SecretExport object changed and not able anymore to export to allNamespaces

[cmoulliard]

Issue

During the installation of TAP 1.5 with the bash script, the script creates a secret using the command

tanzu secret registry add registry-credentials \
  --username ${REGISTRY_USERNAME} \
  --password ${REGISTRY_PASSWORD} \
  --server ${REGISTRY_SERVER} \
  --namespace $NAMESPACE_TAP \
  --export-to-all-namespaces \
  --yes

but the secretExport is changed when the packages are installed and yhen is not able to be exported to all the namespaces excpt kpack and buildservice

tanzu package install tap -p tap.tanzu.vmware.com -v ${TAP_VERSION} --values-file tap-values.yml -n $NAMESPACE_TAP

Before

k get secretExport -A -oyaml
apiVersion: v1
items:
- apiVersion: secretgen.carvel.dev/v1alpha1
  kind: SecretExport
  metadata:
    creationTimestamp: "2023-04-17T14:13:46Z"
    generation: 1
    name: registry-credentials
    namespace: tap-install
    resourceVersion: "3301"
    uid: 54981bd7-105c-4749-ac21-5dd5e4bf11cb
  spec:
    toNamespaces:
    - '*'

After

k get secretExport -A -oyaml
apiVersion: v1
items:
- apiVersion: secretgen.carvel.dev/v1alpha1
  kind: SecretExport
  metadata:
    annotations:
      kapp.k14s.io/identity: v1;tap-install/secretgen.carvel.dev/SecretExport/registry-credentials;secretgen.carvel.dev/v1alpha1
      kapp.k14s.io/original: '{"apiVersion":"secretgen.carvel.dev/v1alpha1","kind":"SecretExport","metadata":{"labels":{"kapp.k14s.io/app":"1681740943363058195","kapp.k14s.io/association":"v1.b38359fbcf33e253c4ece03f36c8cd50"},"name":"registry-credentials","namespace":"tap-install"},"spec":{"toNamespaces":["kpack","build-service"]}}'
      kapp.k14s.io/original-diff-md5: c6e94dc94aed3401b5d0f26ed6c0bff3
    creationTimestamp: "2023-04-17T14:13:46Z"
    generation: 2
    labels:
      kapp.k14s.io/app: "1681740943363058195"
      kapp.k14s.io/association: v1.b38359fbcf33e253c4ece03f36c8cd50
    name: registry-credentials
    namespace: tap-install
    resourceVersion: "5754"
    uid: 54981bd7-105c-4749-ac21-5dd5e4bf11cb
  spec:
    toNamespaces:
    - kpack
    - build-service

Investigation

To find the kapp which did the change, execute the following commands:

Get the label ==> [kapp.k14s.io/app](http://kapp.k14s.io/app): "1681740943363058195"

and find the associated app by running 

kapp ls -A --column namespace,name,label

[cmoulliard]

The workaround is to create another tanzu secret with the registry credentials and to specify it within the tap config file for the buildservice to avoid to use the shared one as kapp will override it:

buildservice:
  # Dockerhub has the form kp_default_repository: "my-dockerhub-user/build-service" or kp_default_repository: "index.docker.io/my-user/build-service"
  # Takes the value from the shared section by default, but can be overridden by setting a different value.
  kp_default_repository: "${REGISTRY_SERVER}/${REGISTRY_OWNER}/build-service"
  kp_default_repository_secret:
     name: kp-default-repository-creds
     namespace: ${NAMESPACE_TAP}