Add TrustedRootJSON to TrustRootSpec

[codysoyland]

This adds TrustedRootJSON to the TrustRootSpec to allow using of the TrustedRootJSON spec in air-gapped environments.

usage:

apiVersion: policy.sigstore.dev/v1alpha1
kind: TrustRoot
metadata:
  name: my-trusted-root
spec:
  trustedRootJSON: |
    {
      "mediaType": "application/vnd.dev.sigstore.trustedroot+json;version=0.1",
      "certificateAuthorities": [
        {
...

Note this uses type string. We could alternatively use type []byte for this, which would mean that the trustedRootJSON value would need to be base64-encoded. That would be perhaps less prone to human-error in indentation. I'm happy to make that change if deemed better by the maintainers.

Fixes #1704

Summary

Release Note

Documentation

[federico-falconieri-form3]

@malancas @hectorj2f @vaikas what do you think of this one?

[vaikas]

Regarding the format, I think you can create the json as a string as a user and not worry about the indentation , so not sure if it's worth doing the roundtrip to/from base64, but I don't really feel strongly about that. The validation here should catch any indentation errors:
https://github.com/sigstore/policy-controller/pull/1705/files#diff-b3bd6cb5089d48b1e5b33b8a00ea3b4239e42b17d34ff6cbc92227caa7c272a6R49

Can you add a test for this, something like:
https://github.com/sigstore/policy-controller/blob/main/test/e2e_test_cluster_image_policy_with_trustroot_repository.sh

Another way to do this might be to hoist the api definition to v1beta1 for trustroots, and at that point change the previous field(s) to not support the old version, and only support the TrustedRootJSON.

As in, the trust root is still in v1alpha1, and I'm curious if that should be hoisted to v1beta1, and get a deprecation plan for getting rid of v1alpha1 (obviously not part of this PR, but just thinking out loud).

[codysoyland]

Can you add a test for this, something like:
https://github.com/sigstore/policy-controller/blob/main/test/e2e_test_cluster_image_policy_with_trustroot_repository.sh

👍🏻

As in, the trust root is still in v1alpha1, and I'm curious if that should be hoisted to v1beta1, and get a deprecation plan for getting rid of v1alpha1 (obviously not part of this PR, but just thinking out loud).

No strong feelings here... perhaps the deprecation plan would be to support both in v1alpha1 and only trustroot json in v1beta1? I'm okay with either option!

[vaikas]

Yeah, since the old 'trustroot' was before the proto came to be, I don't think carrying that forward is a good move, and overall deprecating the v1alpha1 is probably the right thing to do sooner rather than later so folks have time to move off of it to v1beta1:
https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition-versioning/

So, I'd vote for trustrootjson in v1beta1, deprecate the whole v1alpha1 (all the crds, not just the trustroot).