Add missing security context to Keystone pods/containers

This updates the Keystone chart to include the pod
security context on the pod template.

This also adds the container security context to set
readOnlyRootFilesystem flag to true

Change-Id: I0e00571d4060cca914d1bdb4f36e736fa8501130

keystone/templates/job-domain-manage.yaml

@@ -46,6 +46,7 @@ spec:
         - name: keystone-domain-manage-init
 {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.domain_manage | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "domain_manage" "container" "keystone_domain_manage_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           env:
 {{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}

keystone/values.yaml

@@ -197,6 +197,9 @@ pod:
       pod:
         runAsUser: 42424
       container:
+        keystone_domain_manage_init:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
         keystone_domain_manage:
           readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false