Support Multiple Signatures in Tekton Chains
Type: Epic
Priority: Major
Resolution: Unresolved
Status: To Do
Progress: 50% To Do, 0% In Progress, 50% Done
1. Proposed title of this feature request
Support Multiple Signatures in Tekton Chains
2. What is the nature and description of the request?
Tekton Chains in OpenShift Pipelines supports only a single signature (signing key) per controller, and on OpenShift, as far as I know, only a single controller is supported cluster-wide. The request is to support multiple signatures and to provide a way to select which signature to use in specific pipelines.
These tenant signatures may be sourced from Kubernetes Secrets or from KMS systems like Vault.
RBAC will be an important consideration here: it should not be possible for one team to sign its images using another team's signature. Either the signature should be stored in the same namespace as the pipeline, or alternatively a CRD could be defined for signatures that supports defining the scope (global, or a specific set of namespaces where the signature can be used) as well as signature-specific configuration (secret, KMS, etc.).
Personally I like the CRD model for signatures as it enables signatures as a service (similar to cert-manager TLS as a service), but obviously a lot more thinking is required here to see if it makes sense.
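As an added illustration of the CRD model sketched above (not Tekton Chains code; the SigningKey resource, its fields and the sample keys are assumptions), the following Python models a cluster-scoped key that declares which namespaces may use it, and the lookup a controller would perform before signing, rejecting any key the pipeline's namespace is not allowed to use:

```python
# Added example (not Tekton Chains code): a minimal model of the proposed
# "signing key as a CRD" idea, where each key declares the namespaces
# allowed to use it and the controller refuses cross-tenant use.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class SigningKey:
    """Hypothetical cluster-scoped key resource (field names are assumptions)."""
    name: str
    source: str                 # "secret" or "kms"
    ref: str                    # Secret name or KMS key URI
    namespaces: Optional[FrozenSet[str]] = None  # None means global scope


class SigningKeyDenied(Exception):
    """Raised when a pipeline asks for a key outside its scope."""


def resolve_signing_key(keys: Dict[str, SigningKey], key_name: str,
                        pipeline_namespace: str) -> SigningKey:
    """Return the key a pipeline in `pipeline_namespace` may sign with.

    Unknown keys and keys scoped to other namespaces are both rejected,
    so a misconfigured pipeline never falls back to another tenant's key.
    """
    key = keys.get(key_name)
    if key is None:
        raise SigningKeyDenied(f"unknown signing key {key_name!r}")
    if key.namespaces is not None and pipeline_namespace not in key.namespaces:
        raise SigningKeyDenied(
            f"key {key_name!r} is not usable from namespace {pipeline_namespace!r}")
    return key


# Constructed sample inventory: one platform-wide key plus one per-team key.
SAMPLE_KEYS = {
    "platform-cosign": SigningKey("platform-cosign", "secret", "signing-secrets"),
    "team-a-vault": SigningKey("team-a-vault", "kms",
                               "hashivault://team-a-images",
                               frozenset({"team-a-dev", "team-a-prod"})),
}

if __name__ == "__main__":
    # A team-a pipeline gets its own Vault-backed key; a team-b pipeline
    # asking for the same key is refused.
    print(resolve_signing_key(SAMPLE_KEYS, "team-a-vault", "team-a-prod").ref)
```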
3. Why does the customer need this? (List the business requirements here)
In organizations where there is a single cluster-wide key this would work fine; however, many of our customers operate multi-tenant clusters. In this scenario the various teams operating on the cluster will want to use and manage their own signing keys for their images.
4. List any affected packages or components.
OpenShift Pipelines (specifically the Chains component)
Issue links:
- clones RFE-3326 Support Multiple Signatures in Tekton Chains (Backlog)
- is blocked by SRVKP-8724 Testing for the epic (To Do)