docs(cas-backends): reference docs (#140)

Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>

Author: migmartri

docs/faq.md

@@ -24,4 +24,4 @@ That said, there are [benefits](/reference/operator/contract#runner-context) for
 
 #### Does Chainloop store my Artifacts and Attestation metadata?
 
-No. They are stored in [your OCI Registry](/getting-started/setup#add-oci-repository).
+No. They are stored in [your Content-Addressable Storage (CAS)](/reference/operator/cas-backend).

docs/getting-started/setup.md

@@ -3,107 +3,4 @@ sidebar_position: 2
 title: Account Setup
 ---
 
-import Tabs from "@theme/Tabs";
-import TabItem from "@theme/TabItem";
-import CodeBlock from "@theme/CodeBlock";
-
-The attestation metadata and artifacts created by your workflows are **not stored in Chainloop but instead pushed to your [OCI registry](https://github.com/opencontainers/distribution-spec)**. That's why to have a fully functional Chainloop account, an OCI repository must be added.
-
-## Add OCI repository
-
-Setup your OCI repository by executing
-
-```bash
-$ chainloop config set-oci-repo --repo [REPO_URI] \
-                                --username [USERNAME] \
-                                --password [PASS]
-```
-
-Examples:
-
-<Tabs>
-  <TabItem value="gar" label="Google Artifact Registry" default>
-
-```bash
-  # Using json-based service account
-  # https://console.cloud.google.com/iam-admin/serviceaccounts
-
-  $ chainloop config set-oci-repo \
-    # i.e us-east1-docker.pkg.dev/my-project/chainloop-cas-devel
-    --repo [region]-docker.pkg.dev/[my-project]/[my-repository] \
-    --username _json_key \
-    --password "$(cat service-account.json)"
-```
-
-  </TabItem>
-
-  <TabItem value="github" label="GitHub packages" default>
-
-```bash
-  # Using personal access token with write:packages permissions
-  # https://github.com/settings/tokens
-
-  $ chainloop config set-oci-repo \
-    # i.e ghcr.io/chainloop-dev/chainloop-cas
-    --repo ghcr.io/[username or org]/[my-repository] \
-    --username [username] \
-    --password [personal access token]
-```
-
-  </TabItem>
-  <TabItem value="dockerhub" label="DockerHub" default>
-
-```bash
-# Create a personal access token at
-# https://hub.docker.com/settings/security
-
-$ chainloop config set-oci-repo \
-    --repo index.docker.io/[username] \
-    --username [username] \
-    --password [personal access token]
-```
-
-  </TabItem>
-  <TabItem value="ecr" label="AWS Container Registry" default>
-
-:::caution
-**AWS Container Registry is not supported yet**.
-:::
-
-  </TabItem>
-</Tabs>
-
-### Give it a try
-
-If everything went well, you should be able to upload and download artifact materials, let's give it a try
-
-```bash title="Upload a file to your OCI repository"
-$ chainloop artifact upload -f myfile
-myfile@sha256:c5cc0a2c712497c29f29c3ba11e7fcc0c3cc725ab591720db595e5d6469f3f37 ... done! [1.03KB in 0s; 5.48KB/s]
-```
-
-```bash title="Download by content digest (sha256)"
-$ chainloop artifact download -d sha256:c5cc0a2c712497c29f29c3ba11e7fcc0c3cc725ab591720db595e5d6469f3f37
-INF downloading file name=myfile to=/tmp/myfile
-INF file downloaded! path=/tmp/myfile
-```
-
-## Review configuration
-
-You can check your current context at any time by running
-
-```bash
-$ chainloop org describe
-┌──────────────────────────────────────────────────────────────────────────────────────┐
-│ Current Context                                                                      │
-├───────────────────┬──────────────────────────────────────────────────────────────────┤
-│ Logged in as      │ miguel@chainloop.dev                                             │
-├───────────────────┼──────────────────────────────────────────────────────────────────┤
-│ Organization ID   │ fe1c7a81-089a-4473-8084-4f963395be0d                             │
-│ Organization name │ Miguel's main org                                                │
-├───────────────────┼──────────────────────────────────────────────────────────────────┤
-│ OCI repository    │ europe-west1-docker.pkg.dev/redacted**********6622/chainloop-cas │
-└───────────────────┴──────────────────────────────────────────────────────────────────┘
-```
-
-Everything looks good, we are all set!
+Your Chainloop organization is now ready, let's [define our first Workflow](/getting-started/workflow-definition).

docs/getting-started/workflow-definition.mdx

@@ -176,6 +176,19 @@ Save the following token since it will not printed again:
 
 We have everything we need to integrate our CI with Chainloop!
 
-## Third-Party integrations
+## Optional setup
+
+### CAS Backend
+
+As part of an attestation process, you might want to collect different pieces of evidence such as Software Bill Of Materials (SBOMs), test results, runner logs, etc and then attach them to the final in-toto attestation. 
+
+By default, Chainloop comes pre-configured with what we call an `inline` backend. The inline backend **embeds** the pieces of evidence in the resulting attestations.
+This is useful to get started quickly but since the metadata is embedded in the attestation, their size is limited.
+
+We recommend that once you get closer to a production-ready setup, you [switch to a more robust backend](/reference/operator/cas-backend#oci-registry).
+
+Refer to [CAS Backends section](/reference/operator/cas-backend) for more information.
+
+### Third-Party integrations
 
 Optionally you can enable third-party integrations such as [DependencyTrack](/guides/dependency-track) so the received Software Bill Of Materials (SBOMs) are forwarded there for analysis.

docs/guides/dependency-track/dependency-track.mdx

@@ -16,7 +16,7 @@ Chainloop can be configured to **automatically send any [CycloneDX Software Bill
 
 <Image img={require("./overview-dark.png")} className="dark-mode-only" />
 
-If you have defined in your [Workflow Contract](/reference/operator/contract) a material of type `SBOM_CYCLONEDX_JSON`. This SBOM file, **in addition to being stored in your OCI registry, will be sent to Dependency-Track**.
+If you have defined in your [Workflow Contract](/reference/operator/contract) a material of type `SBOM_CYCLONEDX_JSON`. This SBOM file, **in addition to being stored in your [CAS Backend](/reference/operator/cas-backend), will be sent to Dependency-Track**.
 
 <CodeBlock language="yaml" title="skynet.contract.yaml">
   {ContractYAML}

docs/guides/sbom-management/sbom-management.mdx

@@ -92,7 +92,7 @@ And shortly after, add it to the previously initialized attestation process.
 chainloop att add --name sbom-cdx --value sbom.cyclonedx.json
 ```
 
-When you execute this command, it will perform two actions. Firstly, it will upload the SBOMS to a Content Addressable Storage in OCI repository that you added during the account setup. Secondly, it will verify that the content is indeed a CycloneDX.
+When you execute this command, it will perform two actions. Firstly, it will upload the SBOMS to a [Content Addressable Storage backend](../../reference/operator/cas-backend) that you added during the account setup. Secondly, it will verify that the content is indeed a CycloneDX.
 
 ### Attest and send the SBOM to Chainloop
 We send SBOMs to Chainloop for storage and additional analysis whenever we release a new version of our docs. 

docs/reference/operator/cas-backend/cas-backend-dark.png

@@ -0,0 +1,141 @@
+---
+sidebar_position: 2
+title: Content Addressable Storage (CAS) backend
+---
+
+import Image from "@theme/IdealImage";
+import Tabs from "@theme/Tabs";
+import TabItem from "@theme/TabItem";
+import CodeBlock from "@theme/CodeBlock";
+
+As part of an attestation process, you might want to collect different pieces of evidence such as Software Bill Of Materials (SBOMs), test results, runner logs, etc and then attach them to the final in-toto attestation. 
+
+Chainloop helps with this process by providing a Content Addressable Storage API proxy that:
+
+- **Abstracts away the underlying storage backend**. Currently, we support OCI registries as storage backends but you can expect blob storage, Artifactory and other storage backends to be supported in the future.  
+- Makes sure that the pieces of evidence are stored **in a tamper-proof manner**. This is achieved by storing the evidences named after their SHA256 content digest, which is calculated by the client, verified by the CAS server.
+- **Enables support of large pieces of evidence** since the content digest reference is what will be stored in the attestation. 
+
+<Image img={require("./cas-backend.png")} className="light-mode-only" />
+<Image img={require("./cas-backend-dark.png")} className="dark-mode-only" />
+
+
+## Manage backends
+
+You can setup as many CAS backends as you want, but you can only have **one enabled as default at the time**.  This **default backend will be used** during the attestation process **to store the pieces of evidence**.
+
+In Chainloop, CAS backends can be managed with the `chainloop cas-backend` command.
+
+
+```bash
+$ chainloop cas-backend ls                                              
+┌─────────────────────────────────┬──────────┬─────────────────────────────────────┬───────────────┬─────────┐
+│ LOCATION                        │ PROVIDER │ DESCRIPTION                         │ LIMITS        │ DEFAULT │
+├─────────────────────────────────┼──────────┼─────────────────────────────────────┼───────────────┼─────────┤
+│                                 │ INLINE   │ Embed artifacts content in the atte │ MaxSize: 500K │ false   │
+│                                 │          │ station (fallback)                  │               │         │
+├─────────────────────────────────┼──────────┼─────────────────────────────────────┼───────────────┼─────────┤
+│ ghcr.io/cyberdyne/chainloop-lab │ OCI      │                                     │ MaxSize: 100M │ true    │
+└─────────────────────────────────┴──────────┴─────────────────────────────────────┴───────────────┴─────────┘
+```
+
+## Backend providers
+
+:::info
+New CAS Backends will be added over time. If yours is not implemented yet, please [let us know](https://chainloop.dev/contact)
+:::
+
+### Inline (fallback)
+
+Chainloop comes pre-configured with what we call an `inline` backend.
+
+The inline backend **embeds** the pieces of evidence in the resulting attestations. This is useful to get started quickly but since the metadata is embedded in the attestation, its max size is limited.
+
+We recommend that once you get closer to a production-ready setup, you switch to a more robust backend such as an OCI registry.
+
+
+### OCI registry
+
+#### Add a new OCI registry backend
+
+<Tabs>
+  <TabItem value="gar" label="Google Artifact Registry" default>
+
+```bash
+  # Using json-based service account
+  # https://console.cloud.google.com/iam-admin/serviceaccounts
+
+  $ chainloop cas-backend add oci \
+    # i.e us-east1-docker.pkg.dev/my-project/chainloop-cas-devel
+    --repo [region]-docker.pkg.dev/[my-project]/[my-repository] \
+    --username _json_key \
+    --password "$(cat service-account.json)" \
+    --default
+```
+
+  </TabItem>
+
+  <TabItem value="github" label="GitHub packages" default>
+
+```bash
+  # Using personal access token with write:packages permissions
+  # https://github.com/settings/tokens
+
+  $ chainloop cas-backend add oci \
+    # i.e ghcr.io/chainloop-dev/chainloop-cas
+    --repo ghcr.io/[username or org]/[my-repository] \
+    --username [username] \
+    --password [personal access token] \
+    --default
+```
+
+  </TabItem>
+  <TabItem value="dockerhub" label="DockerHub" default>
+
+```bash
+# Create a personal access token at
+# https://hub.docker.com/settings/security
+
+$ chainloop cas-backend add oci \
+    --repo index.docker.io/[username] \
+    --username [username] \
+    --password [personal access token] \
+    --default
+```
+
+  </TabItem>
+  <TabItem value="ecr" label="AWS Container Registry" default>
+
+:::caution
+**AWS Container Registry is not supported yet**.
+:::
+
+  </TabItem>
+</Tabs>
+
+#### Rotate credentials
+
+```bash
+chainloop cas-backend update oci --id [BACKEND_ID] --username [NEW_USERNAME] --password [NEW_PASSWORD]
+```
+
+#### Set as default
+
+```bash
+chainloop cas-backend update oci --id [BACKEND_ID] --default=true 
+```
+
+## Give it a try
+
+If everything went well, you should be able to upload and download artifact materials, let's give it a try
+
+```bash title="Upload a file to your OCI repository"
+$ chainloop artifact upload -f myfile
+myfile@sha256:c5cc0a2c712497c29f29c3ba11e7fcc0c3cc725ab591720db595e5d6469f3f37 ... done! [1.03KB in 0s; 5.48KB/s]
+```
+
+```bash title="Download by content digest (sha256)"
+$ chainloop artifact download -d sha256:c5cc0a2c712497c29f29c3ba11e7fcc0c3cc725ab591720db595e5d6469f3f37
+INF downloading file name=myfile to=/tmp/myfile
+INF file downloaded! path=/tmp/myfile
+```

docs/reference/operator/cas-backend/cas-backend.mdx

@@ -1,6 +1,6 @@
 schemaVersion: v1
 materials:
-  # SBOMs will be uploaded to your OCI registry and referenced in the attestation
+  # SBOMs will be uploaded to the CAS Backend of your choice, such as an OCI registry and referenced in the attestation
   # Additionally they can be sent to any downstream integration for analysis
   # i.e https://docs.chainloop.dev/guides/dependency-track/
   - type: SBOM_CYCLONEDX_JSON