Synced-Secrets in Tanzu Build Service

Page last updated:

When to use Synchronized Secrets

To enable the use of Cluster Builders from private registries, a Secret with registry credentials must exist in the namespace of the Image using that Cluster Builder.

You can configure this secret manually for each namespace, but Tanzu Build Service provides functionality to synchronize secrets across namespaces to simplify this process.

This feature is applicable in the following cases:

  • You have installed Tanzu Build Service to a private registry and do not wish to make Cluster Builders imported by kp publicly readable.
  • You have used kp to create a Cluster Builder in a private registry and do not wish to make it publicly readable.

Synchronized secrets are attached to build pods as imagePullSecrets so that the Cluster Builder Image can be pulled at build time.

Note: Synchronizing secrets with write access is not recommended. Instead, create and synchronize read-only secrets. A synced secret is not created during installation because the credentials provided for installation must be writable.

Managing Secret Synchronization

Currently, the kp CLI does not support adding and removing synchronized secrets. However, this may be achieved by using the kubectl CLI.

Create a Synchronized Secret

To start synchronizing a secret to all namespaces with builds, use kubectl to create a docker-registry (Dockercfg or DockerConfigJson) secret in the build-service namespace with the following label: com.vmware.tanzu.buildservice.sync=true.

Example Secret:

apiVersion: v1
data:
  .dockerconfigjson: <SECRET DATA>
kind: Secret
metadata:
  labels:
    com.vmware.tanzu.buildservice.sync: "true"
  name: my-synced-secret
  namespace: build-service
type: kubernetes.io/dockerconfigjson

Example configuration steps:

# Remove current local docker config
rm ~/.docker/config.json

# Login locally with READ-ONLY creds
docker login my-registry.io -u <read-only-user> -p <read-only-password>

# Create kubernetes Secret
cat <<EOF | kubectl apply -f-
apiVersion: v1
data:
  .dockerconfigjson: $(cat ~/.docker/config.json | base64)
kind: Secret
metadata:
  labels:
    com.vmware.tanzu.buildservice.sync: "true"
  name: my-synced-secret
  namespace: build-service
type: kubernetes.io/dockerconfigjson
EOF

Update a Synchronized Secret

To update a secret and roll-out those changes to all namespaces that use Builds, simply update the secret(s) with the com.vmware.tanzu.buildservice.sync=true label located in the build-service namespace.

Stop Synchronizing a Secret

To stop synchronizing a secret, delete the secret from the build-service namespace or remove the com.vmware.tanzu.buildservice.sync=true label from the secret located in the build-service namespace.