Improve cosign configuration options

[hiddeco]

For future improvements these are the things I think we should address:

• appending signature to transparency log is the default in v2 (where it was only done for keyless in v1) and we can opt out. We should provide that option.
• verify image using keyless verification with the given certificate chain and identity parameters, without Fulcio roots (for BYO PKI): cosign verify --cert-chain chain.crt --certificate-oidc-issuer https://issuer.example.com --certificate-identity [email protected] <IMAGE>
• k8s-keychain, whether to use the kubernetes keychain instead of the default keychain (supports workload identity).
• rekor-url, for private rekor instances
• signature-digest-algorithm, the default is sha-256

There is also the topic of sbom attachement but there is different discussion for that.

Originally posted by @souleb in #1096 (comment)

[timaebi]

Adding options to the CRD to verify the oidc issuer and the certificate identity would be very helpful.

[stefanprodan]

@timaebi see #1250