
feat(chart): expose pod/container/initContainer securityContext per component #162

Open

nicola-preda wants to merge 2 commits into artifact-keeper:main from nicola-preda:feat/configurable-security-contexts


Conversation


nicola-preda commented Jun 11, 2026


Summary

Replaces hardcoded securityContext blocks across every chart workload with values-driven configuration. Defaults match what was previously hardcoded, so helm template output is semantically identical for any unchanged install.

What changed

Three new blocks per component in values.yaml (where applicable):

  • .podSecurityContext
  • .containerSecurityContext
  • .initContainerSecurityContext

Components touched: backend, web, edge, postgres, opensearch, trivy, dependencyTrack (+ the dependencyTrack.bootstrap Job).

Special cases

  • opensearch.fixOwnership — the fix-ownership init container needs runAsUser: 0 + CHOWN/FOWNER, which doesn't fit the shared initContainerSecurityContext shape (used by the sysctl-check sidecar). It gets its own opensearch.fixOwnership.securityContext block, plus a new opensearch.fixOwnership.enabled toggle so operators relying on cluster-side fsGroup chown can skip the init container entirely.
  • dependencyTrack.bootstrap — the bootstrap Job gets its own bootstrap.podSecurityContext / bootstrap.containerSecurityContext so it can be hardened independently of the main dtrack deployment.
  • postgres.containerSecurityContext — previously had no container-level securityContext at all; default is {} so render output is unchanged, but the knob is now available.

Backward compatibility

  • helm template against a fresh install with no value overrides produces field-for-field identical output (modulo toYaml's alphabetical key ordering).
  • Existing overrides that targeted .podSecurityContext.runAsUser etc. continue to work — the structure is unchanged.
  • One subtle change worth flagging: runAsNonRoot: true was hardcoded in several templates and is now expressed only via the values defaults. An operator who supplies a complete replacement podSecurityContext (rather than patching a single field) and forgets runAsNonRoot will lose the constraint. Documented in the values.yaml comment.

Test Checklist

  • Helm template renders without errors
  • Terraform validates/plans cleanly
  • Manually verified on staging cluster (if applicable)
  • Rollback strategy documented

Infrastructure

  • Helm: helm template renders correctly
  • Terraform: terraform validate passes
  • Terraform: terraform plan shows expected changes
  • ArgoCD: Application manifests are valid
  • N/A - documentation only

Closes #161
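The post-render check below is an added example, not code from this PR or from the artifact-keeper chart. It targets the backward-compatibility caveat the PR flags: once runAsNonRoot comes only from values defaults, the reliable place to catch its loss is the rendered output, whatever merge path produced it, rather than the values file. It walks rendered workload manifests and reports every container, init containers included, whose effective securityContext no longer pins a non-root UID, applying Kubernetes' precedence (container-level field overrides pod-level). The manifests, workload names and container names (backend, opensearch, fix-ownership, sysctl-check) are constructed to mirror the components the PR names; the chart's real templates may differ. The allowlist key format "Kind/name:container" is this example's own convention.

```python
"""Post-render gate for the runAsNonRoot caveat raised in the PR description.

Walks rendered Kubernetes workload manifests and reports every container,
initContainers included, whose effective securityContext does not pin it to
a non-root UID.  Precedence follows Kubernetes: a field set on the container
securityContext overrides the same field on the pod securityContext.
All manifests below are constructed for this example; they are not the
artifact-keeper chart's rendered output.
"""
from typing import Any, Iterator, Optional

WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "CronJob"}


def pod_spec(manifest: dict) -> Optional[dict]:
    """Return the pod template spec of a workload manifest, None for other kinds."""
    if manifest.get("kind") not in WORKLOAD_KINDS:
        return None
    spec = manifest.get("spec", {})
    if manifest["kind"] == "CronJob":  # CronJob nests a Job spec first
        spec = spec.get("jobTemplate", {}).get("spec", {})
    return spec.get("template", {}).get("spec", {})


def effective(pod_sc: dict, container_sc: dict, field: str) -> Any:
    """Container-level value wins; otherwise fall back to the pod-level value."""
    return container_sc[field] if field in container_sc else pod_sc.get(field)


def audit_manifest(manifest: dict, allow_root=frozenset()) -> Iterator[tuple]:
    """Yield (workload, container, reason) for each container not pinned non-root.

    allow_root holds "Kind/name:container" keys (this example's convention) for
    containers that are deliberately root, such as a fix-ownership init container.
    """
    spec = pod_spec(manifest)
    if spec is None:
        return
    workload = f'{manifest["kind"]}/{manifest["metadata"]["name"]}'
    pod_sc = spec.get("securityContext") or {}
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        c_sc = c.get("securityContext") or {}
        non_root = effective(pod_sc, c_sc, "runAsNonRoot")
        uid = effective(pod_sc, c_sc, "runAsUser")
        if uid == 0 and non_root is True:
            # the kubelet refuses to start this container: the two fields contradict
            yield workload, c["name"], "runAsNonRoot=true contradicts runAsUser=0"
        elif uid == 0:
            if f"{workload}:{c['name']}" not in allow_root:
                yield workload, c["name"], "runs as root without an allowlist entry"
        elif uid is None and non_root is not True:
            # nothing pins the UID, so the image's USER directive decides, root included
            yield workload, c["name"], "runAsNonRoot unset and no runAsUser"


def audit_all(manifests, allow_root=frozenset()) -> list:
    """Flatten findings over a list of manifests, e.g. yaml.safe_load_all() output."""
    return [f for m in manifests for f in audit_manifest(m, allow_root)]


def workload(kind: str, name: str, pod_sc: dict, containers, init_containers=()) -> dict:
    """Build a minimal constructed manifest carrying only the fields the audit reads."""
    return {"apiVersion": "apps/v1", "kind": kind, "metadata": {"name": name},
            "spec": {"template": {"spec": {
                "securityContext": pod_sc,
                "initContainers": list(init_containers),
                "containers": list(containers)}}}}


# Constructed sample data (not the chart's output).
HARDENED = {"runAsNonRoot": True, "runAsUser": 1000, "fsGroup": 1000}
APP = {"name": "backend", "securityContext": {"allowPrivilegeEscalation": False}}
# Chart-style default: the pod level pins the UID, the container only tightens further.
BACKEND_DEFAULT = workload("Deployment", "backend", HARDENED, [APP])
# Operator replaced the whole pod securityContext and left out runAsNonRoot/runAsUser.
BACKEND_OVERRIDE = workload("Deployment", "backend",
                            {"fsGroup": 2000, "seccompProfile": {"type": "RuntimeDefault"}},
                            [APP])
CAPS = {"drop": ["ALL"], "add": ["CHOWN", "FOWNER"]}
# Root init container done right: it must switch runAsNonRoot off explicitly.
FIX_OWNERSHIP_OK = {"name": "fix-ownership",
                    "securityContext": {"runAsUser": 0, "runAsNonRoot": False,
                                        "capabilities": CAPS}}
# Same container without runAsNonRoot: false, so it inherits true from the pod level.
FIX_OWNERSHIP_BAD = {"name": "fix-ownership",
                     "securityContext": {"runAsUser": 0, "capabilities": CAPS}}
OPENSEARCH_OK = workload("StatefulSet", "opensearch", HARDENED, [{"name": "opensearch"}],
                         [FIX_OWNERSHIP_OK, {"name": "sysctl-check"}])
OPENSEARCH_BAD = workload("StatefulSet", "opensearch", HARDENED, [{"name": "opensearch"}],
                          [FIX_OWNERSHIP_BAD])
ALLOW_ROOT = frozenset({"StatefulSet/opensearch:fix-ownership"})

if __name__ == "__main__":
    for label, m in [("default", BACKEND_DEFAULT), ("override", BACKEND_OVERRIDE),
                     ("opensearch ok", OPENSEARCH_OK), ("opensearch bad", OPENSEARCH_BAD)]:
        print(label, audit_all([m], ALLOW_ROOT) or "clean")
```

To run it against a real render, pass `list(yaml.safe_load_all(output_of_helm_template))` to audit_all and fail the pipeline on a non-empty result. The check deliberately distinguishes three outcomes: a contradictory runAsNonRoot: true with runAsUser: 0 (the pod will not start, which is what the fix-ownership override would hit if it only set the UID), an unlisted root container, and the silent case the PR warns about, where neither field is set and the image's USER directive decides.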



Development

Successfully merging this pull request may close these issues.

Hardcoded securityContext blocks prevent operators from setting site-specific pod security
