
Accelerate Your Container Adoption with VMware Tanzu Build Service 1.1

Building containers securely, reliably, and consistently at scale is a daunting task. Yet, it’s an imperative for organizations embracing the rapid delivery of high-quality software. This is the scenario addressed by VMware Tanzu Build Service, which can help any enterprise IT group build and update containers automatically. And it’s flexible enough to slot right into any incumbent CI/CD toolchain.

We’ve seen significant interest in the product since its launch. In the subsequent months, we’ve also received lots of user feedback. Much of this feedback is reflected in VMware Tanzu Build Service 1.1, now generally available, which adds image signing capabilities, CLI enhancements, and beta support for Windows to accelerate containerization at scale. Here’s a quick rundown of the release highlights, viewed through a DevSecOps lens:

Features developers will love:

  • Support for Windows containers (beta)

  • VMware Tanzu .NET Core Buildpack is now GA

Features security teams will love:

  • Support for “signed” container images

  • FIPS-compliant stack

Features platform operators will love:

  • Ability to add libraries to the curated base OS image (or bring your own)

  • kp CLI enhancements to help manage images at scale, and make informed image promotion and deployment decisions

Let’s dive deeper into each of these new capabilities.

Features application developers will love

Tanzu Build Service enables developers to spend more time coding by automating both the build and all subsequent updates. We are now bringing this automated code-to-container workflow to the Windows platform with the following features.

Support for Windows containers (beta*)

Want to containerize your .NET Framework apps? With beta support for Windows workloads, .NET developers can now experiment with Tanzu Build Service in dev/test environments. (This beta capability is good news for operators as well; life gets easier when you use the same build technologies for apps that run Windows and Linux.) 

As part of this beta feature, we now have a buildpack for the .NET Framework, and a stack based on Microsoft Windows Server Core. Developers can provide a pre-published ASP.NET application and Tanzu Build Service will take care of both building a container image and pushing it to a registry of your choice. Here’s the beta version to try out!

VMware Tanzu .NET Core Buildpack is now GA

Continuing with the .NET theme, the .NET Core Buildpack for VMware Tanzu, previously beta, graduates to GA with this release. This buildpack includes runtimes for all supported versions of .NET: 2.x, 3.x, and the recently released .NET 5.0. The new buildpack also supports several types of applications, including those authored with Visual Basic. Developers have the freedom to build containers in a way that works best for them: using source code, with build artifacts like framework-dependent deployments/executables, or from self-contained executables. 

Features security teams will love

Tanzu Build Service makes security an integral part of the container lifecycle with comprehensive, baked-in metadata stamped on every container. There are multiple new additions to further boost your container security posture. 

Support for “signed” container images

We’ve all read news stories about software supply chain vulnerabilities. Reducing your risk in this area is core to the value of Tanzu Build Service.

In this release, we offer additional hardening of the build pipeline. Tanzu Build Service now supports image signing via Docker Notary V1 framework integration. You can configure your desired signing keys as a Kubernetes secret in your team’s namespace. Then simply point to the Notary server deployment and reference the secret that contains the signing key during image configuration. Each subsequent build (or rebase associated with that image configuration) will be signed with the specified key. During deployment, these signatures can be used to verify the authenticity of origin. 

DevSecOps teams can now gain more control and greater assurance that tamper-free images from trusted sources are in production, so the next time they have a compliance conversation with their CISO, they can be especially confident about their supply chain!

FIPS-compliant stack

If your base OS image needs to be Federal Information Processing Standards (FIPS)-certified, you’re in luck. This release provides a new stack image based on Ubuntu 18.04 (Bionic Beaver) that is FIPS 140-2-compliant. To request access to the FIPS 140-2-compliant stack, reach out to your Tanzu account representative.

Features platform operators will love

Tanzu Build Service simplifies Day 2 operations by automating the operational toil associated with building and maintaining containers at scale. Here are some of the things that make it simpler for operators to centrally manage containers across the fleet.  

Ability to add libraries to the curated base OS image (or bring your own) 

Want to build containers on top of your own curated, “golden” OS image? With Tanzu Build Service 1.1, you can seamlessly import your “golden” base OS to the container build cycle.

All of the existing functionality—custom metadata additions, dependency tracking, and policy attributes—is applicable to this imported OS image. Need to customize the curated open source stack images maintained by VMware Tanzu? Go for it! Add a library or a package of your choice, and slot it into the container image. This release offers stack customizations for Ubuntu 18.04 (Bionic Beaver).

kp CLI enhancements to help manage images at scale, and make informed image promotion and deployment decisions

Keeping containers patched and “healthy” is key to your future success. Tanzu Build Service not only tracks the various dependencies needed to build a healthy container image, but also helps with the mechanics of getting it to production. The kp CLI is a simple, intuitive way to keep tabs on your build pipeline. To make it easier for DevSecOps teams to manage container builds at scale, we have introduced the following enhancements to the CLI:

  • Filter images by build reason – Troubleshoot faster with the ability to traverse container images at scale. Engineers can now validate rollouts and verify that all the intended containers were rebased or rebuilt successfully.

  • Display delta between two container builds – You’ll find it easy to find answers to questions like: What changes are present in a deploy-ready version? Does it have the latest commit and desired buildpack version? Discovering what changed between any two versions of a container image can be done with a simple CLI command.

  • Summarize changes for import of new dependencies – Listing the changes imported via a dependency is now a breeze. Easily track the latest buildpack and stacks to keep production build systems up to date. This guards against accidental changes as well as any surprises from dependency updates.

  • Generate a Kubernetes YAML file for all Tanzu Build Service resources – This feature makes it seamless to orchestrate Build Service resources in a GitOps workflow.

Get started today 

Are you already a Tanzu Build Service customer? Then upgrade to Tanzu Build Service 1.1 to take advantage of all these new capabilities. Be sure to read the release notes.

Or are you new to Tanzu Build Service? If so, download an evaluation copy of Tanzu Build Service. Check out our product page and the comprehensive documentation.

And for the journey beyond building containers, check out our new VMware Tanzu Advanced Edition. This full-stack, modular platform includes Tanzu Build Service plus a whole lot more, making it possible to build and operationalize containers and secure your software supply chain from end to end. 

*Note that there is no commitment or obligation that beta features will become generally available.
