Creating secrets for your builds

When you build your pipeline, you might want to add tasks that require secrets in order to access external resources.

One such task is sast-snyk-check, which uses the third-party service Snyk to perform static application security testing (SAST) as part of the default Konflux pipeline. Use this procedure to upload your snyk.io token. Name the secret sast_snyk_task so that the Snyk task in the Konflux pipeline recognizes it and uses it.

If you want to create an application using source code from GitLab, you need to add a GitLab access token to Konflux before you create an application. For details, see Creating secrets for GitLab-sourced apps below.

Procedure
  1. In Konflux, from the left navigation menu, select Secrets.

  2. From the Secrets page, click Add secret.

  3. Select a secret type:

    • Key/value secret

    • Image pull secret

    • Source secret

  4. For Secret name, enter a unique name for your secret.

  5. Under Key/value secret, expand Key/value 1, then enter a key.

  6. For Upload the file with value for your key or paste its contents, do one of the following:

    • Click Upload to browse to, select, and upload the file that contains your key value.

    • Drag the file that contains your key value into the space under Upload.

    • Paste the contents of the file that contains your key value into the space under Upload. Click Clear to remove the contents of the space under Upload.

  7. Optional: Click Add another key/value.

  8. Optional: Under Labels, add a label to tag or provide more context for your secret.

  9. Click Add secret.

Creating secrets for GitLab-sourced apps

Before you create an application using source code from GitLab, generate an access token for your GitLab repository and upload it to your Konflux workspace.

Procedure
  1. In GitLab select your avatar, then select Edit profile > Access Tokens > Add new token.

  2. Select the following scopes: api, read_repository, and write_repository.

  3. Optional: If your GitLab instance supports setting token role, set a role to Maintainer.

  4. Select Create personal access token.

  5. Add the token to your Konflux workspace: create a YAML file for the secret, for example GL-secret.yaml, with the following content, and then apply it with the oc create command:

    apiVersion: v1
    kind: Secret
    metadata:
      name: pipelines-as-code-secret
      namespace: <YOUR NAMESPACE>
      labels:
        appstudio.redhat.com/credentials: scm
        appstudio.redhat.com/scm.host: <gitlab-host> # for example, gitlab.com
    type: kubernetes.io/basic-auth
    stringData:
      password: <PERSONAL GITLAB ACCESS TOKEN>

    oc create -f GL-secret.yaml

    Personal access token (PAT) authentication uses only the password key; do not set username. If you set both the username and password keys, the secret is treated as basic authentication and a basic authentication client is created with those credentials. Some Source Code Management (SCM) providers reject that client or consider basic authentication a deprecated login method.

This secret will be used by the build service to perform both default and Pipeline-as-Code builds.

You can also scope a secret to a single repository or to an organization. To do this, add an appstudio.redhat.com/scm.repository annotation to the secret. The annotation may specify either a full repository path or a partial path ending in a wildcard. For example, to create a secret for all repositories in the my-user organization, create (or add) the following YAML file:

apiVersion: v1
kind: Secret
metadata:
  name: pipelines-as-code-secret
  namespace: <YOUR NAMESPACE>
  labels:
    appstudio.redhat.com/credentials: scm
    appstudio.redhat.com/scm.host: <gitlab-host> # for example, gitlab.com
  annotations:
    appstudio.redhat.com/scm.repository: my-user/*
type: kubernetes.io/basic-auth
stringData:
  password: <PERSONAL GITLAB ACCESS TOKEN>

For a specific repository, the following secret should be created:

apiVersion: v1
kind: Secret
metadata:
  name: pipelines-as-code-secret
  namespace: <YOUR NAMESPACE>
  labels:
    appstudio.redhat.com/credentials: scm
    appstudio.redhat.com/scm.host: <gitlab-host> # for example, gitlab.com
  annotations:
    appstudio.redhat.com/scm.repository: <repository-path> # for example, my-user/my-repo
type: kubernetes.io/basic-auth
stringData:
  password: <PERSONAL GITLAB ACCESS TOKEN>

You can list multiple repositories in the appstudio.redhat.com/scm.repository annotation, separated by commas. The secret is used for every repository that matches one of the listed paths.

  • The secret lookup searches for the most specific secret first: a secret whose repository annotation matches the component's repository path is used first. If none is found, the lookup falls back to a secret with a matching wildcard path, and then to a secret that matches only the host.

  • If you upload a GitLab access token to a workspace, Konflux won’t use the global GitHub application when accessing GitHub repositories.
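The following Python script is an added illustration of the two rules above; it is not Konflux code. It builds the SCM secret manifest from this page as a plain dict, checks the PAT constraint (password set, username absent) from the note under step 5, and implements the most-specific-first lookup (exact repository path, then wildcard, then host-only) over a set of constructed secrets. The label and annotation keys are the ones the page documents; the function names, the treatment of a trailing `*` as "matches the rest of the path", and the sample secret names are my assumptions. Note that the secrets in the example use distinct names, because Kubernetes requires Secret names to be unique within a namespace, so the three manifests on this page cannot all be created with the name pipelines-as-code-secret in one namespace.

```python
"""Constructed example (not Konflux code): building, validating and looking up
Konflux-style SCM secrets. Matching rules and wildcard semantics are assumptions
about how the documented lookup behaves."""
from typing import Optional

CRED_LABEL = "appstudio.redhat.com/credentials"
HOST_LABEL = "appstudio.redhat.com/scm.host"
REPO_ANNOTATION = "appstudio.redhat.com/scm.repository"


def pat_secret(name: str, namespace: str, host: str, token: str,
               repositories: Optional[list[str]] = None) -> dict:
    """Build the manifest from the page as a dict (no YAML library needed)."""
    secret = {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {
            "name": name,
            "namespace": namespace,
            "labels": {CRED_LABEL: "scm", HOST_LABEL: host},
        },
        "type": "kubernetes.io/basic-auth",
        "stringData": {"password": token},  # the PAT goes in password only
    }
    if repositories:
        # comma-separated list, as the page describes
        secret["metadata"]["annotations"] = {REPO_ANNOTATION: ",".join(repositories)}
    return secret


def validate_pat_secret(secret: dict) -> list[str]:
    """Return the problems that would make this secret unusable as a PAT secret."""
    problems = []
    labels = secret.get("metadata", {}).get("labels", {})
    data = secret.get("stringData", {})
    if secret.get("type") != "kubernetes.io/basic-auth":
        problems.append("type must be kubernetes.io/basic-auth")
    if labels.get(CRED_LABEL) != "scm":
        problems.append(f"missing label {CRED_LABEL}=scm")
    if not labels.get(HOST_LABEL):
        problems.append(f"missing label {HOST_LABEL}")
    if not data.get("password"):
        problems.append("stringData.password (the token) is required")
    if "username" in data:
        # Both keys set => basic auth, which some SCM providers reject or
        # treat as a deprecated login method.
        problems.append("username must not be set for PAT authentication")
    return problems


def _repo_patterns(secret: dict) -> list[str]:
    raw = secret.get("metadata", {}).get("annotations", {}).get(REPO_ANNOTATION, "")
    return [p.strip() for p in raw.split(",") if p.strip()]


def _wildcard_match(pattern: str, repo: str) -> bool:
    # Assumption: a trailing '*' matches the remainder of the path, so
    # 'my-user/*' covers 'my-user/my-repo' and 'my-user/group/repo'.
    return pattern.endswith("*") and repo.startswith(pattern[:-1])


def select_scm_secret(secrets: list[dict], host: str, repo: str) -> Optional[dict]:
    """Most-specific-first lookup: exact repo path > wildcard > host-only."""
    candidates = [s for s in secrets
                  if s.get("metadata", {}).get("labels", {}).get(CRED_LABEL) == "scm"
                  and s["metadata"]["labels"].get(HOST_LABEL) == host]
    for s in candidates:  # 1. exact repository path listed in the annotation
        if repo in _repo_patterns(s):
            return s
    for s in candidates:  # 2. wildcard pattern in the annotation
        if any(_wildcard_match(p, repo) for p in _repo_patterns(s)):
            return s
    for s in candidates:  # 3. host-only secret (no repository annotation)
        if not _repo_patterns(s):
            return s
    return None


if __name__ == "__main__":
    # Constructed sample secrets; tokens are placeholders, not real credentials.
    secrets = [
        pat_secret("gitlab-host", "my-ns", "gitlab.com", "glpat-host"),
        pat_secret("gitlab-org", "my-ns", "gitlab.com", "glpat-org", ["my-user/*"]),
        pat_secret("gitlab-repo", "my-ns", "gitlab.com", "glpat-repo",
                   ["my-user/my-repo", "my-user/other"]),
    ]
    for s in secrets:
        print(s["metadata"]["name"], "problems:", validate_pat_secret(s))
    for repo in ["my-user/my-repo", "my-user/third", "someone/else"]:
        chosen = select_scm_secret(secrets, "gitlab.com", repo)
        print(repo, "->", chosen["metadata"]["name"] if chosen else None)
```

Run it as-is to see which secret each repository path resolves to; adapt the host and paths to your own GitLab instance to check how a new annotation will be matched before you create the secret.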

Additional resources