fix: Add update logic to handle addition of PSS to deployments

[svghadi]

What type of PR is this?

/kind bug

What does this PR do / why we need it:

#1288 and #1493 introduced Pod Security Standards (PSS) to ensure all Argo CD component pods comply with the restricted security policy. However, these changes only apply to new installations.

This PR addresses the gap by adding logic to update existing installations. It ensures that the necessary securityContext is applied to existing pods and automatically reconciles any manual changes back to the intended configuration.

Which issue(s) this PR fixes:

Closes #1492

How to test changes / Special notes to the reviewer:

I performed an upgrade test as follows:

1. Ran make run with the v0.11.0 tag.
2. Created an ArgoCD CR.
3. Stopped make run and switched to this PR branch.
4. Ran make run again.

The following command should return no warnings:

# Example of a non-compliant namespace
$ kubectl label --overwrite --dry-run=server ns test pod-security.kubernetes.io/enforce=restricted
Warning: existing pods in namespace "test" violate the new PodSecurity enforce level "restricted:latest"
namespace/test labeled (server dry run)

# Example of a compliant namespace
$ kubectl label --overwrite --dry-run=server ns test pod-security.kubernetes.io/enforce=restricted
namespace/test labeled (server dry run)

[saumeya]

Good solution for upgrade testing @svghadi

[saumeya]

Why are we creating a function for security context only for keycloak resource?

[svghadi]

Actually, I wanted to create a common function for all deployments but realized that some have slightly different securityContext configurations. So to keep things simpler, didn't proceed with it. We can revisit this when we work on refactoring again.

[saumeya]

Tested with the upgrade scenario from 0.11 to this branch and works as expected.
LGTM
Thanks @svghadi

[iam-veeramalla]

LGTM @svghadi, Thanks for the PR.