Add CEL-compliant pod security and storage settings

[JPurcell-Braintrust]

Adding in the previous security enhancements to satisfy CEL based policies, previously based on 1.1.32 to the latest helm updates. The security enhancements were:

• add securityContext and podSecurityContext to all 3 pod types
• readOnlyRootFilesystem
• emptyDir size limits for Brainstore volumes

An example/google-autopilot-cel/ has been created to help the known customers currently needing these CEL enhancements in their production environment.

[Alexey Soldatchenko (soldatchenko)]

Overall this looks good to me. My only asks are around runtime validation rather than the Helm config itself

• confirm the read-only root filesystem with representative API/scorer + Brainstore trace paths
• make sure the Brainstore emptyDir.sizeLimit leaves enough headroom above the configured cache size in the example

[Alexey Soldatchenko (soldatchenko)]

Please make sure that the PR title is descriptive, and the comments make it easy for a customer/consumer of this chart to understand what changes are being made. A few examples:

• Add first-class WAL footer version and auto-derived storage URIs #76
• Data Plane 2.0 image tags and WAL v3 default #77
• Default no-PG mode to "all" #78

It will forever be immortalized in the public commit history and release notes.

[Alexey Soldatchenko (soldatchenko)]

This looks good to me now, thanks for addressing all the comments!

Note

• This does include the EKS quarantine example, make sure you truly want it in this commit and eventual release

[Alexey Soldatchenko (soldatchenko)]

Also the Helm unit test CI is failing during helm-unittest plugin installation, before any chart tests run, due to an unstable/unpinned plugin install path.

• I ran the unit tests locally and they all passed
• I created an issue in Linear to track the pipeline fix: https://linear.app/braintrustdata/issue/CR-5/fix-helm-unit-test-ci-plugin-installation