diff --git a/tekton/base/kustomization.yaml b/tekton/base/kustomization.yaml
index 0b10bbe..24528c8 100644
--- a/tekton/base/kustomization.yaml
+++ b/tekton/base/kustomization.yaml
@@ -13,3 +13,4 @@ resources:
 #- triggers/route.yaml
 - knative-rbac.yaml
 - cronjob-cache.yaml
+ - push-secret.yaml
diff --git a/tekton/base/push-secret.yaml b/tekton/base/push-secret.yaml
new file mode 100644
index 0000000..54f0fc9
--- /dev/null
+++ b/tekton/base/push-secret.yaml
@@ -0,0 +1,43 @@
+apiVersion: generators.external-secrets.io/v1alpha1
+kind: QuayAccessToken
+metadata:
+ name: apps-push-pull-secret
+ namespace: analytics-for-spotify
+ annotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+ url: registry.arthurvardevanyan.com
+ robotAccount: apps+push
+ serviceAccountRef:
+ name: "pipeline"
+ audiences:
+ - openshift
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: apps-push-pull-secret
+ namespace: analytics-for-spotify
+ annotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+ dataFrom:
+ - sourceRef:
+ generatorRef:
+ apiVersion: generators.external-secrets.io/v1alpha1
+ kind: QuayAccessToken
+ name: apps-push-pull-secret
+ refreshInterval: "55m" # Overlap with Token Expire
+ target:
+ name: apps-push-pull-secret
+ template:
+ type: kubernetes.io/dockerconfigjson
+ data:
+ .dockerconfigjson: |
+ {
+ "auths": {
+ "{{ .registry }}": {
+ "auth": "{{ .auth }}"
+ }
+ }
+ }
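Review bot: In the new `push-secret.yaml`, the generated Secret `apps-push-pull-secret` carries a push-capable token for the `apps+push` robot, yet nothing in the manifest says which workloads may consume it, and the name suggests it is also used for pulls. Any pod or subject in `analytics-for-spotify` that can read or mount this Secret can write to the registry under that robot for the token's lifetime, so it should stay with the Tekton build tasks and runtime pods should pull with a separate read-only robot (whether they already do is not visible in this diff). I would add above `robotAccount:` the comment `# Push-capable robot: consume only from Tekton build tasks; runtime pods use a pull-only account`. The `# Overlap with Token Expire` comment would also be more useful if it stated the token lifetime the 55m interval is meant to overlap, which the manifest does not state.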