(feat) Add supply chain verification for Helm charts

[gianlucam76]

Sveltos can now verify the integrity and origin of a Helm chart before
deploying it. Two mechanisms are supported, each targeting a different
chart source.

For charts pulled from OCI registries, Sveltos verifies the Cosign signature
attached to the chart. Two providers are available:

1. The PublicKey provider checks the signature against a static key stored in a Kubernetes
   Secret on the management cluster. No Sigstore transparency log or certificate authority is
   contacted. Only the public key and the signature stored in the OCI registry are used.
2. The Keyless provider is designed for CI-signed charts: it verifies that the Fulcio-issued
   certificate in the signature was granted to the expected OIDC identity (issuer and subject
   regexp), and that the signing event was recorded in the Rekor transparency log. This means
   the chart must have been signed by a specific pipeline in a specific repository, not just by
   anyone who holds a key.

Both providers support the Sigstore Bundle v0.3 OCI referrer format produced by current cosign
releases and fall back to the legacy tag-based signature format automatically.

For charts pulled from HTTP repositories, Sveltos verifies the Helm .prov provenance file using a GPG
keyring stored in a Kubernetes Secret. The file contains a checksum and a PGP signature over the chart
archive, and verification confirms the chart has not been modified since it was signed.

In both cases, if verification fails the deployment is blocked and the failure reason is recorded on the
ClusterSummary status. Charts without a verification field deploy as before.

signatureVerification:
  provider: Keyless
  matchOIDCIdentity:
    - issuer: "^https://token.actions.githubusercontent.com$"
      subject: "^https://github.com/myorg/myapp/.*$"

provenanceVerification:
  keyringSecretRef:
    name: my-gpg-keyring