This topic tells you how to manage your Tanzu Build Service (commonly known as TBS) secrets.

Overview

VMware Tanzu Build Service uses Kubernetes secrets to manage credentials.

  • To publish images to a Registry, you must use a Registry secret.
  • To use source code stored in a private Git repository, you must use a Git secret.

Secrets are namespaced and can only be used for image configurations that exist in the same namespace. For more information about Kubernetes secrets, see Secrets in the Kubernetes documentation.

For more information about secret synchronization, see the Secret Synchronization page.

You can manage secrets with the kp CLI. For more information, see the help text on GitHub.

$ kp secret
Secret Commands

Usage:
  kp secret [command]

Available Commands:
  create      Create a secret configuration
  delete      Delete secret
  list        List secrets

Flags:
  -h, --help   help for secret

Use "kp secret [command] --help" for more information about a command.

Note: These docs assume you are using kp CLI v0.10.x with Tanzu Build Service v1.10.x. If a feature is not working, you might need to upgrade your CLI.

Create Secrets

You can create secrets using the kp CLI and script them with environment variables.

Secrets are created in the Kubernetes current-context namespace, unless you specify a different namespace using the --namespace or -n flag. Kubernetes automatically adds these secrets to the default service account in the same namespace.

Note: The kp CLI does not validate the secret against the specified registry or Git at the time of secret creation. Incorrect credentials are reported as they are used during an image build.

Create a Docker Hub registry secret

You can create a Docker Hub registry secret using the --dockerhub flag.

kp secret create SECRET-NAME --dockerhub DOCKER-HUB-ID

Where:

  • SECRET-NAME is the name you give your secret.
  • DOCKER-HUB-ID is your Docker Hub user ID.

When prompted, enter your Docker Hub password. Alternatively, you can use the DOCKER_PASSWORD environment variable to bypass the password prompt.

The Docker Hub registry secret is stored as a kubernetes.io/dockerconfigjson secret.

For example:

$ kp secret create secret1 --dockerhub my-dockerhub-id
dockerhub password:
"secret1" created

$ DOCKER_PASSWORD="my-password" kp secret create secret2 --dockerhub my-dockerhub-id
"secret2" created

Create a GCR registry secret

You can create a GCR registry secret by using the --gcr flag.

kp secret create SECRET-NAME --gcr GCR-SERVICE-ACCOUNT-PATH

Where:

  • SECRET-NAME is the name you give your secret.
  • GCR-SERVICE-ACCOUNT-PATH is the path to your GCR service account JSON file.

Alternatively, use the GCR_SERVICE_ACCOUNT_PATH environment variable instead of the --gcr flag.

The GCR registry secret is stored as a kubernetes.io/dockerconfigjson secret.

For example:

$ kp secret create secret1 --gcr /tmp/my-gcr-service-account.json
"secret1" created

$ GCR_SERVICE_ACCOUNT_PATH="/tmp/my-gcr-service-account.json" kp secret create secret2
"secret2" created

Create an Artifactory, Harbor, or ACR registry secret

You can create an Artifactory, Harbor, or ACR secret using the --registry and --registry-user flags:

kp secret create SECRET-NAME --registry REGISTRY-URL --registry-user REGISTRY-USER-ID

Where:

  • SECRET-NAME is the name you give your secret.
  • REGISTRY-URL is the URL of the registry. This should only be the domain for the registry and should not contain folders or projects. Example: registry.io and not registry.io/project.
  • REGISTRY-USER-ID is your registry user ID.

When prompted, enter your registry password. Alternatively, you can use the REGISTRY_PASSWORD environment variable to bypass the password prompt.

The Artifactory, Harbor, or ACR registry secret is stored as a kubernetes.io/dockerconfigjson secret.

For example:

$ kp secret create secret1 \
  --registry registry.tanzu.vmware.com \
  --registry-user [email protected]
registry password:
"secret1" created

$ REGISTRY_PASSWORD="my-password" kp secret create secret2 \
  --registry registry.tanzu.vmware.com \
  --registry-user [email protected]
"secret2" created

Create a Git SSH secret

You can create a Git SSH secret by specifying a Git SSH URL and private SSH key.

kp secret create SECRET-NAME --git-url GIT-SSH-URL --git-ssh-key PRIVATE-SSH-KEY-PATH

Where:

  • SECRET-NAME is the name you give your secret.
  • GIT-SSH-URL is the Git SSH domain URL. This is not the full repository URL. For example, value should be [email protected] for GitHub.
  • PRIVATE-SSH-KEY-PATH is the path to your private SSH key.

Alternatively, use the GIT_SSH_KEY_PATH environment variable instead of the --git-ssh-key flag.

The Git SSH secret is stored as a kubernetes.io/ssh-auth secret.

For example:

$ kp secret create secret1 \
  --git-url [email protected] \
  --git-ssh-key /tmp/private-repo-git-deploy-key
"secret1" created

$ GIT_SSH_KEY_PATH="/tmp/private-repo-git-deploy-key" kp secret create secret2 \
  --git-url [email protected] \
"secret2" created

Create a Git basic auth secret

You can create a Git basic auth secret by providing your Git username and password:

kp secret create SECRET-NAME --git-url GIT-DOMAIN-URL --git-user GIT-USERNAME

Where:

  • SECRET-NAME is the name you give your secret.
  • GIT-DOMAIN-URL is the Git domain url. This is not the full repository url. For example, value should be https://github.com for GitHub.
  • GIT-USERNAME is your Git username.

When prompted, enter your Git password. Alternatively, you can use the GIT_PASSWORD environment variable to bypass the password prompt.

The Git basic auth secret is stored as a kubernetes.io/basic-auth secret.

For example:

$ kp secret create secret1 \
  --git-url https://github.com \
  --git-user [email protected]
git password:
"secret1" created

$ GIT_PASSWORD="my-password" kp secret create secret2 \
  --git-url https://github.com \
  --git-user [email protected]
"secret2" created

List secrets

To list the names and the targets for your secrets:

kp secret list

Unless you specify a namespace using the --namespace or -n flag, running the kp secret list command lists secrets for the Kubernetes current-context namespace.

For example:

$ kp secret list
NAME                   TARGET
default-token-qrdbr
docker-hub-creds       https://index.docker.io/v1/
gcr-creds              gcr.io
git-creds              https://github.com
git-ssh-creds          [email protected]
harbor-creds           registry.tanzu.vmware.com

The default-token-xxxxx secret is automatically added to the default service account by Kubernetes.

Delete secrets

To delete secrets:

kp secret delete SECRET-NAME

Where:

  • SECRET-NAME is the name of the secret you want to delete.

Unless you specify a namespace using the --namespace or -n flag, secrets are deleted from the Kubernetes current-context namespace. There is no confirmation required from the user.

Encrypting secrets at rest

Because Tanzu Build Service uses standard Kubernetes secrets, admins may configure the cluster to encrypt secrets at rest. For more information, see Encrypting Secret Data at Rest.

check-circle-line exclamation-circle-line close-line
Scroll to top icon