This topic tells you how to use Cluster Builders in Private Registries.
Note: As of TBS 1.7, Synced Secrets are deactivated by default. To activate the synced secrets feature, set enable_synced_secrets: true during installation.
To allow the use of cluster builders from private registries, a secret with registry credentials must exist in the namespace of the image using that cluster builder.
You can configure this secret manually for each namespace, but Tanzu Build Service in tandem with the Carvel secret-gen-controller provides functionality to synchronize secrets across namespaces to simplify this process.
This feature is applicable in the following cases:
- kp ... publicly readable.
- You use kp to create a cluster builder in a private registry and do not wish to make it publicly readable.
Synchronized secrets are attached to build pods as imagePullSecrets so that the cluster builder image can be pulled at build time.
Note: Synchronizing secrets with write access is not recommended. Instead, create and synchronize read-only secrets. A synced secret is not created during installation because the credentials provided for installation must be writable.
In order to manage secrets across namespaces, Tanzu Build Service uses the Carvel secret-gen-controller. Tanzu Build Service automatically creates placeholder secrets in namespaces that contain Build resources, and the secret-gen-controller then populates these placeholders with the corresponding synced secret from the build-service namespace.
Install the controller by following the README from Tanzu Cluster Essentials on Tanzu Network or the install docs on GitHub.
Currently, the kp CLI does not support adding and removing synchronized secrets. However, this can be done with the kubectl CLI.
To start synchronizing a secret to all namespaces with builds, first create the secret in the build-service namespace by using the kubectl CLI.
Example secret:
apiVersion: v1
kind: Secret
metadata:
  name: my-synced-secret
  namespace: build-service
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: <SECRET DATA>
Then create a SecretExport resource for it.
Example SecretExport resource:
apiVersion: secretgen.carvel.dev/v1alpha1
kind: SecretExport
metadata:
  name: my-synced-secret
  namespace: build-service
spec:
  toNamespace: "*"
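The two manifests above, generated end to end as an added example (this script is not part of the Tanzu Build Service docs or the project). It builds the .dockerconfigjson payload for a read-only registry account, which is the kind of credential the note above recommends syncing, emits the Secret and SecretExport in the build-service namespace, and then shows how to confirm that the copy reached a build namespace and is referenced by a build pod. The registry host, account name, token and the target build namespace are placeholders; the secret name and namespace are the ones used on this page.

```bash
#!/usr/bin/env bash
# Added example, not from the Tanzu Build Service docs.
# Assumed placeholders: registry.example.com, robot-ro, <READ-ONLY TOKEN>, my-build-ns.
set -euo pipefail

# Build the .dockerconfigjson payload for one registry. This is the same
# structure `kubectl create secret docker-registry` writes; the "auth" field
# is base64(user:token). Use a read-only account here, never the write
# credential used at installation time.
docker_config_json() {
  local registry="$1" user="$2" token="$3"
  local auth
  auth=$(printf '%s:%s' "$user" "$token" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$registry" "$user" "$token" "$auth"
}

# Emit the Secret manifest in the build-service namespace. The data value is
# the base64 encoding of the JSON produced above, as the Secret API expects.
secret_manifest() {
  local name="$1" registry="$2" user="$3" token="$4"
  local encoded
  encoded=$(docker_config_json "$registry" "$user" "$token" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: build-service
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: ${encoded}
EOF
}

# Emit the SecretExport that lets the secret-gen-controller copy the secret
# into every namespace where Tanzu Build Service has created a placeholder.
secret_export_manifest() {
  local name="$1"
  cat <<EOF
apiVersion: secretgen.carvel.dev/v1alpha1
kind: SecretExport
metadata:
  name: ${name}
  namespace: build-service
spec:
  toNamespace: "*"
EOF
}

# Apply both manifests, then verify the copy exists in a build namespace and
# that build pods there list it under imagePullSecrets.
sync_read_only_secret() {
  local name="$1" registry="$2" user="$3" token="$4" build_ns="$5"
  secret_manifest "$name" "$registry" "$user" "$token" | kubectl apply -f -
  secret_export_manifest "$name" | kubectl apply -f -
  # The copy appears once a Build resource exists in the namespace.
  kubectl get secret "$name" -n "$build_ns"
  kubectl get pods -n "$build_ns" -o jsonpath='{range .items[*]}{.metadata.name}{": "}{.spec.imagePullSecrets[*].name}{"\n"}{end}'
}

# Usage (requires a cluster with TBS and the secret-gen-controller installed):
# sync_read_only_secret my-synced-secret registry.example.com robot-ro '<READ-ONLY TOKEN>' my-build-ns
```

The manifest functions run without a cluster, so you can pipe their output through a review step (or `kubectl apply --dry-run=client -f -`) before anything is created. The verification lines at the end are the practical check that the placeholder was populated: if the secret is missing in the build namespace, either no Build resource exists there yet or the SecretExport was not applied in build-service.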
Once the Tanzu Build Service secret-syncer controller creates the placeholder, this secret is automatically copied to the build namespace.
For more detailed information on the Carvel secret-gen-controller, review the Carvel docs.
To update a secret and roll out those changes to all namespaces that use builds, update the secret(s) that have a corresponding SecretExport resource in the build-service namespace. After the secret is updated, the change is rolled out across namespaces.
To stop synchronizing a secret, delete the secret from the build-service namespace, or remove the corresponding SecretExport resource for that secret from the build-service namespace.