Customize Open Source Applications to Meet Enterprise Policies with VMware Tanzu Application Catalog

November 7, 2023

This blog was written by Bob Webster and Brad Bock.

VMware Tanzu Application Catalog is the enterprise version of Bitnami open source software, delivered privately for use in production environments. Today, we are excited to announce the release of a new feature called user-defined application customization. With this new capability, you can add application-specific post-build scripts into the Tanzu Application Catalog build process so your artifacts meet requirements such as installing certificates, adding plug-ins, or removing libraries or components from each container image.

Developers love Bitnami; IT and security teams love Tanzu Application Catalog

Developers have used Bitnami’s library of free and open source software for years as a trusted way to get started fast on software projects. Bitnami containers, Helm charts, and virtual machines have been deployed billions of times around the world and are loved for their ease of use, comprehensive documentation, and high-quality construction.  

VMware Tanzu Application Catalog was created as a way for enterprise developers who know and love Bitnami open source software packages to use them all the way to production. Security and IT organizations approve Tanzu Application Catalog open source software (OSS) containers and Helm charts for production because they come with a set of enterprise features that help meet compliance requirements:

  • Many organizations require a specific Linux distribution for production. Tanzu Application Catalog lets you choose from a variety of the most popular distros.  
  • Organizations often need all their production software to be packaged on a specific “golden image” that they maintain in-house. Tanzu Application Catalog artifacts are built on customers’ own golden images, enabling a high degree of customization and specific hardening requirements to be applied across an entire library of software. 
  • New software supply chain security standards require that open source software packages come with an accounting of what is in them and verification that they haven’t been tampered with. Tanzu Application Catalog enables that with software bills of materials (SBoMs) and verifiable signatures with every container and Helm chart. We also supply Vulnerability Exploitability eXchange (VEX) metadata for our Photon OS-based containers that help eliminate false positives in CVE security scans. 
  • Organizations often need to deploy OSS applications across a variety of platforms, with confidence that the apps will work consistently on all of them. Every time an artifact in Tanzu Application Catalog is updated, it goes through extensive automated tests and verifications on multiple target platforms to enable proper functionality and performance on each one.

These features and others have enabled developers to use enterprise-ready containers and Helm charts that function exactly the same as the Bitnami versions they have already been using. The customization and enterprise features make it much easier to leverage the power of OSS in production.  

However, customers told us they still faced friction when they needed to make app-specific customizations. In the past, many customers ran new builds on our containers that executed scripts to enable or disable features specific to each application (for example, if they needed to add TLS certificates or install application-specific plug-ins). While executing a new build to make such app-specific customizations was simple, it invalidated the signatures, SBoMs, and test results they received with the Tanzu Application Catalog artifacts.  

Tanzu Application Catalog containers and Helm charts that are truly production ready

User-defined application customization enables you to receive your Tanzu Application Catalog containers in a finished, production-ready state with no modification needed. This means that even though your unique requirements are baked in, you can still get valid signatures, up-to-date SBoMs and VEX metadata, and evidence that they’ve passed Bitnami’s rigorous battery of functional tests against multiple target environments. Tanzu Application Catalog gives you the option of executing these scripts at several build lifecycle points, so customizations can be made at application levels. 

Examples of user-defined application customizations in action 

Here are some sample use cases that can be addressed with user-defined customizations.

Installing root CA certificates for applications requiring TLS

Many OSS applications provide a web user interface that relies on Transport Layer Security (TLS). Installing custom root and intermediate certificates is a requirement for many organizations when deploying OSS applications. The method of installing certificates is highly dependent on the application architecture. For example, in some cases, certificates can be installed at the base operating system level, but for applications employing a language runtime such as a Java Virtual Machine, certificates must be installed at the language runtime or application configuration level. User-defined customizations can address each of these installation scenarios. 
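As an added example, not code from the blog post or from Tanzu Application Catalog's own customization hook format, the following POSIX shell post-build step installs one enterprise root CA at both levels the paragraph distinguishes: the OS trust store, and the JVM trust store when a Java runtime is present. The staging path, alias, SYSROOT override and the distro-to-directory mapping are assumptions.

```shell
#!/bin/sh
# Added example (not Tanzu Application Catalog's own hook format): trust an
# enterprise root CA at the OS level and, when a JVM exists, at the runtime level.
set -eu

# Assumptions: the build stages the PEM at CA_PEM; SYSROOT lets the script be
# exercised against a scratch directory instead of the live image root.
CA_PEM="${CA_PEM:-/tmp/enterprise-root-ca.pem}"
CA_ALIAS="${CA_ALIAS:-enterprise-root-ca}"
SYSROOT="${SYSROOT:-}"

# Map a distro ID (from /etc/os-release) to its CA anchor directory.
ca_anchor_dir() {
  case "$1" in
    debian|ubuntu)      echo "/usr/local/share/ca-certificates" ;;
    rhel|centos|fedora) echo "/etc/pki/ca-trust/source/anchors" ;;
    *) echo "unsupported distro: $1" >&2; return 1 ;;
  esac
}

# Read ID= from the image's os-release file (quotes stripped).
detect_distro() {
  sed -n 's/^ID=//p' "$SYSROOT/etc/os-release" | tr -d '"'
}

# OS level: copy the PEM into the anchor dir (Debian's tooling only picks up
# the .crt suffix) and rebuild the bundle when operating on the real root.
install_os_ca() {
  distro=$(detect_distro)
  dir="$SYSROOT$(ca_anchor_dir "$distro")"
  mkdir -p "$dir"
  cp "$CA_PEM" "$dir/$CA_ALIAS.crt"
  if [ -z "$SYSROOT" ]; then
    case "$distro" in
      debian|ubuntu) update-ca-certificates ;;
      *)             update-ca-trust extract ;;
    esac
  fi
  echo "$dir/$CA_ALIAS.crt"
}

# JVM level: the JVM does not consult the OS bundle by default, so import the
# CA into the runtime's cacerts store ('-cacerts' needs Java 9+, 'changeit'
# is the JDK default store password).
install_jvm_ca() {
  command -v keytool >/dev/null 2>&1 || { echo "no JVM found, skipping" >&2; return 0; }
  keytool -importcert -noprompt -trustcacerts -cacerts -storepass changeit \
    -alias "$CA_ALIAS" -file "$CA_PEM"
}
```

Run `install_os_ca && install_jvm_ca` as the final step of the image build; with `SYSROOT` pointing at a scratch directory the OS step only stages the file, which is useful for testing the hook outside the build.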

Installing additional “customer standard” tools and plug-ins 

Many organizations employ a standard toolkit of monitoring, management, and diagnostic tools across all components present in their environments. User-defined customizations enable the installation of tools at the OS and application levels. 

Modifying the default application configuration to meet custom security requirements 

For many customers, preconfigured security settings are not sufficient to meet their enterprise security requirements. User-defined customizations enable administrators to make additional OS and application changes to meet custom security requirements. For example, this might involve uninstalling OS packages and default application plug-ins or changing default application configurations to meet hardening requirements. 

Registering customer package manager repositories 

Many organizations maintain their own package repositories for OS and language packages. User-defined customizations can make it easy for administrators to add or remove repository registrations. 

Learn more

If you are interested in learning more about Tanzu Application Catalog in general, check out the product webpage, Tech Zone page, technical documentation, and additional resources. If you would like to get in touch, contact us.
