Updating Tanzu registry secrets in TBS

Article ID: 389955


Products

VMware Tanzu Build Service

Issue/Introduction

The customer has expired secrets and/or tokens in their TBS deployment and needs guidance on how to change the secrets.

The customer should see output similar to the following when running the command kp image save:

Error verifying read access to run image "tanzu-build.packages.broadcom.com/build-service-dependency-updater/package-repo@sha256:################": UNAUTHORIZED

 

The customer should also see some clusterstacks not ready. 

Example:

Status:         Not Ready - GET https://tanzu-build.packages.broadcom.com/artifactory/api/docker/tanzu-build/v2/token?scope=repository:build-service-dependency-updater/package-repo:pull&service=tanzu-build.packages.broadcom.com:: Token failed verification: expired. 

Resolution

Prerequisite: make sure you have the latest Docker login token

1. Log in to your image registry by running:

docker login MY-REGISTRY

Where MY-REGISTRY is your own registry.

2. Retrieve a Docker login token for Tanzu Application Platform by navigating to the Broadcom Support Portal and clicking the green icon next to the version you want to install.

3. Log in to the Broadcom registry with your Broadcom Support Portal username and access token by running:

docker login tanzu-build.packages.broadcom.com

 

Process:

To update the secrets, first delete the existing secret, then create a new secret and give permissions to the Service Account. All of this can be done using a combination of kubectl, the kp CLI, and the Tanzu CLI. Below is the process using kubectl and the Tanzu CLI.

 

Delete secret

kubectl delete secret <SECRET NAME> -n <NAMESPACE>
kubectl delete secretexports -n <NAMESPACE> <SECRET NAME>

 

Create a new secret

*Note: Secrets are created in the Kubernetes current-context namespace, unless you specify a different namespace using the --namespace or -n flag. Kubernetes automatically adds these secrets to the default service account in the same namespace.

tanzu secret registry add <SECRET NAME> \
--username <USERNAME> \
--password <SUPPORT ACCESS TOKEN> \
--server "tanzu-build.packages.broadcom.com" \
--export-to-all-namespaces --yes --namespace <NAMESPACE>

 

Give the Service Account Permissions

*Make sure to patch the correct service account. You can verify by looking at the serviceAccountRef spec in the clusterstack.

kubectl patch serviceaccount <SERVICE_ACCOUNT> -n <NAMESPACE> -p '{"secrets": [{"name": "secret-tanzu-registry"}], "imagePullSecrets": [{"name": "secret-tanzu-registry"}]}'

 

Force the clusterstacks to reconcile.

The clusterstacks won't automatically reconcile when the secret changes. Restarting the kpack controller will force a reconcile. 

kubectl rollout restart deployment kpack-controller -n kpack
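
A check that can be run once the steps above are complete, given here as an added example (not part of the original article or of any Broadcom tooling): it takes the JSON printed by kubectl get secret ... -o json and kubectl get serviceaccount ... -o json and reports whether the secret holds a credential for tanzu-build.packages.broadcom.com and whether the service account lists it under both secrets and imagePullSecrets. It assumes the registry secret is a standard kubernetes.io/dockerconfigjson secret; check_rotation and sample_secret are hypothetical names, and the sample data is constructed.

```python
import base64
import json

REGISTRY = "tanzu-build.packages.broadcom.com"  # registry host from the article


def check_rotation(secret_json, sa_json, registry=REGISTRY):
    """Return a list of problems; an empty list means the wiring is consistent.

    secret_json: kubectl get secret <SECRET NAME> -n <NAMESPACE> -o json
    sa_json:     kubectl get serviceaccount <SERVICE_ACCOUNT> -n <NAMESPACE> -o json
    """
    secret, sa = json.loads(secret_json), json.loads(sa_json)
    name = secret["metadata"]["name"]
    problems = []

    # Assumption: the registry secret is a standard dockerconfigjson secret.
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        return [f"secret {name} has unexpected type {secret.get('type')!r}"]

    cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    entry = cfg.get("auths", {}).get(registry)
    if entry is None:
        problems.append(f"no credentials for {registry} in {name}")
    elif not (entry.get("password") or entry.get("auth")):
        problems.append(f"empty credential for {registry} in {name}")

    # The service account must reference the secret in both lists the patch sets.
    for field in ("secrets", "imagePullSecrets"):
        refs = {ref.get("name") for ref in sa.get(field) or []}
        if name not in refs:
            problems.append(f"service account does not list {name} under {field}")
    return problems


def sample_secret(host, name="secret-tanzu-registry"):
    # Constructed sample; the credential is a placeholder, not a real token.
    cfg = {"auths": {host: {"username": "user@example.com", "password": "PLACEHOLDER"}}}
    data = base64.b64encode(json.dumps(cfg).encode()).decode()
    return json.dumps({"metadata": {"name": name},
                       "type": "kubernetes.io/dockerconfigjson",
                       "data": {".dockerconfigjson": data}})


if __name__ == "__main__":
    # Constructed service account that is missing the imagePullSecrets entry.
    sa = json.dumps({"secrets": [{"name": "secret-tanzu-registry"}], "imagePullSecrets": []})
    for problem in check_rotation(sample_secret(REGISTRY), sa):
        print("PROBLEM:", problem)
```

The function only reports whether a credential is present and never prints it, so its output is safe to paste into a support ticket.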