Installing & Configuring Tanzu Build Services (TBS) 1.3 on Tanzu Kubernetes Grid Cluster (TKG) 1.4 and creating container image from Spring boot application

What is TBS?

Tanzu Build Service uses the open-source Cloud Native Buildpacks project to create container image out of application source code stored on git, blobstore or as code on a workstation.

TBS Basic Concept


An Image resource defines the source of application code, which build time environment and registry information to store the images. Here is sample Image resource:

kind: Image
  name: sample-binding-with-secret
    kind: ClusterBuilder
    name: default
      revision: 0eccc6c2f01d9f055087ebbf03526ed0623e014a
    - name: production-db-secret
      kind: Secret


A builder is an image that contains all the necessary depedencies to run a build. Builder consists of Buildpack and Stack .


A buildpack is a set of executables that inspects your app source code and create a plan to build and run your application. Buildpack mainly have two phases i.e. Detect and Build.


Stack consists two images i.e. Build Image and Run Image. Build Image is used to build the application image and Run Image is used to run the created application container image.


A ClusterStore serves as a repository for Cloud Native Buildpacks available for use in Builders.


A ClusterStack defines a pair of build and run OS images. Critical security vulnerabilities are addressed by building apps on the most up-to date stack.

Why TBS?

Here is why i think TBS can be really helpful for you as a developer.

  • No need to worry about container complexity
  • No need to write any logic to create application container image for the code you are writing
  • No need to worry about updating application container image after you update your application code
  • and many more…

So, at a high level, TBS can turn application source code into container image without writing any Dockerfile.

Installing & Configuring TBS 1.3 on TKG 1.4

In this section, i will describe the steps needed to install TBS 1.3 on a TKG Cluster running on AWS cloud.

Installation Pre-requirements

  • Kubernetes version 1.19 or later. In my case since it is TKG 1.4, so Kubernetes version is 1.21.2
  • Worker nodes in a TKG Cluster with minimum of 50GB ephemeral storage
  • Container Registry Access, In my case i am going to use Harbor registry that comes with TKG bundle
  • TKG Cluster with default storage class, You can validate the parameter of storage class by running kubectl describe sc
  • Carvel CLI tools (kapp,ytt,kbld,imgpkg) are installed. Imgpkg version should be 0.12.0 or higher
  • Accept EULA for the following products
  • Optional: Setup pivnet. This helps to download package easily from Tanzu network site. To install pivnet, you can refer the instructions from here I will be using pivnet commands in following steps.
    • If you are on ubuntu linux, you can follow below steps
    $ wget
    $ mv pivnet-linux-amd64-3.0.1 pivnet
    $ chmod 755 pivnet
    $ mv pivnet /usr/local/bin/
    $ pivnet login --api-token='Your API token from Tanzu Network'
  • Setup kp cli.
    • Download kp cli from Tanzu Network
    $ pivnet download-product-files --product-slug='build-service' --release-version='1.3.0' --product-file-id=1058206
    $ mv kp-linux-0.4.0 kp && chmod 755 kp &&  mv kp /usr/local/bin/
    $ kp version
  • Download and configure Docker CLI to autheticate with registries

Installation Steps

  • Login to VMware Tanzu Registry
$ docker login -u
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See

Login Succeeded

  • Login to Container registry that you will be using for TBS install, I am using Harbor.
$ docker login -u admin
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See

Login Succeeded

> Note: In you have self signed certificate for harbor registry, then you will see certificate error. So you can update the harbor ca certificate on your local system by running following command on ubuntu.

$ sudo cp CERTIFICATE.crt /usr/local/share/ca-certificate
$ update-ca-certificates
  • Run below commands to relocate image
# If you are using self signed certificate, mention the location as in below command
$ imgpkg copy -b "" --to-repo --registry-ca-cert-path /dinesh/ca.crt
copy | exporting 17 images...
copy | will export
copy | will export
copy | will export
copy | will export
copy | will export
copy | will export
copy | will export
copy | will export
copy | will export
copy | will export
copy | will export
copy | will export
copy | will export
copy | will export
copy | will export
copy | will export
copy | will export
copy | exported 17 images
copy | importing 17 images...

 443.45 MiB / 443.64 MiB [=================================================================================================================]  99.96% 15.31 MiB/s 28s

copy | done uploading images
copy | Warning: Skipped layer due to it being non-distributable. If you would like to include non-distributable layers, use the --include-non-distributable-layers flag

  • Pull image
$ imgpkg pull -b "" -o /tmp/bundle  --registry-ca-cert-path /dinesh/ca.crt 
ls -l /tmp/bundle/
Pulling bundle ''
  Extracting layer 'sha256:872d56ff2b8ef97689ecaa0901199d84e7f7ae55bfef3ad9c7effa14b02e6dfd' (1/1)

Locating image lock file images...
The bundle repo ( is hosting every image specified in the bundle's Images Lock file (.imgpkg/images.yml)


  • Trigger the install

$ ytt -f /tmp/bundle/values.yaml -f /tmp/bundle/config/ -f /dinesh/ca.crt -v kp_default_repository='' -v kp_default_repository_username='admin' -v kp_default_repository_password='admin123' -v pull_from_kp_default_repo=true -v tanzunet_username='' -v tanzunet_password='' | kbld -f /tmp/bundle/.imgpkg/images.yml -f- | kapp deploy -a tanzu-build-service -f- -y

# Note: Once this command is completed successfully, this means your TBS installation is done.

Validating TBS Installation

To validate the TBS installation, Run the following commands

  • Check the additional namespaces, you will notice that the build-service and kpack is created
$ k get ns
NAME                             STATUS   AGE
build-service                    Active   26h
cert-manager                     Active   21d
default                          Active   22d
kpack                            Active   26h
kube-node-lease                  Active   22d
kube-public                      Active   22d
kube-system                      Active   22d
pinniped-concierge               Active   22d
pinniped-supervisor              Active   22d
stacks-operator-system           Active   26h
tanzu-package-repo-global        Active   22d
tanzu-system-dashboards          Active   21d
tanzu-system-ingress             Active   21d
tanzu-system-monitoring          Active   21d
tanzu-system-registry            Active   30h
tanzu-system-service-discovery   Active   21d
tkg-system                       Active   22d
tkg-system-public                Active   22d
  • Validate the pods running inside build-service and kpack namespaces
$ k get po -n build-service
$ k get po -n kpack

# You should have all pods running
  • Verify the clusterbuilders
$ kp clusterbuilder list
NAME       READY    STACK                          IMAGE
base       false    io.buildpacks.stacks.bionic
default    false    io.buildpacks.stacks.bionic
full       false    io.buildpacks.stacks.bionic
tiny       false    io.paketo.stacks.tiny

> Note: In my case, it took around 5 mins to populate the clusterbuilders after TBS install. Now, We are good to create a container image.

Creating Application container image from source code

In this demonstration, I will be using my github repository where spring petclinic application source code is available and harbor registry to store the created application container image. You can also use github enterprise too. > In case you are using public github, then we dont need to create github secret, else secret is needed to access the github repository.

# Commands to create secret for github and registry.
$ kp secret create my-registry-creds --registry --registry-user admin --namespace default
$ kp secret create github-creds --git-url --git-user dineshtripathi30 -n default
  • Here is my github repo, where application code is available.

    Creating a container image using TBS

    • Run below command
    $ kp image create spring-petclinic --tag -n default --git --git-revision main --wait
    # Notice the output carefully and you will that it is running several steps like detect, analyze etc. and eventually image will be created.
    • List the image
      $ kp image list
      NAME                     READY      LATEST REASON    LATEST IMAGE                                                                                                            NAMESPACE
      spring-petclinic    Ready    CONFIG     default
  • You can go ahead and create a pod using this image.

That’s all folks in this post. Hopefully you will find this helpful.

Reference Links



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s