Reproducible/deterministic bundles

[zregvart]

Feature request

Currently if I run tkn bundle push with the same set files I will get two different images (different layer and manifest digests). This is due to the bundle builder setting the time to the current time and because I might specify different ordering when providing the files.
It would be beneficial for caching and provenance to have the option to build the bundle that is reproducible, i.e. deterministic based on the inputs.

I propose adding a command line parameter (e.g. --ctime) to set the created at time and to sort the layers of the manifest based on their digest by default. I think this should lead to reproducible/deterministic bundle builds.

Happy to contribute a pull request for this.

Use case

Some argumentation for reproducible builds can be found on https://reproducible-builds.org/. It would also be useful for caching that the image is unchanged unless the files composing the image have changed.

UI Example

For example if I run:

$ tkn bundle push -f one.yaml -f two.yaml registry.io/repository/bundle:latest --ctime 1970-01-01
$ tkn bundle push -f two.yaml -f one.yaml registry.io/repository/bundle:latest --ctime 1970-01-01

The registry.io/repository/bundle:latest would be unchanged by the second invocation.