Operators using VMware Tanzu Mission Control can now create and manage image registry secrets. This new feature lets operators create an image registry secret in a single namespace and make it available to all namespaces in a cluster, giving them one place to manage every registry secret for that cluster. With this addition, namespaces in clusters managed by Tanzu Mission Control can authenticate to private registries, including registries that store VMware Tanzu Application Platform components. Here’s how it works.
User experience
In the Tanzu Mission Control user interface, after selecting a cluster, users will see a new tab within the cluster view called “Secrets” (see image below). Within this tab, users can create and export registry secrets in the cluster. Users can also find this capability in the Tanzu Mission Control API and CLI.
Click the “Secrets” tab within the cluster, and you will see a list of all the secrets created in that cluster.
To create a secret, click the “Create secret” button, select the namespace in which the secret should be created, provide the registry URL, and enter your credentials Base64-encoded, the same encoding Kubernetes uses for the values in a Secret’s data field.
After the secret is created, you can choose whether to export it to all namespaces in the cluster. Exporting makes the secret available to every namespace, so workloads in any namespace can authenticate to the private registry with it.
The workflow to create a new secret.
Optionally, you can elect to share the secret with all namespaces in the cluster, as shown below.
Sharing the secret with all namespaces in the cluster.
Implementation details
Tanzu Mission Control uses secretgen-controller to manage the export of secrets to all other namespaces in the cluster. Exporting does not by itself copy the secret into every namespace; it marks the secret as importable, and secretgen-controller materializes a copy only in namespaces that request it (through a SecretImport resource or an annotated placeholder image pull secret).
Secrets are created and exported through a new Tanzu Mission Control service, the cluster secrets service (see the architecture diagram below). When a secret is created and exported to all namespaces, Tanzu Mission Control stores it using the account manager service, then uses the existing secure channel to the in-cluster intent agent to provision the secret to the cluster and to send the export intent to the cluster secrets agent, a new in-cluster agent.
The cluster secrets agent deploys secretgen-controller and creates the SecretExport custom resources (CRs) that secretgen-controller acts on.
Export only credentials that grant read-only (pull) access to the registry. Once a secret is exported to all namespaces, anyone who can read secrets in any namespace of the cluster can obtain those credentials, so exporting push-capable credentials would let any tenant overwrite images in the registry.
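The mechanics described in the three paragraphs above, as an added example that is not Tanzu Mission Control’s or secretgen-controller’s own code: a Python script that builds the Kubernetes objects secretgen-controller acts on (the dockerconfigjson Secret and its SecretExport, plus the two ways a consuming namespace opts in, a SecretImport or an annotated placeholder secret) and decodes a resulting Secret to show exactly what any namespace that imports it can read. Tanzu Mission Control creates these objects for you; the script only shows what lands in the cluster. The namespace name tmc-secrets, the registry registry.example.com, the robot account puller and its password are constructed for illustration and are not conventions of the product.

```python
"""Added example (not Tanzu Mission Control or secretgen-controller code): the Secret,
SecretExport and consumer-side objects behind a cluster-wide image registry secret.
Namespace 'tmc-secrets', registry 'registry.example.com' and the credentials are
constructed sample values."""
import base64
import json

SECRETGEN_API = "secretgen.carvel.dev/v1alpha1"
DOCKERCONFIG_TYPE = "kubernetes.io/dockerconfigjson"
# Annotation secretgen-controller looks for on a placeholder image pull secret.
PLACEHOLDER_ANNOTATION = "secretgen.carvel.dev/image-pull-secret"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def docker_config_json(registry: str, username: str, password: str) -> str:
    """The .dockerconfigjson document a kubelet or registry client understands.
    Two encodings are at play: 'auth' is base64(user:pass) *inside* the JSON, and
    the whole JSON is base64-encoded again when stored in Secret.data below."""
    auth = _b64(f"{username}:{password}".encode("utf-8"))
    return json.dumps(
        {"auths": {registry: {"username": username, "password": password, "auth": auth}}}
    )


def registry_secret(name: str, namespace: str, registry: str, username: str, password: str) -> dict:
    """Kubernetes Secret of type kubernetes.io/dockerconfigjson (Secret.data values are base64)."""
    payload = docker_config_json(registry, username, password).encode("utf-8")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": DOCKERCONFIG_TYPE,
        "data": {".dockerconfigjson": _b64(payload)},
    }


def secret_export(name: str, namespace: str, to_namespaces=("*",)) -> dict:
    """SecretExport must carry the same name and namespace as the Secret it exports.
    toNamespaces ['*'] is what 'export to all namespaces' means: any namespace may import it."""
    return {
        "apiVersion": SECRETGEN_API,
        "kind": "SecretExport",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {"toNamespaces": list(to_namespaces)},
    }


def secret_import(name: str, from_namespace: str, into_namespace: str) -> dict:
    """Consumer side, option 1: a SecretImport (same name as the export) makes
    secretgen-controller materialize a copy of the exported Secret in into_namespace."""
    return {
        "apiVersion": SECRETGEN_API,
        "kind": "SecretImport",
        "metadata": {"name": name, "namespace": into_namespace},
        "spec": {"fromNamespace": from_namespace},
    }


def placeholder_pull_secret(name: str, namespace: str) -> dict:
    """Consumer side, option 2: an empty dockerconfigjson Secret carrying the image-pull-secret
    annotation; secretgen-controller fills it with every dockerconfigjson secret exported to
    this namespace, so a Pod can reference it in imagePullSecrets before the copy exists."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace, "annotations": {PLACEHOLDER_ANNOTATION: ""}},
        "type": DOCKERCONFIG_TYPE,
        "data": {".dockerconfigjson": _b64(b"{}")},
    }


def credentials_in_secret(secret: dict) -> dict:
    """What anyone who can read the (copied) Secret learns: registry -> (username, password).
    This is why only pull-only credentials should be exported cluster-wide."""
    cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    creds = {}
    for registry, entry in cfg["auths"].items():
        user, _, password = base64.b64decode(entry["auth"]).decode("utf-8").partition(":")
        creds[registry] = (user, password)
    return creds


def render(*manifests: dict) -> str:
    """Emit a v1 List as JSON (kubectl apply -f accepts it), so one apply installs everything."""
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": list(manifests)}, indent=2)


if __name__ == "__main__":
    secret = registry_secret("registry-credentials", "tmc-secrets", "registry.example.com", "puller", "s3cret")
    print(render(
        secret,
        secret_export("registry-credentials", "tmc-secrets"),
        secret_import("registry-credentials", "tmc-secrets", "team-a"),
        placeholder_pull_secret("tap-registry", "tap-install"),
    ))
    print("readable by every importing namespace:", credentials_in_secret(secret))
```

Running the script prints the four manifests as one list and then the decoded credentials, which is the point of the last function: whatever is exported with toNamespaces ["*"] is readable in plain text by any namespace that imports it, so the robot account behind it should be able to pull and nothing else.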
Workflow diagram for the secrets management feature.
Key capabilities
Here are the standout capabilities of this new feature:
- Create and manage image registry secrets in Tanzu Mission Control clusters
- Export secrets to make them available to all namespaces in the cluster
- Enable namespaces in Tanzu Mission Control managed clusters to authenticate to private registries, including Tanzu Application Platform registries
With the addition of registry secrets management in Tanzu Mission Control, operators no longer have to create registry secrets by hand in every namespace of a cluster. They can now provision a registry secret once, directly from Tanzu Mission Control, and export it to all namespaces in the cluster.
To learn more about recent feature additions in Tanzu Mission Control, see our recent blog post on the Tanzu Mission Control catalog feature.