Tags: tianpeidong/pipeline
Avoid dangling symlinks in git-init

When the following conditions are met:

1. the feature flag disable-home-env-overwrite is "true"
2. the container user is root
3. no git / ssh secret is attached to a taskrun service account
4. user is running new-ish version of catalog git-clone task with git-init v0.15.2+

git-init will error out in the git-clone task because we create a circular symlink from /root/.ssh to itself and then try to look up /root/.ssh/known_hosts.

This commit adds a check to avoid this from happening: If the user's $HOME/.ssh directory doesn't exist or if they aren't able to access it for any reason, then we don't try to create a symlink to it at all since we can trust that the user is incapable of utilizing the credential.

This commit also expands an existing check to see if the $HOME/.ssh directory is the same as the user's home directory + '.ssh'. This was originally only checked if the user was nonroot, but now this is also checked if the user is root too.

(cherry picked from commit 1160686)
Signed-off-by: Vincent Demeester <[email protected]>
tekton: port koparse fix to release-0.17.x

Without porting those fixes to the release branch, we cannot do a release 😅

Signed-off-by: Vincent Demeester <[email protected]>
Take -version into account in the controller ☕️

Set the `version.PipelineVersion` properly in the controller main so that we annotate the object with the version (instead of a blank string).

Signed-off-by: Vincent Demeester <[email protected]>
(cherry picked from commit f59e1be)
Signed-off-by: Vincent Demeester <[email protected]>
Add docs demonstrating how to share a Workspace with Sidecars

Prior to this commit we didn't have any documentation showing how to share a Workspace between Steps of a Task and the Task's Sidecars. In fact there were two bugs that prevented this from working correctly. Those bugs have since been squashed.

This commit adds documentation and an example yaml showing how to share a Workspace between a Task's Steps and its Sidecars.
Omit NotFound when cleaning up the Affinity Assistant

The PipelineRun reconciler cleans up the affinity assistant when the PipelineRun is completed. If the cleanup-function is called more than once, the DELETE request will return a NotFound response. It does not make sense to return NotFound responses as an error, since this is what we want to achieve.

(cherry picked from commit 204a403)
Disable keep-alive for cloud-event connections

Disabling keep-alive forces the HTTP client to drop the connection once a response is received. This avoids building up large numbers of idle connections and it fixes the immediate issue. After this we may want to see how to ensure we can re-use connections and also set an idle-connection timeout.

Fixes tektoncd#3190
(cherry picked from commit 7a9a85b)
Add support for repeated PVC-claim but using subPath in AA-validation

The validation for compatibility with the Affinity Assistant does not support the same PVC repeated, but using different subPaths. This patch adds support for this case and tests for the validation.

Co-authored-by: Scott <[email protected]>
Ensure pullrequest-init is based on a root image

The PullRequest Resource, when used as an output, is able to read in a pr.json to determine if there have been any changes that require syncing to github. pr.json may have been written by any prior Step with any ownership settings. If pr.json was written with root permissions then the PullRequest Resource needs to have permissions to read that file.

The PullRequest Resource image has been based on a nonroot image in our `.ko.yaml` since 0.13 of Tekton Pipelines ([`.ko.yaml` was updated here](tektoncd#2606)). However, the published images did not match the configuration in the `.ko.yaml` until 0.15.0 ([our `tekton/publish.yaml` was brought into line with `.ko.yaml` here](tektoncd#3018)).

Given that copying or writing pr.json in a Step can result in the file being owned by root, using a nonroot image is not a suitable choice of base image - the output PullRequest attempts to open pr.json and hits a permissions error.

This commit updates the PullRequest image to be based on distroless static instead of nonroot and adds an example yaml file that should exercise the behaviour of copying the file from an input to output pullrequest resource.