Restrict ArgoCD Redis ServiceAccount to restricted-v2 SCC

[Mangaal]

What type of PR is this?
In OpenShift clusters using the GitOps Operator, the argocd-redis ServiceAccount currently inherits the nonroot-v2 SecurityContextConstraints (SCC). This grants more privileges than the standard restricted-v2 SCC, allowing other pods in the namespace to use this ServiceAccount with elevated permissions.

This PR updates both cluster-scoped and namespace-scoped ArgoCD instances to use the restricted-v2 SCC for the Redis ServiceAccount

/kind bug

Verification: No Issues Running with restricted-v2 SCC

To confirm that using restricted-v2 SCC does not cause any issues, we checked an ArgoCD instance in another namespace (test-argocd), where all components are running as expected under restricted-v2:

$ oc get po -n test-argocd
NAME                                       READY   STATUS    RESTARTS   AGE
argocd-application-controller-0            1/1     Running   0          99m
argocd-redis-ha-haproxy-7c8599bb57-kdw4q   1/1     Running   0          99m
argocd-redis-ha-server-0                   2/2     Running   0          99m
argocd-redis-ha-server-1                   2/2     Running   0          98m
argocd-redis-ha-server-2                   2/2     Running   0          97m
argocd-repo-server-8684889b98-z88ts        1/1     Running   0          99m
argocd-server-59c5859dfd-spcj2             1/1     Running   0          99m

Checking the SCC assigned to the Redis components:

$ oc get pod argocd-redis-ha-haproxy-7c8599bb57-kdw4q -n test-argocd -o jsonpath="{.metadata.annotations.openshift\.io/scc}"
restricted-v2

$ oc get pod argocd-redis-ha-server-0 -n test-argocd -o jsonpath="{.metadata.annotations.openshift\.io/scc}"
restricted-v2

Fixes #?
#1662

[EmmanuelKasper]

Most probably this comment needs to be rewritten (mentioning that on OpenShift we make sure the Pods are running under the least allowed privilege) or dropped altogether.

[Mangaal]

Thanks @EmmanuelKasper , I have added the suggested comment

[svghadi]

A nit, rest all looks good. Thanks @Mangaal

[svghadi]

The only thing that changes between k8s and openshift is

RunAsUser:    int64Ptr(999),

Can you simplify the if? Maybe try using deploy.Spec.Template.Spec.SecurityContext like redis ha statefulset or use a var for securitycontext value and set that in deploy.Spec.Template.Spec.Containers[*]

Also can we try changing the user to 1000 or 1001 if the redis image supports it on k8s?

[Mangaal]

Thanks, @svghadi , its works with user 1000.

kubectl  get po -n kuttl-test-tight-wallaby
NAME                                  READY   STATUS    RESTARTS   AGE
argocd-application-controller-0       1/1     Running   0          13s
argocd-redis-56996db676-nplfr         1/1     Running   0          14s
argocd-repo-server-7f864dd87b-x7r7x   1/1     Running   0          14s
argocd-server-8678799b84-c54dz        1/1     Running   0          14s

kubectl  get po -n kuttl-test-tight-wallaby argocd-redis-56996db676-nplfr -o jsonpath={.spec.securityContext.runAsUser}
1000

[svghadi]

LGTM

[iam-veeramalla]

LGTM, Thanks @Mangaal