Extend HTTP Resolver spec to support optional hash field #8759

@aThorp96

Feature request

Add an optional hash, digest, or more appropriately named field to the HTTP resolver spec in which a user provides a hash of the content at the URL. If the field is populated, the http resolver would enforce that the http response's content hashes to the same value.

The http resolver could also have a configuration setting to require this field.

Use case

As a security-minded Tekton user, I prefer using resolvers which have some security guarantees. The git resolver provides guarantees via git hashes and the bundles resolver provides similar guarantees via the bundle digest. However, in some cases the http resolver is necessary, but as of right now there are no mechanisms to guarantee the content received from the http request is the content I expect. Further, in order to better secure the pipelines I would like to enforce that anyone authoring pipelineruns in my cluster is using secure practices.
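
The check requested above, sketched in Go as an added example; it is not part of the original issue and not Tekton's resolver code. The function name `verifyContent`, the `sha256:<hex>` value format and the `requireDigest` flag are assumptions standing in for the proposed field and the proposed configuration setting.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// verifyContent is a hypothetical helper (not Tekton's API). expected models the
// proposed optional field as "sha256:<hex>"; requireDigest models the proposed
// resolver-wide setting that makes the field mandatory.
func verifyContent(body []byte, expected string, requireDigest bool) error {
	if expected == "" {
		if requireDigest {
			return errors.New("digest is required by resolver configuration")
		}
		return nil // optional field left empty: nothing to enforce
	}
	algo, hexSum, ok := strings.Cut(expected, ":")
	if !ok || algo != "sha256" {
		return fmt.Errorf("unsupported digest %q", expected)
	}
	want, err := hex.DecodeString(hexSum)
	if err != nil || len(want) != sha256.Size {
		return fmt.Errorf("malformed sha256 digest %q", expected)
	}
	got := sha256.Sum256(body)
	// Fail closed: a caller should discard the fetched bytes on any mismatch.
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return fmt.Errorf("digest mismatch: fetched content is sha256:%x", got)
	}
	return nil
}

func main() {
	// Constructed sample: the bytes a user reviewed and the pin they recorded.
	reviewed := []byte("abc")
	pin := "sha256:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
	fmt.Println(verifyContent(reviewed, pin, true))      // pinned content matches
	fmt.Println(verifyContent([]byte("abd"), pin, true)) // content changed at the URL
	fmt.Println(verifyContent(reviewed, "", true))       // no pin, but pin is required
}
```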

Metadata

Labels

area/api: Indicates an issue or PR that deals with the API.
area/resolution: Issues related to remote resolution
help wanted: Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines.
kind/feature: Categorizes issue or PR as related to a new feature.
kind/security: Categorizes issue or PR as related to a security issue

Projects

Status

Done
