Managing Secrets

This topic describes managing Kubernetes secrets in VMware Tanzu Build Service.

Overview

VMware Tanzu Build Service uses Kubernetes secrets to manage credentials. To publish images to a registry, you must use a registry secret. To use source code stored in a private Git repository, you must use a Git secret.

Secrets are namespaced and can only be used for image configurations that exist in the same namespace. You can manage secrets with the kp CLI.

For more information about Kubernetes secrets, see Secrets in the Kubernetes documentation. For more information about secret synchronization, see Secrets in Tanzu Build Service.

Create Secrets

You can create secrets using the kp CLI and script them with environment variables.

Secrets are created in the Kubernetes current-context namespace, unless you specify a different namespace using the --namespace or -n flag. Kubernetes automatically adds these secrets to the default service account in the same namespace.

Note: The kp CLI does not validate the secret against the specified registry or Git server when the secret is created. Incorrect credentials are reported only when the secret is used during an image build.

Create a Docker Hub Registry Secret

You can create a Docker Hub registry secret using the --dockerhub flag.

To create a Docker Hub registry secret:

  1. Run:

    kp secret create DOCKER-HUB-CREDENTIALS \
      --dockerhub DOCKER-HUB-ID

    Where:

    • DOCKER-HUB-CREDENTIALS is the name you give your Docker Hub registry secret.
    • DOCKER-HUB-ID is your Docker Hub user ID.
  2. When prompted, enter your Docker Hub password. Alternatively, you can use the DOCKER_PASSWORD environment variable to bypass the password prompt.

The Docker Hub registry secret is stored as a kubernetes.io/dockerconfigjson secret.

Create a GCR Registry Secret

You can create a GCR registry secret using the --gcr flag.

To create a GCR registry secret:

  1. Run:

    kp secret create GCR-CREDENTIALS \
      --gcr /tmp/GCR-SERVICE-ACCOUNT.json

    Where:

    • GCR-CREDENTIALS is the name you give your GCR registry secret.
    • GCR-SERVICE-ACCOUNT.json is the JSON key file for your GCR service account. Alternatively, you can use the GCR_SERVICE_ACCOUNT_PATH environment variable instead of the --gcr flag.

The GCR registry secret is stored as a kubernetes.io/dockerconfigjson secret.

Create an Artifactory, Harbor, or ACR Registry Secret

You can create an Artifactory, Harbor, or ACR secret using the --registry and --registry-user flags.

To create an Artifactory, Harbor, or ACR secret:

  1. Run:

    kp secret create REGISTRY-CREDENTIALS \
      --registry REGISTRY-URL \
      --registry-user REGISTRY-USER-ID

    Where:

    • REGISTRY-CREDENTIALS is the name you give your Artifactory, Harbor, or ACR registry secret.
    • REGISTRY-URL is the URL of the registry.
    • REGISTRY-USER-ID is your registry user ID.
  2. When prompted, enter your registry password. Alternatively, you can use the REGISTRY_PASSWORD environment variable to bypass the password prompt.

The Artifactory, Harbor, or ACR registry secret is stored as a kubernetes.io/dockerconfigjson secret.

Create a Git SSH Secret

You can create a Git SSH secret by specifying a Git user ID and private SSH key.

To create a Git SSH secret:

  1. Run:

    kp secret create GIT-SSH-CREDENTIALS \
      --git GIT-ID \
      --git-ssh-key /tmp/PRIVATE-SSH-KEY

    Where:

    • GIT-SSH-CREDENTIALS is the name you give your Git SSH secret.
    • GIT-ID is your Git user ID.
    • PRIVATE-SSH-KEY is your private SSH key. Alternatively, you can use the GIT_SSH_KEY_PATH environment variable instead of the --git-ssh-key flag.

The Git SSH secret is stored as a kubernetes.io/ssh-auth secret.

Create a Git Basic Auth Secret

You can create a Git basic auth secret by providing your Git username and password.

To create a Git basic auth secret:

  1. Run:

    kp secret create GIT-CREDENTIALS \
      --git GIT-REPOSITORY-URL \
      --git-user GIT-USERNAME

    Where:

    • GIT-CREDENTIALS is the name you give your Git basic auth secret.
    • GIT-REPOSITORY-URL is the URL of your Git repository.
    • GIT-USERNAME is your Git username.
  2. When prompted, enter your Git password. Alternatively, you can use the GIT_PASSWORD environment variable to bypass the password prompt.

The Git basic auth secret is stored as a kubernetes.io/basic-auth secret.
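The registry and Git basic auth sections above say which Kubernetes Secret type each kp command produces. The following added example (not kp's own code) builds those two manifest shapes in Python and recovers the target from a stored secret, which is what you inspect when a build fails with an authentication error, since kp does not validate credentials at creation time. The kpack.io/docker and kpack.io/git annotation keys, the names and the constructed credentials are assumptions for illustration.

```python
import base64
import json

# Target kp records for a --dockerhub secret (matches the kp secret list output).
DOCKER_HUB_SERVER = "https://index.docker.io/v1/"


def b64(text: str) -> str:
    """Base64-encode a string the way Secret data fields expect."""
    return base64.b64encode(text.encode()).decode()


def docker_config_secret(name, registry, user, password, namespace="default"):
    """Build a kubernetes.io/dockerconfigjson Secret for one registry login."""
    auths = {registry: {"username": user, "password": password,
                        "auth": b64(f"{user}:{password}")}}
    return {
        "apiVersion": "v1", "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace,
                     # assumption: annotation that associates the secret with its registry
                     "annotations": {"kpack.io/docker": registry}},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": b64(json.dumps({"auths": auths}))},
    }


def git_basic_auth_secret(name, git_url, user, password, namespace="default"):
    """Build a kubernetes.io/basic-auth Secret for a Git server."""
    return {
        "apiVersion": "v1", "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace,
                     # assumption: annotation that associates the secret with its Git server
                     "annotations": {"kpack.io/git": git_url}},
        "type": "kubernetes.io/basic-auth",
        "data": {"username": b64(user), "password": b64(password)},
    }


def decode_docker_config(secret):
    """Return the parsed docker config stored in a dockerconfigjson Secret."""
    return json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))


def secret_targets(secret):
    """Recover the TARGET column of kp secret list from a stored Secret.
    For dockerconfigjson secrets the targets are the auths keys; a registry
    missing here is why a push fails even though the secret exists."""
    if secret["type"] == "kubernetes.io/dockerconfigjson":
        return sorted(decode_docker_config(secret).get("auths", {}))
    return [secret["metadata"].get("annotations", {}).get("kpack.io/git", "")]
```

Constructed credentials such as "alice"/"s3cret" are placeholders; real secrets should be read from an environment variable or secrets manager rather than written into a script.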

List Secrets

To list the names and the targets for your secrets:

  1. Run:

    kp secret list

    The command returns output similar to the following:

    NAME                   TARGET
    default-token-qrdbr
    docker-hub-creds       https://index.docker.io/v1/
    gcr-creds              gcr.io
    git-creds              https://github.com
    git-ssh-creds          git@github.com
    harbor-creds           registry.pivotal.io

    Unless you specify a namespace using the --namespace or -n flag, the kp secret list command lists the secrets in the Kubernetes current-context namespace. The default-token-xxxxx secret is the token secret that Kubernetes automatically adds to the default service account; it has no target because it is not a registry or Git credential.

Delete Secrets

To delete secrets:

  1. Run:

    kp secret delete SECRET

    Where SECRET is the name of the secret you want to delete.

Unless you specify a namespace using the --namespace or -n flag, secrets are deleted from the Kubernetes current-context namespace.