Managing Secrets

Page last updated:

This section describes how to manage docker image registry secrets and git secrets with build service

A registry secret is needed to publish images to a registry. A git secret is needed to utilize source code stored in private git repository.

All secrets are created within a project and will be available to all images within the project.

See Secrets in Tanzu Build Service for more information about secrets in Tanzu Build Service.

Managing Image Registries for a Project

To allow Build Service to push images to a private registry, you must add the registry credentials to the project that manages the image configuration.

Associating an Image Registry with a Project

To associate an image registry and image registry credentials with a project:

  1. Target the project/namespace with which you want to associate the registry by running:

    pb project target PROJECT-NAME
    

    Where PROJECT-NAME is the name of the project/namespace that should be configured with a secret.

  2. Create a YAML file with the image registry location and credentials. Enter the following variables:

    registry: REGISTRY-DOMAIN
    username: REGISTRY-USERNAME
    password: REGISTRY-PASSWORD
    

    Where:

    • REGISTRY-DOMAIN is the domain for the registry. Use the following guidance to complete the registry field, depending on your image registry:
      • Docker Hub: Enter https://index.docker.io/v1/.
      • GCR: Enter gcr.io.
      • Harbor: Enter the domain that is specific to your deployment of the registry.
      • Artifactory: Enter the domain that is specific to your deployment of the registry
    • REGISTRY-USERNAME and REGISTRY-PASSWORD are the username and password of the image registry, respectively. You can include only one password for an image registry in the credentials YAML file.
  3. Apply the image registry YAML file by running:

    pb secrets registry apply -f PATH-TO-REGISTRY-CREDENTIALS-YAML
    

    Where PATH-TO-REGISTRY-CREDENTIALS-YAML is the local path to the YAML file that you created in the previous step.

Changing Image Registry Association and Credentials

To update the registry association and credentials for a project:

  1. Modify the variables in your image registry YAML file.

    • To change the project the registry is associated with, modify project.
    • To change the registry associated with the project, modify registry.
    • To change the credentials for the registry, modify username and password.
  2. Apply the image registry file by running:

    pb secrets registry apply -f PATH-TO-REGISTRY-CREDENTIALS-YAML
    

    Where PATH-TO-REGISTRY-CREDENTIALS-YAML is the local path to the YAML file that you created in the previous section.

Deleting Image Registry Credentials

To delete registry credentials from a project:

pb secrets registry delete gcr.io

Note: The pb 0.1.0 cli has a known issue where secret delete will fail with a permission error

As a workaround you can delete a secret with kubectl:

  1. Find the secret name, In the describe output you should see your secret name prefixed with: “pb”. kubectl describe serviceaccount default
  2. Delete the secret. kubectl describe serviceaccount default
  3. Delete the secret reference in the serviceAccount. kubectl describe serviceaccount default

Managing Git Repositories for a Project

To allow Build Service to execute builds against app source code in a private Git repository, you must add the Git username and password to the project that manages the source code.

As you apply YAML files that associate a Git repository and Git repository credentials, the pb CLI provides feedback indicating whether or not the commands succeeded.

Associating a Git Repository with a Project

To associate a Git repository and Git repository credentials with a project/namespace:

Note: If your git repository uses an access token, you can specify the token in the below password field. For more information, see Creating a personal access token for the command line in the GitHub documentation.

  1. Create a YAML file with the Git repository location and credentials. Enter the following variables:
  • If using username and password:

    repository: GIT-REPOSITORY
    username: GIT-USERNAME
    password: GIT-PASSWORD or TOKEN
    

    Where:

    • GIT-REPOSITORY is the URL of the GitHub repository.
    • GIT-USERNAME is the Git username used to access the GitHub repository.
    • GIT-PASSWORD or TOKEN is the password or access token used to access the GitHub repository.
  • If using ssh credentials:

    repository: GIT-REPOSITORY
    sshKey: SSH-KEY
    

    Where:

    • GIT-REPOSITORY is the URL of the GitHub repository.
    • SSH-KEY is the value of the ssh key needed to access the git repository

Apply the Git repository file running:

pb secrets git apply -f PATH-TO-REPOSITORY-CREDENTIALS-YAML-FILE

Where PATH-TO-REPOSITORY-CREDENTIALS-YAML-FILE is the local path to the YAML file that you created in the previous step.

Changing Git Repository Association and Credentials

To update the Git repository and credentials:

  1. Modify the variables in your Git repository YAML file.

    • To change the Git repository, modify repository.
    • To change the credentials for the Git repository, modify username and password.
  2. Apply the Git repository credentials file by running:

    pb secrets git apply -f PATH-TO-REPOSITORY-CREDENTIALS-YAML-FILE
    

    Where PATH-TO-REPOSITORY-CREDENTIALS-YAML-FILE is the local path to the YAML file that you created in the previous step.

Deleting Git Repository Credentials

To delete Git credentials from a project/namespace:

pb secrets git delete github.com

Note: The pb 0.1.0 cli has a known issue where secret delete will fail with a permission error

As a workaround you can delete a secret with kubectl:

  1. Find the secret name, In the describe output you should see your secret name prefixed with: “pb”. kubectl describe serviceaccount default
  2. Delete the secret. kubectl describe serviceaccount default
  3. Delete the secret reference in the serviceAccount. kubectl describe serviceaccount default