Secrets in Tanzu Build Service

Page last updated:

Tanzu Build Service uses standard Kubernetes secrets to store credentials for registries and git based repositories. These credentials include the following:

  • Git credentials added to namespaces and projects
  • Registry credentials added to namespaces and projects
  • Registry credentials provided during installation

Encrypting Secrets at Rest

Because Tanzu Build Service uses standard Kubernetes secrets, administrators may configure the cluster to encrypt secrets at rest. For more information, see the following link: https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/

Synchronizing Registry Secrets to Projects

Tanzu Build Service synchronizes the registry credentials provided during installation to all projects managed by the Build Service. This is required to support image configurations that use the Custom Cluster Builders, if the registry used by Tanzu Build Service is a private registry.

Synchronized secrets are attached to build pods as imagePullSecrets so that the Builder Image can be pulled at build time.

Managing Secret Synchronization

By default, the kp CLI only supports using Custom Cluster Builders in public registries or in a private registry that has imagePullSecrets synced to all namespaces. The section below describes the process to manage these synced secrets.

Currently, the kp CLI does not support adding and removing synchronized secrets. However, this may be achieved by using the kubectl CLI.

Start Synchronizing a Secret

To start synchronizing a secret to all projects managed by Tanzu Build Service, use kubectl to create a docker-registry (Dockercfg or DockerConfigJson) secret in the build-service namespace with the following label: io.pivotal.buildservice.sync=true.

Updating a Synchronized Secret

To update a secret and roll-out those changes to all projects, simply update the secret(s) with the io.pivotal.buildservice.sync=true label located in the build-service namespace.

Stop Synchronizing a Secret

To stop synchronizing a secret, delete the secret from the build-service namespace.