feat: integrate Red Hat Trusted Software Supply Chain (TSSF)

api/v1alpha1/imagebuild_types.go

@@ -178,6 +178,32 @@ type DiskExport struct {
 	// PVC *PVCExport `json:"pvc,omitempty"`
 }
 
+// ArtifactRef captures the supply-chain traceability metadata for a build artifact.
+// Registry and Digest are populated for any successful registry push.
+// SBOMRef, SignatureRef, and ProvenanceRef are populated when their respective
+// features (SBOM generation, Sigstore signing, Tekton Chains provenance) are active.
+type ArtifactRef struct {
+	// Registry is the OCI registry URL where the artifact was pushed (IMAGE_URL)
+	// +optional
+	Registry string `json:"registry,omitempty"`
+
+	// Digest is the content-addressable digest of the pushed artifact (sha256:...)
+	// +optional
+	Digest string `json:"digest,omitempty"`
+
+	// SBOMRef is the OCI reference to the attached SBOM artifact
+	// +optional
+	SBOMRef string `json:"sbomRef,omitempty"`
+
+	// SignatureRef is the OCI reference to the cosign/Sigstore signature
+	// +optional
+	SignatureRef string `json:"signatureRef,omitempty"`
+
+	// ProvenanceRef is the OCI reference to the SLSA provenance attestation
+	// +optional
+	ProvenanceRef string `json:"provenanceRef,omitempty"`
+}
+
 // ImageBuildStatus defines the observed state of ImageBuild
 type ImageBuildStatus struct {
 	// ObservedGeneration is the most recent generation observed by the controller.
@@ -227,6 +253,11 @@ type ImageBuildStatus struct {
 	// LeaseID is the Jumpstarter lease ID acquired during flash
 	// +optional
 	LeaseID string `json:"leaseId,omitempty"`
+
+	// Artifact captures supply-chain traceability metadata (digest, SBOM, signature, provenance)
+	// for the build output. Populated from PipelineRun results after a successful registry push.
+	// +optional
+	Artifact *ArtifactRef `json:"artifact,omitempty"`
 }
 
 // +kubebuilder:object:root=true

api/v1alpha1/operatorconfig_types.go

@@ -430,6 +430,59 @@ func (c *WorkspacesConfig) GetAutoPauseTimeoutMinutes() int32 {
 	return DefaultAutoPauseTimeoutMinutes
 }
 
+// DefaultSyftImage is the default Syft container image for SBOM generation
+const DefaultSyftImage = "docker.io/anchore/syft:v1.22.0"
+
+// DefaultSBOMFormat is the default SBOM output format
+const DefaultSBOMFormat = "spdx-json"
+
+// ComplianceConfig configures supply-chain compliance features (SBOM, signing, policy).
+// When Enabled, the operator appends an sbom-generate task to every build pipeline
+// and populates ArtifactRef in the build status.
+type ComplianceConfig struct {
+	// Enabled activates supply-chain compliance for build pipelines
+	// +kubebuilder:default=false
+	Enabled bool `json:"enabled"`
+
+	// SBOMFormat is the SBOM output format (spdx-json or cyclonedx-json)
+	// +kubebuilder:validation:Enum="spdx-json";"cyclonedx-json"
+	// +kubebuilder:default="spdx-json"
+	// +optional
+	SBOMFormat string `json:"sbomFormat,omitempty"`
+
+	// SyftImage is the container image for SBOM generation (Syft)
+	// +optional
+	SyftImage string `json:"syftImage,omitempty"`
+
+	// ECPolicyRef references an Enterprise Contract policy for optional gate enforcement
+	// +optional
+	ECPolicyRef string `json:"ecPolicyRef,omitempty"`
+
+	// RekorURL is the Rekor transparency log URL for Tekton Chains configuration
+	// +optional
+	RekorURL string `json:"rekorURL,omitempty"`
+
+	// FulcioURL is the Fulcio CA URL for keyless signing via Tekton Chains
+	// +optional
+	FulcioURL string `json:"fulcioURL,omitempty"`
+}
+
+// GetSBOMFormat returns the SBOM format, falling back to the default
+func (c *ComplianceConfig) GetSBOMFormat() string {
+	if c != nil && c.SBOMFormat != "" {
+		return c.SBOMFormat
+	}
+	return DefaultSBOMFormat
+}
+
+// GetSyftImage returns the Syft image, falling back to the default
+func (c *ComplianceConfig) GetSyftImage() string {
+	if c != nil && c.SyftImage != "" {
+		return c.SyftImage
+	}
+	return DefaultSyftImage
+}
+
 // OperatorConfigSpec defines the desired state of OperatorConfig
 type OperatorConfigSpec struct {
 	// OSBuilds defines the configuration for OS build operations
@@ -455,6 +508,12 @@ type OperatorConfigSpec struct {
 	// Workspaces defines configuration for developer workspaces
 	// +optional
 	Workspaces *WorkspacesConfig `json:"workspaces,omitempty"`
+
+	// Compliance configures supply-chain compliance features (SBOM generation,
+	// signing endpoints, policy enforcement). When enabled, build pipelines
+	// gain SBOM generation and emit results for Tekton Chains.
+	// +optional
+	Compliance *ComplianceConfig `json:"compliance,omitempty"`
 }
 
 // OSBuildsConfig defines configuration for OS build operations

config/crd/bases/automotive.sdv.cloud.redhat.com_imagebuilds.yaml

@@ -217,6 +217,32 @@ spec:
                 description: AIBImageUsed is the automotive-image-builder container
                   image that was used for the build
                 type: string
+              artifact:
+                description: |-
+                  Artifact captures supply-chain traceability metadata (digest, SBOM, signature, provenance)
+                  for the build output. Populated from PipelineRun results after a successful registry push.
+                properties:
+                  digest:
+                    description: Digest is the content-addressable digest of the pushed
+                      artifact (sha256:...)
+                    type: string
+                  provenanceRef:
+                    description: ProvenanceRef is the OCI reference to the SLSA provenance
+                      attestation
+                    type: string
+                  registry:
+                    description: Registry is the OCI registry URL where the artifact
+                      was pushed (IMAGE_URL)
+                    type: string
+                  sbomRef:
+                    description: SBOMRef is the OCI reference to the attached SBOM
+                      artifact
+                    type: string
+                  signatureRef:
+                    description: SignatureRef is the OCI reference to the cosign/Sigstore
+                      signature
+                    type: string
+                type: object
               builderImageUsed:
                 description: |-
                   BuilderImageUsed is the osbuild builder container image that was used for the build

config/crd/bases/automotive.sdv.cloud.redhat.com_operatorconfigs.yaml

@@ -609,6 +609,44 @@ spec:
                         type: object
                     type: object
                 type: object
+              compliance:
+                description: |-
+                  Compliance configures supply-chain compliance features (SBOM generation,
+                  signing endpoints, policy enforcement). When enabled, build pipelines
+                  gain SBOM generation and emit results for Tekton Chains.
+                properties:
+                  ecPolicyRef:
+                    description: ECPolicyRef references an Enterprise Contract policy
+                      for optional gate enforcement
+                    type: string
+                  enabled:
+                    default: false
+                    description: Enabled activates supply-chain compliance for build
+                      pipelines
+                    type: boolean
+                  fulcioURL:
+                    description: FulcioURL is the Fulcio CA URL for keyless signing
+                      via Tekton Chains
+                    type: string
+                  rekorURL:
+                    description: RekorURL is the Rekor transparency log URL for Tekton
+                      Chains configuration
+                    type: string
+                  sbomFormat:
+                    default: spdx-json
+                    description: SBOMFormat is the SBOM output format (spdx-json or
+                      cyclonedx-json)
+                    enum:
+                    - spdx-json
+                    - cyclonedx-json
+                    type: string
+                  syftImage:
+                    description: SyftImage is the container image for SBOM generation
+                      (Syft)
+                    type: string
+                required:
+                - enabled
+                type: object
               containerBuilds:
                 description: ContainerBuilds defines configuration for container build
                   operations

config/samples/automotive_v1_operatorconfig.yaml

@@ -50,6 +50,18 @@ spec:
     #   value: "automotive"
     #   effect: "NoExecute"
 
+  # Compliance configuration for supply-chain security (SBOM, signing, policy)
+  # When enabled, pipelines gain SBOM generation and emit Tekton Chains results
+  # compliance:
+  #   enabled: true
+  #   sbomFormat: "spdx-json"         # or "cyclonedx-json"
+  #   syftImage: "docker.io/anchore/syft:v1.22.0"
+  #   # RHTAS endpoints for Tekton Chains keyless signing
+  #   rekorURL: "https://rekor.example.com"
+  #   fulcioURL: "https://fulcio.example.com"
+  #   # Enterprise Contract policy ref (stretch goal)
+  #   ecPolicyRef: ""
+
   # BuildAPI configuration for the Build API server
   buildAPI:
     # Optional: Authentication configuration for OIDC/JWT providers