feat: add sbom verifier to helm chart

[susanshi]

Description

Doc walk through at notaryproject/ratify-web#44
Sample command:

helm install ratify
./charts/ratify --atomic
--namespace gatekeeper-system
--set featureFlags.RATIFY_CERT_ROTATION=true
--set sbom.enabled=true
--set sbom.disallowedLicenses={"Zlib"}
--set sbom.disallowedPackages[0].name="busybox"
--set sbom.disallowedPackages[0].version="1.36.1-r0"

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):

Fixes #

Type of change

Please delete options that are not relevant.

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Helm Chart Change (any edit/addition/update that is necessary for changes merged to the main branch)
• This change requires a documentation update

How Has This Been Tested?

Validation #1 , modiefied local chart to populate disallowed license and package
validation #2, manual testing with installing command below:

helm install ratify
./charts/ratify --atomic
--namespace gatekeeper-system
--set featureFlags.RATIFY_CERT_ROTATION=true
--set sbom.enabled=true
--set sbom.disallowedLicenses={"Zlib"}
--set sbom.disallowedPackages[0].name="busybox"
--set sbom.disallowedPackages[0].version="1.36.1-r0"

Checklist:

• Does the affected code have corresponding tests?
• Are the changes documented, not just with inline documentation, but also with conceptual documentation such as an overview of a new feature, or task-based documentation like a tutorial? Consider if this change should be announced on your project blog.
• Does this introduce breaking changes that would require an announcement or bumping the major version?
• Do all new files have appropriate license header?

Post Merge Requirements

• MAINTAINERS: manually trigger the "Publish Package" workflow after merging any PR that indicates Helm Chart Change

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (74e575a) 55.09% compared to head (dfe622d) 55.09%.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1204   +/-   ##
=======================================
  Coverage   55.09%   55.09%           
=======================================
  Files         104      104           
  Lines        6865     6865           
=======================================
  Hits         3782     3782           
  Misses       2751     2751           
  Partials      332      332           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[binbin-li]

one minor comment, lgtm overall

[binbin-li]

wonder if we should provide an example for package name/version pair?

[akashsinghal]

+1. You could consider pointing to the doc if the plan is to add that there. Not a blocker for this PR for me

[susanshi]

thanks , I will merge this PR first to unblock release changes. and will add the example in a separate PR.