sigstore/cosign-gatekeeper-provider

Allow the Rekor URL to be configured

richardjennings opened this issue · 1 comment

Currently the cosign.VerifyImageSignatures call will try to use either a bring-your-own PKI chain, if specified via the environment variable SIGSTORE_ROOT_FILE, or the public Fulcio chain, as instructed by the cosign.CheckOpts provided. A signature verifier is created with these details and used to verify the OCI signature.

As the Rekor client in the cosign.CheckOpts is not nil, the code will (in the absence of a prior error) reach out to the default public Rekor to VerifyBundle and tlogValidateCertificate. Currently, the only way to use cosign-gatekeeper-provider requires using the public-good Rekor transparency log.

Please allow the Rekor URL to be configurable so that the provider is usable in circumstances where reaching out to a public Rekor instance is not viable.

I am happy to create a PR if this suggestion is accepted.

Hey @richardjennings, overall I agree with you. We currently only support the public Rekor instance, which is a limitation; it is hardcoded to https://rekor.sigstore.dev. Making this configurable would be nice to have. Maybe we can introduce a new flag --rekor-url or a new config infra (yaml).

Feel free to submit a PR for this! I assigned you.
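As an added illustration of the change discussed in this thread (it is not code from cosign-gatekeeper-provider or from either participant), the following stdlib-only Go sketch resolves the Rekor base URL with the precedence flag > environment variable > public default and validates it before it would be handed to cosign's Rekor client constructor and placed in cosign.CheckOpts. The flag name --rekor-url follows the maintainer's suggestion; the environment variable name REKOR_URL and the --insecure-rekor flag are assumptions made for this example, not names the project defines. The https-only check exists so a misconfigured URL cannot silently downgrade transparency-log lookups to plain http.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"net/url"
	"os"
	"strings"
)

// DefaultRekorURL is the Sigstore public-good Rekor instance that the
// provider currently has hardcoded.
const DefaultRekorURL = "https://rekor.sigstore.dev"

// RekorURLEnv is a hypothetical environment variable name used here for
// illustration only; cosign-gatekeeper-provider does not define it.
const RekorURLEnv = "REKOR_URL"

// ResolveRekorURL picks the Rekor base URL with precedence
// flag > environment variable > public default, then validates it.
// allowInsecure permits a plain-http URL (for example an in-cluster test
// Rekor); otherwise only https is accepted so tlog lookups cannot be
// downgraded by a stray config value.
func ResolveRekorURL(flagValue, envValue string, allowInsecure bool) (string, error) {
	raw := strings.TrimSpace(flagValue)
	if raw == "" {
		raw = strings.TrimSpace(envValue)
	}
	if raw == "" {
		raw = DefaultRekorURL
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", fmt.Errorf("rekor url %q: %w", raw, err)
	}
	switch u.Scheme {
	case "https":
	case "http":
		if !allowInsecure {
			return "", fmt.Errorf("rekor url %q uses http; allow insecure explicitly to permit it", raw)
		}
	default:
		return "", fmt.Errorf("rekor url %q: unsupported scheme %q", raw, u.Scheme)
	}
	if u.Host == "" {
		return "", errors.New("rekor url has no host")
	}
	if u.User != nil || u.RawQuery != "" || u.Fragment != "" {
		return "", fmt.Errorf("rekor url %q: credentials, query and fragment are not allowed", raw)
	}
	// Normalise: drop trailing slashes so client path joins are predictable.
	u.Path = strings.TrimRight(u.Path, "/")
	return u.String(), nil
}

func main() {
	rekorFlag := flag.String("rekor-url", "", "Rekor base URL (default: "+DefaultRekorURL+")")
	insecure := flag.Bool("insecure-rekor", false, "allow a plain-http Rekor URL (assumed flag, for illustration)")
	flag.Parse()

	u, err := ResolveRekorURL(*rekorFlag, os.Getenv(RekorURLEnv), *insecure)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(2)
	}
	// The resolved string is what would be passed to cosign's Rekor client
	// constructor and set as CheckOpts.RekorClient in the real provider.
	fmt.Println("using Rekor at", u)
}
```

Run with `go run . --rekor-url https://rekor.corp.example/` or with the environment variable set; with neither, the public-good instance is used, matching today's hardcoded behaviour.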