in-toto Layout Creation to validate Tekton Pipeline #221

pxp928 opened this issue May 18, 2022 · 1 comment
pxp928 commented May 18, 2022

Current Behavior

Currently we are missing validation that all the steps that need to run in a pipeline (in a specific order if need be) have completed running. Using in-toto, we can create a layout file that checks to ensure that all steps ran in a specific order and the expected materials and products are accounted for.

There was a POC to convert Tekton YAML to an in-toto layout -> https://github.com/tap8stry/tkn-intoto-formatter

There is also an old TEP that was started related to this integration with Tekton -> tektoncd/community#534

The thought here is that we make this part of the Tekton ecosystem, where the pipeline controller is able to generate the layout file (using keys from SPIRE where available for each "step" in the in-toto layout). The Chains controller would validate the pipeline against the layout once completed.

Open Questions:

  1. Using CUE to generate the in-toto layout?
  2. Should it be integrated directly into Tekton?

pxp928 commented May 25, 2022

Had a discussion with Santiago and Aditya (in-toto maintainers) to discuss a path forward. Currently in-toto does not support in-toto attestations generated by Chains as the "link" files for verification.

Path Forward:

  1. Top level layout created by CUE (based on policy)
  2. Sub-layout created by Tekton Chains (signed by the tekton chains controller SVID)
  3. In-toto-golang will have to be updated (experimental) to allow for validation of in-toto attestation generated by chains.
  4. Chains would utilize in-toto verify to check that all tasks/steps ran before signing.
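An added example (not part of this issue or of in-toto/Chains) of what the layout check described in both comments does: a constructed two-step layout (clone -> build) with in-toto-style MATCH and CREATE artifact rules, and per-step link records standing in for Chains attestations, checked for step presence, ordering and material/product agreement. Only MATCH and CREATE are handled; `verify_layout`, `LAYOUT` and `LINKS` are names assumed here.

```python
from typing import Dict, List

# Constructed layout: steps in the order they must run, each with the materials
# (inputs) and products (outputs) the policy expects, as in-toto-style rules.
LAYOUT = {
    "steps": [
        {"name": "clone",
         "expected_materials": [],
         "expected_products": [["CREATE", "src/main.go"]]},
        {"name": "build",
         "expected_materials": [["MATCH", "src/main.go", "WITH", "PRODUCTS", "FROM", "clone"]],
         "expected_products": [["CREATE", "bin/app"]]},
    ]
}

# Constructed link records, one per step, keyed by step name: artifact path -> digest.
LINKS = {
    "clone": {"materials": {}, "products": {"src/main.go": "sha256:aaa"}},
    "build": {"materials": {"src/main.go": "sha256:aaa"},
              "products": {"bin/app": "sha256:bbb"}},
}

def verify_layout(layout: Dict, links: Dict) -> List[str]:
    """Return violations; an empty list means every step ran, in order, with
    materials that match the upstream step's products and the expected products."""
    errors: List[str] = []
    seen: List[str] = []  # steps already verified, i.e. allowed MATCH sources
    for step in layout["steps"]:
        name = step["name"]
        link = links.get(name)
        if link is None:
            errors.append(f"step {name}: no link metadata, step did not run")
            continue
        for rule in step["expected_materials"]:
            if rule[0] == "MATCH":
                path, src = rule[1], rule[5]
                if src not in seen:
                    errors.append(f"step {name}: {src} must run before {name}")
                elif link["materials"].get(path) != links[src]["products"].get(path):
                    errors.append(f"step {name}: material {path} does not match product of {src}")
        for rule in step["expected_products"]:
            if rule[0] == "CREATE" and rule[1] not in link["products"]:
                errors.append(f"step {name}: expected product {rule[1]} not created")
        seen.append(name)
    return errors
```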
