Managing Secrets
This topic describes managing Kubernetes secrets in VMware Tanzu Build Service.
Overview
VMware Tanzu Build Service uses Kubernetes secrets to manage credentials. To publish images to a registry, you must use a registry secret. To use source code stored in a private Git repository, you must use a Git secret.
Secrets are namespaced and can only be used by image configurations that exist in the same namespace. You manage secrets with the kp CLI.
The Kubernetes API returns secret data base64-encoded, not encrypted: anyone who can read secrets in a namespace can recover the registry password or Git key stored there, so restrict get, list and watch on secrets in build namespaces to the accounts that need them.
For more information about Kubernetes secrets, see Secrets in the Kubernetes documentation. For more information about secret synchronization, see Secrets in Tanzu Build Service.
Create Secrets
You can create secrets using the kp CLI and script them with environment variables. When you script secret creation, avoid typing export DOCKER_PASSWORD=... into an interactive shell, which records the password in shell history; read it from a file or a secret manager instead.
Secrets are created in the Kubernetes current-context namespace, unless you specify a different namespace using the --namespace or -n flag. Each secret is also added to the default service account in that namespace, which is how builds in the namespace gain access to the registry or repository.
Note: The kp CLI does not validate the secret against the specified registry or Git host at the time of secret creation. Incorrect credentials are only reported when an image build first tries to use them, so check credentials before you store them.
Create a Docker Hub Registry Secret
You can create a Docker Hub registry secret using the --dockerhub flag.
To create a Docker Hub registry secret:
Run:
kp secret create DOCKER-HUB-CREDENTIALS \
  --dockerhub DOCKER-HUB-ID
Where:
DOCKER-HUB-CREDENTIALS is the name you give your Docker Hub registry secret.
DOCKER-HUB-ID is your Docker Hub user ID.
When prompted, enter your Docker Hub password. Alternatively, set the DOCKER_PASSWORD environment variable to bypass the password prompt. A Docker Hub access token limited to the permissions the build needs works in place of the account password and is easier to revoke.
The Docker Hub registry secret is stored as a kubernetes.io/dockerconfigjson secret.
Create a GCR Registry Secret
You can create a GCR registry secret using the --gcr flag.
To create a GCR registry secret:
Run:
kp secret create GCR-CREDENTIALS \
  --gcr /tmp/GCR-SERVICE-ACCOUNT.json
Where:
GCR-CREDENTIALS is the name you give your GCR registry secret.
/tmp/GCR-SERVICE-ACCOUNT.json is the path to the JSON key file of the Google Cloud service account that has push access to the registry.
Alternatively, you can use the GCR_SERVICE_ACCOUNT_PATH environment variable instead of the --gcr flag.
The GCR registry secret is stored as a kubernetes.io/dockerconfigjson secret. The key file is a long-lived credential: remove it from world-readable locations such as /tmp once the secret is created, and rotate the key if the file is exposed.
Create an Artifactory, Harbor, or ACR Registry Secret
You can create an Artifactory, Harbor, or ACR secret using the --registry and --registry-user flags.
To create an Artifactory, Harbor, or ACR secret:
Run:
kp secret create REGISTRY-CREDENTIALS \
  --registry REGISTRY-URL \
  --registry-user REGISTRY-USER-ID
Where:
REGISTRY-CREDENTIALS is the name you give your Artifactory, Harbor, or ACR registry secret.
REGISTRY-URL is the URL of the registry.
REGISTRY-USER-ID is your registry user ID.
When prompted, enter your registry password. Alternatively, set the REGISTRY_PASSWORD environment variable to bypass the password prompt. Prefer a registry identity limited to pushing the repositories this namespace builds, such as a Harbor robot account, an ACR token or service principal, or an Artifactory access token, over a personal account.
The Artifactory, Harbor, or ACR registry secret is stored as a kubernetes.io/dockerconfigjson secret.
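Because kp does not validate registry credentials when it stores them, a practitioner will want to check them first. The following wrapper is an added example, not code from the Tanzu Build Service documentation or the kp CLI: it probes the registry's Docker Registry v2 endpoint with the credential, creates the secret only if the registry accepts it, and confirms the stored secret type. It assumes curl, kp and kubectl are on PATH, that REGISTRY_PASSWORD is exported by the caller (the same variable kp reads), and that the registry answers basic authentication on /v2/; the host names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example; not part of the Tanzu Build Service documentation or the kp CLI.
# kp stores whatever password it is given without checking it, and a bad
# credential only surfaces when a build fails. This wrapper verifies the
# credential against the registry's /v2/ endpoint first, creates the secret
# with the same REGISTRY_PASSWORD variable kp reads, and checks the stored type.
# Assumptions: curl, kp and kubectl on PATH; the caller exports REGISTRY_PASSWORD.
set -eu

# registry_host URL: strip scheme and path,
# "https://harbor.example.com/library" -> "harbor.example.com"
registry_host() {
    printf '%s\n' "$1" | sed -e 's#^[A-Za-z][A-Za-z0-9+.-]*://##' -e 's#/.*$##'
}

# v2_verdict STATUS: interpret the HTTP status of GET https://HOST/v2/.
# 200 = credentials accepted, 401 = rejected, 404 = host is not a v2 registry.
v2_verdict() {
    case "$1" in
        200) echo ok ;;
        401) echo unauthorized ;;
        404) echo not-a-v2-registry ;;
        *)   echo "unexpected-$1" ;;
    esac
}

# probe_registry URL USER: basic-auth probe. The credential is fed to curl via
# a config file on stdin (-K -) so it never appears on a command line or in ps.
# Docker Hub answers /v2/ with a bearer-token challenge, so this reports
# "unauthorized" there even for good credentials; use `docker login` for Hub.
probe_registry() {
    host=$(registry_host "$1")
    status=$(printf 'user = "%s:%s"\n' "$2" "$REGISTRY_PASSWORD" \
        | curl -s -K - -o /dev/null -w '%{http_code}' "https://$host/v2/")
    v2_verdict "$status"
}

# create_registry_secret NAME URL USER: preflight, create, verify.
create_registry_secret() {
    name=$1; url=$2; user=$3
    : "${REGISTRY_PASSWORD:?export REGISTRY_PASSWORD before running}"
    verdict=$(probe_registry "$url" "$user")
    if [ "$verdict" != ok ]; then
        echo "refusing to create secret '$name': registry check returned $verdict" >&2
        return 1
    fi
    # kp reads REGISTRY_PASSWORD from the environment, so there is no prompt.
    kp secret create "$name" --registry "$url" --registry-user "$user"
    stored=$(kubectl get secret "$name" -o jsonpath='{.type}')
    if [ "$stored" != kubernetes.io/dockerconfigjson ]; then
        echo "unexpected secret type for '$name': $stored" >&2
        return 1
    fi
    echo "secret '$name' created for $(registry_host "$url") as $user"
}

# Runs only when invoked with arguments (placeholder host and user), e.g.:
#   REGISTRY_PASSWORD=... ./preflight.sh harbor-creds https://harbor.example.com alice
[ "$#" -eq 0 ] || create_registry_secret "$@"
```

The probe deliberately stops at a 401 rather than retrying: a locked-out registry account is a worse outcome than a delayed build. If the registry sits behind a proxy that answers /v2/ with something other than 200, 401 or 404, the "unexpected-" verdict tells you to check the URL before blaming the credential.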
Create a Git SSH Secret
You can create a Git SSH secret by specifying the Git SSH host and a private SSH key.
To create a Git SSH secret:
Run:
kp secret create GIT-SSH-CREDENTIALS \
  --git GIT-ID \
  --git-ssh-key /tmp/PRIVATE-SSH-KEY
Where:
GIT-SSH-CREDENTIALS is the name you give your Git SSH secret.
GIT-ID is the SSH address of your Git host, such as git@github.com; it appears as the secret's TARGET in kp secret list.
/tmp/PRIVATE-SSH-KEY is the path to your private SSH key. Alternatively, you can use the GIT_SSH_KEY_PATH environment variable instead of the --git-ssh-key flag.
The Git SSH secret is stored as a kubernetes.io/ssh-auth secret. The private key is copied into the cluster, so use a dedicated deploy key with read-only access to the repositories being built rather than a personal key.
Create a Git Basic Auth Secret
You can create a Git basic auth secret by providing your Git username and password.
To create a Git basic auth secret:
Run:
kp secret create GIT-CREDENTIALS \
  --git GIT-REPOSITORY-URL \
  --git-user GIT-USERNAME
Where:
GIT-CREDENTIALS is the name you give your Git basic auth secret.
GIT-REPOSITORY-URL is the URL of your Git host or repository, such as https://github.com.
GIT-USERNAME is your Git username.
When prompted, enter your Git password. Alternatively, set the GIT_PASSWORD environment variable to bypass the password prompt. Most Git hosts accept a personal access token in place of the password; prefer a read-only token scoped to the repositories being built.
The Git basic auth secret is stored as a kubernetes.io/basic-auth secret.
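To see what kp actually stored, decode the secret's data fields with kubectl. The script below is an added example, not part of the Tanzu Build Service documentation or the kp CLI: it handles the three secret types described above and prints only non-sensitive fields (registry, username, key type), masking the password and the private key. The sample Docker Hub config and SSH key it embeds are constructed for the demonstration (the key is a placeholder with a PEM header only, not a real key); it assumes kubectl is on PATH and that base64 accepts -d.

```shell
#!/bin/sh
# Added example; not part of the Tanzu Build Service documentation or the kp CLI.
# Decodes the three secret types kp creates to confirm what was stored, without
# printing the password or private key. Sample data below is constructed for
# the demo; secret_summary fetches the real thing with kubectl.
# Assumptions: kubectl on PATH; base64 accepts -d (GNU coreutils, recent macOS).
set -eu

# b64_decode B64-DATA: decode a value from a Secret's .data map.
b64_decode() {
    printf '%s' "$1" | base64 -d
}

# dockerconfig_has_registry B64-DATA REGISTRY: 0 if .auths contains REGISTRY.
dockerconfig_has_registry() {
    b64_decode "$1" | grep -q -F "\"$2\":"
}

# dockerconfig_username B64-DATA REGISTRY: username stored for REGISTRY
# (no jq needed; works on the compact one-line JSON that docker-style
# credential writers produce).
dockerconfig_username() {
    b64_decode "$1" | sed -n "s#.*\"$2\":{[^}]*\"username\":\"\([^\"]*\)\".*#\1#p"
}

# redact_dockerconfig B64-DATA: the config with password and auth fields
# masked, safe to paste into a ticket or a log.
redact_dockerconfig() {
    b64_decode "$1" | sed -e 's/"password":"[^"]*"/"password":"<redacted>"/g' \
                          -e 's/"auth":"[^"]*"/"auth":"<redacted>"/g'
}

# ssh_key_type B64-DATA: "OPENSSH", "RSA", ... from the PEM header, or empty
# if the stored value is not a private key at all.
ssh_key_type() {
    b64_decode "$1" | sed -n '1s/^-----BEGIN \(.*\) PRIVATE KEY-----$/\1/p'
}

# secret_summary NAME [NAMESPACE]: one non-sensitive line for a live secret.
secret_summary() {
    ns=${2:+-n $2}
    type=$(kubectl get secret "$1" $ns -o jsonpath='{.type}')
    case "$type" in
        kubernetes.io/dockerconfigjson)
            data=$(kubectl get secret "$1" $ns -o jsonpath='{.data.\.dockerconfigjson}')
            echo "$1: $type $(redact_dockerconfig "$data")" ;;
        kubernetes.io/ssh-auth)
            data=$(kubectl get secret "$1" $ns -o jsonpath='{.data.ssh-privatekey}')
            echo "$1: $type key-type=$(ssh_key_type "$data")" ;;
        kubernetes.io/basic-auth)
            data=$(kubectl get secret "$1" $ns -o jsonpath='{.data.username}')
            echo "$1: $type username=$(b64_decode "$data")" ;;
        *)  echo "$1: $type (not a kp credential type)" ;;
    esac
}

# Constructed sample data in the shape of a Docker Hub dockerconfigjson.
SAMPLE_DOCKERCONFIG_B64=$(printf '%s' \
  '{"auths":{"https://index.docker.io/v1/":{"username":"alice","password":"hunter2","auth":"YWxpY2U6aHVudGVyMg=="}}}' \
  | base64 | tr -d '\n')
# Placeholder with a PEM header only; not a real key.
SAMPLE_SSH_KEY_B64=$(printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
  'c2FtcGxlLW5vdC1hLXJlYWwta2V5' '-----END OPENSSH PRIVATE KEY-----' | base64 | tr -d '\n')

# Usage: ./inspect-secrets.sh docker-hub-creds git-ssh-creds git-creds
if [ "$#" -gt 0 ]; then
    for s in "$@"; do secret_summary "$s"; done
fi
```

Anyone with get on secrets in the namespace can run the same decode, which is the reason the Overview recommends limiting that permission: the redaction here protects your terminal and logs, not the cluster.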
List Secrets
To list the names and the targets for your secrets:
Run:
kp secret list
The command returns output similar to the following:
NAME                  TARGET
default-token-qrdbr
docker-hub-creds      https://index.docker.io/v1/
gcr-creds             gcr.io
git-creds             https://github.com
git-ssh-creds         git@github.com
harbor-creds          registry.pivotal.io
Unless you specify a namespace using the --namespace or -n flag, running the kp secret list command lists secrets for the Kubernetes current-context namespace. The default-token-xxxxx secret is the secret Kubernetes automatically adds to the default service account.
Delete Secrets
To delete secrets:
Run:
kp secret delete SECRET
Where SECRET is the name of the secret you want to delete.
Unless you specify a namespace using the --namespace or -n flag, secrets are deleted from the Kubernetes current-context namespace. Deleting the secret removes the credential from the cluster only; if the password or key may have been exposed, revoke or rotate it at the registry or Git host as well.