Accessing Private Repositories

Accessing Images in Private Repositories

The Konflux integration Tekton pipelines run under the konflux-integration-runner service account. Tekton automatically mounts all secrets linked to that service account into the PipelineRuns and Tasks. All of your component image registry secrets are linked to this service account automatically.

If your integration pipeline needs credentials for registries other than the ones hosting your component images (for example, registry.redhat.io), you must manually link the secret containing them to the konflux-integration-runner service account.

  1. Create the registry pull secret in your tenant namespace - consult the guide for pull secret creation.

  2. Manually link the new secret to the konflux-integration-runner service account - consult the guide for linking secrets to a service account.

Accessing Pipelines and Tasks in Private Git Repositories

Integration Test Scenarios point to their corresponding pipeline with a Git Resolver. The Git Resolver schema is inherited from Tekton and functions in the same way. Users should create an access token for their repository in GitHub or GitLab, then store that token in a secret in their namespace.

Once this is done, update the Resolver with the fields token and tokenKey: token provides the name of the secret, and tokenKey provides the key within the data section of that secret under which the access token is stored.

Example of Resolver in IntegrationTestScenario

its.yaml
apiVersion: appstudio.redhat.com/v1beta2
kind: IntegrationTestScenario
metadata:
  name: example-pass
  namespace: default
spec:
  application: application-sample
  contexts:
    - description: Application testing
      name: application
  resolverRef:
    resolver: git
    params:
      - name: org
        value: konflux-ci
      - name: repo
        value: sample-private-repo
      - name: serverURL
        value: https://github.com
      - name: revision
        value: main
      - name: pathInRepo
        value: pipelines/integration_pipeline_pass.yaml
      - name: token
        value: ${SECRET_NAME}
      - name: tokenKey
        value: ${SECRET_KEY}

Example of Resolver in Pipeline

This is an example of how tasks in private repos can be accessed with the Git Resolver using the same method as above.

pipeline.yaml
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
  name: deploy-and-test
spec:
  description: |
    Demonstrates the use of Git Resolvers to access tasks in private repos
  params:
    # Declared so that the $(params.SNAPSHOT) reference below resolves
    - name: SNAPSHOT
      type: string
  tasks:
    - name: parse-metadata
      taskRef:
        resolver: git
        params:
          - name: org
            value: konflux-ci
          - name: repo
            value: sample-private-repo
          - name: serverURL
            value: https://github.com
          - name: revision
            value: main
          - name: pathInRepo
            value: tasks/test_metadata.yaml
          # token is the name of the secret, tokenKey the key inside it
          - name: token
            value: ${SECRET_NAME}
          - name: tokenKey
            value: ${SECRET_KEY}
      params:
        - name: SNAPSHOT
          value: $(params.SNAPSHOT)
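
A pre-merge check for the two resolver examples above, added here as an illustration and not part of the Konflux or Tekton code: it confirms that token names a Secret (rather than holding a pasted access token or an unrendered ${SECRET_NAME} placeholder) and that tokenKey exists in that Secret. The function names, the git-token Secret and the sample manifests are assumptions constructed for this example; manifests are assumed to be already parsed into dicts and to share one namespace.

```python
import re

# Secret names are DNS-1123 subdomains; the token prefixes mean a GitHub/GitLab token was pasted.
K8S_NAME = re.compile(r"^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$")
RAW_TOKEN = re.compile(r"^(ghp_|github_pat_|glpat-)")

def git_refs(obj):
    """Yield (location, {param: value}) for each git resolver reference in a manifest."""
    spec = obj.get("spec", {})
    refs = [("resolverRef", spec["resolverRef"])] if "resolverRef" in spec else []
    refs += [(f"task {t['name']}", t.get("taskRef", {})) for t in spec.get("tasks", [])]
    for where, ref in refs:
        if ref.get("resolver") == "git":
            yield where, {p["name"]: p["value"] for p in ref.get("params", [])}

def lint(manifests):
    """Return findings; assumes all manifests are in one namespace (hypothetical helper)."""
    secrets = {m["metadata"]["name"]: set(m.get("data", {})) | set(m.get("stringData", {}))
               for m in manifests if m["kind"] == "Secret"}
    findings = []
    for m in manifests:
        for where, p in git_refs(m):
            at = f"{m['kind']}/{m['metadata']['name']} {where}"
            name, key = p.get("token"), p.get("tokenKey")
            if name is None:
                continue  # no credentials requested
            if RAW_TOKEN.match(name):  # the finding never echoes the value itself
                findings.append(f"{at}: token holds a raw access token, not a Secret name")
            elif not K8S_NAME.match(name):
                findings.append(f"{at}: token is not a valid Secret name")
            elif name not in secrets:
                findings.append(f"{at}: Secret {name} not found")
            elif key not in secrets[name]:
                findings.append(f"{at}: key {key} missing from Secret {name}")
    return findings

# Constructed sample manifests (already parsed into dicts), not taken from the page.
def its(name, token, key="token"):
    params = [{"name": "token", "value": token}, {"name": "tokenKey", "value": key}]
    return {"kind": "IntegrationTestScenario", "metadata": {"name": name},
            "spec": {"resolverRef": {"resolver": "git", "params": params}}}

SAMPLE = [
    {"kind": "Secret", "metadata": {"name": "git-token"}, "stringData": {"token": "<redacted>"}},
    its("good", "git-token"),
    its("pasted", "ghp_CONSTRUCTEDnotARealToken"),
    its("unrendered", "${SECRET_NAME}"),
    its("wrong-key", "git-token", key="password"),
]
```

Calling lint(SAMPLE) returns one finding each for the pasted, unrendered and wrong-key scenarios and none for the good one.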