add explanations for configs in osguard-ci-delta

Signed-off-by: Chris Co <chrco@microsoft.com>

Author: christopherco

toolkit/imageconfigs/templates/osguard-ci-delta.yaml

@@ -1,24 +1,37 @@
 os:
+  # Ensure SELinux is in Enforcing Mode for OS Guard Code Integrity image.
   selinux:
     mode: enforcing
   kernelCommandLine:
     extraCommandLine:
+      # Enforce signatures for all dm-verity volumes on the system. This
+      # verification is needed in conjunction with our dm-verity-enabled
+      # erofs-snapshotter to ensure erofs container layers, which are
+      # dm-verity volumes, are signed by a trusted entity
       - dm_verity.require_signatures=1
   packages:
     install:
+    # For containerd erofs-snapshotter to function, supply its userland
+    # utilities
     - erofs-utils
   modules:
+  # Ensure the erofs kernel module is always loaded so containerd
+  # erofs-snapshotter can use it.
   - name: erofs
     loadMode: always
   additionalFiles:
+  # Place custom containerd config that configures erofs-snapshotter as the
+  # default snapshotter when setting up container images
   - source: files/osguard-ci/config.toml
     destination: /etc/containerd/config.toml
     permissions: "644"
+  # Place custom CNI config for enabling pod networking on container creation
   - source: files/osguard-ci/10-podnet.conf
     destination: /etc/cni/net.d/10-podnet.conf
     permissions: "644"
 scripts:
   postCustomization:
+  # Tag this image variant with its specific variant-id
   - path: scripts/set_os_release_variant_entries.sh
     arguments:
     - --variant-id