Implicit Git & Image authentication contradicts explicit PipelineResource authentication

[ncskier]

Expected Behavior

I expect PipelineRun/TaskRun authentication to be consistent throughout the Tekton Pipelines project.

Actual Behavior

Tekton Pipelines has a strange mix of implicit and explicit authentication. As far as I can tell, Git and Image PipelineResources are the only PipelineResources that use the implicit authentication outlined in auth.md. It seems like all of the other PipelineResources use an explicit secrets field for authentication:

  secrets:
    - fieldName: authToken
      secretName: github-secrets
      secretKey: token

The example is from the Pull Request Resource, and this explicit design is also used by the Cluster and Storage Resources.

As a user, I think that it is confusing to set up a PipelineRun/TaskRun when I have to use a mix of both explicit and implicit authentication. I think that authentication would be more straightforward if it was either all explicit or all implicit (not a combination of both). Personally, I like explicit over implicit, because it's easier to keep track of what secrets are used in each PipelineRun/TaskRun

[vdemeester]

Note that PipelineResource are going through a "major" re-design, so… hopefully this is taken into account too, cc @sbwsg

/kind question
/kind api

[dibyom]

With PipelineResources not being in beta, and the new Tasks in the catalog to replace its use, the auth story is more explicit now I think? Is this still a concern @ncskier ?

[ncskier]

I guess it isn't a concern anymore. Is the implicit authentication pattern with annotations being deprecated?

[ghost]

Is the implicit authentication pattern with annotations being deprecated?

We're supporting it into the Beta but I have a pretty strong feeling we'll need to revisit it, particularly in light of changes to the $HOME directory in an upcoming release. #2013 for more info on that.

[bobcatfish]

Note that the pullrequest Task in the catalog is using a param to identify the name of the key https://github.com/tektoncd/catalog/tree/v1beta1-wip/pullrequest#configuring-the-tasks - not sure we'd want it to be implicit 🤔

[tekton-robot]

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

/close

Send feedback to tektoncd/plumbing.

[tekton-robot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.

/lifecycle rotten

Send feedback to tektoncd/plumbing.

[tekton-robot]

@tekton-robot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

/close

Send feedback to tektoncd/plumbing.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.