tektoncd + kaniko + openstack s3 context
It must be using the AWS SDK to access S3 underneath. Thus it uses the credential chain to obtain AWS creds. Java SDK example: https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html, but it's the same in all SDKs. Based on that, you have multiple options:
- Pass AWS key/secret to the tektoncd container environment (do not recommend)
- Mount `~/.aws/credentials` to a tektoncd container filesystem (maybe)
- If the k8s cluster is on EC2, spin up https://github.com/uswitch/kiam and assign an IAM role with S3 access to the tektoncd pods (highly recommend). Or poor man's version of this - just add an S3 policy to a node role. In both cases, you don't deal with the secrets explicitly, at all.
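
The second option above (a mounted credentials file) could look like the following sketch. It is an added example, not part of the original answer and not taken from the Tekton or kaniko projects. The Secret name, Task name, mount path, image tag and every `<...>` value are assumptions or placeholders, and it covers only how the credentials reach the container.

```yaml
# Added example. Names marked "hypothetical" and all <...> values are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: s3-credentials              # hypothetical name
type: Opaque
stringData:
  # Same layout as ~/.aws/credentials; the SDK credential chain reads this file.
  credentials: |
    [default]
    aws_access_key_id = <ACCESS_KEY_ID>
    aws_secret_access_key = <SECRET_ACCESS_KEY>
---
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: kaniko-s3-context           # hypothetical name
spec:
  steps:
    - name: build
      image: gcr.io/kaniko-project/executor:latest   # assumed tag; pin a digest in practice
      env:
        # Point the SDK at the mounted file explicitly instead of relying on
        # $HOME/.aws/credentials resolving inside the container.
        - name: AWS_SHARED_CREDENTIALS_FILE
          value: /aws/credentials
      args:
        - --context=s3://<bucket>/<path>/context.tar.gz
        - --destination=<registry>/<image>:<tag>
      volumeMounts:
        - name: aws-creds
          mountPath: /aws
          readOnly: true            # the key never appears in the pod spec or env
  volumes:
    - name: aws-creds
      secret:
        secretName: s3-credentials
        defaultMode: 0400           # readable only by the container user
```

Compared with the first option, the key stays out of the pod's environment, so it does not show up in `kubectl describe pod` output or in child-process environments; access to it is governed by RBAC on the Secret.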