Secure Software Supply Chains and Developer Experience Charge VMware’s KubeCon Presence

October 20, 2022 Rita Manachi

Tools are only as good as how easily and effectively they are used. Though this is hardly a novel notion, it bears repeating, especially as the pace of open source innovation continues to get faster. In an environment where a thousand flowers are blooming, prescription becomes necessary for productivity, that is, as long as it does not stifle innovation. This is why toolchains and software supply chains at every level of the software development and delivery process are gaining attention. 

In enterprise software development, that means rethinking what tools your engineering teams access and how they access them. Today most of those tools are either available fully as open source, or based on open source technology.

Open source usage is pervasive with tech leaders increasingly willing to accept the risk associated with it in order to reap the benefits. Take the findings of the State of the Software Supply Chain: Open Source Edition 2022, presented by VMware. Of the almost 1,200 respondents, 90% said they are using open source software (OSS) in production. 

This is not to say that open source adoption does not have challenges. Without a programmatic approach, coupled with a lack of standardization, teams are left to manually track dependencies across many teams and a wide landscape of tools. Ultimately this increases toil and missed opportunities. This is where adopting GitOps is critical; however, GitOps alone will not solve your supply chain problems.

According to the same State of the Software Supply Chain study, packaging issues are pervasive and companies are longing for improvements in open source software packaging to improve security in their supply chains. While embracing GitOps can help improve security posture programmatically, we also need tailored toolchains at multiple levels of the software development and delivery process. Addressing it at the developer level is what the Carvel project aims to do. 

Tailored toolchains for the job

Recently accepted by the Cloud Native Computing Foundation (CNCF) as a sandbox project, Carvel is a composable packaging and delivery toolchain for developers. Following the Unix principle of combining tools that “do one thing well,” it provides a set of single-purpose tools in a customizable toolchain to ease building, configuring, and deploying applications to Kubernetes. Carvel allows users to utilize tools in combination with others in the Carvel toolchain, as well as those in the broader CNCF ecosystem. VMware is hosting multiple hands-on Carvel workshops at its booth at KubeCon North America, and whether you are attending KubeCon or not, if you want to see what the Carvel community is up to, join us in the #carvel channel on Kubernetes Slack. 

A curated developer experience couples security and innovation 

The ethos of VMware Tanzu and its flagship platforms (i.e., VMware Tanzu Application Service and VMware Tanzu Application Platform) is a secure path to production. Underscoring this ethos is a curated developer experience with access to open source innovation that also reduces toil and provides assurances regarding quality, security and provenance. 

With general availability of Tanzu Application Platform 1.3, VMware adds more capabilities to support a streamlined experience for app developers and operators on any Kubernetes environment. In addition to integration with more vulnerability scanners, Tanzu Application Platform 1.3 includes a monitoring dashboard, the value of which cannot be overstated. While vulnerability is important, it’s exponentially more useful when combined with inventory data through a software bill of materials (SBoM), and made available through an actionable UI. My colleague Kara Yimoyines will be addressing this issue at KubeCon during her talk, Vulnerability data is not enough: the case for an actionable UI, at Cloud Native SecurityCon, a co-located event at KubeCon North America.

Cloud Foundry Day brings the Cloud Foundry experience to Kubernetes

The Cloud Foundry-based VMware Tanzu Application Service released its 3.0 version in early October of 2022 including new capabilities for developers and operations teams that allow them to continuously deliver and run microservices across clouds. With Tanzu Application Service, teams responsible for development and delivery of applications get an automated path to production for custom code and a secure, highly available runtime. 

But perhaps even more exciting is the progress made to the Application Service Adapter for Tanzu Application Platform, based on Korifi, a community-lead project that brings the Cloud Foundry experience to Kubernetes. Currently in beta, the Service Adapter should move to general availability in late 2022 and will offer basic-level Cloud Foundry compatibilities for customers interested in trying out Kubernetes and Tanzu Application Platform, all without having to retool their developer toolchains. This year's Cloud Foundry Day, co-located with KubeCon North America, will include sessions about Korifi and another popular CNCF project, Cloud Native Buildpacks

For more on DevEx via Backstage 

Also happening in conjunction with KubeCon is BackstageCon. Open source technology built by Spotify, Backstage is front and center as the CNCF community embraces the idea that supporting rapid innovation does not have to come at the cost of security and compliance. Using Backstage for its developer portal component, Tanzu Application Platform seeks to deliver a curated open source experience enabling developers to get the tools they want and need quickly. 

VMware’s Valentina Alaria is making the case for a curated developer experience during her talk on October 24. Conversations with customers reveal that a unified interface for accessing a curated catalog of developer tools, services, templates, and APIs is critical for developer productivity. Valentina will share how VMware incorporates Backstage into its platform and why this enables developer velocity and makes for a happy team.

More ways to get involved

We recognize that the cloud native journey can be complicated and sometimes difficult; but it doesn’t have to be! Set up a free, one-hour, virtual consultation with a VMware Tanzu Labs designer, engineer, and product manager to talk through your ideas and make them a reality with practical advice.

Visit the Tanzu Developer Center for hands-on workshops on some of your favorite open source technologies, and visit us at the VMware booth at KubeCon for in-person workshops for CNCF technologies like Carvel, Knative, kpack and more. 

You can find more practical tips on building a Kubernetes platform that developers love, from implementing a secure software supply chain to treating your platform as a product and why, here.

About the Author

Rita Manachi

Rita Manachi is a product marketing manager at VMware Tanzu.

More Content by Rita Manachi
Cutting the Strings: Staying Lean in a SAFe Organization
Cutting the Strings: Staying Lean in a SAFe Organization

The Scaled Agile Framework (SAFe) has become near-ubiquitous in large organizations, but lean practitioners...

Viewing OpenTelemetry Metrics and Trace Data in Observability by Aria Operations for Applications
Viewing OpenTelemetry Metrics and Trace Data in Observability by Aria Operations for Applications

See how to get started with OpenTelemetry and Aria Operations for Applications in three simple steps—withou...

SpringOne 2024

Learn More