Implement tekton-chains

[Roming22]

Configuration is taken verbatim from https://github.com/redhat-appstudio/infra-deployments/tree/ef1f8459a0ab86964c1421f7475fb41626cec905/components/build/tekton-chains

Signed-off-by: Romain Arnaud rarnaud@redhat.com

PR can be tested by running ./ckcp/openshift_dev_setup.sh followed by ./ckcp/test.sh chains.

[bnallapeta]

@Roming22 Before going into the PR review, I would like to understand the use case for Tekton Chains installation in the workload clusters? Why do we need it?

[adambkaplan]

In our Phase 1 architecture, Tekton Chains needs to run on the workload cluster so that it can do the provenance attestation and image signing for TaskRuns (which only exist on workload clusters).

@Roming22 - is there any reason why we are manually deploying Chains instead of using the Pipelines operator? There is a CR we can use to configure Chains via the Pipelines Operator: https://docs.openshift.com/container-platform/4.10/cicd/pipelines/using-tekton-chains-for-openshift-pipelines-supply-chain-security.html

[Roming22]

Is there any reason why we are manually deploying Chains instead of using the Pipelines operator? There is a CR we can use to configure Chains via the Pipelines Operator: https://docs.openshift.com/container-platform/4.10/cicd/pipelines/using-tekton-chains-for-openshift-pipelines-supply-chain-security.html

My understanding is that I cannot configure Chains using gitops if I install it using the CR. ArgoCD cannot control/patch a resource (in this case the chains-config configmap) that is not declared in the application (source). This means we would have to run an oc patch command, which would go against the gitops model of declaring the state you want and letting the controller deal how to get to that state.

Not that I know of at least 3 resources that we need to patch:

1. chains-config: to configure the format, storage, and transparency;
2. tekton-chains-controller: to override the default image with the development image that supports pipelineruns, and override the runAs* ids;
3. chains-certs-configuration: to setup the certificates differently on k8s and openshift.

Let me know if I misunderstood something.

[xinredhat]

/test all

[Roming22]

/retest

[Roming22]

/retest

[Roming22]

/retest

[xinredhat]

/retest

[Roming22]

@bnallapeta If you want to test, please use this branch.

[bnallapeta]

@Roming22 Looks good apart from that one comment. But I see that the plnsvc-ckcp-test has failed. Please look into that.

[Roming22]

@bnallapeta The plnsvc-ckcp-test cannot succeed until the PR has been merged since it relies on having the manifests committed to main.

[openshift-ci]

@Roming22: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/plnsvc-ckcp-test	4b3d626	link	true	/test plnsvc-ckcp-test

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[bnallapeta]

@bnallapeta The plnsvc-ckcp-test cannot succeed until the PR has been merged since it relies on having the manifests committed to main.

No worries. I've tested it locally using your branch. Looks good.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bnallapeta, Roming22

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [Roming22,bnallapeta]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment