feat: support protected repositories with Tekton Chains provenance (#136)

* feat: support protected repositories with Tekton Chains provenance

Add support for cloning source code from protected (private) Git
repositories in the Tekton supply-chain pipeline. Credentials are
stored in Vault and delivered to the pipeline via an ExternalSecret
that generates .git-credentials and .gitconfig files for the
git-clone task's basic-auth workspace.

Supply-chain chart changes:
- Add init task (skopeo pre-flight image check, skip rebuild)
- Add optional git-auth workspace and Chains provenance results
  (CHAINS-GIT_URL, CHAINS-GIT_COMMIT, IMAGE_URL, IMAGE_DIGEST)
- Add ExternalSecret for git credentials (Opaque with .git-credentials)
- Conditionally attach git-credentials secret to pipeline SA
- Add skopeo image to tasks.images for the init task
- Migrate all Tekton resources from v1beta1 to v1 API

Generator and feature fragments:
- Add protected-repos feature fragment with git.credentials overrides
  and qtodo.repository placeholder
- Add --git-repo CLI argument to gen-feature-variants.py (required
  when protected-repos feature is enabled)
- Add ignoreDifferences for Tekton Task/Pipeline defaulted fields
  to the supply-chain feature fragment

Default values-hub.yaml:
- Extend hub-supply-chain-jwt-secret Vault policy to cover
  secret/data/hub/supply-chain/*
- Add commented-out Tekton ignoreDifferences, git.credentials
  overrides, and qtodo.repository override

Documentation:
- Update docs/supply-chain.md with protected repos setup,
  generator --git-repo usage, and git-auth workspace selection
- Update scripts/gen-feature-variants.md with --git-repo examples
- Add git-credentials entry to values-secret.yaml.template

Signed-off-by: Min Zhang <minzhang@redhat.com>

* feat: SSH auth support and review fixes for protected repositories

- Support SSH auth for protected repositories
- Fix ESO SSH template with index syntax for hyphenated keys
- Add Vault NetworkPolicy rules for registry-token-refresher
- Update gen-feature-variants with protected-repos feature
- Clarify that git credentials use SA injection (no git-auth
  workspace binding needed)

Signed-off-by: Min Zhang <minzhang@redhat.com>

* docs: differentiate git-auth workspace binding for HTTPS vs SSH modes

HTTPS mode requires explicitly binding the git-auth workspace to the
qtodo-git-credentials secret, while SSH mode must leave it unbound
due to the git-clone ClusterTask's prepare.sh chmod failing on
read-only projected volume symlinks.

Signed-off-by: Min Zhang <minzhang@redhat.com>

* fix: address PR #136 review feedback from Manuel (mlorenzofr)

- Restore PR #139 dedup logic (named list upsert, duplicate override
  validation) that was inadvertently removed
- Use file-based path instead of inline value for HTTPS git credentials
  and registry token to avoid plaintext password leaks in values-secret
- Add | trim to ESO password template for path-sourced credentials
- Add ssh-keygen instructions and passwordless key requirement
- Fix make load-secrets -> ./pattern.sh make load-secrets
- Add explicit SSH URL example to qtodo.repository override comment

Signed-off-by: Min Zhang <minzhang@redhat.com>

---------

Signed-off-by: Min Zhang <minzhang@redhat.com>

Author: minmzzhang

charts/supply-chain/templates/pipeline-qtodo.yaml

@@ -1,5 +1,5 @@
 ---
-apiVersion: tekton.dev/v1beta1
+apiVersion: tekton.dev/v1
 kind: Pipeline
 metadata:
   name: qtodo-supply-chain
@@ -8,12 +8,20 @@ spec:
   params:
     - name: git-url
       type: string
-      description: The URL of the public Github qtodo repository
+      description: The URL of the qtodo repository (public or protected)
       default: {{ .Values.qtodo.repository | quote }}
     - name: git-revision
       type: string
-      description: The revision of the public Github qtodo repository
+      description: The revision of the qtodo repository
       default: {{ .Values.qtodo.revision }}
+    - name: rebuild
+      type: string
+      description: Force rebuild the image even if it already exists
+      default: "false"
+    - name: skip-checks
+      type: string
+      description: Skip pre-build checks against existing image
+      default: "false"
     - name: qtodo-build-cmd
       type: string
       description: The command to build the qtodo artifact
@@ -100,9 +108,44 @@ spec:
   workspaces:
     - name: qtodo-source
     - name: registry-auth-config
+    - name: git-auth
+      optional: true
+
+  results:
+    - name: CHAINS-GIT_URL
+      description: The git URL used for the build (Tekton Chains provenance)
+      value: $(tasks.qtodo-clone-repository.results.URL)
+    - name: CHAINS-GIT_COMMIT
+      description: The git commit SHA used for the build (Tekton Chains provenance)
+      value: $(tasks.qtodo-clone-repository.results.COMMIT)
+    - name: IMAGE_URL
+      description: The image URL built by the pipeline (Tekton Chains provenance)
+      value: $(tasks.qtodo-build-image.results.IMAGE_URL)
+    - name: IMAGE_DIGEST
+      description: The image digest built by the pipeline (Tekton Chains provenance)
+      value: $(tasks.qtodo-build-image.results.IMAGE_DIGEST)
 
   tasks:
+    - name: init
+      taskRef:
+        name: init
+        kind: Task
+      params:
+        - name: image-url
+          value: $(params.image-target)
+        - name: rebuild
+          value: $(params.rebuild)
+        - name: skip-checks
+          value: $(params.skip-checks)
+
     - name: qtodo-clone-repository
+      runAfter:
+        - init
+      when:
+        - input: $(tasks.init.results.build)
+          operator: in
+          values:
+            - "true"
       taskRef:
         resolver: cluster
         params:
@@ -120,6 +163,13 @@ spec:
       workspaces:
         - name: output
           workspace: qtodo-source
+{{- if eq (default "https" .Values.git.credentials.authType) "ssh" }}
+        - name: ssh-directory
+          workspace: git-auth
+{{- else }}
+        - name: basic-auth
+          workspace: git-auth
+{{- end }}
 
     - name: qtodo-build-artifact
       runAfter:

charts/supply-chain/templates/pipelinerun-qtodo.yaml

@@ -92,7 +92,7 @@ spec:
           fi
 
           cat <<'MANIFEST' | oc create -f -
-          apiVersion: tekton.dev/v1beta1
+          apiVersion: tekton.dev/v1
           kind: PipelineRun
           metadata:
             generateName: qtodo-supply-chain-

charts/supply-chain/templates/rbac/pipeline-sa.yaml

@@ -10,4 +10,7 @@ metadata:
     argocd.argoproj.io/compare-options: IgnoreExtraneous
     argocd.argoproj.io/syncOptions: ServerSideApply=true
 secrets:
-  - name: qtodo-registry-auth
+  - name: qtodo-registry-auth
+{{- if .Values.git.credentials.enabled }}
+  - name: qtodo-git-credentials
+{{- end }}

charts/supply-chain/templates/rbac/registry-token-refresher.yaml

@@ -72,6 +72,9 @@ spec:
     spec:
       backoffLimit: 3
       template:
+        metadata:
+          labels:
+            app.kubernetes.io/name: registry-token-refresher
         spec:
           serviceAccountName: {{ .Values.pipelineServiceAccount }}
           restartPolicy: Never

charts/supply-chain/templates/secrets/qtodo-git-credentials.yaml

@@ -0,0 +1,58 @@
+{{- if .Values.git.credentials.enabled }}
+{{- $authType := .Values.git.credentials.authType | default "https" }}
+{{- $host := .Values.git.credentials.host }}
+---
+apiVersion: "external-secrets.io/v1beta1"
+kind: ExternalSecret
+metadata:
+  name: qtodo-git-credentials
+  namespace: {{ .Release.Namespace | default .Values.global.namespace }}
+spec:
+  refreshInterval: 15s
+  secretStoreRef:
+    name: {{ .Values.global.secretStore.name }}
+    kind: {{ .Values.global.secretStore.kind }}
+  target:
+    name: qtodo-git-credentials
+    template:
+{{- if eq $authType "ssh" }}
+      type: kubernetes.io/ssh-auth
+      metadata:
+        annotations:
+          tekton.dev/git-0: {{ $host | quote }}
+      data:
+        ssh-privatekey: {{ printf "{{ index . \"%s\" }}" .Values.git.credentials.sshPrivateKeyKey | quote }}
+        known_hosts: {{ printf "{{ index . \"%s\" }}" .Values.git.credentials.knownHostsKey | quote }}
+  data:
+    - secretKey: {{ .Values.git.credentials.sshPrivateKeyKey }}
+      remoteRef:
+        key: {{ .Values.git.credentials.vaultPath }}
+        property: {{ .Values.git.credentials.sshPrivateKeyKey }}
+    - secretKey: {{ .Values.git.credentials.knownHostsKey }}
+      remoteRef:
+        key: {{ .Values.git.credentials.vaultPath }}
+        property: {{ .Values.git.credentials.knownHostsKey }}
+{{- else }}
+{{- $hostBare := $host | trimPrefix "https://" | trimPrefix "http://" }}
+{{- $userKey := .Values.git.credentials.usernameKey }}
+{{- $passKey := .Values.git.credentials.passwordKey }}
+      type: Opaque
+      metadata:
+        annotations:
+          tekton.dev/git-0: {{ $host | quote }}
+      data:
+        .gitconfig: |
+          [credential "{{ $host }}"]
+            helper = store
+        .git-credentials: {{ printf "https://{{ .%s }}:{{ .%s | trim }}@%s" $userKey $passKey $hostBare | quote }}
+  data:
+    - secretKey: {{ $userKey }}
+      remoteRef:
+        key: {{ .Values.git.credentials.vaultPath }}
+        property: {{ $userKey }}
+    - secretKey: {{ $passKey }}
+      remoteRef:
+        key: {{ .Values.git.credentials.vaultPath }}
+        property: {{ $passKey }}
+{{- end }}
+{{- end }}

charts/supply-chain/templates/tasks/build-artifact.yaml

@@ -1,5 +1,5 @@
 ---
-apiVersion: tekton.dev/v1beta1
+apiVersion: tekton.dev/v1
 kind: Task
 metadata:
   name: qtodo-build-artifact

charts/supply-chain/templates/tasks/generate-sbom.yaml

@@ -1,5 +1,5 @@
 ---
-apiVersion: tekton.dev/v1beta1
+apiVersion: tekton.dev/v1
 kind: Task
 metadata:
   name: qtodo-generate-sbom

charts/supply-chain/templates/tasks/init.yaml

@@ -0,0 +1,55 @@
+---
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+  labels:
+    app.kubernetes.io/version: "0.1"
+  annotations:
+    tekton.dev/pipelines.minVersion: "0.12.1"
+    tekton.dev/tags: "supply-chain"
+  name: init
+  namespace: {{ .Values.global.namespace }}
+spec:
+  description: >-
+    Initialize Pipeline Task. Determines whether the image should be built
+    by checking if the target image already exists in the registry.
+    Supports rebuild and skip-checks flags.
+  params:
+    - name: image-url
+      description: Image URL for build by PipelineRun
+    - name: rebuild
+      description: Rebuild the image even if it exists
+      default: "false"
+    - name: skip-checks
+      description: Skip checks against built image
+      default: "false"
+  results:
+    - name: build
+      description: Defines if the image in param image-url should be built
+  steps:
+    - name: init
+      image: {{ .Values.tasks.images.skopeo }}
+      computeResources:
+        limits:
+          memory: 256Mi
+        requests:
+          memory: 256Mi
+          cpu: 100m
+      env:
+        - name: IMAGE_URL
+          value: $(params.image-url)
+        - name: REBUILD
+          value: $(params.rebuild)
+        - name: SKIP_CHECKS
+          value: $(params.skip-checks)
+      script: |
+        #!/bin/bash
+        echo "Build Initialize: $IMAGE_URL"
+        echo
+
+        echo "Determine if Image Already Exists"
+        if [ "$REBUILD" == "true" ] || [ "$SKIP_CHECKS" == "false" ] || ! skopeo inspect --no-tags --raw "docker://$IMAGE_URL" &>/dev/null; then
+          echo -n "true" > $(results.build.path)
+        else
+          echo -n "false" > $(results.build.path)
+        fi

charts/supply-chain/templates/tasks/restart-qtodo.yaml

@@ -1,5 +1,5 @@
 ---
-apiVersion: tekton.dev/v1beta1
+apiVersion: tekton.dev/v1
 kind: Task
 metadata:
   name: restart-qtodo

charts/supply-chain/templates/tasks/sbom-attest.yaml

@@ -1,5 +1,5 @@
 ---
-apiVersion: tekton.dev/v1beta1
+apiVersion: tekton.dev/v1
 kind: Task
 metadata:
   name: qtodo-sbom-attestation