---
title: Secrets in Tanzu Build Service
owner: Build Service Team
---

Tanzu Build Service uses standard Kubernetes secrets to store credentials for registries and git-based repositories. These credentials include the following:

* Git credentials added to namespaces
* Registry credentials added to namespaces
* Registry credentials provided during installation

## <a id='encrypt-secrets'></a> Encrypting Secrets at Rest

Because Tanzu Build Service uses standard Kubernetes secrets, administrators may configure the cluster to encrypt secrets at rest. For more information, see the following link: https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/

## <a id='sync-secrets'></a> Using Synced Secrets to Access Cluster Builders

To enable the use of Cluster Builders from private registries, a Secret with registry credentials must exist in the namespace of the Image using that Cluster Builder. You can configure this secret manually for each namespace, but Tanzu Build Service provides functionality to synchronize secrets across namespaces to simplify this process.

This feature is applicable in the following cases:

* You have installed Tanzu Build Service to a private registry and do not wish to make Cluster Builders imported by `kp` publicly readable.
* You have used `kp` to create a Cluster Builder in a private registry and do not wish to make it publicly readable.

Synchronized secrets are attached to build pods as `imagePullSecrets` so that the Cluster Builder Image can be pulled at build time.

<p class='note'><strong>Note:</strong> Synchronizing secrets with write access is not recommended. Instead, create and synchronize read-only secrets. A synced secret is not created during installation because the credentials provided for installation must be writable.</p>

## <a id='manage-sync'></a> Managing Secret Synchronization

Currently, the `kp` CLI does not support adding and removing synchronized secrets. However, this can be achieved with the `kubectl` CLI.
### <a id='create-sync'></a> Create a Synchronized Secret

To start synchronizing a secret to all namespaces with builds, use `kubectl` to create a docker-registry (Dockercfg or DockerConfigJson) secret in the `build-service` namespace with the following label: `com.vmware.tanzu.buildservice.sync=true`.

Example Secret:

```
apiVersion: v1
data:
  .dockerconfigjson: <SECRET DATA>
kind: Secret
metadata:
  labels:
    com.vmware.tanzu.buildservice.sync: "true"
  name: my-synced-secret
  namespace: build-service
type: kubernetes.io/dockerconfigjson
```

Example configuration steps:

```
# Remove current local docker config
rm ~/.docker/config.json

# Login locally with READ-ONLY creds
docker login my-registry.io -u <read-only-user> -p <read-only-password>

# Create kubernetes Secret
# The base64 value must be a single line: GNU base64 wraps output at 76 columns
# by default, which would produce invalid YAML, so strip any line breaks.
cat <<EOF | kubectl apply -f-
apiVersion: v1
data:
  .dockerconfigjson: $(base64 < ~/.docker/config.json | tr -d '\n')
kind: Secret
metadata:
  labels:
    com.vmware.tanzu.buildservice.sync: "true"
  name: my-synced-secret
  namespace: build-service
type: kubernetes.io/dockerconfigjson
EOF
```

### <a id='update-sync'></a> Updating a Synchronized Secret

To update a secret and roll out those changes to all namespaces that use Builds, update the secret(s) with the `com.vmware.tanzu.buildservice.sync=true` label located in the `build-service` namespace.

### <a id='stop-sync'></a> Stop Synchronizing a Secret

To stop synchronizing a secret, delete the secret from the `build-service` namespace or remove the `com.vmware.tanzu.buildservice.sync=true` label from the secret located in the `build-service` namespace.
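The following pre-apply check is an added example and not part of Tanzu Build Service or its docs. It validates a Secret manifest against the conditions the sections above set out (namespace `build-service`, the sync label, the `kubernetes.io/dockerconfigjson` type) and catches two common mistakes in the configuration steps: base64 data that was line-wrapped, and a `~/.docker/config.json` that holds no inline credentials because `docker login` delegated to a credential helper. The manifests and the registry credentials in it are constructed sample data.

```python
import base64
import copy
import json

SYNC_LABEL = "com.vmware.tanzu.buildservice.sync"
SYNC_NAMESPACE = "build-service"
DOCKERCFG_TYPE = "kubernetes.io/dockerconfigjson"


def check_synced_secret(manifest):
    """Return the reasons a Secret manifest would not sync correctly (empty list = OK)."""
    problems = []
    meta = manifest.get("metadata", {})
    if manifest.get("kind") != "Secret":
        problems.append("kind must be Secret")
    if meta.get("namespace") != SYNC_NAMESPACE:
        problems.append(f"secret must be created in the {SYNC_NAMESPACE} namespace")
    if meta.get("labels", {}).get(SYNC_LABEL) != "true":
        problems.append(f"label {SYNC_LABEL}=true is missing")
    if manifest.get("type") != DOCKERCFG_TYPE:
        problems.append(f"type must be {DOCKERCFG_TYPE}")
    raw = manifest.get("data", {}).get(".dockerconfigjson", "")
    try:
        # validate=True rejects the line breaks that GNU `base64` inserts by default
        cfg = json.loads(base64.b64decode(raw, validate=True))
    except ValueError:
        problems.append(".dockerconfigjson is not single-line base64 of valid JSON")
        return problems
    auths = cfg.get("auths", {})
    if not any("auth" in entry for entry in auths.values()):
        # docker login writes nothing inline when a credsStore/credHelpers entry is active
        hint = " (credentials live in a helper, not config.json)" if (
            "credsStore" in cfg or "credHelpers" in cfg) else ""
        problems.append("no inline registry credentials found" + hint)
    return problems


# Constructed sample: what `docker login` writes for a read-only user on my-registry.io
_cfg = json.dumps({"auths": {"my-registry.io": {
    "auth": base64.b64encode(b"read-only-user:example-password").decode()}}})
GOOD_SECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": DOCKERCFG_TYPE,
    "metadata": {"name": "my-synced-secret", "namespace": SYNC_NAMESPACE,
                 "labels": {SYNC_LABEL: "true"}},
    "data": {".dockerconfigjson": base64.b64encode(_cfg.encode()).decode()},
}
# Constructed sample: sync label missing and data wrapped at 76 columns, as plain `base64` does on Linux
BAD_SECRET = copy.deepcopy(GOOD_SECRET)
del BAD_SECRET["metadata"]["labels"][SYNC_LABEL]
_b64 = GOOD_SECRET["data"][".dockerconfigjson"]
BAD_SECRET["data"][".dockerconfigjson"] = "\n".join(_b64[i:i + 76] for i in range(0, len(_b64), 76))
```

Run the check over the rendered manifest (for example, by loading the YAML with PyYAML into a dict) before `kubectl apply`; a non-empty result means the secret would be ignored by the sync or would fail to pull the Cluster Builder.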