Creating registry pull secrets

Some container builds use parent images from registries that require authentication, for example, registry.redhat.io. Until credentials for those registries are configured, the builds fail because the system cannot pull the required images.

Procedure
  1. Obtain the username and password login credentials for the container registry.

  2. In the correct Konflux tenant namespace, go to Secrets.

  3. Click Add secret.

  4. For Secret type, select Image pull secret.

  5. For Authentication type, select Image registry credentials.

  6. For Registry server address, enter the image registry (for example, registry.redhat.io).

  7. Enter the username for the registry in Username.

  8. Enter the password for the registry in Password.

  9. Click Add secret.

Example of creating a quay.io secret

  1. Log in to the Konflux console and go to your tenant namespace.

  2. Click on Secrets on the left menu.

  3. Click on Add Secret

  4. Choose Image pull secret for Secret type

  5. Enter Secret name, for example my-quay-secret

  6. From Link secret options select either All existing and future components in the namespace or Select components in the namespace and specify components

  7. Choose Image registry credentials in Authentication type field

  8. Enter quay.io/repository_full_path in Registry server address (specify full repository path, e.g. quay.io/test_organization/test-repository)

  9. Enter your Quay.io username in Username

  10. Enter your Quay.io API token in Password field.

  11. Click on Add secret

  12. Email is optional

Here is the YAML representation of the secret (for reference):

apiVersion: v1
data:
  .dockerconfigjson: <base64-encoded-credentials>
kind: Secret
metadata:
  name: my-quay-secret
  namespace: <your-tenant>
type: kubernetes.io/dockerconfigjson

  • Secret Linking via UI: The Konflux UI links image pull secrets to the component-specific service accounts build-pipeline-$COMPONENT_NAME, for either the selected components or all components.

    • No pipeline YAML changes are required.

    • Tasks like the buildah task will use this secret automatically when pulling images from quay.io. For details, see the buildah-oci-ta task documentation.

  • Manual Secret Creation

    1. Link Secret To SA

      • If you create the secret manually (e.g., via kubectl or YAML), you must manually link it to the component-specific build-pipeline-$COMPONENT_NAME ServiceAccount in your namespace.

      • To manually create a shared secret that is then linked to the component-specific ServiceAccounts of all newly onboarded components, add the label build.appstudio.openshift.io/common-secret: 'true' to the secret. This is the same as what the UI does when you select the Link secret option All existing and future components in the namespace.

    2. Secrets Via Tenant Namespace

      • Explicitly mount secrets as files using a tenant namespace

      • RBAC: Ensure the ServiceAccount has permission to access the secret (via Role/RoleBinding).

    3. Secrets as Environment Variables

      • Inject secrets into environment variables

      • RBAC: The ServiceAccount must have get permission for the secret.

  • Troubleshooting: For issues with secret linking, review the troubleshooting section.
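
For the Manual Secret Creation path, the following added example (not taken from the Konflux documentation or code base) renders a kubernetes.io/dockerconfigjson Secret manifest that carries the common-secret label. The function names and the sample values are assumptions; the password or API token is read from stdin and JSON-escaped before encoding.

```shell
# Added example, not Konflux code. Function names and sample values are assumptions.

# Escape backslashes and double quotes so a value is a valid JSON string body.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Base64 without line wrapping (GNU and BSD base64 wrap differently).
b64() {
  base64 | tr -d '\n'
}

# Usage: render_pull_secret NAME NAMESPACE REGISTRY USERNAME < token-file
# The password or API token is read from stdin, keeping it out of shell
# history and the process list. The body runs in a subshell: no variables leak.
render_pull_secret() (
  name=$1 namespace=$2 registry=$3 username=$4
  IFS= read -r password || true
  [ -n "$password" ] || { echo "no password on stdin" >&2; exit 1; }
  auth=$(printf '%s:%s' "$username" "$password" | b64)
  config=$(printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$(json_escape "$registry")" "$(json_escape "$username")" \
    "$(json_escape "$password")" "$auth")
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $namespace
  labels:
    build.appstudio.openshift.io/common-secret: 'true'
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(printf '%s' "$config" | b64)
EOF
)

# Apply (constructed sample values):
#   render_pull_secret my-quay-secret my-tenant \
#     quay.io/test_organization/test-repository my-user < token.txt | kubectl apply -f -
```

Decoding the .dockerconfigjson value with base64 -d before applying is a quick check that the registry address and username are the ones you intended.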