feat: add SubjectExpression CEL field to Identity for dynamic keyless signing#64

Open
jzeng4 wants to merge 1 commit intokyverno:mainfrom
jzeng4:juzeng/cel
Conversation

@jzeng4 jzeng4 commented Mar 13, 2026

Summary

  • Add a new optional subjectExpression field to the Identity struct in ImageValidatingPolicy
  • The field accepts a CEL expression evaluated at admission time; the result is used as a regexp match against the certificate SAN URI
  • This is a backward-compatible addition: existing subject, subjectRegExp, issuer, and issuerRegExp fields are unchanged
  • Follows the message/messageExpression convention used elsewhere in Kyverno

Motivation

When verifying keyless (Fulcio/Sigstore) image signatures in multi-tenant clusters, the expected certificate SAN URI often needs to be derived from runtime context — for example, the namespace of the requesting object or the image reference itself. The static subjectRegExp field cannot express this.

Related issue

Fixes kyverno/kyverno#15398

Next PR: kyverno/kyverno#15479

Example

identities:
  - issuer: https://token.actions.githubusercontent.com
    # derive the subject regexp from the namespace at admission time
    subjectExpression: '"^https://github\\.com/my-org/" + object.metadata.namespace + "/.*"'

Test plan

  • Unit tests in pkg/imageverification/variables/attestors_test.go cover static values, subject-from-namespace, subject-from-image, and error cases
  • No changes to existing field types — API compatibility preserved
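The matching step this PR describes, as an added, stand-alone Go example (not Kyverno's own code): the evaluated expression result is compiled as a regexp and matched against the certificate SAN URI, with issuer mismatch, empty or invalid patterns and a missing namespace handled as the error cases the test plan mentions. CEL evaluation is stood in for by plain Go functions over a constructed admission context; the type and function names, the ghcr.io-to-github.com repository convention and the certificate values are assumptions, and the namespace is regexp-quoted so that a caller-controlled value can never widen the pattern.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// AdmissionContext stands in for the admission-time variables a subjectExpression
// can reference (the requesting object's namespace and the image under review).
type AdmissionContext struct {
	Namespace string
	Image     string
}

// SubjectExpr stands in for an evaluated CEL expression: given the admission
// context it returns the regexp that the certificate SAN URI has to match.
type SubjectExpr func(AdmissionContext) (string, error)

// Identity mirrors the issuer plus the new dynamic subject field (hypothetical struct).
type Identity struct {
	Issuer            string
	SubjectExpression SubjectExpr
}

// SignerCert is the subset of the Fulcio certificate checked here:
// the OIDC issuer and the SAN URI naming the signing workflow.
type SignerCert struct {
	Issuer string
	SANURI string
}

// matchIdentity evaluates the expression at admission time, compiles its result as a
// regexp and matches it against the SAN URI. Evaluation and compile failures are
// returned as errors so the policy fails closed rather than silently not matching.
func matchIdentity(id Identity, ctx AdmissionContext, cert SignerCert) (bool, error) {
	if id.Issuer != "" && id.Issuer != cert.Issuer {
		return false, nil
	}
	if id.SubjectExpression == nil {
		return false, errors.New("identity has no subjectExpression")
	}
	pattern, err := id.SubjectExpression(ctx)
	if err != nil {
		return false, fmt.Errorf("evaluating subjectExpression: %w", err)
	}
	if pattern == "" {
		return false, errors.New("subjectExpression evaluated to an empty pattern")
	}
	re, err := regexp.Compile(pattern)
	if err != nil {
		return false, fmt.Errorf("subjectExpression result is not a valid regexp: %w", err)
	}
	return re.MatchString(cert.SANURI), nil
}

// subjectFromNamespace is the PR's example expression written in Go: the namespace
// selects the GitHub repository whose workflows may sign images deployed there.
// The value is quoted so a namespace cannot widen the pattern with metacharacters.
func subjectFromNamespace(ctx AdmissionContext) (string, error) {
	if ctx.Namespace == "" {
		return "", errors.New("object has no namespace")
	}
	return "^https://github\\.com/my-org/" + regexp.QuoteMeta(ctx.Namespace) + "/.*$", nil
}

// subjectFromImage derives the repository from the image reference instead, under the
// constructed convention that ghcr.io/<org>/<repo> is built by github.com/<org>/<repo>.
func subjectFromImage(ctx AdmissionContext) (string, error) {
	ref := ctx.Image
	if i := strings.Index(ref, "@"); i >= 0 { // drop a digest
		ref = ref[:i]
	}
	if i := strings.LastIndex(ref, ":"); i >= 0 && !strings.Contains(ref[i:], "/") { // drop a tag
		ref = ref[:i]
	}
	parts := strings.SplitN(ref, "/", 2)
	if len(parts) != 2 || parts[0] != "ghcr.io" {
		return "", fmt.Errorf("image %q is not a ghcr.io reference", ctx.Image)
	}
	return "^https://github\\.com/" + regexp.QuoteMeta(parts[1]) + "/.*$", nil
}

func main() {
	// Constructed certificate values, not taken from a real signature.
	cert := SignerCert{
		Issuer: "https://token.actions.githubusercontent.com",
		SANURI: "https://github.com/my-org/payments/.github/workflows/release.yml@refs/heads/main",
	}
	id := Identity{Issuer: cert.Issuer, SubjectExpression: subjectFromNamespace}
	for _, ns := range []string{"payments", "billing"} {
		ok, err := matchIdentity(id, AdmissionContext{Namespace: ns}, cert)
		fmt.Printf("namespace %-9s match=%v err=%v\n", ns, ok, err)
	}
}
```

Two design points worth carrying into a real policy: anchor the derived pattern with `^` and `$` so a workflow in a similarly named repository cannot match, and treat an expression error or an uncompilable result as a verification failure rather than as "no identity matched".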

jzeng4 force-pushed the juzeng/cel branch 2 times, most recently from 3faccc1 to 37ae598 on March 13, 2026 23:57
… signing

Add a new optional SubjectExpression field to the Identity struct, which accepts a CEL expression evaluated at admission time. The result is used as a regexp match against the certificate SAN URI, enabling dynamic subject matching (e.g. based on namespace or image name) without changing existing Subject/SubjectRegExp fields.

Signed-off-by: Junyuan Zeng <jzeng04@gmail.com>
Development

Successfully merging this pull request may close these issues.

Feature Request: CEL Expression Support for Identity Fields in ImageValidatingPolicy