# PAC GitHub Organization with Untrusted Cluster Users

## Statement

`Admin` installs the PAC GitHub application on their organization, enabled for every repository, on the cluster.

`Owner` is the owner of a private `Repo`.

`OrgUser` is a member of the organization but has no access to the private `Repo`.

`OrgUser` creates a Repository CR in a namespace on the cluster with the URL of the private `Repo`, and is then able to read the content of the repository in that namespace and even obtains a token (scoped, temporary and limited) for operations against it.

This can only happen if `Owner` has committed `.tekton/pr*` files that use `git-clone` into her repository.

## Problems

There is no correlation between the cluster user and the GitHub (or any other provider) user. If the GitHub app OAuth is linked to the OpenShift cluster, the cluster user name matches the GitHub user, but that is not guaranteed when there are local conflicts or multiple OpenShift auth providers.

## Solutions

### Solution 1

When `Admin` creates an organization, they can pre-provision a namespace for the `Repo` with a `Repo CR` for the repository URL, scoped to the allowed cluster user. For a new private `Repo`, the user pre-creates the private `CR` in her namespace.

### Solution 2

The user creates the Pipelines as Code PipelineRun with the annotation:

```
pipelinesascode.tekton.dev/target-namespace: "mynamespace"
```

This forces the run into `mynamespace` as long as a Repository CR there matches the repository; PAC would not try any other namespace.

### Solution 3

We can have some sort of [ACME](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment)-style validation on the webhook validator. When a user adds a new Repository CR on the cluster, they put a random string into a spec field. That same string must be committed to a file in the repository (e.g. `.tekton/.cookie`). The webhook validator compares the two contents, so only a user who can both commit to the repository and write to the cluster is able to register a new Repository CR.
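As an added illustration of Solutions 2 and 3 together (example code written for this page, not part of Pipelines as Code), the following Go matcher selects the namespace for an incoming event: it keeps only Repository CRs for the event's URL, honours the `target-namespace` annotation when present, and accepts a CR only if its cookie spec field equals the `.tekton/.cookie` content fetched from the repository. The `RepoCR`, `Event` and `Match` names and the simplified struct shapes are assumptions, as is the sample data.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// RepoCR is a simplified stand-in for a Repository CR (assumed shape, not the real type).
type RepoCR struct {
	Namespace string
	URL       string
	Cookie    string // random string in a spec field (Solution 3)
}

// Event is the part of an incoming webhook the matcher needs.
type Event struct {
	RepoURL         string
	TargetNamespace string // target-namespace annotation, "" if absent (Solution 2)
	CookieFile      string // content of .tekton/.cookie fetched from the repository
}

var ErrNoMatch = errors.New("no Repository CR matches this event")
// Match returns the namespace allowed to run the PipelineRun for ev: the CR must carry the
// event's URL, sit in the annotated namespace (if any) and hold the cookie committed in the repo.
func Match(crs []RepoCR, ev Event) (string, error) {
	for _, cr := range crs {
		if cr.URL != ev.RepoURL || cr.Cookie == "" {
			continue // wrong repository, or a CR whose ownership can never be proven
		}
		if ev.TargetNamespace != "" && cr.Namespace != ev.TargetNamespace {
			continue // the annotation pins the run to one namespace
		}
		// Constant-time compare so a wrong cookie is not distinguishable by timing.
		if subtle.ConstantTimeCompare([]byte(cr.Cookie), []byte(ev.CookieFile)) == 1 {
			return cr.Namespace, nil
		}
	}
	return "", ErrNoMatch
}

func main() {
	// Constructed sample: Owner's CR and an OrgUser's squatting CR for the same URL.
	crs := []RepoCR{
		{Namespace: "orguser-ns", URL: "https://github.com/org/private-repo", Cookie: "guess"},
		{Namespace: "owner-ns", URL: "https://github.com/org/private-repo", Cookie: "s3cr3t-rand0m"},
	}
	ns, err := Match(crs, Event{RepoURL: "https://github.com/org/private-repo", CookieFile: "s3cr3t-rand0m"})
	fmt.Println(ns, err) // owner-ns <nil>
}
```

A CR with an empty cookie is rejected outright, so a namespace squatting on the URL cannot match a repository that simply has no `.tekton/.cookie` file.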
### Solution 4

Extend https://issues.redhat.com/browse/SRVKP-2488 (Ability to enable PAC for all repos in a GitHub org): only let `Admin` define the repository-to-namespace associations through a set of rules.