[2.0.0] Refactoring & Security fixes #151

Open
clyso-dr wants to merge 2 commits into morgoved:main from clyso-dr:main

Conversation

@clyso-dr clyso-dr commented Feb 19, 2026

Contributor

This major update brings the chart to Wazuh 4.14.3, significantly improves security posture, fixes several template bugs, and refactors configuration management.

Features & Enhancements:

  • Bumped appVersion to 4.14.3 and chart version to 2.0.0.
  • Bumped cert-manager dependency to 1.19.3.
  • Added full LDAP / Active Directory authentication and authorization support for the Indexer via values.yaml.
  • Added nodePort support for Agent, Dashboard, and Manager cluster services.
  • Added extensive dnsNames (SANs) to filebeat and node certificates for robust TLS validation and changed the filebeat commonName to the manager's fullname.
  • Added support for ClusterIssuer in all certificate templates.
  • Improved Dashboard config: dynamically resolving WAZUH_API_URL and injecting WAZUH_API_PORT.

Security Improvements:

  • Changed automountServiceAccountToken default to false across all ServiceAccounts.
  • Moved OpenSearch security configurations (internal_users, roles, etc.) from plain ConfigMaps to a secured Secret (indexer-security).
  • Tightened volume mount permissions for manager configs from 0777 to 0755.
  • Added explicit fsGroup context (1000/101) to Indexer setup job and Manager StatefulSet.

Refactoring:

  • Removed massive hardcoded configuration blocks from _helpers.tpl. Manager configuration files are now elegantly loaded using .Files.Get (e.g., script.sh, local_decoder.xml, local_rules.xml).

Bug Fixes:

  • Fixed Agent DaemonSet names/labels (used wazuh.indexer.fullname instead of wazuh.fullname).
  • Fixed Indexer NetworkPolicy label selectors (wrongly targeted indexer.fullname for dashboard/manager instead of wazuh.fullname).
  • Fixed Dashboard Deployment applying .Values.indexer.annotations instead of .Values.dashboard.annotations.
  • Fixed Dashboard NetworkPolicy to dynamically look up the API port instead of relying on a hardcoded loop.

BREAKING CHANGE: This release introduces several breaking changes that require manual intervention during upgrades:

  1. Config Management: Configurations like master.conf, worker.conf, and opensearch.yml are now loaded via .Files.Get from external files. Inline overrides via values.yaml for these specific config blocks are no longer supported and will be ignored.
  2. Agent DaemonSet Labels: The label selectors for the Agent DaemonSet have been corrected. Since spec.selector.matchLabels is immutable in Kubernetes, existing agent DaemonSets must be manually deleted (kubectl delete ds <release-name>-wazuh-agent) prior to upgrading.
  3. ServiceAccount Security: automountServiceAccountToken is now set to false by default. If you rely on custom scripts or sidecars that communicate with the Kubernetes API, you must explicitly set this back to true in your values.yaml.
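
The three hardening points in the description (token automount defaulting to false, config mounts no longer 0777, fsGroup on the indexer setup Job and manager StatefulSet) are easiest to verify on the rendered output rather than taken on trust from the changelog. The audit script below is an added example, not code from this PR or from the chart; it assumes the output of `helm template` has been converted to a JSON list of documents with whatever tool you prefer, and the sample manifests embedded in it are constructed to show one unhardened and one hardened workload.

```python
"""Audit rendered Kubernetes manifests for token automount, world-writable
config volumes and missing fsGroup.  Added example; not part of the chart."""
import json

# Constructed sample standing in for `helm template` output converted to JSON:
# a ServiceAccount without the automount opt-out, one with it, a StatefulSet
# mounting its config with defaultMode 0777 (511) and no fsGroup, and a Job
# that already applies the hardened settings from the PR description.
SAMPLE_MANIFESTS = json.loads(r'''
[
  {"apiVersion": "v1", "kind": "ServiceAccount",
   "metadata": {"name": "wazuh-manager"}},
  {"apiVersion": "v1", "kind": "ServiceAccount",
   "metadata": {"name": "wazuh-indexer"},
   "automountServiceAccountToken": false},
  {"apiVersion": "apps/v1", "kind": "StatefulSet",
   "metadata": {"name": "wazuh-manager-master"},
   "spec": {"template": {"spec": {
       "serviceAccountName": "wazuh-manager",
       "volumes": [{"name": "config",
                    "configMap": {"name": "wazuh-manager-conf", "defaultMode": 511}}],
       "containers": [{"name": "wazuh-manager", "image": "example/manager:placeholder"}]}}}},
  {"apiVersion": "batch/v1", "kind": "Job",
   "metadata": {"name": "wazuh-indexer-setup"},
   "spec": {"template": {"spec": {
       "serviceAccountName": "wazuh-indexer",
       "securityContext": {"fsGroup": 1000},
       "volumes": [{"name": "security-config",
                    "secret": {"secretName": "indexer-security", "defaultMode": 256}}],
       "containers": [{"name": "setup", "image": "example/indexer:placeholder"}]}}}}
]
''')

WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "CronJob"}


def pod_spec(doc):
    """Return the pod template spec of a workload manifest, or None for other kinds."""
    kind = doc.get("kind")
    if kind == "CronJob":
        return doc["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    if kind in WORKLOAD_KINDS:
        return doc["spec"]["template"]["spec"]
    return None


def audit(manifests):
    """Return a list of (kind/name, finding) tuples for the hardening gaps found."""
    findings = []
    accounts = {d["metadata"]["name"]: d
                for d in manifests if d.get("kind") == "ServiceAccount"}
    for doc in manifests:
        ident = f"{doc.get('kind')}/{doc['metadata']['name']}"
        if doc.get("kind") == "ServiceAccount" and \
                doc.get("automountServiceAccountToken") is not False:
            findings.append((ident, "automountServiceAccountToken is not false"))
        spec = pod_spec(doc)
        if spec is None:
            continue
        # The token is mounted unless the pod spec, or failing that the
        # ServiceAccount, opts out; the pod-level setting wins when present.
        sa = accounts.get(spec.get("serviceAccountName", "default"), {})
        pod_opt = spec.get("automountServiceAccountToken")
        effective = pod_opt if pod_opt is not None \
            else sa.get("automountServiceAccountToken", True)
        if effective:
            findings.append((ident, "pod will mount a service account token"))
        if "fsGroup" not in spec.get("securityContext", {}):
            findings.append((ident, "no fsGroup in pod securityContext"))
        for vol in spec.get("volumes", []):
            src = vol.get("configMap") or vol.get("secret") or vol.get("projected")
            if not src:
                continue
            mode = src.get("defaultMode", 0o644)  # Kubernetes default for these volumes
            if mode & 0o002:  # world-writable bit set, e.g. the old 0777 mounts
                findings.append(
                    (ident, f"volume {vol['name']} defaultMode {mode:o} is world-writable"))
    return findings


if __name__ == "__main__":
    for ident, finding in audit(SAMPLE_MANIFESTS):
        print(f"{ident}: {finding}")
```

Run against the constructed sample it reports four findings, all on the unhardened ServiceAccount and StatefulSet, and none on the Job that already carries `automountServiceAccountToken: false`, an `fsGroup` and a 0400 Secret mount. Pointing it at real rendered output before and after the upgrade is a quick way to confirm the description's claims, and to spot any workload that still needs an explicit opt-in per the third breaking change.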

@clyso-dr

Contributor Author

@morgoved please have a look, I think this update also fixes or improves some issues like #50 / #72 / #114
