docs/modules/ROOT/pages/how-tos/configuring/creating-secrets.adoc
Lines changed: 49 additions & 8 deletions
Original file line number
Diff line number
Diff line change
@@ -12,7 +12,7 @@ Secrets can be categorized depending on when they need to be added.
12
12
13
13
Sometimes to run the tasks properly, you may need to pass secrets to these tasks. Consult the documentation for these tasks to understand the proper specification of the secrets required, for example the required keys/values.
14
14
15
-
NOTE: One such task is the link:https://github.com/konflux-ci/build-definitions/tree/main/task/sast-snyk-check[sast-snyk-check] task that uses the third-party service link:https://snyk.io/[snyk] to perform static application security testing (SAST) as a part of the default {ProductName} pipeline. Use this procedure to upload your snyk.io token. Name the secret `snyk-secret` so that the snyk task in the {ProductName} pipeline will recognize it and use it.
15
+
NOTE: One such task is the link:https://github.com/konflux-ci/build-definitions/tree/main/task/sast-snyk-check[sast-snyk-check] task that uses the third-party service link:https://snyk.io/[snyk] to perform static application security testing (SAST) as a part of the default {ProductName} pipeline. Use this procedure to upload your snyk.io token. Name the secret `sast_snyk_task` so that the snyk task in the {ProductName} pipeline will recognize it and use it.
16
16
17
17
.Procedure
18
18
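Review bot: the new secret name `sast_snyk_task` in the NOTE is not a valid Kubernetes Secret name. Secret names must be DNS subdomain names (lowercase alphanumerics, `-` and `.`), so the API server rejects the underscores and a user following this instruction cannot create the secret at all; the previous name `snyk-secret` was valid. Unless the sast-snyk-check task's secret-name parameter was changed in the same release, keep `snyk-secret`, and in either case confirm the exact name against the task definition linked in the same sentence, since the task only picks up the secret if the name matches.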
@@ -54,15 +54,56 @@ Some container builds may use parent images from registries that require authent
54
54
. Enter the password for the registry in **Password**.
55
55
. Click **Add secret**.
56
56
57
+
=== Example of creating a quay.io secret
58
+
59
+
. Login to {ProductName} console your workspace (https://console.redhat.com/application-pipeline/workspaces/<your workspace>/applications)
60
+
. Click on `Secrets` on the left menu.
61
+
. Click on `Add Secret`
62
+
. Choose `Image pull secret` for `Secret type`
63
+
. Enter `Secret name` , for example `my-quay-secret`
64
+
. Choose `Image registry credentials` in `Authentication type` field
65
+
. Enter `quay.io` in `Registry server address`
66
+
. Enter your Quay.io username in `Username`
67
+
. Enter your Quay.io API token in `Password` field.
68
+
. Click on `Add secret`
69
+
. Email is optional
70
+
71
+
72
+
Here is the YAML representation of the secret (for reference):
73
+
74
+
[source,yaml]
75
+
----
76
+
apiVersion: v1
77
+
data:
78
+
.dockerconfigjson: <base64-encoded-credentials>
79
+
kind: Secret
80
+
metadata:
81
+
name: my-quay-secret
82
+
namespace: <your-workspace-tenant>
83
+
type: kubernetes.io/dockerconfigjson
84
+
----
85
+
57
86
58
87
[NOTE]
59
88
====
60
-
Performing this operation through the UI will link the secret to the `appstudio-pipeline`
61
-
`serviceaccount` automatically. If you instead wanted to add manually the secret to the
62
-
namespace (creating the `secret` directly on the tenant
63
-
workspace), you'll need to have the secret linked manually.
64
-
65
-
please review the xref:/troubleshooting/index.adoc#check-if-the-secret-is-linked-to-the-service-account[troubleshooting section]) for more info.
89
+
* **Automatic Secret Linking via UI**
90
+
The {ProductName} UI automatically links image pull secrets to the `appstudio-pipeline` ServiceAccount.
91
+
- No pipeline YAML changes are required.
92
+
- Tasks like the buildah task will use this secret automatically when pulling images from `quay.io`. (https://github.com/konflux-ci/build-definitions/blob/main/task/buildah-oci-ta/0.3/buildah-oci-ta.yaml in volumes)
93
+
94
+
* **Manual Secret Creation**
95
+
. **Link Secret To SA**
96
+
- If you create the secret manually (e.g., via `kubectl` or YAML), you must **manually link it** to the `appstudio-pipeline` ServiceAccount in your namespace.
97
+
. **Secrets Via Workspace**
98
+
- Explicitly mount secrets as files using a workspace
99
+
- RBAC: Ensure the ServiceAccount has permission to access the secret (via Role/RoleBinding).
100
+
101
+
. **Secrets as Environment Variables**
102
+
- Inject secrets into environment variables
103
+
- RBAC: The ServiceAccount must have `get` permission for the secret.
104
+
105
+
* **Troubleshooting**
106
+
For issues with secret linking, review the xref:/troubleshooting/index.adoc#check-if-the-secret-is-linked-to-the-service-account[troubleshooting section].
66
107
====
67
108
68
109
== Creating source control secrets
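Review bot: the two `RBAC:` bullets in the new NOTE are wrong and steer users toward over-privileging the pipeline ServiceAccount. Mounting a Secret through a workspace volume or injecting it into an environment variable with `secretKeyRef` is done by the kubelet when it builds the pod; the pod's ServiceAccount needs no Role/RoleBinding and no `get` verb on the Secret for that, and granting `get` on secrets to `appstudio-pipeline` would let any task in any pipeline in the namespace read every Secret through the API. Drop those two bullets, or restrict them to the case where a task step itself calls the Kubernetes API to read the secret. Two smaller points in the same hunk: step 11 `. Email is optional` comes after `. Click on Add secret`, so it should move before the click (or into the username/password step), and the first step hard-codes `https://console.redhat.com/application-pipeline/workspaces/<your workspace>/applications` while the rest of the page uses `{ProductName}`, so that URL should be a placeholder or an attribute.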
@@ -171,4 +212,4 @@ stringData:
171
212
172
213
* For more information about GitLab access tokens, see link:https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html[Project access tokens].
173
214
174
-
* To configure push secrets for your Build and Release pipelines, see link:https://github.com/konflux-ci/konflux-ci?tab=readme-ov-file#configuring-a-push-secret-for-the-build-pipeline[Configuring push secrets] in the Konflux GitHub repository.
215
+
* To configure push secrets for your Build and Release pipelines, see link:https://github.com/konflux-ci/konflux-ci?tab=readme-ov-file#configuring-a-push-secret-for-the-build-pipeline[Configuring push secrets] in the Konflux GitHub repository.
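Review bot: the removed and added lines in this hunk are identical in the rendered view, so the change is whitespace-only (most likely the missing trailing newline being added); confirm that is intended and that no trailing whitespace was introduced, since otherwise it only adds noise to the diff.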