As a platform operator, you can use Tanzu Mission Control to create and manage secrets for use in your cluster.

Tanzu Mission Control allows you to create image pull secrets in a namespace that allow namespaces in managed clusters to authenticate to private registries, including registries that store Tanzu Application Platform components.

You can also make a secret created in one namespace available for use by other namespaces in your cluster, providing a single place to manage secrets for the cluster. The secret is a Tanzu Mission Control resource.

Implementation Details

Tanzu Mission Control leverages secretgen-controller to manage the export of secrets to all other namespaces in the cluster. This does not copy the secret into other namespaces, but allows other namespaces to request access to, and use that secret.

As shown in the Cluster Secrets Architecture diagram below, secrets are created and exported using the Tanzu Mission Control cluster secret service. When a secret is created and exported to all namespaces through this service, Tanzu Mission Control stores the secret using the account manager service and uses the secure channel with the in-cluster intent agent to provision the secret to the cluster and to send the secret export intent to the cluster secret agent, a new in-cluster agent.

The cluster secret agent is responsible for deploying secretgen-controller, and for creating secret export CRs that will be picked up by secretgen-controller.

It is recommended that only credentials that allow read-only access to the registry should be exported.

Figure 1. Cluster Secrets Architecture
The Cluster Secrets Architecture