Managing Secrets

Page last updated:

Overview

VMware Tanzu Build Service uses Kubernetes secrets to manage credentials.

  • To publish images to a Registry, you must use a Registry secret.
  • To use source code stored in a private Git repository, you must use a Git secret.

Secrets are namespaced and can only be used for image configurations that exist in the same namespace. For more information about Kubernetes secrets, see Secrets in the Kubernetes documentation.

For more information about secret synchronization, see the Secret Synchronization page.

You can manage secrets with the kp CLI. The help text is published here.

$ kp secret
Secret Commands

Usage:
  kp secret [command]

Available Commands:
  create      Create a secret configuration
  delete      Delete secret
  list        List secrets

Flags:
  -h, --help   help for secret

Use "kp secret [command] --help" for more information about a command.

Note: These docs assume kp cli v0.2.* from TBS release v1.1.*. If a feature is not working, you may need to upgrade your cli.

Create Secrets

You can create secrets using the kp CLI and script them with environment variables.

Secrets are created in the Kubernetes current-context namespace, unless you specify a different namespace using the --namespace or -n flag. Kubernetes automatically adds these secrets to the default service account in the same namespace.

Note: The kp CLI does not validate the secret against the specified registry or Git at the time of secret creation. Incorrect credentials will be reported as they are used during an image build.

Create a Docker Hub Registry Secret

You can create a Docker Hub registry secret using the --dockerhub flag.

kp secret create SECRET-NAME --dockerhub DOCKER-HUB-ID

Where:

  • SECRET-NAME is the name you give your secret.
  • DOCKER-HUB-ID is your Docker Hub user ID.

When prompted, enter your Docker Hub password. Alternatively, you can use the DOCKER_PASSWORD environment variable to bypass the password prompt.

The Docker Hub registry secret is stored as a kubernetes.io/dockerconfigjson secret.

Examples:

$ kp secret create secret1 --dockerhub my-dockerhub-id
dockerhub password:
"secret1" created

$ DOCKER_PASSWORD="my-password" kp secret create secret2 --dockerhub my-dockerhub-id
"secret2" created

Create a GCR Registry Secret

You can create a GCR registry secret using the --gcr flag.

kp secret create SECRET-NAME --gcr GCR-SERVICE-ACCOUNT-PATH

Where:

  • SECRET-NAME is the name you give your secret.
  • GCR-SERVICE-ACCOUNT-PATH is the path to your GCR service account json file.

Alternatively use the GCR_SERVICE_ACCOUNT_PATH environment variable instead of the --gcr flag.

The GCR registry secret is stored as a kubernetes.io/dockerconfigjson secret.

Examples:

$ kp secret create secret1 --gcr /tmp/my-gcr-service-account.json
"secret1" created

$ GCR_SERVICE_ACCOUNT_PATH="/tmp/my-gcr-service-account.json" kp secret create secret2
"secret2" created

Create an Artifactory, Harbor, or ACR Registry Secret

You can create an Artifactory, Harbor, or ACR secret using the --registry and --registry-user flags.

kp secret create SECRET-NAME --registry REGISTRY-URL --registry-user REGISTRY-USER-ID

Where:

  • SECRET-NAME is the name you give your secret.
  • REGISTRY-URL is the URL of the registry. This should only be the domain for the registry and should not contain folders or projects. Example: registry.io and not registry.io/project.
  • REGISTRY-USER-ID is your registry user ID.

When prompted, enter your registry password. Alternatively, you can use the REGISTRY_PASSWORD environment variable to bypass the password prompt.

The Artifactory, Harbor, or ACR registry secret is stored as a kubernetes.io/dockerconfigjson secret.

Examples:

$ kp secret create secret1 \
  --registry registry.pivotal.io \
  --registry-user someuser@pivotal.io
registry password:
"secret1" created

$ REGISTRY_PASSWORD="my-password" kp secret create secret2 \
  --registry registry.pivotal.io \
  --registry-user someuser@pivotal.io
"secret2" created

Create a Git SSH Secret

You can create a Git SSH secret by specifying a Git SSH URL and private SSH key.

kp secret create SECRET-NAME --git-url GIT-SSH-URL --git-ssh-key PRIVATE-SSH-KEY-PATH

Where:

  • SECRET-NAME is the name you give your secret.
  • GIT-SSH-URL is the Git SSH domain URL. This is not the full repository URL. For example, value should be git@github.com for GitHub.
  • PRIVATE-SSH-KEY-PATH is the path to your private SSH key.

Alternatively, use the GIT_SSH_KEY_PATH environment variable instead of the --git-ssh-key flag.

The Git SSH secret is stored as a kubernetes.io/ssh-auth secret.

Examples:

$ kp secret create secret1 \
  --git-url git@github.com \
  --git-ssh-key /tmp/private-repo-git-deploy-key
"secret1" created

$ GIT_SSH_KEY_PATH="/tmp/private-repo-git-deploy-key" kp secret create secret2 \
  --git-url git@github.com \
"secret2" created

Create a Git Basic Auth Secret

You can create a Git basic auth secret by providing your Git username and password

kp secret create SECRET-NAME --git-url GIT-DOMAIN-URL --git-user GIT-USERNAME

Where:

  • SECRET-NAME is the name you give your secret.
  • GIT-DOMAIN-URL is the Git domain url. This is not the full repository url. For example, value should be https://github.com for GitHub.
  • GIT-USERNAME is your Git username.

When prompted, enter your Git password. Alternatively, you can use the GIT_PASSWORD environment variable to bypass the password prompt.

The Git basic auth secret is stored as a kubernetes.io/basic-auth secret.

Examples:

$ kp secret create secret1 \
  --git-url https://github.com \
  --git-user someone@vmware.com
git password:
"secret1" created

$ GIT_PASSWORD="my-password" kp secret create secret2 \
  --git-url https://github.com \
  --git-user someone@vmware.com
"secret2" created

List Secrets

To list the names and the targets for your secrets:

kp secret list

Unless you specify a namespace using the --namespace or -n flag, running the kp secret list command lists secrets for the Kubernetes current-context namespace.

Example:

$ kp secret list
NAME                   TARGET
default-token-qrdbr
docker-hub-creds       https://index.docker.io/v1/
gcr-creds              gcr.io
git-creds              https://github.com
git-ssh-creds          git@github.com
harbor-creds           registry.pivotal.io

The default-token-xxxxx secret is automatically added to the default service account by Kubernetes

Delete Secrets

To delete secrets:

kp secret delete SECRET-NAME

Where SECRET-NAME is the name of the secret you want to delete.

Unless you specify a namespace using the --namespace or -n flag, secrets are deleted from the Kubernetes current-context namespace. There is no confirmation required from the user.

Encrypting Secrets at Rest

Because Tanzu Build Service uses standard Kubernetes secrets, administrators may configure the cluster to encrypt secrets at rest. For more information, see the following link: https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/