1. Proposed title of this feature request

Allow global pull secrets to be mount on-demand in PipelineRun/TaskRun

2. What is the nature and description of the request?

In OpenShift, cluster-admin can configure global pull secret that are available "for all users", allowing to use private images for their pod/container. User may have the expectation (as showed in https://bugzilla.redhat.com/show_bug.cgi?id=2018659) that this pull secret will be available as well when they are using buildah in OpenShift Pipelines. This expectation is re-enforced by the fact that this global pull secret is usable in OpenShift BuildConfig.

It should be possible to have these global pull secret available to buildah (or any other task if need be), inside the container, on demand (with a label, an annotation or something).

This is "slightly" related to https://issues.redhat.com/browse/SRVKP-1549 (imagestream in buildah/s2i tasks — the pull/push secret part) and https://issues.redhat.com/browse/SRVKP-1025.

3. Why does the customer need this? (List the business requirements here)

To be able to build images using buildah (or other oci image builder) that depends (use/FROM) on private images, without having to ask for cluster-admins to duplicate the secrets.

4. List any affected packages or components.

OpenShift Pipelines