Add support for making secretKeyRef optional

[skv-anders]

Feature request

Currently one can set and environment variable using secretKeyRef in a task. However this means that the secret must be present and have the specified keys. In some cases one might want to support optional features that require additional secrets. Currently, if a secret is optional in a task, the one have to write code to detect and extract the contents of the secret.

Kubernets seems to have similar support for optional secretKeyRef https://github.com/kubernetes/kubernetes/blob/e9e190c57c61a88a2ba96c4b0688b8eb3a8945a8/pkg/apis/core/types.go#L1762 https://stackoverflow.com/questions/48208705/how-to-mark-secret-as-optional-in-kubernetes

This is how I envision how it should look like in a tekton task:

env:
  - name: PASSWORD
      valueFrom:
        secretKeyRef:
          name: smtp-secret
          key: password
          optional: true

Use case

I want to write a "send mail" task, similar to the one in Tekton Hub https://hub.tekton.dev/tekton/task/sendmail However I don't want to input the optional user and password for connecting to the smtp-server as parameters. I still want user and password to be optional, but I want them to be stored in a secret, and also not fetched in some earlier task and passed around in the pipeline, since it will expose them more.

It seems that currently I have to add code into the script in the task to check the presense of the secret, check the presense of the keys, and then extract the values. It would be convenient (and less error prune) if the script only needed to check if the environment variables have been set or not.

[aThorp96]

CC @vdemeester @waveywaves @afrittoli

[vdemeester]

If it's supported by Kubernetes, I think it should be supported by Tekton already. We use corev1 types for env and envFrom, but it seems it's not super well document for envFrom (only here, here and here).

@skv-anders which version of pipeline are you running ?