fluxcd-community / helm-charts

Community maintained Helm charts for Flux
Apache License 2.0

:sparkles: install-job: allow setting securityContext/volumes/volumeM… #153

Closed moritzjohner-form3 closed 1 year ago

moritzjohner-form3 commented 1 year ago

What this PR does / why we need it:

This is a follow-up of #149. It allows users to set the pod's securityContext, volumes, automountServiceAccountToken as well as container volumeMounts on the install-job pod. This can be used so that workloads conform with CIS, BSI or NSA security standards.

Proof of work

  1. Most of it is covered by unit tests.
  2. I ran a manual test of the installation procedure, see below.

I modified the values like this:

diff --git a/charts/flux2/values.yaml b/charts/flux2/values.yaml
index 4815528..e73fb54 100644
--- a/charts/flux2/values.yaml
+++ b/charts/flux2/values.yaml
@@ -25,7 +25,29 @@ cli:
   affinity: {}
   tolerations: []
   serviceAccount:
-    automount: true
+    automount: false
+  volumeMounts:
+    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+      name: serviceaccount-token
+  volumes:
+    - name: serviceaccount-token
+      projected:
+        defaultMode: 420
+        sources:
+        - serviceAccountToken:
+            expirationSeconds: 3607
+            path: token
+        - configMap:
+            name: kube-root-ca.crt
+            items:
+            - key: ca.crt
+              path: ca.crt
+        - downwardAPI:
+            items:
+            - path: namespace
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.namespace
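Review bot: the new `volumeMounts:` and `volumes:` keys under `cli:` are added to values.yaml without any comment saying what they are for, and values.yaml is the user-facing documentation of a chart; a one-line comment above each (for example `# extra volumes for the install-job pod` and `# extra volumeMounts for the install-job container`) would document them. Since the projected volume at `/var/run/secrets/kubernetes.io/serviceaccount` recreates the token that `automount: true` provided, with `expirationSeconds: 3607` bounding its lifetime, it would also help to say in that comment that the pair is intended for users who set `automount: false` and still need an API token in the job, so readers do not mistake the example for a required setting.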

Then I ran helm template . | tee flux.install.yaml | kubectl apply -f -. Here is an extract from the install job YAML:

Screenshot 2023-01-16 at 15 15 54

Installation went smoothly, pods are up and running:

Screenshot 2023-01-16 at 15 17 28

Which issue this PR fixes

Special notes for your reviewer:

Checklist
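As an added illustration of what this PR enables, not the chart's own template, here is how an install-job template could wire the values exercised in the test above into the pod spec. The value paths cli.serviceAccount.automount, cli.volumes and cli.volumeMounts are the ones used in the diff; cli.securityContext, cli.image and the Job name are assumptions made for the example.

```yaml
# Hypothetical install-job template fragment (added example, not the chart's code).
# cli.serviceAccount.automount, cli.volumes and cli.volumeMounts are the keys from the
# test values above; cli.securityContext and cli.image are assumed keys.
apiVersion: batch/v1
kind: Job
metadata:
  name: flux-install   # assumed name
spec:
  template:
    spec:
      # With automount: false the API token is present only if the user mounts it
      # explicitly through cli.volumes/cli.volumeMounts (e.g. a bounded projected token).
      automountServiceAccountToken: {{ .Values.cli.serviceAccount.automount }}
      {{- with .Values.cli.securityContext }}
      # Pod-level securityContext, e.g. runAsNonRoot/seccompProfile for CIS/NSA baselines.
      securityContext:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      restartPolicy: Never
      containers:
        - name: flux-cli
          image: {{ .Values.cli.image }}   # assumed key
          {{- with .Values.cli.volumeMounts }}
          volumeMounts:
            {{- toYaml . | nindent 12 }}
          {{- end }}
      {{- with .Values.cli.volumes }}
      volumes:
        {{- toYaml . | nindent 8 }}
      {{- end }}
```

With the test values from the diff, `helm template` renders a pod that has `automountServiceAccountToken: false` and a single projected volume carrying a token that expires after 3607 seconds, the cluster CA and the namespace; the `with` blocks mean that users who leave these values empty get the same manifest as before.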