Creating secrets for your builds
When you build your pipeline, you might want to add tasks that require secrets in order to access external resources.
One such task is the sast-snyk-check task that uses the third-party service snyk to perform static application security testing (SAST) as a part of the default Konflux pipeline. Use this procedure to upload your snyk.io token. Name the secret sast_snyk_task so that the snyk task in the Konflux pipeline will recognize it and use it.
|
If you want to create an application using source code from GitLab, you need to add a GitLab access token to Konflux before you create an application. For details, see Creating secrets for GitLab-sourced apps below.
-
In Konflux, from the left navigation menu, select Secrets.
-
From the Secrets page, click Add secret.
-
Select a secret type:
-
Key/value secret
-
Image pull secret
-
Source secret
-
-
For Secret name, enter a unique name for your secret.
-
Under Key/value secret, expand Key/value 1, then enter a key.
-
For Upload the file with value for your key or paste its contents, do one of the following:
-
Click Upload to browse to, select, and upload the file that contains your key value.
-
Drag the file that contains your key value into the space under Upload.
-
Paste the contents of the file that contains your key value into the space under Upload. Click Clear to remove the contents of the space under Upload.
-
-
Optional: Click Add another key/value.
-
Optional: Under Labels, add a label to tag or provide more context for your secret.
-
Click Add secret.
Creating secrets for GitLab-sourced apps
Before you create an application using source code from GitLab, generate an access token for your GitLab repository and upload it to your Konflux workspace.
-
In GitLab select your avatar, then select Edit profile > Access Tokens > Add new token.
-
Select the following scopes:
api
,read_repository
, andwrite_repository
. -
Optional: If your GitLab instance supports setting token role, set a role to
Maintainer
. -
Select Create personal access token.
-
Add a token to your Konflux workspace by running the
oc create
command and creating a new YAML file with a secret:oc create -f GL-secret.yaml
apiVersion: v1 kind: Secret metadata: name: pipelines-as-code-secret namespace: <YOUR NAMESPACE> labels: appstudio.redhat.com/credentials: scm appstudio.redhat.com/scm.host: <gitlab-host> # for example, gitlab.com type: kubernetes.io/basic-auth stringData: password: <PERSONAL GITLAB ACCESS TOKEN>
Using the PAT authentication requires only the
password
key. Theusername
should not be set. If you set both theusername
andpassword
keys, the authentication type will be considered asbasic
, and a basic authentication client will be created using those credentials. This client might not work or can be considered as a deprecated login method by some Source Code Management (SCM) providers.
This secret will be used by the build service to perform both default and Pipeline-as-Code builds.
It is also possible to have secrets for per-repository or organization access. To do this, a appstudio.redhat.com/scm.repository
annotation should be added to the secret. It may either specify the full repository path or the partial path with a wildcard. For example, to create a secret for all repositories in the my-user
organization, create (or add) the following YAML file:
apiVersion: v1
kind: Secret
metadata:
name: pipelines-as-code-secret
namespace: <YOUR NAMESPACE>
labels:
appstudio.redhat.com/credentials: scm
appstudio.redhat.com/scm.host: <gitlab-host> # for example, gitlab.com
annotations:
appstudio.redhat.com/scm.repository: my-user/*
type: kubernetes.io/basic-auth
stringData:
password: <PERSONAL GITLAB ACCESS TOKEN>
For a specific repository, the following secret should be created:
apiVersion: v1
kind: Secret
metadata:
name: pipelines-as-code-secret
namespace: <YOUR NAMESPACE>
labels:
appstudio.redhat.com/credentials: scm
appstudio.redhat.com/scm.host: <gitlab-host> # for example, gitlab.com
annotations:
appstudio.redhat.com/scm.repository: <repository-path> # for example, my-user/my-repo
type: kubernetes.io/basic-auth
stringData:
password: <PERSONAL GITLAB ACCESS TOKEN>
You can have multiple repositories listed under the |
|
-
For more information about GitLab access tokens, see Personal access tokens.
-
To configure push secrets for your Build and Release pipelines, see Configuring push secrets in the Konflux GitHub repository.