Chapter 1. Adding secrets and variables to Azure Pipelines for integration with external tools
This procedure explains how to add secrets and environment variables to Azure Pipelines and also lists which variables are required. All listed variables must be added to ensure that Azure Pipelines works correctly with RHADS - SSC and related Red Hat products.
Prerequisites
Before you configure Azure Pipelines, ensure you have the following:
- Admin access to your repository in Bitbucket or GitHub.
- Admin access to your Azure DevOps project and pipeline settings.
- Container registry credentials for pulling container images from Quay.io, JFrog Artifactory, or Sonatype Nexus.
Authentication details for specific Azure Pipelines tasks:
For ACS security tasks:
- ROX Central server endpoint
- ROX API token
For SBOM and artifact signing tasks:
- Cosign signing key password, private key and public key
- Trustification API and issuer URL, client ID, client secret, and supported CycloneDX version
Note: The credentials and other details are already Base64-encoded, so you do not need to encode them again. You can find these credentials in your private.env file, which you created during RHADS - SSC installation.
Procedure
- Log in to https://dev.azure.com and open your Azure DevOps project.
- In the left navigation panel, select Pipelines, then select Library.
- Select Variable group to create a new variable group.
- Enter a name for the variable group, for example, rhtap. In the variable group editor:
- Select Add to add a new variable.
- In the Name field, enter the key. For example, GITOPS_AUTH_PASSWORD.
- In the Value field, enter the value used to authenticate with the GitOps repository for pushing updated image information.
- Select the Keep this value secret checkbox to mask the value in the UI and logs.
Repeat step 5 to add all required secrets:
Table 1.1. Image registry and GitOps secrets

| Variable | Description |
| --- | --- |
| IMAGE_REGISTRY_PASSWORD | Password for accessing your container image registry. |
| GITOPS_AUTH_PASSWORD | The token the system uses to update the GitOps repository for newly built images. |

Table 1.2. Secrets required for ACS and SBOM tasks

| Variable | Description |
| --- | --- |
| ROX_API_TOKEN | API token for accessing the ROX server. |
| COSIGN_SECRET_PASSWORD | Password for the Cosign signing key. |
| COSIGN_SECRET_KEY | Private key for Cosign. |
| TRUSTIFICATION_OIDC_CLIENT_SECRET | Client secret used alongside the client ID to authenticate to the Trustification Bombastic API. |
Now add regular environment variables and don’t mask their values. In the variable group editor:
- Select Add.
- In the Name field, enter the key. For example, IMAGE_REGISTRY_USER.
- In the Value field, enter the value. In our example, a username for accessing your container image registry.
- Do not select the Keep this value secret checkbox.
Repeat step 6 to add all required environment variables:
Table 1.3. Image registry and GitOps variables

| Variable | Description |
| --- | --- |
| IMAGE_REGISTRY_USER | Username for accessing your container image registry. |
| GITOPS_AUTH_USERNAME | (optional) Your OpenShift GitOps username. This variable is required for Azure to work with Bitbucket. By default, lines with this variable are commented out in the azure-pipelines.yml file. To start using Bitbucket, uncomment all 5 instances of the following line: # GITOPS_AUTH_USERNAME: $(GITOPS_AUTH_USERNAME) |

Table 1.4. Variables required for ACS and SBOM tasks

| Variable | Description |
| --- | --- |
| ROX_CENTRAL_ENDPOINT | Endpoint for the ROX Central server. |
| COSIGN_PUBLIC_KEY | Public key for Cosign. |
| TRUSTIFICATION_BOMBASTIC_API_URL | URL for the Trustification Bombastic API used in SBOM generation. |
| TRUSTIFICATION_OIDC_ISSUER_URL | OIDC issuer URL used for authentication when interacting with the Trustification Bombastic API. |
| TRUSTIFICATION_OIDC_CLIENT_ID | Client ID for authenticating to the Trustification Bombastic API using OIDC. |
| TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION | Specifies the CycloneDX SBOM version that is supported and generated by the system. |
Optional: Set the Rekor and TUF variables if your CI provider runners do not run on the same cluster as the RHADS - SSC instance.
Table 1.5. Rekor and TUF variables

| Variable | Description |
| --- | --- |
| REKOR_HOST | URL of your Rekor server. |
| TUF_MIRROR | URL of your TUF service. |
- Select Save.
To authorize pipelines to use this variable group:
- Select the Pipeline permissions tab.
- Select Add pipeline.
- Select the pipelines that require access to this variable group and select Authorize selected pipelines.
Optional: If you use a different name for the variable group other than rhtap, you must update the variable group name in the azure-pipelines.yml file:

```yaml
variables:
  - group: <my-variable-group>
```
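As an added pre-flight check (example code, not part of RHADS - SSC or the Azure DevOps tooling), the following Python script reads a private.env file, sorts each key into the "Keep this value secret" set and the plain-variable set the tables above list, and reports missing keys, empty values, a Rekor/TUF pair that is only half set, and keys the tables do not mention. The sample file content, the LEGACY_TOKEN key and the example.invalid hosts are constructed.

```python
"""Pre-flight check of private.env against the variable set listed above (added example, not RHADS - SSC code)."""
import re

# SECRETS: add with "Keep this value secret" (Tables 1.1, 1.2); PLAIN: unmasked (Tables 1.3, 1.4); OPTIONAL: 1.3 and 1.5.
SECRETS = {"IMAGE_REGISTRY_PASSWORD", "GITOPS_AUTH_PASSWORD", "ROX_API_TOKEN",
           "COSIGN_SECRET_PASSWORD", "COSIGN_SECRET_KEY", "TRUSTIFICATION_OIDC_CLIENT_SECRET"}
PLAIN = {"IMAGE_REGISTRY_USER", "ROX_CENTRAL_ENDPOINT", "COSIGN_PUBLIC_KEY",
         "TRUSTIFICATION_BOMBASTIC_API_URL", "TRUSTIFICATION_OIDC_ISSUER_URL",
         "TRUSTIFICATION_OIDC_CLIENT_ID", "TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION"}
OPTIONAL = {"GITOPS_AUTH_USERNAME", "REKOR_HOST", "TUF_MIRROR"}
ENV_LINE = re.compile(r"^(?:export\s+)?([A-Z][A-Z0-9_]*)=(.*)$")

def parse_env(text):
    """Parse KEY=VALUE lines; tolerates a leading 'export', comment lines and quoted values."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = ENV_LINE.match(line)
        if match:
            values[match.group(1)] = match.group(2).strip().strip("\"'")
    return values

def plan_variable_group(text):
    """Classify keys into secret/plain entries for the variable group and report problems."""
    env = parse_env(text)
    warnings = []
    if ("REKOR_HOST" in env) != ("TUF_MIRROR" in env):
        warnings.append("REKOR_HOST and TUF_MIRROR are expected together")
    if "GITOPS_AUTH_USERNAME" in env:
        warnings.append("GITOPS_AUTH_USERNAME set: uncomment its 5 mappings in azure-pipelines.yml")
    return {
        "missing": sorted((SECRETS | PLAIN) - set(env)),
        "empty": sorted(k for k, v in env.items() if not v),
        "secret": sorted(k for k in env if k in SECRETS),
        "plain": sorted(k for k in env if k in PLAIN | OPTIONAL),
        "unknown": sorted(k for k in env if k not in SECRETS | PLAIN | OPTIONAL),
        "warnings": warnings,
    }

# Constructed sample: COSIGN_SECRET_KEY missing, one empty secret, Rekor without TUF, a stray key.
_FILLED = sorted((SECRETS | PLAIN) - {"COSIGN_SECRET_KEY", "TRUSTIFICATION_OIDC_CLIENT_SECRET"})
SAMPLE_ENV = "# constructed values, not real credentials\n" + "".join(
    f"export {k}=cGxhY2Vob2xkZXI=\n" for k in _FILLED
) + 'TRUSTIFICATION_OIDC_CLIENT_SECRET=""\nREKOR_HOST=https://rekor.example.invalid\nLEGACY_TOKEN=x\n'

if __name__ == "__main__":
    print(plan_variable_group(SAMPLE_ENV))
```

Point the script at your real private.env with plan_variable_group(open("private.env").read()) before you start clicking through the Library UI; every key it lists under "secret" must be added with the checkbox set.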
Verification
- Rerun the latest pipeline. If the secrets are applied correctly, the pipeline will complete successfully. After a successful run, verify that tasks such as RHACS or SBOM display the expected details.
Revised on 2025-08-20 05:26:16 UTC