
DOC: Integrate Chains with Hashicorp Vault


      We need to make a few enhancements to integrate Chains with Vault in a more first-class way:

      • Vault token is supplied via the `signers.kms.kmsref.auth.token` field which is not very ideal as it stores the token in cleartext. This should be allowed to be read from a secret/configmap/etc.
        • This can also be fixed by allowing the operator to read any field via a secret/configmap.
        • story points: 5
      • Allow supplying a token path besides a token in the Chains config, maybe something like `signers.kms.kmsref.auth.tokenpath` (???). This allows mounting the token inside the Chains controller and having it read from that path, instead of supplying it in the config directly.
        • story points: 3
      • Vault Agent Injector (https://developer.hashicorp.com/vault/docs/platform/k8s/injector) allows injecting a token inside a pod, with certain annotations, at a particular path:
        `vault.hashicorp.com/agent-inject-token: true`. The Chains controller should be able to be configured to read the token injected by the agent injector.
        • We need to make sure that the token being read by the sigstore library is up to date at all times.
          • either symlink the file to the location where sigstore expects
          • or, make sure the upstream sigstore library is configured with a custom path
          • we can implement this without sigstore in the short term (but probably not ideal)
            • chains controller can read this and
              • set content of tokenpath as VAULT_TOKEN env var
                OR
              • copy contents of tokenpath to ~/.vault-token
        • story points: 8
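As an added example (not Chains' or sigstore's own code; the `TokenSource` type, `ExportToken` function and the `hvs.` sample tokens are assumptions), a Go sketch of the short-term path in the last bullet: read the agent-injected token from a configured path, re-read it whenever the file changes so the token in use stays current, and hand it to the Vault client either as `VAULT_TOKEN` or as an owner-only `~/.vault-token`:

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"sync"
)

// TokenSource re-reads the agent-injected token file whenever it changes, so callers see the token Vault Agent most recently wrote.
type TokenSource struct {
	Path  string
	mu    sync.Mutex
	mtime int64 // ModTime (ns) of the contents currently cached
	token string
}

// Token returns the current token, re-reading the file when its mtime changed.
func (s *TokenSource) Token() (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	info, err := os.Stat(s.Path)
	if err != nil {
		return "", fmt.Errorf("stat token file: %w", err)
	}
	if s.token != "" && info.ModTime().UnixNano() == s.mtime {
		return s.token, nil
	}
	raw, err := os.ReadFile(s.Path)
	if err != nil {
		return "", fmt.Errorf("read token file: %w", err)
	}
	tok := strings.TrimSpace(string(raw)) // the agent writes a trailing newline
	if tok == "" {
		return "", fmt.Errorf("token file %s is empty", s.Path)
	}
	s.token, s.mtime = tok, info.ModTime().UnixNano()
	return tok, nil
}

// ExportToken hands the token to the Vault client in one of the two ways the ticket lists: VAULT_TOKEN, or <home>/.vault-token owner-only.
func ExportToken(tok, home string, useEnv bool) error {
	if useEnv {
		return os.Setenv("VAULT_TOKEN", tok)
	}
	dst := filepath.Join(home, ".vault-token")
	_ = os.Remove(dst) // recreate so the 0600 mode applies even if a looser file exists
	return os.WriteFile(dst, []byte(tok), 0o600)
}
```

The mtime check is what keeps a long-running controller from holding a stale token after the agent re-authenticates; the token itself is never logged.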

      total estimate: 16

      minimum acceptance criteria:

      • add support for vault agent injector in chains
      • other enhancements to the operator are stretch goals

              mramendi Mikhail Ramendik