Allow Chains to use the SharedSecret resource

Signed-off-by: Luiz Carvalho <lucarval@redhat.com>

README.md

@@ -88,6 +88,20 @@ SPI Vault instance has to be manually initialized. There is a script to help wit
 2) Clone SPI operator repo `git clone https://github.com/redhat-appstudio/service-provider-integration-operator && cd service-provider-integration-operator`
 3) run `vault-init.sh` script from repo root directory `./hack/vault-init.sh`
 
+### Optional: Use SharedSecret with Tekton Chains
+
+During the build pipeline, it is possible to use the `redhat-appstudio-user-workload`
+[SharedSecret](https://github.com/openshift/csi-driver-shared-resource) to specify the credentials
+for pushing container images. If this is used, Tekton Chains must also be configured to use the
+same `SharedSecret`. This is done by default. However, the `Secret` referred to by the
+`SharedSecret` may not exist at bootstrap time. If the underlying `Secret` is created, or modified
+in any way, the changes will NOT be picked up by Tekton Chains. Whenever a modification is done,
+delete the Tekton Chains controller pod to cause it to restart and pick up the new changes:
+
+```
+oc -n tekton-chains delete pods -l app=tekton-chains-controller
+```
+
 ### Install Toolchain (Sandbox) Operators
 There are two scripts which you can use:
 - `./hack/sandbox-development-mode.sh` for development mode

components/build/tekton-chains/kustomization.yaml

@@ -9,6 +9,7 @@ resources:
 - allow-argocd-to-manage.yaml
 - https://storage.googleapis.com/tekton-releases/chains/previous/v0.9.0/release.yaml
 - chains-secrets-config.yaml
+- tekton-chains-controller-shared-secrets-rolebinding.yaml
 
 patchesStrategicMerge:
 #
@@ -21,5 +22,8 @@ patchesStrategicMerge:
 # Mount the secrets volume and use the forked image
 - chains-controller-deployment.yaml
 
+# Mount the shared secret
+- tekton-chains-controller-shared-secret.yaml
+
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

components/build/tekton-chains/tekton-chains-controller-shared-secret.yaml

@@ -0,0 +1,28 @@
+---
+# Mount the contents of the SharedSecret named redhat-appstudio-user-workload
+# on the Tekton Chains controller at $DOCKER_CONFIG/config.json. This makes
+# Chains consider those credentials when pushing content to an OCI repo.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: tekton-chains-controller
+  namespace: tekton-chains
+spec:
+  template:
+    spec:
+      containers:
+      - name: tekton-chains-controller
+        env:
+        - name: DOCKER_CONFIG
+          value: /secret/default-push-secret
+        volumeMounts:
+        - mountPath: /secret/default-push-secret/config.json
+          subPath: .dockerconfigjson
+          name: default-push-secret
+      volumes:
+      - name: default-push-secret
+        csi:
+          driver: csi.sharedresource.openshift.io
+          readOnly: true
+          volumeAttributes:
+            sharedSecret: redhat-appstudio-user-workload

components/build/tekton-chains/tekton-chains-controller-shared-secrets-rolebinding.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: tekton-chains-controller-shared-secrets
+  namespace: tekton-chains
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: globally-shared-secrets-clusterrole
+subjects:
+- kind: ServiceAccount
+  name: tekton-chains-controller
+  namespace: tekton-chains
+