
Set necessary pod security labels on the devfile-registry for OCP 4.12 #966

Closed
johnmcollier opened this issue Oct 11, 2022 · 7 comments · Fixed by devfile/registry-operator#29
Labels
area/registry Devfile registry for stacks and infrastructure kind/bug Something isn't working

Comments

@johnmcollier
Member

johnmcollier commented Oct 11, 2022

/kind bug

Which area is this bug related to?

/area registry

What versions of software are you using?

OCP 4.12

Bug Summary

Starting with OCP 4.12, the Devfile Registry fails to deploy with the following error:

      message: 'pods "devfile-registry-858d9b69d6-hhr2d" is forbidden: violates PodSecurity
        "restricted:latest": allowPrivilegeEscalation != false (containers "devfile-registry",
        "oci-registry" must set securityContext.allowPrivilegeEscalation=false), unrestricted
        capabilities (containers "devfile-registry", "oci-registry" must set securityContext.capabilities.drop=["ALL"]),
        runAsNonRoot != true (pod or containers "devfile-registry", "oci-registry"
        must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers
        "devfile-registry", "oci-registry" must set securityContext.seccompProfile.type

We need to add the proper security contexts in the devfile registry deployment.

To Reproduce:
Deploy devfile registry via helm chart or operator on OCP 4.12

Expected behavior

Devfile registry deploys properly without error.
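An added example, not part of this issue or of the devfile project's code: a small Python checker that models the four PodSecurity "restricted" checks named in the admission error above and runs it over a constructed spec shaped like the failing deployment beside a hardened one. It shows which of the four fields the pod-level securityContext can satisfy and which each container must set itself. The image names and the spec dicts are constructed; the field names are the real Kubernetes securityContext fields.

```python
# Constructed checker for the four "restricted" checks in the error above.
# It is a subset of the real profile, which also restricts volume types,
# host namespaces, added capabilities and more.
ALLOWED_SECCOMP = ("RuntimeDefault", "Localhost")


def _container_violations(cont, pod_sc):
    """Return the restricted-profile violations for one container."""
    name = cont["name"]
    sc = cont.get("securityContext") or {}
    found = []
    # allowPrivilegeEscalation and capabilities have no pod-level form:
    # every container must set them itself.
    if sc.get("allowPrivilegeEscalation") is not False:
        found.append(f'container "{name}": allowPrivilegeEscalation != false')
    if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
        found.append(f'container "{name}": capabilities.drop must include "ALL"')
    # runAsNonRoot and seccompProfile may be set at pod level ("pod or
    # containers" in the error), but a container-level value overrides it.
    if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
        found.append(f'container "{name}": runAsNonRoot != true')
    seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile")) or {}
    if seccomp.get("type") not in ALLOWED_SECCOMP:
        found.append(f'container "{name}": seccompProfile.type must be set')
    return found


def restricted_violations(pod_spec):
    """Violations for every initContainer and container of a pod spec."""
    pod_sc = pod_spec.get("securityContext") or {}
    conts = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    return [v for c in conts for v in _container_violations(c, pod_sc)]


def _container(name, **security_context):
    # Constructed image reference; only the name matters for the checks.
    return {"name": name, "image": f"example.invalid/{name}:constructed",
            "securityContext": security_context or None}


# Mirrors the failing deployment: no securityContext anywhere.
FAILING_SPEC = {"containers": [_container("devfile-registry"),
                               _container("oci-registry")]}

# Hardened: runAsNonRoot and seccompProfile at pod level, the rest per container.
HARDENED_SPEC = {
    "securityContext": {"runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [_container(n, allowPrivilegeEscalation=False,
                              capabilities={"drop": ["ALL"]})
                   for n in ("devfile-registry", "oci-registry")],
}
```

Running `restricted_violations(FAILING_SPEC)` reproduces the four complaints for each of the two containers, and the hardened spec returns no violations.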

@openshift-ci openshift-ci bot added kind/bug Something isn't working area/registry Devfile registry for stacks and infrastructure labels Oct 11, 2022
@johnmcollier
Member Author

johnmcollier commented Oct 11, 2022

The following will need to be updated:

@kim-tsao kim-tsao self-assigned this Jan 31, 2023
@kim-tsao
Contributor

It's just the registry operator that needs updating

@michael-valdron
Member

I have this implemented in devfile/registry-operator#29.

@kim-tsao
Contributor

OK, let me assign this to you.

@michael-valdron
Member

The changes currently in this PR produce the following error in OpenShift:

+ '[' '!' -d /registry/stacks ']'
+ '[' '!' -e /registry/index.json ']'
+ /registry/index-server
2023/02/02 21:30:01 Registry is up and running
2023/02/02 21:30:01 Pushing dotnet50 version 1.0.3 to localhost:5000/devfile-catalog/dotnet50:1.0.3...
time="2023-02-02T21:30:01Z" level=warning msg="reference for unknown type: application/vnd.devfileio.devfile.layer.v1" digest="sha256:bfc1eeb74457cd935aa80dbb859be28e8ed9889a11122dd4e97aa46fbfcdb5c5" mediatype=application/vnd.devfileio.devfile.layer.v1 size=1488
time="2023-02-02T21:30:01Z" level=warning msg="reference for unknown type: application/vnd.devfileio.devfile.config.v2+json" digest="sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a" mediatype=application/vnd.devfileio.devfile.config.v2+json size=2
2023/02/02 21:30:01 failed to push dotnet50 version 1.0.3 to localhost:5000/devfile-catalog/dotnet50:1.0.3: unexpected response: 500 Internal Server Error

After doing some testing this error seems to only happen when the operator is deployed with OpenShift. When deploying on minikube this error does not occur.

@michael-valdron
Member

This is now its own issue (#1025); this issue is now blocked by #1025.

@michael-valdron
Member

michael-valdron commented Feb 9, 2023

This issue and #1025 are now being merged in the same PR (devfile/registry-operator#29).

3 participants