Add TrustedRootJSON to TrustRootSpec

[codysoyland]

This adds TrustedRootJSON to the TrustRootSpec to allow using of the TrustedRootJSON spec in air-gapped environments.

usage:

apiVersion: policy.sigstore.dev/v1alpha1
kind: TrustRoot
metadata:
  name: my-trusted-root
spec:
  trustedRootJSON: |
    {
      "mediaType": "application/vnd.dev.sigstore.trustedroot+json;version=0.1",
      "certificateAuthorities": [
        {
...

Note this uses type string. We could alternatively use type []byte for this, which would mean that the trustedRootJSON value would need to be base64-encoded. That would be perhaps less prone to human-error in indentation. I'm happy to make that change if deemed better by the maintainers.

Fixes #1704

Summary

Release Note

Documentation

[federico-falconieri-form3]

@malancas @hectorj2f @vaikas what do you think of this one?

[vaikas]

Regarding the format, I think you can create the json as a string as a user and not worry about the indentation , so not sure if it's worth doing the roundtrip to/from base64, but I don't really feel strongly about that. The validation here should catch any indentation errors:
https://github.com/sigstore/policy-controller/pull/1705/files#diff-b3bd6cb5089d48b1e5b33b8a00ea3b4239e42b17d34ff6cbc92227caa7c272a6R49

Can you add a test for this, something like:
https://github.com/sigstore/policy-controller/blob/main/test/e2e_test_cluster_image_policy_with_trustroot_repository.sh

Another way to do this might be to hoist the api definition to v1beta1 for trustroots, and at that point change the previous field(s) to not support the old version, and only support the TrustedRootJSON.

As in, the trust root is still in v1alpha1, and I'm curious if that should be hoisted to v1beta1, and get a deprecation plan for getting rid of v1alpha1 (obviously not part of this PR, but just thinking out loud).