Updating Build Service Dependencies

Page last updated:

Keeping applications up-to-date with the latest dependency patches is a core feature of Tanzu Build Service. Updates to dependencies will be propagated to application images. The resources that account for these patches are:

  • ClusterStacks - Update a ClusterStack to patch operating system packages.
  • ClusterStores - Update a ClusterStore to patch the Cloud Native Buildpacks used to build your applications.

You can use the kp CLI to update any resource. The help text is published here.

Note: These docs assume kp cli v0.2.* from TBS release v1.1.*. If a feature is not working, you may need to upgrade your cli.

Updating Dependencies

Automatically Update Dependencies

Tanzu Build Service 1.2 ships with a dependency updater that can update ClusterStacks, ClusterStores, ClusterBuilders, and the CNB Lifecycle from TanzuNet automatically. Enabling this feature will keep Images up to date with the latest security patches and fixes.

You can run kubectl get TanzuNetDependencyUpdater -A to check if you have a TanzuNetDependencyUpdater set up already. If you have one, there is nothing you need to do to manage your dependencies in TBS.

If you would like to enable this feature after install, you can create the following resources:

  1. A secret with you TanzuNet credentials (kp secret create dependency-updater-secret --registry registry.pivotal.io --registry-user <TANZUNET_USERNAME>) in the namespace where you would like your dependency updater to be in.
  2. A service account that contains that secret. (If the secret was created using kp, it will automatically be added to the default service account in that namespace.
  3. A TanzuNetDependencyUpdater resource:
---
apiVersion: buildservice.tanzu.vmware.com/v1alpha1
kind: TanzuNetDependencyUpdater
metadata:
  name: dependency-updater
  namespace: <NAMESPACE>
spec:
  serviceAccountName: <SERVICE-ACCOUNT>
  productSlug: tbs-dependencies
  checkEvery: 1m
  • The productSlug field corresponds to the product name in TanzuNet
  • The checkEvery field is the frequency that the updater will check for new descriptor file releases
  • The serviceAccountName field is the name of the service accoutn from step 2

Bulk Update

Note: If you want to be alerted when a new descriptor file is published, we recommend using an RSS reader and watching the Tanzu Build Service Dependencies TanzuNet feed for updates https://network.pivotal.io/rss

The Bulk Update workflow can update all dependencies (ClusterStacks, ClusterStores and ClusterBuilders) in Tanzu Build Service using the kp import command.

  1. Download the Dependency Descriptor file (descriptor-<version>.yaml) from the latest release on the Tanzu Build Service Dependencies page on Tanzu Network.

Note: You can see all of the buildpackages versions that will be imported by looking at the `buildpackage-versions-.yaml` file from the [Tanzu Build Service Dependencies](https://network.pivotal.io/products/tbs-dependencies/) release.

  1. Use the kp CLI
kp import -f descriptor-<version>.yaml

The following ClusterStacks will be updated with the latest Operating System patches: base, default, full, and tiny.

The following ClusterStore will be updated with the latest Cloud Native Buildpacks: default

Using the --show-changes flag will give a summary of the resource changes for the import. You will also be asked to confirm the import. Confirmation can be skipped with --force.

Cluster Stacks Update

This section described how to update individual cluster stacks. This provides a more fine-grained way to patch operating system packages.

New stack versions will be provided on the Tanzu Build Service Dependencies page on Tanzu Network.

To update specific cluster stacks, go to the latest release of the Tanzu Build Service Dependencies page on Tanzu Network to find the image references and their <sha256> sums. Example commands will be provided on this page.

Use the following kp CLI commands to update the desired stack:

kp clusterstack update base \
  --build-image registry.pivotal.io/tbs-dependencies/build-base@<sha256> \
  --run-image registry.pivotal.io/tbs-dependencies/run-base@<sha256>

kp clusterstack update default \
  --build-image registry.pivotal.io/tbs-dependencies/build-full@<sha256> \
  --run-image registry.pivotal.io/tbs-dependencies/run-full@<sha256>

kp clusterstack update full \
  --build-image registry.pivotal.io/tbs-dependencies/build-full@<sha256> \
  --run-image registry.pivotal.io/tbs-dependencies/run-full@<sha256>

kp clusterstack update tiny \
  --build-image registry.pivotal.io/tbs-dependencies/build-tiny@<sha256> \
  --run-image registry.pivotal.io/tbs-dependencies/run-tiny@<sha256>

Note: Both build and run images need to be provided to update the stack.

The updated ClusterStack can be viewed with the following command:

kp clusterstack status <stack-name>

Example output

$ kp clusterstack status tiny
Status:         Ready
Id:             io.paketo.stacks.tiny
Run Image:      gcr.io/build-service-dev/test/run@sha256:34b01fd9a3745fcaa345f8993938291c931f7977cc2bee78ed377da2edc55e3d
Build Image:    gcr.io/build-service-dev/test/build@sha256:5288d9c5b7cf7068d07b5a184f3ec2f124fbc5842401b8b23c74485c4d2ba23a

Cluster Store Update

ClusterStores contain all of the buildpackages (one or more packaged Cloud Native Buildpacks) to be used by Builders to build application images.

You can update Cloud Native Buildpacks in Tanzu Build Service by adding new buildpackage versions to the store.

To list the buildpackages available in a store:

kp clusterstore status <store-name>

Example output

$ kp clusterstore status default
Status:    Ready

BUILDPACKAGE ID                 VERSION    HOMEPAGE
paketo-buildpacks/procfile      1.4.0      https://github.com/paketo-buildpacks/procfile
tanzu-buildpacks/dotnet-core    0.0.3
tanzu-buildpacks/go             1.0.5
tanzu-buildpacks/httpd          0.0.38
tanzu-buildpacks/java           2.5.0      https://github.com/pivotal-cf/tanzu-java
tanzu-buildpacks/nginx          0.0.45
tanzu-buildpacks/nodejs         1.1.0
tanzu-buildpacks/php            0.0.3

To show a complete list of all buildpacks available in a store:

kp clusterstore status <store-name> --verbose

Update a store with one or more buildpackages with:

kp clusterstore add <store-name> -b <buildpackage-image1> -b <buildpackage-image2>

Note: Any number of buildpackages can be added to a store at a time with multiple `-b` flags.

Updating Buildpacks From Tanzu Network

New Cloud Native Buildpacks (packaged as buildpackages) will be available on Tanzu Network and should be uploaded to a Tanzu Build Service to keep application images patched.

New versions of the Java, NodeJS, and Go buildpacks will be released on their respective Tanzu Network pages: Java, NodeJS and Go. New versions of all other buildpacks will be released on the Tanzu Build Service Dependencies page.

Here is a list of how to update each buildpack that is included with Tanzu Build Service by default:

kp clusterstore add default -b registry.pivotal.io/tanzu-java-buildpack/java:<version>
kp clusterstore add default -b registry.pivotal.io/tanzu-nodejs-buildpack/nodejs:<version>
kp clusterstore add default -b registry.pivotal.io/tanzu-go-buildpack/go:<version>
kp clusterstore add default -b registry.pivotal.io/tbs-dependencies/tanzu-buildpacks_dotnet-core:<version>
kp clusterstore add default -b registry.pivotal.io/tbs-dependencies/tanzu-buildpacks_php:<version>
kp clusterstore add default -b registry.pivotal.io/tbs-dependencies/tanzu-buildpacks_nginx:<version>
kp clusterstore add default -b registry.pivotal.io/tbs-dependencies/tanzu-buildpacks_httpd:<version>
kp clusterstore add default -b registry.pivotal.io/tbs-dependencies/paketo-buildpacks_procfile:<version>

Additionally, multiple buildpackages can be added to Build Service by passing multiple image references:

kp clusterstore add <store-name> \
  -b registry.pivotal.io/buildpacakge-1 \
  -b registry.pivotal.io/buildpackage-2 \
  -b registry.pivotal.io/buildpackage-3

Offline Update of Dependencies

The stack images and buildpacks used by build service can be updated by first downloading those images and saving them as a .tar file. This file can be provided to the kp CLI to import to Tanzu Build Service.

  1. Download the Dependency Descriptor file (descriptor-<version>.yaml) from the latest release on the Tanzu Build Service Dependencies page on Tanzu Network.

  2. Download the kp CLI for your operating system from the latest release on the Tanzu Build Service page.

  3. Download the kbld CLI for your operating system from the latest release on the kbld page.

  4. Download the dependency images for Tanzu Build Service to your local machine with kbld:

    docker login registry.pivotal.io
    
    kbld package -f descriptor-<version>.yaml \
        --output /tmp/packaged-dependencies.tar
    
  5. Move the output file packaged-dependencies.tar to a machine that has access to the “offline” environment

  6. Upload the dependency images to the internal registry used to deploy Tanzu Build Service:

    docker login <build-service-registry>
    
    kbld unpackage -f descriptor-<version>.yaml \
      --input /tmp/packaged-dependencies.tar \
      --repository <IMAGE-REPOSITORY> \
      --lock-output /tmp/dependencies-relocated.lock
    

    Where IMAGE-REPOSITORY is the repository used to install Tanzu Build Service. This should be the same value as IMAGE-REPOSITORY used in the Installation Steps.

  7. Now that dependencies are relocated to the internal registry, you can use the following command to update the necessary resources:

    kbld -f descriptor-<version>.yaml -f /tmp/dependencies-relocated.lock | kp import -f -