
IGN-15040: Enhance Security Context Defaults#9

Merged
thirdgen88 merged 4 commits into inductiveautomation:main from thirdgen88:IGN-15040-enhance-security-context-defaults
Apr 20, 2026

Conversation

@thirdgen88
Member

📖 Background

The existing defaults for the Ignition Helm Chart already enforced non-root execution, but it didn't harden container-level security context configuration any further. As a result, custom values overrides were required to successfully deploy into namespaces with "restricted" Pod Security Standards profile.

Since most use cases will fall under the constraints of "restricted" profile, let's adjust the defaults.

⚙️ Changes

This PR refactors the existing application of pod-level security context configuration to a shared helper template to reduce duplication. We also introduce gateway.securityContext and gateway.preconfigure.securityContext values that default to the following (via another new shared helper template):

securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL
  seccompProfile:
    type: RuntimeDefault

The shared helper templates also introduce the ability to omit the securityContext fields altogether by overriding the associated values definitions to "null". This shouldn't ever be needed but was simple enough to add as a capability along with unit test coverage.

A fix was applied to the Gateway Network and Web Server TLS certificate rotation jobs where a custom podSecurityContext values override was in place. The previous configuration produced incorrectly indented YAML in this configuration and errored out. Unit tests for the aforementioned CronJob resources were added.

Finally, during implementation, I noticed that many of the unit tests were using isSubset instead of equal assertions. This could allow extra unintended values to slip past the tests. Thankfully, I was able to change them out via a7217f9 without any actual Helm Chart changes. These tests are now hardened up for the future.

📝 Reviewer Notes

The primary changes are in 928b63b and 774758b. As mentioned above, a7217f9 is just unit test hardening and doesn't impact the Helm Chart rendering at all.

☑️ QA Notes

We'll want to test a standard install to make sure that the defaults still run as expected.

For testing the new compatibility with "restricted" Pod Security Standards profile, create a dedicated namespace with enforcement enabled, e.g.:

apiVersion: v1
kind: Namespace
metadata:
  name: ignition-restricted
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest

Installing the existing version of the chart will fail to create the pods. Upgrading to, or a fresh install of, the PR build chart should work as expected.

@thirdgen88 can also spin this up in an OpenShift Local cluster and make sure there are no surprises there either.

Fixes IGN-15040
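One way to check a rendered pod spec against the restricted-profile rules the new defaults target, as an added example that is not part of this PR or the chart's own code; the container names and manifests below are constructed for illustration:

```python
# Added example (not the chart's own code): checks a rendered pod spec against
# the container-level "restricted" Pod Security Standards rules that the new
# defaults satisfy. Container names below are constructed for illustration.
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}
ALLOWED_ADD = {"NET_BIND_SERVICE"}  # the only capability restricted lets you add

def container_violations(name, sc, pod_sc):
    """Findings for one container; seccompProfile and runAsNonRoot may be
    inherited from the pod-level securityContext."""
    sc = sc or {}
    findings = []
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append(f"{name}: allowPrivilegeEscalation must be false")
    caps = sc.get("capabilities") or {}
    if "ALL" not in (caps.get("drop") or []):
        findings.append(f"{name}: capabilities.drop must include ALL")
    extra = set(caps.get("add") or []) - ALLOWED_ADD
    if extra:
        findings.append(f"{name}: capabilities.add not permitted: {sorted(extra)}")
    seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
    if seccomp.get("type") not in ALLOWED_SECCOMP:
        findings.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
        findings.append(f"{name}: runAsNonRoot must be true")
    return findings

def pod_violations(pod):
    """Collect findings across initContainers and containers of one Pod manifest."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext") or {}
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    return [f for c in containers
            for f in container_violations(c["name"], c.get("securityContext"), pod_sc)]

# Constructed sample: the hardened container context this PR makes the default.
HARDENED = {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]},
            "seccompProfile": {"type": "RuntimeDefault"}}
# Old rendering: pod-level non-root only, no container-level hardening.
OLD_POD = {"spec": {"securityContext": {"runAsNonRoot": True},
                    "initContainers": [{"name": "preconfigure"}],
                    "containers": [{"name": "gateway"}]}}
# New rendering: same pod context plus the hardened container context.
NEW_POD = {"spec": {"securityContext": {"runAsNonRoot": True},
                    "initContainers": [{"name": "preconfigure", "securityContext": HARDENED}],
                    "containers": [{"name": "gateway", "securityContext": HARDENED}]}}

if __name__ == "__main__":
    for label, pod in (("old defaults", OLD_POD), ("new defaults", NEW_POD)):
        print(label, pod_violations(pod) or "OK")
```

Running it against `helm template` output (after loading the YAML into dicts) gives the same answer the namespace admission check would, without needing a cluster.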

@thirdgen88 thirdgen88 added the feature label (Release notes label indicating a newly added feature) Apr 2, 2026
Functionally equivalent for our Docker image (which is already defaulting to UID 2003/2003).
@thirdgen88
Member Author

With 9e25f82 in place, this deploys successfully on OpenShift Local within the default restricted Security Context Constraint (SCC). Thankfully, other uses should be fine with the UID/GID runAs and fsGroup entries omitted since that is what the Ignition container image already uses by default.

@thirdgen88 thirdgen88 merged commit d2ae166 into inductiveautomation:main Apr 20, 2026
1 check passed