Skip to main content


Passing secrets to the Pipeline

Under Development

We're currently working on providing alternative ways to read secrets from both self hosted and SaaS providers. If you'd like early access, reach out.

To allow the Pipeline to access in-cluster secrets, you will need to use Kubernetes RBAC.

Make sure to target the platform cluster and do the following:

  1. Create the Secret you'd like to access. For example:

    kubectl create secret generic promise-secret \
  2. Create a ClusterRole giving get permissions to the promise-secret created above:

    kubectl create clusterrole promise-secret-cr \
    --verb=get \
    --resource=secrets \
  3. Create a ClusterRoleBinding to associate the Pipeline ServiceAccount created by Kratix. For Promise Pipelines the service accounts are called PROMISE-promise-pipeline in the kratix-platform-system namespace and for Resource Pipelines PROMISE-resource-pipeline in whatever namespace the resource is requested in.

    # Replace PROMISE with the name of your Promise
    kubectl create clusterrolebinding promise-secret \
    --clusterrole=promise-secret-cr \
  4. Access the Base64 enconded Secret in the Pipeline with the kubectl CLI

    kubectl get secret promise-secret -o=jsonpath='{.data.apikey}'

For a working example, check the Slack Promise available in the Marketplace.