Support running with restricted PSA enforcement enabled (part 1) #2572

Merged: 14 commits, Jul 24, 2023

Commits on Jul 14, 2023

  1. Support restricted PSA enforcement in basic setup

    This enables running Consul in a basic configuration with PSA enforcement
    set to restricted on the namespace where Consul is deployed. (This
    requires deploying the CNI to a different privileged namespace).
    
    On OpenShift, we have the option to set the security context or not. If
    the security context is unset, then it is set automatically by OpenShift
    SCCs. However, we prefer to set the security context to avoid useless
    warnings on OpenShift and to reduce the config difference between
    OpenShift and plain Kube. By default, OpenShift namespaces have the
    audit and warn PSA labels set to restricted, so we receive pod security
    warnings when deploying Consul to OpenShift even though the pods will be
    able to run.
    Paul Glass committed Jul 14, 2023
    45d3af0
  2. Test: Support TestConnectInject on OpenShift + CNI

    * When `-enable-openshift` and `-enable-cni` are set, configure the CNI
      settings correctly for OpenShift, which must look like:
    
      ```
      connectInject:
        cni:
          enabled: true
          multus: true
          cniBinDir: /var/lib/cni/bin
          cniNetDir: /etc/kubernetes/cni/net.
      ```
    
    * Add `-cni-namespace` flag to support deploying the CNI into a separate
      namespace. This is needed for testing with the CNI when restricted PSA
      enforcement is enabled on the namespace where Consul is deployed,
      because the CNI cannot run in a PSA-restricted namespace.
    * Add `-app-namespace` and `-secondary-app-namespace` flags to support
      deploying test applications into a specific namespace. This is needed
      to test with restricted PSA enforcement enabled on the Consul
      namespace because our test applications require a bit more privilege.
    * Update the ConnectHelper to configure the NetworkAttachmentDefinition
      required to be compatible with the CNI on OpenShift.
    * Add fixtures for static-client and static-server for OpenShift. This
      is necessary because the deployment configs must reference the network
      attachment definition when using the CNI on OpenShift.
    * Update tests in the `acceptance/tests/connect` directory to either
      run or skip based on -enable-cni and -enable-openshift (all but two
      cases are skipped for now).
    Paul Glass committed Jul 14, 2023
    cf9715f
  3. fix: Use security context template

    Paul Glass committed Jul 14, 2023
    ff5c24b
  4. 9e83262
  5. fix: Respect user-provided securityContext settings

    Paul Glass committed Jul 14, 2023
    e45cc5a

Commits on Jul 19, 2023

  1. Merge remote-tracking branch 'origin/main' into pglass/NET-185/basic-connect-test
    
    Also (oops I did this as part of the rebase/merge):
    
    - Remove the -app-namespace test flags.
    - Instead, support enabling an app namespace in Connect Helper
      so that tests can choose which namespace to use for applications.
    - Add -restricted-psa-enforcement-enabled flag.
    Paul Glass committed Jul 19, 2023
    0671525
  2. Remove -cni-namespace flag

    Paul Glass committed Jul 19, 2023
    cbc48f7

Commits on Jul 20, 2023

  1. Update bats tests

    Paul Glass committed Jul 20, 2023
    2790c63
  2. Add changelog entry

    Paul Glass committed Jul 20, 2023
    7b2e6d3
  3. Set runAsUser on vanilla kube

    Setting a non-root user is necessary when `runAsNonRoot: true` is
    configured in the securityContext. By setting `runAsUser: 100`, we are
    most compatible with all of the consul, consul-dataplane, and
    consul-k8s-control-plane images which all contain a user id 100.
    
    On OpenShift, this is unnecessary because `runAsUser` is set
    automatically (if it is unset), and by setting it explicitly we would
    require the `anyuid` SCC which would bump the namespace out of the
    `restricted` PSA profile.
    Paul Glass committed Jul 20, 2023
    2b2eefb
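The securityContext choices from the first Jul 14 commit and the `runAsUser` reasoning in the commit above, as an added example that is not code from this PR or from consul-k8s: it builds the container securityContext the commits describe and checks a pod spec against the core rules of the Kubernetes Pod Security Standards "restricted" profile. The uid 100 and the OpenShift `anyuid` SCC caveat come from the commit messages; the checker itself and any sample pod specs are my own, constructed for the example.

```python
# Added example (not consul-k8s code): build the container securityContext the
# commits describe and check a pod spec against the core "restricted" rules of
# the Kubernetes Pod Security Standards. Sample specs are constructed inline.

def consul_security_context(openshift: bool) -> dict:
    # Vanilla Kubernetes pins runAsUser to 100, a uid present in the consul,
    # consul-dataplane and consul-k8s-control-plane images. On OpenShift it is
    # left unset so the restricted SCC assigns one; setting it explicitly
    # would require the anyuid SCC.
    sc = {
        "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["ALL"]},
        "runAsNonRoot": True,
        "seccompProfile": {"type": "RuntimeDefault"},
    }
    if not openshift:
        sc["runAsUser"] = 100
    return sc


def check_restricted(pod_spec: dict, openshift: bool = False) -> list:
    """Return violations of the restricted profile; an empty list means it passes."""
    problems = []
    pod_sc = pod_spec.get("securityContext") or {}
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        name, sc = c["name"], c.get("securityContext") or {}
        if sc.get("privileged"):
            problems.append(f"{name}: privileged containers are not allowed")
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{name}: allowPrivilegeEscalation must be false")
        caps = sc.get("capabilities") or {}
        if "ALL" not in caps.get("drop", []):
            problems.append(f"{name}: capabilities.drop must include ALL")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            problems.append(f"{name}: only NET_BIND_SERVICE may be added")
        # runAsNonRoot, seccompProfile and runAsUser may come from the pod level.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            problems.append(f"{name}: runAsNonRoot must be true")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile")) or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            problems.append(f"{name}: seccompProfile.type must be RuntimeDefault/Localhost")
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if uid == 0:
            problems.append(f"{name}: runAsUser 0 is root")
        if openshift and uid is not None:
            problems.append(f"{name}: explicit runAsUser on OpenShift needs the anyuid SCC")
    return problems
```

Running the vanilla-Kubernetes context through the checker with `openshift=True` reproduces the commit's point: the only finding is the explicit `runAsUser`, which the restricted SCC would otherwise assign.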
  4. Fix acceptance framework unit test

    Paul Glass committed Jul 20, 2023
    d0af4f0

Commits on Jul 21, 2023

  1. Merge remote-tracking branch 'origin/main' into pglass/NET-185/basic-connect-test
    Paul Glass committed Jul 21, 2023
    fb98d10
  2. Fix rebase errors

    Paul Glass committed Jul 21, 2023
    57c89ab
  3. Rename flag to -enabled-restricted-psa-enforcement

    Paul Glass committed Jul 21, 2023
    b8c37fb