Repository secrets

Starting with version 1.5, TSB provides an automated way to obtain images from a remote private Docker container repository by defining imagePullSecrets in ManagementPlane and ControlPlane CRs. If imagePullSecrets is defined, the required ServiceAccounts will be patched with the credentials from the secret, allowing for secure access to the containers that are stored in the remote private repository. The following steps outline the configuration process:

Synchronizing images

TSB images are located in Tetrate's repository and only available for copying to your repository (no direct download to any environment is allowed). The first step is to transfer the images to your repository. To synchronize the images, you need to use tctl install image-sync per the documentation (a license key provided by Tetrate is required).

Obtain JSON key for the private repository

The secret that is specified as imagePullSecrets will store credentials that allow kubernetes to pull the required containers from the private repository. The way to obtain the credentials depends on the repository. Please refer to the following links to get some guidance on major cloud providers - AWS, GCP and Azure.

Create secrets in every namespace used by TSB

As stated in the Kubernetes documentation, secrets can only be accessed by pods within the same namespace they are created in. Therefore, a separate secret must be created for each namespace used by TSB. Note that the available namespaces may vary depending on the Kubernetes platform.

Currently, the following namespaces require a separate secret:

• For the TSB Management Plane cluster tsb and cert-manager (if using the internal TSB packaged cert-manager)
• For the TSB Control Plane cluster istio-system, istio-gateway, cert-manager (if using the internal TSB packaged cert-manager) and kube-system (if using Istio CNI)

Additional namespaces

The list provided above is not exhaustive. Additional namespaces may be used for TSB components on different platforms and therefore will require a separate secret to be created. To check if there are any pods experiencing issues obtaining the container image, use the command kubectl get pods -A | grep ImagePullBackOff.

Application namespaces

To make sure that istio enabled application, can download images. The repository credentials secret is required to be present in every application namespace with istio-sidecar enabled pods and ingress gateways.

Install TSB

To install TSB, use your preferred method, but ensure that the ManagementPlane and ControlPlane CRs have imagePullSecrets configured as follows:

  spec:
    ...
    imagePullSecrets:
    - name: <secret name created in previous step>
    ...

Patch operator ServiceAccounts

Images of TSB Operators require credentials before the operators are able to propagate the imagePullSecrets to the rest of components.

The steps are the following:

• Patch the ServiceAccounts for TSB operator in istio-system and istio-gateway namespaces:

  kubectl patch serviceaccount tsb-operator-control-plane -p '{"imagePullSecrets": [{"name": "<secret name created per steps above>"}]}' -n istio-system
  kubectl patch serviceaccount tsb-operator-data-plane -p '{"imagePullSecrets": [{"name": "<secret name created per steps above>"}]}' -n istio-gateway

• Restart the operators in these namespaces:

  kubectl delete pod -n istio-system -l=name=tsb-operator 
  kubectl delete pod -n istio-gateway -l=name=tsb-operator
  kubectl delete pod -n istio-gateway -l=name=istio-operator

Helm chart installation

Steps to create secrets and define the imagePullSecrets can be automated using Helm installation

Sequence of steps

It's very important that the Kubernetes secret for the private repository is created before installing TSB. Following this proper sequence will allow for efficient deployment and will minimize any downtime.