I recently had the chance to film the above What is/How to video on software supply chain choreography with Zach Robinson and James Rawlings, two of the excellent folks working on VMware’s Tanzu Application Platform.

With Tanzu Application Platform (which went GA earlier this year), VMware aims to address what my colleague Stephen has coined the Developer Experience Gap: the disjointed experience that results when tools and processes are cobbled together with the technical equivalent of duct tape and baling wire. Another component of the DevX Gap: the overwhelming number of choices developers often face when piecing together different parts of their toolchains. The supply chain choreography functionality of Tanzu Application Platform–which is powered by the open source Cartographer project–is designed to help address these issues as they pertain to the Kubernetes landscape.

What is a supply chain?

As Zach explains during our conversation, cobbling together the tools and tech required to get an app into production often requires a lot of assembly.

And while the visuals are great at getting the point across, I imagine the number of choices and categories looking more like (but not limited to) all the pieces that constitute the CNCF Landscape.

In this context, a supply chain pieces together a curated selection of tools and technologies needed to get software into production, thereby taking care of the assembling part.

Zach is careful to note that conceptually the job to be done of a supply chain is not new, as we see what are essentially supply chains pieced together in, say, CI or CD pipelines. What Cartographer offers (and Tanzu Application Platform leverages) is a standardized way to piece together all these components and make them available to developers in an easily consumable way (no small feat when dealing with Kubernetes). And of course CI and CD processes are part of the deal. While Tanzu Application Platform offers a default supply chain out-of-the-box, an organization can swap pieces in and out as it sees fit, even creating different supply chains to best suit different types of apps.

Orchestration vs. choreography

We also look at the difference between choreography and orchestration (a term that is probably more familiar to anyone steeped in cloud-native parlance, as we talk about Kubernetes and container orchestration all the time).
While this post explains the difference more fully, to sum up: with orchestration, all communication goes through the orchestrator (thereby creating a potential single point of failure), whereas choreography involves different components potentially communicating with each other.

In this case I love the metaphors involved, as in dance the purpose of choreography is to allow multiple dancers to coordinate with each other without any real-time instruction (whereas I have a hard time imagining the same happening with an orchestra that finds itself without a conductor).

Supply chain choreography roles (and a demo)

Cartographer was designed with a separation of roles in mind, with DevOps, Platform, and/or SecOps teams tasked with defining supply chains and thereby curating and creating guardrails around some of the tools and tech that app developers use.

This arrangement means that concerns such as compliance and security are handled by teams that have expertise in these areas, leaving developers to focus on ideating and building their apps per se. Developers do have to define some aspects of their application through an abstraction known as a workload.

James does an excellent job explaining both of these roles (and how Cartographer works within Tanzu Application Platform) in his demo. And while I think the entire video is worth watching, you can jump directly to the start of the demo here.

Related Resources

Tanzu:

• The Tanzu Application Platform landing page
• More from the Tanzu team on Software Supply Chain Choreography

On Security:

• From the Tanzu blog: Secure Your Software Supply Chain with New VMware Tanzu Application Platform Capabilities
• An webinar from VMware and RedMonk on “No YOLO Ops: Securing the Software Supply Chain”
• An excellent post from Rachel Stephens: Developer Experience Is Security

Cartographer:

• The Cartographer Project Page
• Jump to the Cartographer documentation
• Cartographer on Twitter
• Link to joining the Kubernetes Slack (check out the #cartographer channel)

 

Disclosure: VMware is a RedMonk client; the video discussed in this post was sponsored by VMware (but this post was not).