
VMware Tanzu Application Platform 1.5 Offers Faster, More Secure Paths to Production

VMware Tanzu Application Platform is a single, end-to-end integrated platform solution that enables companies to build and deploy more software, more quickly and securely, through a rich set of developer tooling and pre-paved, customizable “golden paths” to production—all on any public cloud or on-premises Kubernetes cluster.

With Tanzu Application Platform 1.5, we’re building on our directives to streamline developer and platform engineering experiences, improve end-to-end intrinsic app security, support flexibility with your favorite tool integrations, and much more.

No more kubectl: a superior GitOps approach

The following updates to Tanzu Application Platform help further automate common developer and platform engineering tasks that have previously been manual and time-consuming.

Automated developer namespace provisioning

The initial release of the Namespace Provisioner component in Tanzu Application Platform 1.4 marked the beginning of a concerted effort to maximize efficiencies for platform engineers provisioning namespaced resources for their developers. Its welcome inception along with engagement by customers and their substantial feedback have led to several significant feature enhancements and optimizations that can alleviate even more burden from platform engineers, allowing them to focus their efforts on higher-order strategic endeavors.

Here are just a few highlights of the Namespace Provisioner improvements in Tanzu Application Platform 1.5:

  • The workflow for using Namespace Provisioner in GitOps mode is now fully supported.
  • By default, resource LimitRanges are set for all pods running within a provisioned namespace to mitigate resource contention between collocated apps.
    • The LimitRange defaults can be globally configured as needed via tap-values and/or on a per-namespace basis.
  • Platform engineers can now apply YAML Templating Tool (YTT) overlays to the resources created by the provisioner (for example, to enable scanners in air-gapped environments).
  • Platform engineers can reference private Git repositories for pulling their templated resources, without undue manual work.

Figure: Namespace Provisioner in controller mode

Figure: Namespace Provisioner in full GitOps mode

Simplified installation experience (beta)

Tanzu Application Platform can now be installed through a GitOps-based process, currently available as a beta feature, that can eliminate the need to run multiple commands manually and reduce complexity. The GitOps methodology involves declaring a desired state of a system (typically in Git), and a reconciliation process that ensures that the actual system (e.g., Kubernetes cluster contents) converges to the desired state (in Kubernetes, typically done via a controller). Users installing Tanzu Application Platform are now able to drive change to their system by changing the desired state stored in a Git repository, bringing simplicity to the installation process by leveraging a customer’s existing tools.

Enhanced developer and platform engineering experiences

These new features in Tanzu Application Platform help developer and platform engineering teams create and reuse secure, golden paths to production, ensuring that best practices are shared and producing the best results.

Tanzu Activity Panel in Visual Studio Code

This panel shows expanded details about the workloads on the cluster, including supply chain status, deliverable status, and the running application status. You can now select the namespace(s) watched by the Tanzu Workloads panel directly from the panel itself. (It previously required you to use kubectl commands and change context.) Additionally, multiple namespaces can now be watched at the same time.

Figure: Tanzu Activity Panel in Visual Studio Code

Application bootstrapping experience in IntelliJ IDE

Developers who use IntelliJ for development can now create projects using Application Accelerators within IntelliJ. Until now, the project creation experience was available only from the Visual Studio Code IDE or from the Backstage-based browser GUI. By adding the same capability in IntelliJ, we are expanding the IDE coverage and meeting developers where they are.

Application bootstrapping provenance

Developers can facilitate compliance with internal policies by using the curated Application Accelerators (templates) provided by their app team, which have already been deemed compliant with their internal best practices. Application owners can verify if applications are bootstrapped using the desired accelerators encoded with their internal best practices early in the development cycle. This way corrective action can be taken if necessary (in case desired accelerators were not used).

Application single sign-on (SSO) enhancements

Application single sign-on (SSO) enhancements now enable authorization on applications. Applications can protect certain resources based on the authenticated user’s level of authorization. An application with protected resources can verify whether the access token of the authenticated user contains the scopes required to perform an action on a protected resource. Developers can now also enable SSO on browser-based public clients (e.g., single page applications).

Internal communication between application components

Developers can arrange for components of their applications to communicate with each other inside of their Tanzu Application Platform environments to get more efficient and secure communication pathways for their complex applications. Each Tanzu Application Platform workload gets a unique internal domain name system (DNS) name that resolves the same way across any application language and framework. Other applications in the environment can connect to them with that same name, even ones running outside of Tanzu Application Platform, making interoperation between app systems even easier and more consistent.

Reporting and insights

Tanzu Application Platform customers can choose to opt into telemetry reporting. These reports can give helpful information about adoption of Tanzu Application Platform within an organization, providing insight into what is running on the platform and how much users are consuming.

Figure: Trend of supply chains across clusters

Figure: Trend of total Tanzu Application Platform deployments for a given customer

Figure: Trend of workloads deployed on a given Tanzu Application Platform cluster and their status

End-to-end application security

A core tenet of the Tanzu Application Platform is to enable users with end-to-end intrinsic security of an application throughout its entire lifecycle. With Tanzu Application Platform 1.5, we continue to add enhancements to expand end-to-end security and visibility of security posture.

Tanzu Application Platform 1.5 offers the following new capabilities:

External Secrets Operator (beta)

External Secrets Operator, currently available as a beta feature, enables enterprise users to use their existing secrets setup on an external secrets manager (e.g., HashiCorp Vault, AWS Secrets Manager, Azure Key Vault) to manage Tanzu Application Platform secrets. External Secrets Operator was packaged with Tanzu Application Platform 1.4, but with 1.5 the functionality has been extended to include a CLI plug-in. The CLI enables users to interface with External Secrets Operator, and in its first iteration it:

  • Lists secrets that are used in Tanzu Application Platform but stored in an external manager
  • Checks their status
  • Creates new Kubernetes secrets that link to a secret in an external provider

Together, External Secrets Operator and the new Tanzu CLI plug-in help simplify managing cluster secret(s) lifecycles in Tanzu Application Platform.


Figure: External Secrets Operator

Artifact metadata repository (AMR)

The artifact metadata repository starts the process of collecting detailed metadata about images as they flow through the supply chain. From the components of an image, to the vulnerabilities that exist for an image, to the run clusters the image is running on: all will be stored in the artifact metadata repository. This provides a wealth of information that is otherwise difficult to cobble together without Tanzu Application Platform.

Transport layer security (TLS) configured out of the box

One key ingredient to delivering an intrinsically secure application is the ability to set up networking between clusters. Tanzu Application Platform runs with enhanced security because TLS is configured by default, out of the box. Additionally, auto-configuration of Application Accelerators, App Live View, and API portal for VMware Tanzu can enable you to spend less time configuring, and more time using the platform to develop and deploy your applications.

Customizable security banners

Customizable security banners for the Tanzu Application Platform GUI can give a clear visual indication of the environment that developers are working on. Banners added to the top and bottom of the screen identify the environment according to the organization’s guardrails.

Figure: Customizable security banners for the Tanzu Application Platform GUI

Seamless Spring Boot application migration

Migrate existing Spring Boot apps to Tanzu Application Platform

Tanzu Application Platform now provides the runtime and Spring Cloud-enabled services on which existing Spring Boot applications rely. Whether you are running your Spring Boot applications on a server, public cloud, Azure Spring Apps, or Tanzu Application Service, you can now migrate them to Tanzu Application Platform without requiring code changes, and with little to no configuration changes.

Once on Tanzu Application Platform, development teams can take advantage of the consistent experience provided by Tanzu Application Platform services and integrated development environments (IDEs). VMware Spring Cloud Gateway for Kubernetes and Application Configuration Service for VMware Tanzu (an API equivalent service to Spring Cloud Config Server that integrates with Kubernetes natively) are available as packages that customers are entitled to install on a Tanzu Application Platform cluster.

Spring Cloud Gateway for Kubernetes added to Tanzu Application Platform

Spring Cloud Gateway for Kubernetes is a high-performance, distributed API gateway solution that is used in scaled, high-throughput environments. You can now install the Spring Cloud Gateway for Kubernetes operator, and the associated custom resource definitions (CRDs), onto your Tanzu Application Platform clusters. Application development teams can then deploy their API gateway and route configurations dynamically to expose their APIs and apply any of the out-of-the-box route filters. To streamline deployments to multiple Tanzu Application Platform clusters, use Namespace Provisioner (mentioned earlier in this post) to set up a GitOps reconciliation loop with a location in your Git repository that represents the API gateway and application resources you want to deploy into a Kubernetes namespace. Exposing your APIs in an application developer-friendly way has never been easier from IDE to production.

Application Configuration Service for VMware Tanzu added to Tanzu Application Platform

Application Configuration Service for VMware Tanzu provides a Kubernetes-native experience to enable the runtime Git-based configuration that existing Spring applications have previously leveraged via Spring Cloud Config Server, which has been an essential component in microservices architectures providing runtime configuration to Spring Boot applications. It achieved this by allowing configuration management to be hosted in Git repositories on different branches and folders that could be used to generate runtime configuration properties for applications. Application Configuration Service for VMware Tanzu is compatible with the existing Git repository configuration management approach, and filters runtime configuration for applications via configuration slices, which produces secrets and ConfigMaps.

Expanded Spring Boot 3 support

Tanzu Application Platform now has enhanced capabilities in support for Spring Boot 3:

  • Iterate on Spring Boot 3-based apps leveraging developer tools for VS Code and IntelliJ in Tanzu Application Platform.
  • Access live information from Spring Boot 3-based apps via App Live View in the developer portal and VS Code.
  • Change log levels of Spring Boot 3-based apps via App Live View in the developer portal.
  • Employ out-of-the-box App Accelerators for Spring apps with support for Spring Boot 3.
  • Create a container image for Spring Boot 3 applications and generate the software bill of materials (SBoM) information with VMware Tanzu Build Service.
  • Apply the most effective conventions for Spring Boot 3 apps with Spring runtime conventions.

Tanzu Application Platform on public cloud

With Tanzu Application Platform 1.5, we are continuing to improve ease of use on public clouds.

Tanzu Application Platform on AWS QuickStart, now for multicluster deployments

The newest release of Tanzu Application Platform on AWS QuickStart now also allows users to deploy in a multicluster architecture. With a few simple clicks, users can have access to a multicluster Tanzu Application Platform environment according to a reference architecture on AWS in as little as 90 minutes (including infrastructure setup time). This significantly reduces the installation time for Tanzu Application Platform on Amazon Elastic Kubernetes Service (Amazon EKS).

Azure DevOps Git repository support in Tanzu Application Platform supply chains

The out-of-the-box supply chains in Tanzu Application Platform now have full support for Azure Repos. This means that teams can use Azure Repos for both storing application source code and opening pull requests to promote applications between environments. This adds to our already existing support for GitHub and GitLab repositories.

Freedom in flexibility: even more out-of-the-box integrations

Enhanced modular capabilities of Tanzu Application Platform allow teams to swap in their preferred third-party tools across the path to production. In Tanzu Application Platform 1.5, we have shipped a simplified alpha user experience for integrating additional vulnerability scanners into supply chains. While the out-of-the-box options in vulnerability scanners continue to grow, this allows our customers and partners to more easily leverage their existing investments in scanning frameworks that are not included out of the box.

Additional modularity is achieved through a growing ecosystem of supported tools. Our new alpha integration with Aqua Trivy, an open source vulnerability scanner by Aqua Security, can enable users of Tanzu Application Platform to:

  • Conduct source code and image scans in their supply chains using Aqua Trivy.
  • Block deployments with critical/high common vulnerabilities and exposures (CVEs) via policy enforcement.
  • Query/view the results from the metadata store/Tanzu Application Platform interfaces.
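An added example (not part of the original post, and not Tanzu Application Platform's own policy mechanism) of the severity gate described in the list above: it reads a Trivy JSON report and refuses the deployment when any finding is rated critical or high. The report, image name and CVE identifiers are constructed placeholders, and `evaluate` with its `ignore` allow-list is a hypothetical helper.

```python
import json

# Constructed sample in the shape of a Trivy JSON report
# (`trivy image --format json`). The image name and CVE identifiers
# are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example.com/team/app:1.0",
    "Results": [
        {"Target": "app (debian 12)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
             "Severity": "CRITICAL", "FixedVersion": "1.2.4"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
             "Severity": "LOW"},
        ]},
        # A target with no findings may carry no "Vulnerabilities" key
        # (or a null value); the gate must not crash on it.
        {"Target": "app/lib/app.jar"},
        {"Target": "usr/bin/tool", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "tool",
             "Severity": "HIGH"},
        ]},
    ],
})

BLOCKED = {"CRITICAL", "HIGH"}  # severities that stop a deployment


def evaluate(report_json, blocked=BLOCKED, ignore=frozenset()):
    """Return (allowed, violations) for one scan report.

    `ignore` is a hypothetical allow-list of reviewed, accepted finding IDs.
    Malformed JSON raises, so a broken report never passes the gate.
    """
    report = json.loads(report_json)
    violations = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            severity = str(vuln.get("Severity", "UNKNOWN")).upper()
            vuln_id = vuln.get("VulnerabilityID", "<no id>")
            if severity in blocked and vuln_id not in ignore:
                violations.append((vuln_id, severity, result.get("Target", "")))
    return (not violations, sorted(violations))


if __name__ == "__main__":
    allowed, violations = evaluate(SAMPLE_REPORT)
    for vuln_id, severity, target in violations:
        print(f"BLOCK {severity:8} {vuln_id} in {target}")
    raise SystemExit(0 if allowed else 1)  # non-zero exit fails the pipeline step
```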

The Tanzu team is looking for early adopters to test drive both of these alpha offerings and provide feedback. If you are interested, simply get in touch with your Tanzu representative or contact us.

Meet us and learn more

Eager to learn more about Tanzu Application Platform or VMware Tanzu in general? Meet us this month at KubeCon Europe in Amsterdam and RSA in San Francisco. Check out our latest content, including webinars, eBooks, and more on the Tanzu Application Platform Tech Zone page.


Disclaimer: Please note that some features are in beta release and are not yet suitable for production use. We will be working hard over the next few months to iron out any remaining issues and stabilize the release.