fix(Konflux 5917): add an example how user can use a secret in pipeline #208
Conversation
kasemAlem
changed the title
|
🚀 Preview is available at https://pr-208--konflux-docs.netlify.app |
| - name: registry-credentials | ||
| secret: | ||
| secretName: registry.redhat.io |
There was a problem hiding this comment.
This is how you use a secret, but what does this secret look like that you are using? Is it clear how values need to match up between the secret and its use?
There was a problem hiding this comment.
+1. I think only one secret name in volumes might not enough as one example.
There was a problem hiding this comment.
I'm confused, maybe I'm missing something
In the current documentation of creating secrets it's detailed step by step how user can create a secret of each type, also there is a good example stated in a note frame :
One such task is the [sast-snyk-check](https://github.com/konflux-ci/build-definitions/tree/main/task/sast-snyk-check) task that uses the third-party service [snyk](https://snyk.io/) to perform static application security testing (SAST) as a part of the default {ProductName} pipeline. Use this procedure to upload your snyk.io token. Name the secret snyk-secret so that the snyk task in the {ProductName} pipeline will recognize it and use it.
It's an example how a third party tool in task requires a specific secret and how it's been used within the task , isn't ?
There was a problem hiding this comment.
Would providing a link to the Creating registry pull secrets section of the guide either above or below this example do the job of clarifying how the secret should look like?
There was a problem hiding this comment.
What does the secret CR need to look like? Maybe this is just a lack of knowledge/experience coming from me. Maybe this is documented well for k8s.
What I understand here is that you are describing use of a secret by its name, but are there specific properties of how that secret is created in k8s that need to be reflected in the task?
Also, for your awareness, in #214 we have started to link the different places that secrets are documented in this page.
There was a problem hiding this comment.
Thanks @arewm , hope the new fix can be clear for a user :
kasemAlem
force-pushed
the
KONFLUX-5917
branch
from
e727907 to
b94be67
Compare
|
🚀 Preview is available at https://pr-208--konflux-docs.netlify.app |
| @@ -30,13 +30,6 @@ NOTE: One such task is the link:https://github.com/konflux-ci/build-definitions/ | |||
| . Optional: Under **Labels**, add a label to tag or provide more context for your secret. | |||
| . Click **Add secret**. | |||
|
|
|||
| === Notable task input secrets | |||
There was a problem hiding this comment.
was deleted by mistake , returned
thanks
| @@ -54,6 +47,61 @@ Some container builds may use parent images from registries that require authent | |||
| . Enter the password for the registry in **Password**. | |||
| . Click **Add secret**. | |||
|
|
|||
| == Example of creating a quay.io secret | |||
There was a problem hiding this comment.
Is this a bad example? Can users not get access to a registry secret without this additional task changes? When adding the secret with the UI, we link it with the ServiceAccount and it is then available in the task.
We do not, for example, do this in the buildah tasks: https://github.com/konflux-ci/build-definitions/blob/main/task/buildah-oci-ta/0.3/buildah-oci-ta.yaml#L159-L184
There was a problem hiding this comment.
you are right,
the fact is that secrets created via UI are automatically linked to the SA
so no action is required , I've removed the task example and updated the note
@arewm . WDYT?
kasemAlem
force-pushed
the
KONFLUX-5917
branch
from
b94be67 to
de9bd79
Compare
|
🚀 Preview is available at https://pr-208--konflux-docs.netlify.app |
kasemAlem
force-pushed
the
KONFLUX-5917
branch
3 times, most recently
from
bebbc53 to
df60879
Compare
|
🚀 Preview is available at https://pr-208--konflux-docs.netlify.app |
docs/modules/ROOT/pages/how-tos/configuring/creating-secrets.adoc
Outdated
Show resolved
Hide resolved
| * **Manual Secret Creation** | ||
| If you create the secret manually (e.g., via `kubectl` or YAML), you must **manually link it** to the `appstudio-pipeline` ServiceAccount in your namespace. |
There was a problem hiding this comment.
Do secrets always need to be linked to the ServiceAccount in order for it to be used by a task?
There was a problem hiding this comment.
another options :
- Create secret is in namespace and just have to make sure SA got the right access permissions by Role/RoleBinding
- Secret as Env environment
let me add both ways
Signed-off-by: Kasem Alem <[email protected]>
This reverts commit adbb34e.
kasemAlem
force-pushed
the
KONFLUX-5917
branch
from
df60879 to
a73827f
Compare
|
🚀 Preview is available at https://pr-208--konflux-docs.netlify.app |
|
|
||
| please review the xref:/troubleshooting/index.adoc#check-if-the-secret-is-linked-to-the-service-account[troubleshooting section]) for more info. | ||
| * **Automatic Secret Linking via UI** | ||
| The Konflux UI automatically links image pull secrets to the `appstudio-pipeline` ServiceAccount. |
There was a problem hiding this comment.
Last change before we can merge, please use {ProductName} instead of Konflux for consistency.
Signed-off-by: Kasem Alem <[email protected]>
kasemAlem
force-pushed
the
KONFLUX-5917
branch
from
a73827f to
5ccab9d
Compare
|
🚀 Preview is available at https://pr-208--konflux-docs.netlify.app |
We added a tekton task as an example how user can use the created secrets
within a build or integration pipeline
KONFLUX-5917