Update non-privileged overlay to support read-only root file systems by default

Created by: caugustus-sourcegraph

https://github.com/sourcegraph/deploy-sourcegraph/tree/dt/overlay_cleanup - this branch contains work to remove the non-privileged-create-cluster overlay and harden the non-privileged overlay by also making it use a read-only root file system. The outstanding work is:

  • Do another testing pass to assess the impact on existing deployments
  • Update documentation references to the old overlay
  • Consider adding an init container to gitserver that can chown file ownership so the migrate overlay can be eliminated

Additional context: https://sourcegraph.slack.com/archives/C02E4HE42BX/p1638834471396900