
Commit 73f0459

feat(charts): OpenShift compatibility + read-only rootfs support for collab & intel
Fixes: #177

This change makes the codetogether-collab and codetogether-intel charts work out-of-the-box on both vanilla Kubernetes and OpenShift (restricted-v2 SCC), and adds first-class support for readOnlyRootFilesystem via init containers.

Key changes
-----------
Collab
- Add initContainer `prepare-volatile` to create writable runtime paths when readOnlyRootFilesystem=true (e.g., /run, /var/log/nginx, /var/cache/nginx, and the existing /run/volatile/* tree).
- Conditionally handle OpenShift vs vanilla:
  - OpenShift: do NOT set runAsUser/runAsGroup/fsGroup; let SCC assign UIDs. Keep runAsNonRoot and disallow privilege escalation. Avoid chown. Use `install -d -m 0775/2775` for group-write with sticky set as needed.
  - Vanilla: init runs as root (UID 0) to chown created dirs to the non-root runtime user (defaults to 1000:1000); main container runs non-root.
- When readOnlyRootFilesystem=true:
  - Mount EmptyDir volumes to /run, /tmp (Memory), /var/log/nginx, /var/cache/nginx.
  - Add matching volumeMounts.
  - Keep probes and ports unchanged.
- Values: add/clarify `openshift.enabled` flag, securityContext defaults, imageCredentials usage, and sample values for both environments.

Intel
- Add initContainer `prepare-runtime` to create /var/log/nginx and /var/cache/nginx and make them writable under read-only rootfs.
- Same OpenShift vs vanilla split as collab (no explicit UID/GID on OCP; root init + non-root app for vanilla).
- Mount EmptyDir + volumeMounts for /run, /tmp (Memory), /var/log/nginx, /var/cache/nginx when readOnlyRootFilesystem=true.
- Preserve existing envs (AI mode, HQ base URL, Java options, etc.).

Why
---
- Fixes SCC denials on OpenShift when explicit runAsUser/fsGroup were set.
- Fixes initContainer permission errors (e.g., "Operation not permitted" on /run) by avoiding chown on OpenShift and using 2775 with umask 002.
- Enables secure read-only rootfs operation by provisioning necessary writable paths via EmptyDir.

Testing
-------
- OpenShift 4.x:
  - `openshift.enabled=true`, remove fsGroup=0, do not set runAsUser/runAsGroup.
  - initContainers succeed; pods transition to Running.
- Vanilla (DigitalOcean Kubernetes):
  - `openshift.enabled=false`, readOnlyRootFilesystem=true.
  - init runs as root, chowns to 1000:1000; app runs as non-root.
  - Pods healthy; readiness/liveness OK.

Breaking changes
----------------
- None functionally; however, when enabling readOnlyRootFilesystem, the chart now requires the EmptyDir mounts (added by default when the flag is true).
1 parent 2a06b82 commit 73f0459

2 files changed

Lines changed: 3 additions & 3 deletions


charts/intel/templates/deployment.yaml

Lines changed: 2 additions & 2 deletions
@@ -52,12 +52,12 @@ spec:
5252
{{- else }}
5353
- |
5454
set -eu
55-
umask 002
5655
for d in \
56+
/run \
5757
/var/log/nginx \
5858
/var/cache/nginx
5959
do
60-
install -d -m 2775 "$d"
60+
install -d -m 0775 "$d"
6161
done
6262
chown -R {{ default 1000 .Values.securityContext.runAsUser }}:{{ default 1000 .Values.securityContext.runAsGroup | default 1000 }} \
6363
/run /var/log/nginx /var/cache/nginx
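Review bot: dropping `umask 002` and changing `install -d -m 2775` to `-m 0775` in this vanilla (`else`) branch is at odds with the commit message's "Why" section, which says the permission errors are fixed "by avoiding chown on OpenShift and using 2775 with umask 002"; since this branch chowns the directories to the runtime UID:GID right after the loop, the setgid bit and umask are indeed not needed here, but the message (or a one-line comment above the `for` loop) should state that the 2775/umask 002 approach is the OpenShift branch only, so the two branches are not read as accidentally divergent. Minor, on the unchanged `chown` line: `{{ default 1000 .Values.securityContext.runAsGroup | default 1000 }}` applies the default twice; `{{ .Values.securityContext.runAsGroup | default 1000 }}` is enough and matches the `runAsUser` expression beside it.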

charts/intel/values.yaml

Lines changed: 1 addition & 1 deletion
@@ -142,7 +142,7 @@ securityContext: {} #defaults
142142
# - ALL
143143
# readOnlyRootFilesystem: true # enable for read-only setup
144144
# runAsNonRoot: true
145-
# runAsUser: 1000 # Use '0' for root user, in vanilla k8s you can use any non-root uid
145+
# runAsUser: 1000 # Use '0' for root user
146146
# runAsGroup: 1000
147147
# In openshift, dont set runAsUser or runAsGroup, let OpenShift assign the values
148148
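Review bot: removing ", in vanilla k8s you can use any non-root uid" from the `runAsUser` comment drops the only hint that on vanilla clusters the init container chowns the runtime directories to whatever UID/GID is configured, so any non-root value works; if the intent is to steer users toward the default of 1000, say so explicitly, otherwise keep the clause. While this comment block is being touched, the unchanged line below ("In openshift, dont set runAsUser or runAsGroup") could be tightened to "don't".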
