knative · Ankitsinghsisodya · May 17, 2026
diff --git a/cmd/func-util/main.go b/cmd/func-util/main.go
@@ -153,6 +153,22 @@ func deploy(ctx context.Context) error {
 	if f.Deploy.Image == "" {
 		f.Deploy.Image = f.Image
 	}
+
+	// For Git-based remote deploys the on-cluster func.yaml comes from the
+	// committed repo and never contains CLI overrides supplied by the user
+	// (--image-pull-secret, --service-account, --deployer).  The pipeline run
+	// forwards those overrides as environment variables so they can be applied
+	// here before deploying.
+	if v := os.Getenv("FUNC_IMAGE_PULL_SECRET"); v != "" {
+		f.Deploy.ImagePullSecret = v
+	}
+	if v := os.Getenv("FUNC_SERVICE_ACCOUNT"); v != "" {
+		f.Deploy.ServiceAccountName = v
+	}
+	if v := os.Getenv("FUNC_DEPLOYER"); v != "" {
+		f.Deploy.Deployer = v
+	}
+
 	if f.Deploy.Deployer == "" {
 		f.Deploy.Deployer = knative.KnativeDeployerName
 	}

diff --git a/pkg/pipelines/tekton/task-buildpack.yaml.tmpl b/pkg/pipelines/tekton/task-buildpack.yaml.tmpl
@@ -67,6 +67,15 @@ spec:
     - name: COMMIT
       description: Git commit SHA of the function source
       default: ""
+    - name: IMAGE_PULL_SECRET
+      description: Image pull secret name forwarded from the CLI to the in-cluster deploy step
+      default: ""
+    - name: SERVICE_ACCOUNT
+      description: Service account name forwarded from the CLI to the in-cluster deploy step
+      default: ""
+    - name: DEPLOYER
+      description: Deployer type forwarded from the CLI to the in-cluster deploy step (knative, raw, keda)
+      default: ""
   stepTemplate:
     env:
       - name: CNB_PLATFORM_API
@@ -292,6 +301,13 @@ spec:
     - name: func-deploy
       image: '{{.DeployerImage}}'
       workingDir: $(workspaces.source.path)
+      env:
+        - name: FUNC_IMAGE_PULL_SECRET
+          value: $(params.IMAGE_PULL_SECRET)
+        - name: FUNC_SERVICE_ACCOUNT
+          value: $(params.SERVICE_ACCOUNT)
+        - name: FUNC_DEPLOYER
+          value: $(params.DEPLOYER)
       command: ["deploy", $(params.SOURCE_SUBPATH), "$(params.APP_IMAGE)"]
   volumes:
     - name: empty-dir

diff --git a/pkg/pipelines/tekton/task-s2i.yaml.tmpl b/pkg/pipelines/tekton/task-s2i.yaml.tmpl
@@ -45,6 +45,15 @@ spec:
     - name: COMMIT
       description: Git commit SHA of the function source
       default: ""
+    - name: IMAGE_PULL_SECRET
+      description: Image pull secret name forwarded from the CLI to the in-cluster deploy step
+      default: ""
+    - name: SERVICE_ACCOUNT
+      description: Service account name forwarded from the CLI to the in-cluster deploy step
+      default: ""
+    - name: DEPLOYER
+      description: Deployer type forwarded from the CLI to the in-cluster deploy step (knative, raw, keda)
+      default: ""
   workspaces:
     - name: source
     - name: cache
@@ -148,6 +157,13 @@ spec:
     - name: func-deploy
       image: '{{.DeployerImage}}'
       workingDir: $(workspaces.source.path)
+      env:
+        - name: FUNC_IMAGE_PULL_SECRET
+          value: $(params.IMAGE_PULL_SECRET)
+        - name: FUNC_SERVICE_ACCOUNT
+          value: $(params.SERVICE_ACCOUNT)
+        - name: FUNC_DEPLOYER
+          value: $(params.DEPLOYER)
       command: ["deploy", $(params.PATH_CONTEXT), "$(params.IMAGE)"]
   volumes:
     - emptyDir: {}

diff --git a/pkg/pipelines/tekton/templates.go b/pkg/pipelines/tekton/templates.go
@@ -93,6 +93,14 @@ type templateData struct {
 
 	// Git commit SHA of the function source
 	Commit string
+
+	// CLI overrides forwarded to the in-cluster func-deploy task step.
+	// For Git-based remote deploys the on-cluster func.yaml comes from the
+	// committed repo and never contains these values; they must be threaded
+	// through the pipeline run as discrete params.
+	ImagePullSecret    string
+	ServiceAccountName string
+	Deployer           string
 }
 
 // createPipelineTemplatePAC creates a Pipeline template used for PAC on-cluster build
@@ -412,6 +420,10 @@ func createAndApplyPipelineRunTemplate(f fn.Function, namespace string, labels m
 
 		RepoUrl:  f.Build.Git.URL,
 		Revision: pipelinesTargetBranch,
+
+		ImagePullSecret:    f.Deploy.ImagePullSecret,
+		ServiceAccountName: f.Deploy.ServiceAccountName,
+		Deployer:           f.Deploy.Deployer,
 	}
 
 	var template string

diff --git a/pkg/pipelines/tekton/templates_pack.go b/pkg/pipelines/tekton/templates_pack.go
@@ -44,6 +44,18 @@ spec:
       name: commit
       default: ''
       type: string
+    - description: Image pull secret name forwarded to the in-cluster deploy step
+      name: imagePullSecret
+      default: ''
+      type: string
+    - description: Service account name forwarded to the in-cluster deploy step
+      name: serviceAccount
+      default: ''
+      type: string
+    - description: Deployer type forwarded to the in-cluster deploy step (knative, raw, keda)
+      name: deployer
+      default: ''
+      type: string
   tasks:
     - name: build
       params:
@@ -64,6 +76,12 @@ spec:
             - '$(params.buildEnvs[*])'
         - name: COMMIT
           value: $(params.commit)
+        - name: IMAGE_PULL_SECRET
+          value: $(params.imagePullSecret)
+        - name: SERVICE_ACCOUNT
+          value: $(params.serviceAccount)
+        - name: DEPLOYER
+          value: $(params.deployer)
         {{- if eq .TlsVerify "false"}}
         - name: INSECURE_REGISTRIES
           value: $(params.registry)
@@ -123,6 +141,12 @@ spec:
         {{end}}
     - name: commit
       value: "{{.Commit}}"
+    - name: imagePullSecret
+      value: "{{.ImagePullSecret}}"
+    - name: serviceAccount
+      value: "{{.ServiceAccountName}}"
+    - name: deployer
+      value: "{{.Deployer}}"
   pipelineRef:
    name: {{.PipelineName}}
   podTemplate:

diff --git a/pkg/pipelines/tekton/templates_s2i.go b/pkg/pipelines/tekton/templates_s2i.go
@@ -52,6 +52,18 @@ spec:
       name: commit
       default: ''
       type: string
+    - description: Image pull secret name forwarded to the in-cluster deploy step
+      name: imagePullSecret
+      default: ''
+      type: string
+    - description: Service account name forwarded to the in-cluster deploy step
+      name: serviceAccount
+      default: ''
+      type: string
+    - description: Deployer type forwarded to the in-cluster deploy step (knative, raw, keda)
+      name: deployer
+      default: ''
+      type: string
   tasks:
     - name: build
       params:
@@ -76,6 +88,12 @@ spec:
           value: $(params.tlsVerify)
         - name: COMMIT
           value: $(params.commit)
+        - name: IMAGE_PULL_SECRET
+          value: $(params.imagePullSecret)
+        - name: SERVICE_ACCOUNT
+          value: $(params.serviceAccount)
+        - name: DEPLOYER
+          value: $(params.deployer)
       {{.FuncS2iTaskRef}}
       workspaces:
         - name: source
@@ -134,6 +152,12 @@ spec:
       value: {{.TlsVerify}}
     - name: commit
       value: "{{.Commit}}"
+    - name: imagePullSecret
+      value: "{{.ImagePullSecret}}"
+    - name: serviceAccount
+      value: "{{.ServiceAccountName}}"
+    - name: deployer
+      value: "{{.Deployer}}"
   pipelineRef:
    name: {{.PipelineName}}
   podTemplate: