Secrets in Tanzu Build Service
Tanzu Build Service uses standard Kubernetes secrets to store credentials for registries and git-based repositories. These credentials include the following:
- Git credentials added to namespaces and projects
- Registry credentials added to namespaces and projects
- Registry credentials provided during installation
Because Tanzu Build Service uses standard Kubernetes secrets, administrators may configure the cluster to encrypt secrets at rest. For more information, see the following link: https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/
Tanzu Build Service synchronizes the registry credentials provided during installation to all projects managed by the Build Service. This is required to support image configurations that use the Custom Cluster Builders, if the registry used by Tanzu Build Service is a private registry.
Synchronized secrets are attached to build pods as imagePullSecrets so that the Builder Image can be pulled at build time.
By default, the kp CLI only supports using Custom Cluster Builders in public registries or in a private registry that has imagePullSecrets synced to all namespaces. The section below describes the process to manage these synced secrets.
kp CLI does not support adding and removing synchronized secrets. However, this may be achieved by using the
To start synchronizing a secret to all projects managed by Tanzu Build Service, use kubectl to create a docker-registry (Dockercfg or DockerConfigJson) secret in the build-service namespace with the following label: io.pivotal.buildservice.sync=true
To update a secret and roll out those changes to all projects, simply update the secret(s) with the io.pivotal.buildservice.sync=true label located in the build-service namespace.
To stop synchronizing a secret, delete the secret from the build-service namespace.
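The create, update and delete steps above as one shell script. This is an added example, not part of the Tanzu Build Service documentation or product: it renders a kubernetes.io/dockerconfigjson Secret manifest in the build-service namespace carrying the io.pivotal.buildservice.sync=true label, and only calls kubectl when invoked with an explicit apply or delete subcommand. The script name, secret name, registry host and credentials are assumed values for the demonstration.

```shell
#!/bin/sh
# Added example (not the product's own tooling). Renders and manages a
# registry secret that Tanzu Build Service will sync to every project.
# Assumed: kubectl is on PATH and points at the cluster (only for apply/delete).

SYNC_LABEL_KEY="io.pivotal.buildservice.sync"   # label the page documents
TBS_NAMESPACE="build-service"                   # namespace the page documents

# Build the .dockerconfigjson payload for one registry, in the same shape
# `kubectl create secret docker-registry` produces (auth = base64(user:pass)).
docker_config_json() {
  server="$1"; user="$2"; pass="$3"
  auth=$(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$server" "$user" "$pass" "$auth"
}

# Emit a Secret manifest in the build-service namespace labelled for sync.
# Re-applying this manifest with new credentials is the "update" step:
# the label stays in place, so the change rolls out to all projects.
sync_secret_manifest() {
  name="$1"; server="$2"; user="$3"; pass="$4"
  payload=$(docker_config_json "$server" "$user" "$pass" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${TBS_NAMESPACE}
  labels:
    ${SYNC_LABEL_KEY}: "true"
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: ${payload}
EOF
}

# Check (on stdin) that a manifest carries the sync label set to "true";
# a secret without it is never synchronized, which is an easy thing to miss.
has_sync_label() {
  grep -q "^    ${SYNC_LABEL_KEY}: \"true\"$"
}

# Usage from a real shell (assumed values; needs kubectl and cluster access):
#   ./sync-secret.sh apply my-registry-creds registry.example.com builder-user 's3cr3t'
#   ./sync-secret.sh delete my-registry-creds
# To list what is currently being synced:
#   kubectl get secrets -n build-service -l io.pivotal.buildservice.sync=true
case "${1:-}" in
  apply)  shift; sync_secret_manifest "$@" | kubectl apply -f - ;;
  delete) kubectl delete secret "$2" -n "$TBS_NAMESPACE" ;;
esac
```

Deleting the secret from build-service (the delete subcommand) is the documented way to stop synchronization; removing only the label is not described on the page, so the script does not offer it.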