Creating secrets for your builds

When you build your pipeline, you might want to add tasks that require secrets in order to access external resources.

Secrets can be categorized depending on when they need to be added.

  1. Before a component is added. If a secret is needed to access the source control platform like GitLab, you must create a secret before you create the component.

  2. Before a build succeeds. Some artifact build tasks need specific secrets to be able to pull all of the content to include in the final artifact. For example, you can add secrets for container registries after you create the component but they must be provided before a successful build can occur.

  3. After a component has been onboarded. These secrets are often used in tasks. The tasks included in the Konflux pipelines will not fail if a secret is not created properly. Instead, the task will just not run the code like with snyk.

Creating task input secrets

Sometimes to run the tasks properly, you may need to pass secrets to these tasks. Consult the documentation for these tasks to understand the proper specification of the secrets required, for example the required keys/values.

One such task is the sast-snyk-check task that uses the third-party service snyk to perform static application security testing (SAST) as a part of the default Konflux pipeline. Use this procedure to upload your token. Name the secret sast_snyk_task so that the snyk task in the Konflux pipeline will recognize it and use it.
  1. In Konflux, from the left navigation menu, select Secrets.

  2. From the Secrets page, click Add secret.

  3. For Secret type, select Key/value secret

  4. For Secret name, enter a unique name for your secret.

  5. Under Key/value secret, expand Key/value 1, then enter a key.

  6. For Upload the file with value for your key or paste its contents, do one of the following:

    • Click Upload to browse to, select, and upload the file that contains your key value.

    • Drag the file that contains your key value into the space under Upload.

    • Paste the contents of the file that contains your key value into the space under Upload. Click Clear to remove the contents of the space under Upload.

  7. Optional: Click Add another key/value.

  8. Optional: Under Labels, add a label to tag or provide more context for your secret.

  9. Click Add secret.

Creating registry pull secrets

Some container builds may use parent images from registries that require authentication, for example, Until these credentials have been configured, the builds will continue to fail due to the system being unable to pull the required images.

  1. Obtain the username and password login credentials for the container registry.

  2. In the correct Konflux workspace, go to Secrets.

  3. Click Add secret.

  4. For Secret type, select Image pull secret.

  5. For Authentication type, select Image registry credentials.

  6. For Registry server address enter the image registry (for example

  7. Enter the username for the registry in Username.

  8. Enter the password for the registry in Password.

  9. Click Add secret.

Example of creating a secret

  1. Login to Konflux console your workspace (<your workspace>/applications)

  2. Click on Secrets on the left menu.

  3. Click on Add Secret

  4. Choose Image pull secret for Secret type

  5. Enter Secret name , for example my-quay-secret

  6. Choose Image registry credentials in Authentication type field

  7. Enter in Registry server address

  8. Enter your username in Username

  9. Enter your API token in Password field.

  10. Click on Add secret

  11. Email is optional

Here is the YAML representation of the secret (for reference):

apiVersion: v1
.dockerconfigjson: <base64-encoded-credentials>
kind: Secret
name: my-quay-secret
namespace: <your-workspace-tenant>
  • Automatic Secret Linking via UI The Konflux UI automatically links image pull secrets to the appstudio-pipeline ServiceAccount.

  • Manual Secret Creation

    1. Link Secret To SA

      • If you create the secret manually (e.g., via kubectl or YAML), you must manually link it to the appstudio-pipeline ServiceAccount in your namespace.

    2. Secrets Via Workspace

      • Explicitly mount secrets as files using a workspace

      • RBAC: Ensure the ServiceAccount has permission to access the secret (via Role/RoleBinding).

    3. Secrets as Environment Variables

      • Inject secrets into environment variables

      • RBAC: The ServiceAccount must have get permission for the secret.

  • Troubleshooting For issues with secret linking, review the troubleshooting section.

Creating GitLab source control secrets

When building content from GitHub, you will need to install an application for Pipelines as a Code in your repository.

  1. In GitLab click on Settings → Access Tokens on the left menu of your repository.

    if you don’t see this option, you need someone with permissions to do so.
  2. Then click on Add new token.

  3. If your GitLab instance supports setting token roles, set the role to Maintainer.

  4. Select the following scopes: api, read_repository, and write_repository.

  5. Select Create project access token.

  6. Add a token to your Konflux workspace by running the kubectl create command and creating a new YAML file with a secret:

    kubectl create -f GL-secret.yaml
    apiVersion: v1
    kind: Secret
      name: pipelines-as-code-secret
      namespace: <YOUR NAMESPACE>
      labels: scm <source-control-management-host> # for example,
      password: <PROJECT ACCESS TOKEN>

    Using the PAT authentication requires only the password key. The username should not be set. If you set both the username and password keys, the authentication type will be considered as basic, and a basic authentication client will be created using those credentials. This client might not work or can be considered as a deprecated login method by some Source Code Management (SCM) providers.

This secret will be used by the build service to perform builds with Pipeline-as-Code.

This Project Access Tokens are scoped to a project, so you cannot use them to access resources from other projects. For more information regarding Project Access Tokens, see the Gitlab documentation.

It is also possible to have secrets for per-repository or organization access. To do this, a annotation should be added to the secret. It may either specify the full repository path or the partial path with a wildcard. For example, to create a secret for all repositories in the my-user organization, create (or add) the following YAML file:

apiVersion: v1
kind: Secret
  name: pipelines-as-code-secret
  namespace: <YOUR NAMESPACE>
  labels: scm <source-control-management-host> # for example,
  annotations: my-user/*

For a specific repository, the following secret should be created:

apiVersion: v1
kind: Secret
  name: pipelines-as-code-secret
  namespace: <YOUR NAMESPACE>
  labels: scm <source-control-management-host> # for example,
  annotations: <repository-path> # for example, my-user/my-repo
  • You can have multiple repositories listed under the annotation. Separate repository names with commas when listing them. The secret will be used for all repositories that match the specified paths.

  • You can also have multiple secrets with different labels and/or annotations. In order to work, at least the additional ones, need to be named with pipeline-as-code-secret as prefix (for example pipeline-as-code-secret-xxx).

  • Secrets lookup mechanism is searching for the most specific secret first. The secret with a repository annotation will be used first if it matches the component repository path. In none found, then a lookup will try to find a secret with a wildcard, or just the host matching one.

  • If you upload a GitLab access token to a workspace, Konflux won’t use the global GitHub application when accessing GitHub repositories.

Secrets from external vaults

There is no direct support for external vaults in Konflux itself. However, there are existing solutions which can be installed by administrators to support external vaults, for example external secrets operator.

Additional resources