Tetrate Service Bridge (Version: next)

Repository secrets

TSB provides an automated way to pull images from a remote private container registry: you define imagePullSecrets in the ManagementPlane and ControlPlane CRs. When imagePullSecrets is set, the required ServiceAccounts are patched with a reference to that secret, so the pods running under those ServiceAccounts can pull the images stored in the private registry. The following steps outline the configuration process:

Synchronizing images

TSB images are hosted in Tetrate's repository and are only available for copying to your own repository (no direct pull from any environment is allowed). The first step is therefore to transfer the images to your repository. To synchronize the images, use tctl install image-sync as described in the documentation (a license key provided by Tetrate is required).

Creating image pull secrets

Obtain JSON key for the private repository

The secret referenced by imagePullSecrets stores the credentials that allow Kubernetes to pull the required images from the private repository. How you obtain the credentials depends on the registry; refer to the documentation of the major cloud providers (AWS, GCP and Azure) for guidance.

Create secrets in TSB namespaces

As stated in the Kubernetes documentation, a Secret can only be used by pods in the namespace it was created in. Therefore, a separate secret (with the same name) must be created in each namespace used by TSB. Note that the set of namespaces may vary depending on the Kubernetes platform.

Currently, the following namespaces require a separate secret:

  • For the TSB Management Plane cluster: tsb and cert-manager (if using the cert-manager packaged with TSB)
  • For the TSB Control Plane cluster: istio-system, istio-gateway, cert-manager (if using the cert-manager packaged with TSB) and kube-system (if using Istio CNI)

Additional namespaces

The list above is not exhaustive. Additional namespaces may be used for TSB components on different platforms, and each of them also needs its own copy of the secret. To check whether any pod is failing to pull its image, run kubectl get pods -A | grep ImagePullBackOff (a pod that has only just failed may still show ErrImagePull instead).

Create secrets in Application namespaces

To make sure that Istio-enabled applications can pull their images, the repository credentials secret must also be present in every application namespace that contains istio-sidecar-injected pods or ingress gateways.
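The two steps above (one Secret in every TSB namespace, and one in every Istio-enabled application namespace) as an added example script; this is not code from the TSB documentation or the TSB project. It renders an identical kubernetes.io/dockerconfigjson Secret manifest for each namespace from a single set of credentials, so the copies cannot drift, and it ends with the checks you would run once TSB is installed. The secret name tsb-pull-secret, the registry host registry.example.com and the key file key.json are placeholder assumptions; _json_key is the username Google uses for JSON-key authentication (ECR uses AWS with a token from aws ecr get-login-password, ACR a service principal).

```shell
#!/bin/sh
# Added example (not from the TSB docs): render one image-pull Secret per
# namespace from a single set of registry credentials, then apply and verify.
# Placeholders (assumptions): secret name tsb-pull-secret, registry
# registry.example.com, key file key.json. Replace them with your own values.

# Escape stdin as the body of a JSON string (backslash, double quote, newline).
# Needed because a GCP JSON key used as the password is itself a JSON document.
json_escape() {
  first=1
  while IFS= read -r line || [ -n "$line" ]; do
    esc=$(printf '%s' "$line" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
    [ "$first" = 1 ] && first=0 || printf '\\n'
    printf '%s' "$esc"
  done
}

# The .dockerconfigjson document that `kubectl create secret docker-registry`
# would build. The password is read from a file; trailing newlines are dropped,
# exactly as --docker-password="$(cat key.json)" would drop them.
dockerconfigjson() {
  registry=$1 user=$2 passfile=$3
  password=$(cat "$passfile")
  auth=$(printf '%s:%s' "$user" "$password" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$registry" "$(printf '%s' "$user" | json_escape)" \
    "$(printf '%s' "$password" | json_escape)" "$auth"
}

# A kubernetes.io/dockerconfigjson Secret manifest for one namespace.
pull_secret_manifest() {
  sname=$1 ns=$2 dcj=$3
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: kubernetes.io/dockerconfigjson\ndata:\n  .dockerconfigjson: %s\n' \
    "$sname" "$ns" "$(printf '%s' "$dcj" | base64 | tr -d '\n')"
}

# render_pull_secrets NAME REGISTRY USER PASSFILE NAMESPACE...
# Emits a multi-document YAML stream carrying the same credentials into every
# namespace, because a Secret is namespaced and cannot be shared across them.
render_pull_secrets() {
  sname=$1 registry=$2 user=$3 passfile=$4
  shift 4
  dcj=$(dockerconfigjson "$registry" "$user" "$passfile")
  for ns in "$@"; do
    printf -- '---\n'
    pull_secret_manifest "$sname" "$ns" "$dcj"
  done
}

# Namespaces listed in the TSB docs. Not exhaustive: extend for your platform
# and add every Istio-enabled application namespace.
MP_NAMESPACES="tsb cert-manager"
CP_NAMESPACES="istio-system istio-gateway cert-manager kube-system"

# Post-install checks (need cluster access, so they are not run at load time):
# which ServiceAccounts reference which pull secrets, and which pods are stuck.
show_sa_pull_secrets() {   # show_sa_pull_secrets NAMESPACE
  kubectl get serviceaccounts -n "$1" \
    -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.imagePullSecrets[*].name}{"\n"}{end}'
}
failing_pulls() {
  kubectl get pods -A | grep -E 'ImagePullBackOff|ErrImagePull' || echo "no image pull failures"
}

# Usage on a Control Plane cluster that also runs an application in "bookinfo":
#   render_pull_secrets tsb-pull-secret registry.example.com _json_key key.json \
#     $CP_NAMESPACES bookinfo > pull-secrets.yaml
#   kubectl apply -f pull-secrets.yaml    # before installing TSB
#   show_sa_pull_secrets istio-system     # after install: SAs list tsb-pull-secret
#   failing_pulls
```

Because the secret name is identical in every namespace, the same `imagePullSecrets` value works in both the operator values and the CR spec. Pods only copy a ServiceAccount's imagePullSecrets at creation time, so apply the stream before installing TSB and recreate any pod that came up before the secret existed.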

Installing TSB with ImagePullSecrets

Sequence of steps

It is very important that the Kubernetes secret for the private repository is created before installing TSB. A pod only receives a ServiceAccount's imagePullSecrets when it is created, so pods started before the secret exists fail with ImagePullBackOff and must be recreated. Following the proper sequence allows an efficient deployment and minimizes downtime.

Helm installation

If you use Helm to install TSB, set imagePullSecrets for both the operator and the components, as follows:

operator:
  ...
  serviceAccount:
    imagePullSecrets:
      - <secret name>

spec:
  ...
  imagePullSecrets:
    - name: <secret name>
  ...

tctl installation

When installing TSB with tctl, there are two main steps:

  1. Install the operator
  2. Install the components by applying the TSB install Custom Resource (CR)

To add imagePullSecrets to the TSB operator, create a values file that specifies the operator's imagePullSecrets:

echo "operator:
  serviceAccount:
    imagePullSecrets:
      - <secret_name>" > values.yaml

Then run the following command to generate the Management Plane operator manifests:

tctl install manifest management-plane-operator \
  --registry <registry-location> \
  --values values.yaml \
  > managementplaneoperator.yaml

and the following command to generate the Control Plane operator manifests:

tctl install manifest cluster-operators \
  --registry <registry-location> \
  --values values.yaml \
  > controlplaneoperator.yaml

Then install the TSB Management Plane or Control Plane operator on your cluster by applying the generated YAML files with kubectl apply -f.

Before installing the TSB components with the ManagementPlane and ControlPlane CRs, configure imagePullSecrets in the CR as follows:

spec:
  ...
  imagePullSecrets:
    - name: <secret name>
  ...

Troubleshooting

If you encounter issues with image pulling after configuration:

  1. Verify that the secret exists, under the same name, in every required namespace (kubectl get secret <secret name> -n <namespace>).
  2. Check pod status for ImagePullBackOff or ErrImagePull errors and read the exact pull error in the pod events (kubectl describe pod).
  3. Ensure the JSON key (or other credential) for your private repository is correctly formatted and still valid.
  4. Confirm that imagePullSecrets is referenced correctly in both the operator and component configurations, and that the patched ServiceAccounts list the secret (kubectl get serviceaccount -n <namespace> -o yaml).
  5. Remember that pods receive a ServiceAccount's imagePullSecrets only at creation time; pods created before the secret or the ServiceAccount patch existed must be recreated.