Add missing security context to Keystone pods/containers

This updates the Keystone chart to include the pod
security context on the pod template.

This also adds the container security context to set
readOnlyRootFilesystem flag to true

Change-Id: I655ef19a3c187e3462ff8ec1a54bc9691ca64d41

keystone/templates/cron-job-fernet-rotate.yaml

@@ -72,6 +72,7 @@ spec:
 {{ tuple $envAll "keystone" "fernet-rotate" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 12 }}
         spec:
           serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "fernet_rotate" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 10 }}
           initContainers:
 {{ tuple $envAll "fernet_rotate" $mounts_keystone_fernet_rotate_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }}
           restartPolicy: OnFailure
@@ -81,6 +82,7 @@ spec:
             - name: keystone-fernet-rotate
 {{ tuple $envAll "keystone_fernet_rotate" | include "helm-toolkit.snippets.image" | indent 14 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.fernet_rotate | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
+{{ dict "envAll" $envAll "application" "fernet_rotate" "container" "keystone_fernet_rotate" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14}}
               env:
                 - name: KEYSTONE_USER
                   value: {{ .Values.jobs.fernet_rotate.user | quote }}

keystone/values.yaml

@@ -186,6 +186,13 @@ pod:
         keystone_fernet_setup:
           readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
+    fernet_rotate:
+      pod:
+        runAsUser: 42424
+      container:
+        keystone_fernet_rotate:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
     domain_manage:
       pod:
         runAsUser: 42424