Creating secrets for your builds
When you build your pipeline, you might want to add tasks that require secrets in order to access external resources.
Secrets can be categorized depending on when they need to be added.
- Before a component is added. If a secret is needed to access a source control platform like GitLab or Forgejo, you must create a secret before you create the component.
- Before a build succeeds. Some artifact build tasks need specific secrets to be able to pull all of the content to include in the final artifact. For example, you can add secrets for container registries after you create the component but they must be provided before a successful build can occur.
- After a component has been onboarded. These secrets are often used in tasks. The tasks included in the Konflux pipelines will not fail if a secret is not created properly. Instead, the task will just not run the code, as is the case with the snyk task.
Creating task input secrets
Task input secrets are key/value secrets that provide credentials or tokens to specific pipeline tasks. These secrets are optional and only needed for tasks that interact with external services.
For detailed instructions on creating task input secrets, see Creating task input secrets.
Creating registry pull secrets
Registry pull secrets (image pull secrets) allow your builds to authenticate with private container registries when pulling base images or parent images.
For detailed instructions on creating registry pull secrets, see Creating registry pull secrets.
Creating source control management secrets
Some source control providers require authentication secrets before onboarding components. See Creating source control management secrets for detailed instructions.
Referencing Secrets in a Containerfile
You can mount secrets directly in your Containerfile using the ADDITIONAL_SECRET parameter and Buildah secret mounts. This is useful for build-time secrets like cryptographic keys or credentials.
For detailed instructions on referencing secrets in a Containerfile, see Referencing Secrets in a Containerfile.
Secrets from external vaults
You can integrate Konflux with external vault solutions to manage secrets centrally.
For more information, see Secrets from external vaults.
Additional resources
- To configure push secrets for your Build and Release pipelines, see Configuring push secrets in the Konflux GitHub repository.