ggcr: authn should also read secrets from ServiceAccount's .secrets

[lcarva]

Feature Request

The authn/kubenertes keychain reads Secrets associated with a ServiceAccount from its .imagePullSecrets attribute. However, Secrets can also be associated with a ServiceAccount via its '.secrets` attribute. The first is usually used at the Node level for pulling images for a Pod, while the second is mounted on Pods and used directly by Containers.

The keychain should read Secrets from both locations.

Use Case

The Tekton Chains controller uses this library to determine the authentication required to push content to the user provided registry. Since users are instructed to using only .secrets in other parts of the ecosystem, they must do something different when using Tekton Chains. Further context in tektoncd/chains#700

[lcarva]

Are there any objections to taking this approach? If not, I would be happy to submit a patch.

[imjasonh]

Yeah I think we'd be open to accepting this. Do you want to send a PR and we can discuss specifics there?

[lcarva]

Sounds good! PR submitted: #1560