add sealed-secrets package (#44219)

adds sealed-secrets and sealed-secrets-kubeseal with provides:kubeseal
via this patch.

---------

Signed-off-by: kranurag7 <81210977+kranurag7@users.noreply.github.com>
Co-authored-by: Furkan Türkal <furkan.turkal@hotmail.com>
Co-authored-by: Wojciech Kocjan <wojciech.kocjan@chainguard.dev>

Author: 3 people

sealed-secrets.yaml

@@ -0,0 +1,116 @@
+package:
+  name: sealed-secrets
+  version: 0.28.0
+  epoch: 0
+  description: A Kubernetes controller and tool for one-way encrypted Secrets
+  copyright:
+    - license: Apache-2.0
+
+pipeline:
+  - uses: git-checkout
+    with:
+      repository: https://github.com/bitnami-labs/sealed-secrets
+      tag: v${{package.version}}
+      expected-commit: 6b1b331a2cd3a58569ce4d819a7cabc59c0a3e50
+
+  - uses: go/bump
+    with:
+      deps: |-
+        golang.org/x/crypto@v0.35.0
+        golang.org/x/oauth2@v0.27.0
+        golang.org/x/net@v0.36.0
+
+  - uses: go/build
+    with:
+      packages: ./cmd/controller
+      output: controller
+      ldflags: -X main.VERSION=${{package.version}}
+
+subpackages:
+  - name: ${{package.name}}-kubeseal
+    dependencies:
+      provides:
+        - kubeseal=${{package.full-version}}
+    pipeline:
+      - uses: go/build
+        with:
+          packages: ./cmd/kubeseal
+          output: kubeseal
+          ldflags: -X main.VERSION=${{package.version}}
+    test:
+      pipeline:
+        - runs: |
+            kubeseal --version | grep ${{package.version}}
+
+  - name: ${{package.name}}-kubeseal-bitnami-compat
+    description: "compat package with bitnami/sealed-secrets-kubeseal image"
+    pipeline:
+      - runs: |
+          mkdir -p ${{targets.contextdir}}/opt/bitnami/sealed-secrets-kubeseal/bin/
+          ln -s /usr/bin/kubeseal ${{targets.contextdir}}/opt/bitnami/sealed-secrets-kubeseal/bin/kubeseal
+          ln -s /usr/bin/kubeseal ${{targets.contextdir}}/kubeseal
+    test:
+      environment:
+        contents:
+          packages:
+            - ${{package.name}}-kubeseal
+      pipeline:
+        - runs: |
+            stat /opt/bitnami/sealed-secrets-kubeseal/bin/kubeseal
+            stat /kubeseal
+            /opt/bitnami/sealed-secrets-kubeseal/bin/kubeseal --version | grep ${{package.version}}
+
+  - name: ${{package.name}}-bitnami-compat
+    description: "compat package with bitnami/sealed-secrets-controller image"
+    pipeline:
+      - runs: |
+          mkdir -p ${{targets.contextdir}}/opt/bitnami/sealed-secrets-controller/bin/
+          ln -s /usr/bin/controller ${{targets.contextdir}}/opt/bitnami/sealed-secrets-controller/bin/controller
+          ln -s /usr/bin/controller ${{targets.contextdir}}/controller
+    test:
+      environment:
+        contents:
+          packages:
+            - ${{package.name}}
+      pipeline:
+        - runs: |
+            stat /opt/bitnami/sealed-secrets-controller/bin/controller
+            stat /controller
+            /opt/bitnami/sealed-secrets-controller/bin/controller --version | grep ${{package.version}}
+
+update:
+  enabled: true
+  github:
+    identifier: bitnami-labs/sealed-secrets
+    strip-prefix: v
+
+# only passes with docker runner
+# MELANGE_EXTRA_OPTS="--runner docker" make test/sealed-secrets
+test:
+  environment:
+    environment:
+      KUBERNETES_SERVICE_HOST: "127.0.0.1"
+      KUBERNETES_SERVICE_PORT: 32764
+  pipeline:
+    - name: version test
+      runs: |
+        controller --version | grep ${{package.version}}
+    - uses: test/kwok/cluster
+    - uses: test/daemon-check-output
+      with:
+        start: /usr/bin/controller
+        setup: |
+          mkdir -p /var/run/secrets/kubernetes.io/serviceaccount
+          CA=$(kubectl config view --raw -o jsonpath='{.clusters[0].cluster.certificate-authority}')
+          cp $CA /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+          kubectl create serviceaccount default
+          kubectl create token default > /var/run/secrets/kubernetes.io/serviceaccount/token
+          kubectl create role secrets-admin --verb='*' --resource=secrets
+          kubectl create rolebinding default-secrets-admin-binding --role=secrets-admin --serviceaccount=default:default
+        timeout: 30
+        expected_output: |
+          Starting sealed-secrets controller
+          Searching for existing private keys
+          New key written
+          HTTP server serving
+          HTTP metrics server serving