
SLSA attestations for the Build resource (aka app image attestations) #1449

Merged
merged 11 commits into from
Jan 17, 2024

Commits on Jan 12, 2024

  1. generate project metadata for all source types

    before we were only generating it for the git source type.
    
    this eventually gets turned into a label on the image as specified in
    https://github.com/buildpacks/spec/blob/main/platform.md#iobuildpacksprojectmetadata-json
    
    Signed-off-by: Bohan Chen <[email protected]>
    chenbh committed Jan 12, 2024
    2e1d61f
  2. add support for basic slsa statements

    todo:
    - extract source from app image labels
    - record builder image
    
    Signed-off-by: Bohan Chen <[email protected]>
    chenbh committed Jan 12, 2024
    67adab8
  3. add ability to extract metadata from images

    The source metadata is read in from the project-metadata label on the
    built image. This is done for 2 reasons:
    
    1. It resolves floating pointers to concrete shas; this can be the case
       with a git source pointing to a branch, or a registry source pointing
       to a tag. We also can't figure out a blob's checksum without actually
       pulling it.
    2. It guarantees that this is the version pulled down by the `prepare`
       step and avoids weird TOCTOU edge cases where the underlying bits
       changed between the creation of the Build and the execution of the
       container.
    
    By exporting the Project, Source, Metadata, and Version structs, I hope
    to create a code relation between the different packages, so that if we
    ever change one in the future, the compiler will yell at us instead of
    us having to remember the relationship.
    
    Signed-off-by: Bohan Chen <[email protected]>
    chenbh committed Jan 12, 2024
    99861bd
  4. add signing attestations

    supported key types are rsa, ecdsa, ed25519, and cosign (which is
    basically a wrapper around the other 3).
    
    there are some smoke tests with hard coded signatures, but I feel the
    main tests should be the interop with cosign cli
    
    Signed-off-by: Bohan Chen <[email protected]>
    chenbh committed Jan 12, 2024
    957f2f2
  5. move slsa and cosign logic into secrets pkg

    since we already have a package dedicated to grabbing secrets out of
    k8s, let's expand it further so that it knows how to extract signing keys
    out of it.
    
    Signed-off-by: Bohan Chen <[email protected]>
    chenbh committed Jan 12, 2024
    6966b3f

Commits on Jan 17, 2024

  1. refactor slsa signing and pushing

    - split out signing and pushing into different functions mainly to make
    the error messages clearer
    
    - move attestation sign and write functions to obj so that we can mock out
    the attester interface later
    
    - also change the slsa buildid to include `slsa` as a subpath to make it
    clearer what it's used for
    
    Signed-off-by: Bohan Chen <[email protected]>
    chenbh committed Jan 17, 2024
    e5ad5c5
  2. add attestation to the build reconciler

    - the controller is now aware of its own service account name, this is
      to fetch all the secrets associated with it (currently for attestation
      only, but can be expanded to cosign later)
    
    - the feature flag for enabling slsa is marked experimental since the
      RFC hasn't been merged in yet
    
    Signed-off-by: Bohan Chen <[email protected]>
    chenbh committed Jan 17, 2024
    1d1f3ec
  3. refactor slsa.go and bug fixes

    rename slsa.go as the name wasn't really descriptive of what it's doing
    
    bugs:
    - client-go strips the TypeMeta from the object so we have to pass it in
    manually.
    - granting rbac for the controller to get namespaces
    - and using version instead of identifier so we don't get the git sha
      when generating the build type link
    - ecdsa signing requires digest not full msg
    - stick to consistent tense for err msgs
    - and make the start/stop time parsing best effort - the slsa spec says
      it's optional so we shouldn't fail the whole attestation if we can't
      find it
    
    Signed-off-by: Bohan Chen <[email protected]>
    chenbh committed Jan 17, 2024
    00bdd4d
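The signing path sketched in the "add signing attestations" commit above, together with the "ecdsa signing requires digest not full msg" fix in this commit, as an added Go example that is not kpack's own code: it wraps a constructed in-toto statement in a DSSE envelope, signs the pre-authentication encoding (PAE) with ECDSA over a SHA-256 digest rather than the raw bytes, and verifies the result the way a consumer would. The `Envelope`/`Signature` structs, the key id, the image name and the subject digest are assumptions or constructed values; kpack's actual attester interface and cosign key handling are not reproduced.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strconv"
)

// inTotoPayloadType is the DSSE payloadType for in-toto statements.
const inTotoPayloadType = "application/vnd.in-toto+json"

// Envelope is the DSSE envelope shape consumed by in-toto tooling and cosign
// (struct defined here for the example, not kpack's type).
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"` // base64(statement JSON)
	Signatures  []Signature `json:"signatures"`
}

// Signature is one signature over the PAE of the envelope.
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"` // base64(ASN.1 DER ECDSA signature)
}

// PAE builds the DSSE v1 pre-authentication encoding:
//   "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body
// Binding the payload type into the signed bytes prevents a signature over an
// in-toto statement from being replayed as a different payload type.
func PAE(payloadType string, payload []byte) []byte {
	header := "DSSEv1 " + strconv.Itoa(len(payloadType)) + " " + payloadType +
		" " + strconv.Itoa(len(payload)) + " "
	return append([]byte(header), payload...)
}

// SignStatement wraps a serialized statement in a DSSE envelope and signs it.
// ECDSA signs a fixed-size hash, not the message itself, so the PAE is hashed
// with SHA-256 first; handing SignASN1 the raw PAE is the defect the commit
// message on this page describes.
func SignStatement(priv *ecdsa.PrivateKey, keyID string, statement []byte) (*Envelope, error) {
	digest := sha256.Sum256(PAE(inTotoPayloadType, statement))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, fmt.Errorf("signing attestation: %w", err)
	}
	return &Envelope{
		PayloadType: inTotoPayloadType,
		Payload:     base64.StdEncoding.EncodeToString(statement),
		Signatures:  []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}},
	}, nil
}

// VerifyEnvelope recomputes the PAE from the envelope's own payloadType and
// payload and accepts if any signature verifies under pub. A tampered payload
// or payloadType changes the digest and fails verification.
func VerifyEnvelope(pub *ecdsa.PublicKey, env *Envelope) (bool, error) {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return false, fmt.Errorf("decoding payload: %w", err)
	}
	digest := sha256.Sum256(PAE(env.PayloadType, payload))
	for _, s := range env.Signatures {
		raw, err := base64.StdEncoding.DecodeString(s.Sig)
		if err != nil {
			return false, fmt.Errorf("decoding signature for key %q: %w", s.KeyID, err)
		}
		if ecdsa.VerifyASN1(pub, digest[:], raw) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed minimal SLSA provenance statement; image name and digest are placeholders.
	statement := []byte(`{"_type":"https://in-toto.io/Statement/v1",` +
		`"predicateType":"https://slsa.dev/provenance/v1",` +
		`"subject":[{"name":"registry.example/app","digest":{"sha256":"<placeholder-digest>"}}],` +
		`"predicate":{}}`)
	env, err := SignStatement(priv, "constructed-key-id", statement)
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(env, "", "  ")
	fmt.Println(string(out))
	ok, _ := VerifyEnvelope(&priv.PublicKey, env)
	fmt.Println("verified:", ok)
}
```

The envelope printed by `main` is the same shape cosign attaches to an image as an attestation, which is why interop with the cosign cli is the meaningful end-to-end test rather than hard coded signatures: any mismatch in PAE construction or in hashing before signing shows up immediately as a verification failure on the consumer side.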
  4. add slsa tests and refactor how tests are run

    since tests are run in parallel, cluster-scoped resources needed to be
    created with a different name for each of the suites
    
    Signed-off-by: Bohan Chen <[email protected]>
    chenbh committed Jan 17, 2024
    d94c937
  5. document slsa

    Signed-off-by: Bohan Chen <[email protected]>
    chenbh committed Jan 17, 2024
    18ef43d
  6. enable slsa attestations in gha e2e

    Signed-off-by: Bohan Chen <[email protected]>
    chenbh committed Jan 17, 2024
    2046f40