chmouel
diff --git a/‎pkg/pod/creds_init.go
+94 b/‎pkg/pod/creds_init.go
+94
diff --git a/‎pkg/pod/creds_init_test.go
+134 b/‎pkg/pod/creds_init_test.go
+134
diff --git a/‎pkg/pod/doc.go
+18 b/‎pkg/pod/doc.go
+18
diff --git a/‎pkg/pod/workingdir_init.go
+17 b/‎pkg/pod/workingdir_init.go
+17
diff --git a/‎pkg/pod/workingdir_init_test.go
+16 b/‎pkg/pod/workingdir_init_test.go
+16
@@ -0,0 +1,94 @@
+/*
+Copyright 2019 The Tekton Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package pod
+
+import (
+	"fmt"
+
+	"github.com/tektoncd/pipeline/pkg/credentials"
+	"github.com/tektoncd/pipeline/pkg/credentials/dockercreds"
+	"github.com/tektoncd/pipeline/pkg/credentials/gitcreds"
+	"github.com/tektoncd/pipeline/pkg/names"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+)
+
+const (
+	// Name of the credential initialization container.
+	credsInit = "credential-initializer"
+)
+
+func CredsInit(credsImage string, serviceAccountName, namespace string, kubeclient kubernetes.Interface, volumeMounts []corev1.VolumeMount, implicitEnvVars []corev1.EnvVar) (*corev1.Container, []corev1.Volume, error) {
+	if serviceAccountName == "" {
+		serviceAccountName = "default"
+	}
+
+	sa, err := kubeclient.CoreV1().ServiceAccounts(namespace).Get(serviceAccountName, metav1.GetOptions{})
+	if err != nil {
+		return nil, nil, err
+	}
+
+	builders := []credentials.Builder{dockercreds.NewBuilder(), gitcreds.NewBuilder()}
+
+	var volumes []corev1.Volume
+	args := []string{}
+	for _, secretEntry := range sa.Secrets {
+		secret, err := kubeclient.CoreV1().Secrets(namespace).Get(secretEntry.Name, metav1.GetOptions{})
+		if err != nil {
+			return nil, nil, err
+		}
+
+		matched := false
+		for _, b := range builders {
+			if sa := b.MatchingAnnotations(secret); len(sa) > 0 {
+				matched = true
+				args = append(args, sa...)
+			}
+		}
+
+		if matched {
+			name := names.SimpleNameGenerator.RestrictLengthWithRandomSuffix(fmt.Sprintf("secret-volume-%s", secret.Name))
+			volumeMounts = append(volumeMounts, corev1.VolumeMount{
+				Name:      name,
+				MountPath: credentials.VolumeName(secret.Name),
+			})
+			volumes = append(volumes, corev1.Volume{
+				Name: name,
+				VolumeSource: corev1.VolumeSource{
+					Secret: &corev1.SecretVolumeSource{
+						SecretName: secret.Name,
+					},
+				},
+			})
+		}
+	}
+
+	if len(args) == 0 {
+		// There are no creds to initialize.
+		return nil, nil, nil
+	}
+
+	return &corev1.Container{
+		Name:         names.SimpleNameGenerator.RestrictLengthWithRandomSuffix(credsInit),
+		Image:        credsImage,
+		Command:      []string{"/ko-app/creds-init"},
+		Args:         args,
+		Env:          implicitEnvVars,
+		VolumeMounts: volumeMounts,
+	}, volumes, nil
+}
@@ -0,0 +1,134 @@
+/*
+Copyright 2019 The Tekton Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package pod
+
+import (
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/tektoncd/pipeline/test/names"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	fakek8s "k8s.io/client-go/kubernetes/fake"
+)
+
+const (
+	credsImage         = "creds-image"
+	serviceAccountName = "my-service-account"
+	namespace          = "namespacey-mcnamespace"
+)
+
+func TestCredsInit(t *testing.T) {
+	volumeMounts := []corev1.VolumeMount{{
+		Name: "implicit-volume-mount",
+	}}
+	envVars := []corev1.EnvVar{{
+		Name:  "FOO",
+		Value: "bar",
+	}}
+
+	for _, c := range []struct {
+		desc string
+		want *corev1.Container
+		objs []runtime.Object
+	}{{
+		desc: "service account exists with no secrets; nothing to initialize",
+		objs: []runtime.Object{
+			&corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: serviceAccountName, Namespace: namespace}},
+		},
+		want: nil,
+	}, {
+		desc: "service account has no annotated secrets; nothing to initialize",
+		objs: []runtime.Object{
+			&corev1.ServiceAccount{
+				ObjectMeta: metav1.ObjectMeta{Name: serviceAccountName, Namespace: namespace},
+				Secrets: []corev1.ObjectReference{{
+					Name: "my-creds",
+				}},
+			},
+			&corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:        "my-creds",
+					Namespace:   namespace,
+					Annotations: map[string]string{
+						// No matching annotations.
+					},
+				},
+			},
+		},
+		want: nil,
+	}, {
+		desc: "service account has annotated secret; initialize creds",
+		objs: []runtime.Object{
+			&corev1.ServiceAccount{
+				ObjectMeta: metav1.ObjectMeta{Name: serviceAccountName, Namespace: namespace},
+				Secrets: []corev1.ObjectReference{{
+					Name: "my-creds",
+				}},
+			},
+			&corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "my-creds",
+					Namespace: namespace,
+					Annotations: map[string]string{
+						"tekton.dev/docker-0": "https://us.gcr.io",
+						"tekton.dev/docker-1": "https://docker.io",
+						"tekton.dev/git-0":    "github.com",
+						"tekton.dev/git-1":    "gitlab.com",
+					},
+				},
+				Type: "kubernetes.io/basic-auth",
+				Data: map[string][]byte{
+					"username": []byte("foo"),
+					"password": []byte("BestEver"),
+				},
+			},
+		},
+		want: &corev1.Container{
+			Name:    "credential-initializer-mz4c7",
+			Image:   credsImage,
+			Command: []string{"/ko-app/creds-init"},
+			Args: []string{
+				"-basic-docker=my-creds=https://docker.io",
+				"-basic-docker=my-creds=https://us.gcr.io",
+				"-basic-git=my-creds=github.com",
+				"-basic-git=my-creds=gitlab.com",
+			},
+			Env: envVars,
+			VolumeMounts: append(volumeMounts, corev1.VolumeMount{
+				Name:      "secret-volume-my-creds-9l9zj",
+				MountPath: "/var/build-secrets/my-creds",
+			}),
+		},
+	}} {
+		t.Run(c.desc, func(t *testing.T) {
+			names.TestingSeed()
+			kubeclient := fakek8s.NewSimpleClientset(c.objs...)
+			got, volumes, err := CredsInit(credsImage, serviceAccountName, namespace, kubeclient, volumeMounts, envVars)
+			if err != nil {
+				t.Fatalf("CredsInit: %v", err)
+			}
+			if got == nil && len(volumes) > 0 {
+				t.Errorf("Got nil creds-init container, with non-empty volumes: %v", volumes)
+			}
+			if d := cmp.Diff(c.want, got); d != "" {
+				t.Fatalf("Diff(-want, +got): %s", d)
+			}
+		})
+	}
+}
@@ -0,0 +1,18 @@
+/*
+Copyright 2019 The Tekton Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package pod provides methods for converting between a TaskRun and a Pod.
+package pod
@@ -1,3 +1,19 @@
+/*
+Copyright 2019 The Tekton Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
 package pod
 
 import (
@@ -54,6 +70,7 @@ func WorkingDirInit(shellImage string, steps []v1alpha1.Step) *corev1.Container
 	}
 
 	if len(relativeDirs) == 0 {
+		// There are no workingDirs to initialize.
 		return nil
 	}
 
 
@@ -1,3 +1,19 @@
+/*
+Copyright 2019 The Tekton Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
 package pod
 
 import (