Skip to main content

Manually Rotate Chainguard Secret

This process will be automated in the future but currently it’s manual.

Overview of how we use the Chainguard image

There is a flag in the ingress module that can be toggled to enable support for the Chainguard image:

enable_chainguard = true

This then tells the helm chart to use the following image pull secret:

%{ if enable_chainguard ~}
imagePullSecrets:
  - name: chainguard-credentials
%{ endif ~}

The secret is populated from the following parameter store /cloud-platform/infrastructure/account/chainguard_registry_credentials when the default ingress namespace is created.

Rotate Chainguard Secret

The Chainguard Secret is a docker login auth token which needs to be generated.

  1. Create a new access token via the Chainguard console

  2. Run the docker login command provided

  3. Copy the generated docker auth config to the parameter store and save

  4. Re-run the infrastructure pipelines to ensure the new docker credentials are applied to the kubernetes secrets

  5. Optional: rollout restart ingress controllers

This page was last reviewed on 26 May 2026. It needs to be reviewed again on 26 November 2026 by the page owner #cloud-platform-notify .