli
Download kp cli from Broadcom Support Portal, make it executable and copy it to your path. KP cli is available as part of Tanzu Build Sevice.
chmod u+x kp-linux-amd64-0.13.0 sudo mv kp-linux-amd64-0.13.0 /usr/local/bin/kp
Install Docker CLI
Install Docker CLI to your workstation, for Ubuntu the process is like this:
# Add Docker's official GPG key:
sudo apt-get update
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
# Add the repository to Apt sources:
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}") stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
We only need Docker CLI and we don’t need the actual Docker runtime:
sudo apt-get install docker-ce-cli
Install Cluster Essentials on Kubernetes
The process for installing Cluster Essentials is described here. To download the software you’ll need a valid subscription and export an Access Token to your workstation. Note that the Support Portal is displaying an incorrect value for the environment variable. MY-BROADCOM-SUPPORT-ACCESS-TOKEN instead of MY_BROADCOM_SUPPORT_ACCESS_TOKEN, you should create an environment variable with underscores in it (no hyphens).
export MY_BROADCOM_SUPPORT_ACCESS_TOKEN=API-TOKEN
Agree to the terms and conditions and download Cluster Essentials for your OS, for my Ubuntu workstation I’ll need tanzu-cluster-essentials-linux-amd64-1.10.1.tgz. Other downloads for other OSes are available as well, there’s a slight difference in het installation process.
Now unpack the file:
mkdir $HOME/tanzu-cluster-essentials tar -xvf DOWNLOADED-CLUSTER-ESSENTIALS-BUNDLE -C $HOME/tanzu-cluster-essentials
And you’re ready to install Cluster Essentials
export INSTALL_BUNDLE=cluster-essentials.packages.broadcom.com/tanzu-cluster-essentials/<BUNDLENAME@SHA>
export INSTALL_REGISTRY_HOSTNAME=cluster-essentials.packages.broadcom.com
export INSTALL_REGISTRY_USERNAME=BROADCOM-REGISTRY-USERNAME
export INSTALL_REGISTRY_PASSWORD=${MY_BROADCOM_SUPPORT_ACCESS_TOKEN}
cd $HOME/tanzu-cluster-essentials
./install.sh --yes
(I’m am assuming we’re using signed/trusted certificates here)
The easiest way to get the <BUNDLENAME@SHA> image name is to download the tanzu-cluster-essentials-bundle-1.11.0.lock.yml file from Broadcom support portal. 
This file contains the image name:
After running install.sh, also copy these two tools to your $PATH:
sudo cp $HOME/tanzu-cluster-essentials/kapp /usr/local/bin/kapp sudo cp $HOME/tanzu-cluster-essentials/imgpkg /usr/local/bin/imgpkg
Install Tanzu Build Service
Now it’s time to get started with the actual TBS installation. First we need to logon to your own registry (the Harbor registry in my case), as well as the Broadcom registry.
docker login MY-REGISTRY docker login tanzu.packages.broadcom.com
A ~/.docker/config.json is created that will be populated with the logon credentials for these two registries. These credentials can be used by imgpkg.
Now use
imgpkg tag list -i tanzu.packages.broadcom.com/tanzu-application-platform/tap-packages | grep -v sha | sort -V
to query for available (the latest) version of Tanzu Application Platform – this the package that will be used to deploy Tanzu Build Service.
We need to set a few environment variables, note that these are the details of your private registry (e.g. Harbor):
export INSTALL_REGISTRY_USERNAME=<MY-REGISTRY-USER> export INSTALL_REGISTRY_PASSWORD=<MY-REGISTRY-PASSWORD> export INSTALL_REGISTRY_HOSTNAME=<MY-REGISTRY> export INSTALL_REPO=<TARGET-REPOSITORY> export TAP_VERSION=<VERSION-NUMBER>
The <TARGET-REPOSITORY> on your container registry, the <VERSION-NUMBER> is coming from the previously executed imgpkg command, currently this is 1.12.2.
Now we can run the imgpkg command to copy the installation files form the Broadcom registry to the local registry
imgpkg copy -b tanzu.packages.broadcom.com/tanzu-application-platform/tap-packages:${TAP_VERSION} --to-repo ${INSTALL_REGISTRY_HOSTNAME}/${INSTALL_REPO}/tap-packages
Create tap-install namespace
kubectl create ns tap-install
Add a secret that is hold your private registry logon details.
tanzu secret registry add tap-registry --username ${INSTALL_REGISTRY_USERNAME} --password ${INSTALL_REGISTRY_PASSWORD} --server ${INSTALL_REGISTRY_HOSTNAME} --export-to-all-namespaces yes --namespace tap-install
Now add the repository to the tap-install namespace.
tanzu package repository add tanzu-tap-repository --url ${INSTALL_REGISTRY_HOSTNAME}/${INSTALL_REPO}/tap-packages:$TAP_VERSION --namespace tap-install
And check if it’s reconciled.
tanzu package repository get tanzu-tap-repository --namespace tap-install
Add a second secret, this is a secret that Build Service will use for building images and retrieving buildpacks. This could be the same as the registry where you’ve copied the TBS (TAP) file to.
export KP_DEFAULT_REPOSITORY_USERNAME=<MY-REGISTRY-USER>
export KP_DEFAULT_REPOSITORY_PASSWORD=<MY-REGISTRY-PASSWORD>
tanzu secret registry add kp-default-repository --username ${KP_DEFAULT_REPOSITORY_USERNAME} --password ${KP_DEFAULT_REPOSITORY_PASSWORD} --server ${REGISTRY_HOSTNAME} --yes --namespace tap-install
And we need to create a secret that contains the credentials to logon to the Broadcom registry:
export BROADCOM_SUPPORT_ACCESS_USERNAME=<email-to-logon-to-broadcom-support-portal> export BROADCOM_SUPPORT_ACCESS_TOKEN=<access-token>
The access token you get by clicking the green shield in the Support Portal (it’s the same as the API-TOKEN we’ve used previously).
Now create the secret:
tanzu secret registry add tanzunet-registry --username ${BROADCOM_SUPPORT_ACCESS_USERNAME} --password ${BROADCOM_SUPPORT_ACCESS_TOKEN} --server "tanzu.packages.broadcom.com" --yes --namespace tap-install
We need to create a tbs-values.yaml for the installation. Mine looks like this:
ceip_policy_disclosed: true
profile: buildservice
buildservice:
kp_default_repository: '/tbs/build-service'
kp_default_repository_secret:
name: kp-default-repository
namespace: tap-install
exclude_dependencies: true
And now finaly we can install Tanzu Build Service:
tanzu package install tap -p tap.tanzu.vmware.com -v $TAP_VERSION --values-file tbs-values.yaml -n tap-install
And verify the installation with:
tanzu package installed get tap -n tap-install
TBS Lite or Full dependencies?
For Tanzu Build Service you can choose to install full or lite dependencies, the difference is explained here.
Because I’m installing the full dependencies (exclude_dependencies: true) I need to go through a few extra steps. First we need to copy the full dependencies package to your registry:
imgpkg copy -b tanzu.packages.broadcom.com/tanzu-application-platform/full-deps-package-repo:VERSION --to-repo ${INSTALL_REGISTRY_HOSTNAME}/full-deps-package-repo
Add the dependency package to the tap-install namespace:
tanzu package repository add full-deps-package-repo --url INSTALL-REGISTRY-HOSTNAME/TARGET-REPOSITORY/full-deps-package-repo:VERSION --namespace tap-install
Copy your original tap-values.yaml to a tbs- full-deps-values.yaml file and only keep this in the file:
kp_default_repository: '/tbs/build-service' kp_default_repository_secret: name: kp-default-repository namespace: tap-install
And now do the actual installation:
tanzu package install full-deps --package full-deps.buildservice.tanzu.vmware.com --version <VERSION> --namespace tap-install --values-file tbs- full-deps-values.yaml
Now check what is being installed with:
tanzu package installed list -n tap-install
Check the available Stacks, Buildpacks and Builders
You can use the kp CLI to check available ClusterStacks, ClusterBuildpacks and ClusterBuilders.
kp clusterstack list kp clusterbuildpack list kp clusterbuilder list
Update Tanzu Build Service Dependencies
You can choose to automatically update your dependencies (Stack, Buildpacks and Builders), as described here.
We need to update the tbs-values.yaml file first:
ceip_policy_disclosed: true
profile: buildservice
buildservice:
kp_default_repository: '/tbs/build-service'
kp_default_repository_secret:
name: kp-default-repository
namespace: tap-install
exclude_dependencies: true
dependency_updates:
allow: true
scope: all
include_packages: [""]
exclude_packages: [""]
Scope can either be stacks-only, all or a customer configuration. Now update the configuration of your TBS installation using
tanzu package installed update tap –namespace tap-install –values-file tbs-values.yaml
We need to create an additional secret:
tanzu secret registry add tanzunet-creds –server “tanzu-build.packages.broadcom.com” –username “${BROADCOM_SUPPORT_ACCESS_USERNAME}” –password “${BROADCOM_SUPPORT_ACCESS_TOKEN}” –namespace tap-install –export-to-all-namespaces
And run:
kubectl apply -f - <<EOF
apiVersion: packaging.carvel.dev/v1alpha1
kind: PackageRepository
metadata:
name: tbs-dependencies-package-repository
namespace: tap-install
spec:
fetch:
imgpkgBundle:
image: tanzu-build.packages.broadcom.com/build-service-dependency-updater/package-repo
tagSelection:
semver:
constraints: "1.12.2"
EOF
Where 1.12.2 is the TBS/TAP version number you’re using.
This concludes part 1, in part 2 we will create an image and build an actual container….so stay tuned!
){kind=link}