Begin exploration of an trust path for specified, unsigned images

[coyote240]

Fixes: #1653

Summary

Intended to address the referenced issue, where a user must allow a public image to be admitted without a signature.

In this use case, a separate ClusterImagePolicy would be created with a minimal match for the public image, and a single "trusted" authority specified:

apiVersion: cosigned.sigstore.dev/v1alpha1
kind: ClusterImagePolicy
metadata:
  name: image-policy
spec:
  images:
  - glob: gcr.io/knative-releases/knative.dev/serving/cmd/queue@
  authorities:
  - trusted:
    - trust: implicit
    - expiry: <iso datestring>

I'm proposing an optional expiration be added, though this may be a bit much.

@vaikas @hectorj2f @DennyHoang

[codecov-commenter]

Codecov Report

Merging #1877 (9cdd921) into main (8c5e8db) will decrease coverage by 0.03%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             main    #1877      +/-   ##
==========================================
- Coverage   33.37%   33.34%   -0.04%     
==========================================
  Files         146      146              
  Lines        9378     9378              
==========================================
- Hits         3130     3127       -3     
- Misses       5875     5877       +2     
- Partials      373      374       +1     

Impacted Files	Coverage Δ
...apis/cosigned/v1alpha1/clusterimagepolicy_types.go	0.00% <ø> (ø)
pkg/cosign/tuf/client.go	61.68% <0.00%> (-0.82%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 8c5e8db...9cdd921. Read the comment docs.

[github-actions]

This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 10 days.

[coyote240]

Closing as stale, the project has moved on.