Rollback creds-init removal in 0.14 branch

[ghost]

Changes

In #2671 I removed the creds-init initContainer from Task Pods so that credentials could be used by containers running with non-root users. The intention was for this change to be free of any side-effects to end-users. Unfortunately a backwards incompatible issue has cropped up with this change:

When a user does not specify the known_hosts field in a creds-init Secret, the credential code will perform an ssh-keyscan of the remote server to get its public key. The problem is that previously we could guarantee ssh-keyscan was available since the code ran in our own creds-init container with our own docker image. Since we've now moved that code into Steps' entrypoint a Step's container is required to provide ssh-keyscan. This is a change in container contract and therefore backwards-incompatible.

In this PR I've reverted the creds-init change for the 0.14 branch rather than attempt to fix the ssh-keyscan issue and possibly introduce more problems.

Before 0.15 I'd like to get a better, backwards-compatible, fix organized. So I plan to leave the creds-init change in place in the master branch for the time being.

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

• Commit messages follow commit message best practices
• Release notes block has been filled in or deleted (only if no user facing changes)

Release Notes

The removal of the creds-init initContainer that occurred in 0.14.0 has been rolled back. The change introduced an unintended backwards-incompatibility that needs to be resolved.

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/pod/creds_init.go	93.1%	84.2%	-8.9
pkg/pod/entrypoint.go	84.4%	84.1%	-0.2
pkg/pod/pod.go	87.3%	84.5%	-2.7
pkg/reconciler/taskrun/taskrun.go	76.5%	76.3%	-0.3

[afrittoli]

Thanks!
/approve

[tekton-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: afrittoli

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [afrittoli]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[afrittoli]

So, if I got it right, the plan is rollback on the branch only, and fix on master for v0.15 instead, right?

[vdemeester]

That's my guess too, @sbwsg are we right ?

[ghost]

So, if I got it right, the plan is rollback on the branch only, and fix on master for v0.15 instead, right?

Yup, exactly right. I'm working on a fix now that should hopefully be ready in time for 0.15.

[vdemeester]

So, if I got it right, the plan is rollback on the branch only, and fix on master for v0.15 instead, right?

Yup, exactly right. I'm working on a fix now that should hopefully be ready in time for 0.15.

Let's add the refered issue in the milestone then 👼

/lgtm

[ghost]

Let's add the refered issue in the milestone then 👼

Good thinking, thanks for doing that!