Tetrate Service BridgeVersion: nextRepository secrets
TSB provides an automated way to obtain images from a remote private Docker container repository by defining imagePullSecrets in ManagementPlane and ControlPlane CRs.
If imagePullSecrets is defined, the required ServiceAccounts will be patched with the credentials from the secret, allowing for secure access to the containers that are stored in the remote private repository. The following steps outline the configuration process:
Synchronizing images
TSB images are located in Tetrate's repository and only available for copying to your repository (no direct download to any environment is allowed). The first step is to transfer the images to your repository. To synchronize the images, you need to use tctl install image-sync per the documentation (a license key provided by Tetrate is required).
Creating image pull secrets
Obtain JSON key for the private repository
The secret that is specified as imagePullSecrets will store credentials that allow kubernetes to pull the required containers from the private repository. The way to obtain the credentials depends on the repository. Please refer to the following links to get some guidance on major cloud providers - AWS, GCP and Azure.
Create secrets in TSB namespaces�
As stated in the Kubernetes documentation, secrets can only be accessed by pods within the same namespace they are created in. Therefore, a separate secret must be created for each namespace used by TSB. Note that the available namespaces may vary depending on the Kubernetes platform.
Currently, the following namespaces require a separate secret:
- For the TSB Management Plane cluster
tsbandcert-manager(if using the internal TSB packaged cert-manager) - For the TSB Control Plane cluster
istio-system,istio-gateway,cert-manager(if using the internal TSB packaged cert-manager) andkube-system(if using Istio CNI)
The list provided above is not exhaustive. Additional namespaces may be used for TSB components on different platforms and therefore will require a separate secret to be created. To check if there are any pods experiencing issues obtaining the container image, use the command kubectl get pods -A | grep ImagePullBackOff.
Create secrets in Application namespaces
To make sure that istio enabled application can download images, the repository credentials secret is required to be present in every application namespace with istio-sidecar enabled pods and ingress gateways.
Installing TSB with ImagePullSecrets
It's very important that the Kubernetes secret for the private repository is created before installing TSB. Following this proper sequence will allow for efficient deployment and will minimize any downtime.
Helm installation
If you use Helm to install TSB, set imagePullSecrets for both operator and components as follows:
operator:
...
serviceAccount:
imagePullSecrets:
- <secret name>
spec:
...
imagePullSecrets:
- name: <secret name>
...
tctl installation
When installing TSB with tctl, there are two main steps:
- Install the operator
- Install the components by applying the TSB install Custom Resource (CR)
To add imagePullSecrets to TSB operator, create a values file that specify operator imagePullSecrets
echo "operator:
serviceAccount:
imagePullSecrets:
- <secret_name>" > values.yaml
run following command when creating Management plane operator manifests
tctl install manifest management-plane-operator \
--registry <registry-location> \
--values values.yaml \
> managementplaneoperator.yaml
And following command for creating Control Plane operator manifests
tctl install manifest cluster-operators \
--registry <registry-location> \
--values values.yaml \
> controlplaneoperator.yaml
Then install TSB management plane or TSB control plane operator on your cluster by applying above generated yamls.
Before installing TSB components with ManagementPlane and ControlPlane CR, configure imagePullSecrets in the CR as follows:
spec:
...
imagePullSecrets:
- name: <secret name>
...
Troubleshooting
If you encounter issues with image pulling after configuration:
- Verify secret creation in all required namespaces.
- Check pod status for ImagePullBackOff errors.
- Ensure the JSON key for your private repository is correctly formatted and valid.
- Confirm that the
imagePullSecretsare correctly referenced in both operator and component configurations.