Installing & Configuring Tanzu Build Service (TBS) 1.3 on a Tanzu Kubernetes Grid (TKG) 1.4 Cluster and Creating a Container Image from a Spring Boot Application

What is TBS?

Tanzu Build Service uses the open-source Cloud Native Buildpacks project to create container images from application source code stored in Git, in a blobstore, or as code on a workstation.

TBS Basic Concept

Image

An Image resource defines the source of the application code, the build-time environment, and the registry where the built images are stored. Here is a sample Image resource:

apiVersion: kpack.io/v1alpha2
kind: Image
metadata:
  name: sample-binding-with-secret
spec:
  tag: my-registry.com/repo
  builder:
    kind: ClusterBuilder
    name: default
  source:
    git:
      url: https://github.com/buildpack/sample-java-app.git
      revision: 0eccc6c2f01d9f055087ebbf03526ed0623e014a
  build:
    services:
    - name: production-db-secret
      kind: Secret

Builder

A builder is an image that contains all the necessary dependencies to run a build. A Builder consists of a Buildpack and a Stack.

Buildpack

A buildpack is a set of executables that inspects your app source code and creates a plan to build and run your application. A buildpack has two main phases: Detect and Build.

Stack

A Stack consists of two images: a Build Image and a Run Image. The Build Image is used to build the application image, and the Run Image is used to run the created application container image.

ClusterStore

A ClusterStore serves as a repository for Cloud Native Buildpacks available for use in Builders.

ClusterStack

A ClusterStack defines a pair of build and run OS images. Critical security vulnerabilities are addressed by building apps on the most up-to-date stack.

Why TBS?

Here is why I think TBS can be really helpful for you as a developer.

  • No need to worry about container complexity
  • No need to write any logic to create an application container image for the code you are writing
  • No need to worry about updating the application container image after you update your application code
  • and many more…

So, at a high level, TBS can turn application source code into a container image without writing any Dockerfile.

Installing & Configuring TBS 1.3 on TKG 1.4

In this section, I will describe the steps needed to install TBS 1.3 on a TKG Cluster running on AWS.

Installation Pre-requirements

  • Kubernetes version 1.19 or later. In my case, since it is TKG 1.4, the Kubernetes version is 1.21.2
  • Worker nodes in the TKG Cluster with a minimum of 50GB of ephemeral storage
  • Container registry access. In my case, I am going to use the Harbor registry that comes with the TKG bundle
  • TKG Cluster with a default storage class. You can validate the storage class parameters by running kubectl describe sc
  • Carvel CLI tools (kapp, ytt, kbld, imgpkg) installed. The imgpkg version should be 0.12.0 or higher
  • Accept EULA for the following products
  • Optional: Set up pivnet. This makes it easy to download packages from the Tanzu Network site. To install pivnet, refer to the instructions at https://github.com/pivotal-cf/pivnet-cli. I will be using pivnet commands in the following steps.
    • If you are on Ubuntu Linux, you can follow the steps below
    $ wget https://github.com/pivotal-cf/pivnet-cli/releases/download/v3.0.1/pivnet-linux-amd64-3.0.1
    $ mv pivnet-linux-amd64-3.0.1 pivnet
    $ chmod 755 pivnet
    $ mv pivnet /usr/local/bin/
    $ pivnet login --api-token='Your API token from Tanzu Network'
    
  • Set up the kp CLI.
    • Download the kp CLI from Tanzu Network
    $ pivnet download-product-files --product-slug='build-service' --release-version='1.3.0' --product-file-id=1058206
    $ mv kp-linux-0.4.0 kp && chmod 755 kp &&  mv kp /usr/local/bin/
    $ kp version
    
  • Download and configure the Docker CLI to authenticate with registries

Installation Steps

  • Log in to the VMware Tanzu Registry
$ docker login registry.tanzu.vmware.com -u dinesh.tripathi30@gmail.com
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

  • Log in to the container registry that you will be using for the TBS install. I am using Harbor.
$ docker login harbor.demo.com -u admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

> Note: If you have a self-signed certificate for the Harbor registry, you will see a certificate error. You can add the Harbor CA certificate to your local system's trust store by running the following commands on Ubuntu.

$ sudo cp CERTIFICATE.crt /usr/local/share/ca-certificates/
$ sudo update-ca-certificates
  • Run the command below to relocate the images
# If you are using a self-signed certificate, pass its location as in the command below
$ imgpkg copy -b "registry.tanzu.vmware.com/build-service/bundle:1.3.0" --to-repo harbor.demo.com/tbs-tkgaws/tbs --registry-ca-cert-path /dinesh/ca.crt
copy | exporting 17 images...
copy | will export registry.tanzu.vmware.com/build-service/bundle@sha256:0e64239d34119c1b8140d457a238050751360617d8e8b64703d8b7b4f944054a
copy | will export registry.tanzu.vmware.com/build-service/cert-injection-webhook@sha256:b868ab96d68046fe8cd6dc8a5b60908fbb933b5fb91a9acea9c3343afb4275e5
copy | will export registry.tanzu.vmware.com/build-service/dependency-updater@sha256:f7f12379f7260eba45c006680d89255bda5b399e5271c885bfdd488751e59759
copy | will export registry.tanzu.vmware.com/build-service/kpack-build-init-windows@sha256:85016da585421ec403f268f098dc0aac7efd60067f68c332c89d9a1047eb2826
copy | will export registry.tanzu.vmware.com/build-service/kpack-build-init@sha256:838e8f1ad7be81e8dab637259882f9c4daea70c42771264f96be4b57303d85f2
copy | will export registry.tanzu.vmware.com/build-service/kpack-completion-windows@sha256:a9016cbfc0eb67984c52583007b2d6484807b62a9c29523a97107ddec65e54eb
copy | will export registry.tanzu.vmware.com/build-service/kpack-completion@sha256:765dafb0bb1503ef2f9d2deb33b476b14c85023e5952f1eeb46a983feca595c6
copy | will export registry.tanzu.vmware.com/build-service/kpack-controller@sha256:caed60cee646e0be2b950738dd6809809de2af5154b6d29dfb4c8c5dd00d0bc2
copy | will export registry.tanzu.vmware.com/build-service/kpack-lifecycle@sha256:312ad396210295e41d37ba040ba27d379c2f34d1cafdc26dd83c27d25b2ee5af
copy | will export registry.tanzu.vmware.com/build-service/kpack-rebase@sha256:75fd552532d306577956ce5e4b726a85bef0e39f31ce9688d1facea174fca54d
copy | will export registry.tanzu.vmware.com/build-service/kpack-webhook@sha256:e87844efec21a8495c622c667fe0cf7ec08a39aa062c08da3a213ffc1009a598
copy | will export registry.tanzu.vmware.com/build-service/secret-syncer@sha256:178086053e28d718b8ee1af6c1430760b9738f40d7c4fbfcc4480d6d39f5017d
copy | will export registry.tanzu.vmware.com/build-service/setup-ca-certs@sha256:9db5f18f469e8bdf0e3cac33035549d7f2993abaa28efbd56a5cf44ebb627f13
copy | will export registry.tanzu.vmware.com/build-service/sleeper@sha256:0c2d7d84a71b3c690883e6f7d04f6120496bd5f599fbca1a610472e159050409
copy | will export registry.tanzu.vmware.com/build-service/smart-warmer@sha256:4d865b7f4c10c1099ae9648a64e6e7da097d0a375551e8fd2ef80a6d1fc50176
copy | will export registry.tanzu.vmware.com/build-service/stackify@sha256:f1f4c8af69422a3cc752dc821087cd36dbe6e8d282d85b5b42d2f704c39f3de3
copy | will export registry.tanzu.vmware.com/build-service/stacks-operator@sha256:666d55e2d850d20617bf1db28b232c9c4fd683dd1e8e4eab5ba978ca76f94091
copy | exported 17 images
copy | importing 17 images...

 443.45 MiB / 443.64 MiB [=================================================================================================================]  99.96% 15.31 MiB/s 28s

copy | done uploading images
copy | Warning: Skipped layer due to it being non-distributable. If you would like to include non-distributable layers, use the --include-non-distributable-layers flag
Succeeded

  • Pull image
$ imgpkg pull -b "harbor.demo.com/tbs-tkgaws/tbs:1.3.0" -o /tmp/bundle --registry-ca-cert-path /dinesh/ca.crt
Pulling bundle 'harbor.demo.com/tbs-tkgaws/tbs@sha256:0e64239d34119c1b8140d457a238050751360617d8e8b64703d8b7b4f944054a'
  Extracting layer 'sha256:872d56ff2b8ef97689ecaa0901199d84e7f7ae55bfef3ad9c7effa14b02e6dfd' (1/1)

Locating image lock file images...
The bundle repo (harbor.demo.com/tbs-tkgaws/tbs) is hosting every image specified in the bundle's Images Lock file (.imgpkg/images.yml)

Succeeded
$ ls -l /tmp/bundle/

  • Trigger the install

$ ytt -f /tmp/bundle/values.yaml \
    -f /tmp/bundle/config/ \
    -f /dinesh/ca.crt \
    -v kp_default_repository='harbor.demo.com/tbs-tkgaws/tbs' \
    -v kp_default_repository_username='admin' \
    -v kp_default_repository_password='admin123' \
    -v pull_from_kp_default_repo=true \
    -v tanzunet_username='dinesh.tripathi30@gmail.com' \
    -v tanzunet_password='' \
    | kbld -f /tmp/bundle/.imgpkg/images.yml -f- \
    | kapp deploy -a tanzu-build-service -f- -y

# Note: Once this command completes successfully, your TBS installation is done.
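
The pull and install steps above, reworked as an added example (not the author's or VMware's own script): it pulls the relocated bundle by the digest reported in the imgpkg copy output instead of by the 1.3.0 tag, and hands the registry and Tanzu Network credentials to ytt through environment variables so they never appear on the command line. The TBS_ prefix, the YTT override and the saved copy.log file are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Registry, repository and CA path
# are the ones used above; the TBS_ prefix and YTT override are assumptions.
REPO='harbor.demo.com/tbs-tkgaws/tbs'
CA='/dinesh/ca.crt'

# stdin: saved `imgpkg copy` output. Prints the relocated bundle reference
# pinned to the digest that was exported from registry.tanzu.vmware.com.
pinned_bundle_ref() {
  local digest
  digest=$(grep -E 'will export .*/build-service/bundle@' |
             grep -Eo 'sha256:[0-9a-f]{64}' | head -n 1)
  [ -n "$digest" ] || { echo 'bundle digest not found in copy output' >&2; return 1; }
  printf '%s@%s\n' "$REPO" "$digest"
}

# Render the manifests without any password in argv: ytt turns every
# TBS_<key> environment variable into data value <key> (--data-values-env).
render_tbs() {
  "${YTT:-ytt}" -f /tmp/bundle/values.yaml -f /tmp/bundle/config/ -f "$CA" \
    -v kp_default_repository="$REPO" -v pull_from_kp_default_repo=true \
    --data-values-env TBS
}

# $1 = file with the saved `imgpkg copy` output (for example written with tee).
install_tbs() {
  local ref key value rc
  ref=$(pinned_bundle_ref < "$1") || return 1
  imgpkg pull -b "$ref" -o /tmp/bundle --registry-ca-cert-path "$CA" || return 1
  for key in kp_default_repository_username tanzunet_username; do
    printf '%s: ' "$key" >&2; read -r value; export "TBS_$key=$value"
  done
  for key in kp_default_repository_password tanzunet_password; do
    # -s: no echo; prompting also keeps the value out of shell history
    printf '%s: ' "$key" >&2; read -rs value; echo >&2; export "TBS_$key=$value"
  done
  render_tbs | kbld -f /tmp/bundle/.imgpkg/images.yml -f- |
    kapp deploy -a tanzu-build-service -f- -y
  rc=$?
  unset TBS_kp_default_repository_password TBS_tanzunet_password
  return "$rc"
}
# Usage: install_tbs copy.log
```

Save the relocation output first, for example by piping the imgpkg copy command through `tee copy.log`.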

Validating TBS Installation

To validate the TBS installation, run the following commands (here k is a shell alias for kubectl)

  • Check the namespaces; you will notice that the build-service and kpack namespaces have been created
$ k get ns
NAME                             STATUS   AGE
build-service                    Active   26h
cert-manager                     Active   21d
default                          Active   22d
kpack                            Active   26h
kube-node-lease                  Active   22d
kube-public                      Active   22d
kube-system                      Active   22d
pinniped-concierge               Active   22d
pinniped-supervisor              Active   22d
stacks-operator-system           Active   26h
tanzu-package-repo-global        Active   22d
tanzu-system-dashboards          Active   21d
tanzu-system-ingress             Active   21d
tanzu-system-monitoring          Active   21d
tanzu-system-registry            Active   30h
tanzu-system-service-discovery   Active   21d
tkg-system                       Active   22d
tkg-system-public                Active   22d
  • Validate the pods running inside the build-service and kpack namespaces
$ k get po -n build-service
$ k get po -n kpack

# All pods should be in the Running state
  • Verify the clusterbuilders
$ kp clusterbuilder list
NAME       READY    STACK                          IMAGE
base       false    io.buildpacks.stacks.bionic    harbor.demo.com/tbs-tkgaws/tbs:clusterbuilder-base@sha256:5d33077956ff13f4b96813cfa46b65f9119b24aa0da009f8befe73483090a6fd
default    false    io.buildpacks.stacks.bionic    harbor.demo.com/tbs-tkgaws/tbs:clusterbuilder-default@sha256:5d33077956ff13f4b96813cfa46b65f9119b24aa0da009f8befe73483090a6fd
full       false    io.buildpacks.stacks.bionic    harbor.demo.com/tbs-tkgaws/tbs:clusterbuilder-full@sha256:ab0069a8da8f962e8bf3b1ad3182ed55dc8d141e97bb08086edc34ac40039dfd
tiny       false    io.paketo.stacks.tiny          harbor.demo.com/tbs-tkgaws/tbs:clusterbuilder-tiny@sha256:8d0ec50153211798dfdc24aa878bffd44529115847a56c167b7c34a32123600a

> Note: In my case, it took around 5 minutes for the clusterbuilders to be populated after the TBS install. Now we are good to create a container image.

Creating Application container image from source code

In this demonstration, I will be using my GitHub repository, where the Spring PetClinic application source code is available, and the Harbor registry to store the created application container image. You can also use GitHub Enterprise.

> Note: If you are using public GitHub, you don't need to create a GitHub secret; otherwise, a secret is needed to access the GitHub repository.

# Commands to create secrets for GitHub and the registry.
$ kp secret create my-registry-creds --registry harbor.demo.com --registry-user admin --namespace default
$ kp secret create github-creds --git-url https://github.com --git-user dineshtripathi30 -n default
  • Here is my GitHub repo, where the application code is available: https://github.com/dineshtripathi30/spring-petclinic

    Creating a container image using TBS

    • Run the command below
    $ kp image create spring-petclinic --tag harbor.demo.com/tbs-demo/spring-petclinic:latest -n default --git https://github.com/dineshtripathi30/spring-petclinic.git --git-revision main --wait
    
    # Watch the output carefully and you will see that it runs several steps such as detect, analyze, etc., and eventually the image is created.
    
    • List the image
      $ kp image list
      NAME                     READY      LATEST REASON    LATEST IMAGE                                                                                                            NAMESPACE
      spring-petclinic    Ready    CONFIG           harbor.demo.com/tbs-demo/spring-petclinic@sha256:4b7fa6da07f295f4ed6bba669062468ef1ffe11595c6a72be5a9aa610a03e213    default
    
    
  • You can go ahead and create a pod using this image.
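
The validation and image-creation steps above, tied together as an added example (not the author's or VMware's own code): it refuses to build while any clusterbuilder is not ready, then resolves the digest of the finished build from `kp image list` and emits a Pod manifest pinned to that digest rather than to the `latest` tag. KP is a hypothetical override for the kp binary, and the pod layout is an assumption.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. KP is a hypothetical override for
# the kp binary; the table layouts parsed here are the ones printed above.

# stdin: `kp clusterbuilder list`. Prints builders whose READY is not "true".
not_ready_builders() {
  awk 'NR > 1 && NF >= 2 && tolower($2) != "true" { print $1 }'
}

# stdin: `kp image list`. Prints the digest-pinned LATEST IMAGE of image $1;
# fails unless that image is listed as Ready.
latest_image() {
  awk -v name="$1" '$1 == name && $2 == "Ready" {
    for (i = 3; i <= NF; i++) if ($i ~ /@sha256:[0-9a-f]+$/) { print $i; ok = 1 }
  } END { exit !ok }'
}

# Pod manifest that runs exactly this build instead of the mutable :latest tag.
pod_manifest() {  # $1 = pod name, $2 = image reference
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $1
spec:
  containers:
  - name: app
    image: $2
EOF
}

# $1 = image name, $2 = tag, $3 = git URL, $4 = git revision (a commit SHA,
# as in the Image sample at the top of the post, makes the build repeatable).
build_and_pin() {
  local kp=${KP:-kp} pending image
  pending=$("$kp" clusterbuilder list | not_ready_builders)
  [ -z "$pending" ] || { echo "builders not ready:" $pending >&2; return 1; }
  "$kp" image create "$1" --tag "$2" -n default --git "$3" \
    --git-revision "$4" --wait >&2 || return 1
  image=$("$kp" image list -n default | latest_image "$1") || return 1
  pod_manifest "$1" "$image"
}
# Usage: build_and_pin spring-petclinic <tag> <git-url> <commit> | kubectl apply -f -
```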

That’s all for this post, folks. Hopefully you will find this helpful.
