ci: Skip SELinux relabel on start

By default, CRI-O assigns a random SELinux category to every pod, and
then must adjust the label of every file and directory in the persistent
volume to match.  For very large volumes like a Buildroot output
directory, this can take quite some time.  Fortunately, if we assign a
static category, we can tell CRI-O to skip the relabel step.

Unfortunately, Jenkins does not merge the `securityContext` field of the
pod spec when the `yamlMergeStrategy` is set to `merge`.  For our custom
settings to apply, we have to leave the merge strategy at the default,
`override`.

ci/Jenkinsfile

@@ -11,7 +11,6 @@ pipeline {
     agent {
         kubernetes {
             yamlFile 'ci/podTemplate.yaml'
-            yamlMergeStrategy merge()
             workspaceVolume persistentVolumeClaimWorkspaceVolume(
                 claimName: 'buildroot-airplaypi'
             )

ci/podTemplate.yaml

@@ -1,4 +1,15 @@
+metadata:
+  annotations:
+    io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel: 'true'
 spec:
+  affinity:
+    nodeAffinity:
+      preferredDuringSchedulingIgnoredDuringExecution:
+      - weight: 100
+        preference:
+          matchExpressions:
+          - key: node-role.kubernetes.io/jenkins
+            operator: Exists
   containers:
   - name: build
     image: git.pyrocufflink.net/containerimages/buildroot
@@ -11,8 +22,14 @@ spec:
     - mountPath: /etc/ssh/ssh_known_hosts
       name: ssh-known-hosts
       subPath: ssh_known_hosts
+  nodeSelector:
+    kubernetes.io/arch: amd64
   securityContext:
     fsGroupChangePolicy: OnRootMismatch
+    seLinuxOptions:
+      level: s0:c596,c675
+  tolerations:
+  - key: du5t1n.me/jenkins
   volumes:
   - name: ssh-known-hosts
     configMap: