Loading...

XML

Word

Printable

Type: Feature Request
Resolution: Unresolved
Priority: Undefined
Fix Version/s: None
Affects Version/s: 4.18
Component/s: Pipelines, Quay
Labels:
None

Target Version:
None
Activity Type:
Product / Portfolio Work
Status Summary:
None
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Products:
None
Hierarchy Progress Bar:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Review Complete:
None
PX Impact Score:
PX Impact Range:
None
PX Priority Data:
None
PX Technical Impact:
None
PX Technical Impact Notes:
None
PX Scheduling Request:
None

1. Proposed title of this feature request
Flexible service account binding for Quay Robot credentials in OpenShift Pipelines

2. What is the nature and description of the request?
In CI/CD setups using OpenShift Pipelines, the pipeline ServiceAccount is the default SA used by PipelineRuns.

Quay Bridge Operator currently only configures the builder SA to push images to quay, which is primarily used by BuildConfig/S2I, not Tekton.

This forces users to either:

Rebind secrets manually.
Grant high-permission SCCs to builder, which may not be desirable.

Suggested Enhancements (by the customer)

New ConfigMap/CR parameter to set the SA name (quay.targetServiceAccount: pipeline).
Auto-bind Quay robot secret to that SA in the target namespace.
Optionally generate imagePullSecrets or mount options.

3. List any affected packages or components.

OpenShift Quay Bridge Operator
OpenShift Pipelines

Assignee:: Siamak Sadeghianfar

Reporter:: Gricel Barrera

Need Info From:: None

Votes:: 5 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2025/07/03 3:59 PM

Updated:: 2025/07/03 8:16 PM

Target start:: None

Target end:: None

Details

Description

Attachments

Easy Agile Planning Poker

Activity

People

Dates