Allow exclusion of cosign objects from the image repository database

[stefanprodan]

When using cosign to sign container images, a standalone object is push to the registry. Our image scanner thinks this is a valid container image tag (GHCR thinks that too) and could potentially crash live system if an image policy matches the cosign object.

For example I've signed flagger-loadtester, GHCR shows the signature object as a container image tag:

As expected Flux adds this tag to its database:

$ flux create image repository flagger-loadtester --image ghcr.io/fluxcd/flagger-loadtester --interval 20m

$ flux get images all
NAME                              	READY	MESSAGE                      	LAST SCAN                	SUSPENDED 
imagerepository/flagger-loadtester	True 	successful scan, found 2 tags	2021-08-24T16:08:15+03:00	False 

To avoid deploying cosign signatures as container images onto clusters, I propose we add a field to the ImageRepository API to allow people to exclude tags based on regex expression, e.g.:

apiVersion: image.toolkit.fluxcd.io/v1beta1
kind: ImageRepository
metadata:
  name: flagger-loadtester
  namespace: flux-system
spec:
  image: ghcr.io/fluxcd/flagger-loadtester
  interval: 20m0s
  exclusionList:
    - ".*sig$"

[aryan9600]

We could have a default to ignore all tags ending with .sig in case exclusionList is unspecified.

[aryan9600]

A better name for this field could be IgnoreSuffix? @stefanprodan
This would not suit the regex approach.