fix: OpenShift restricted-v2 compatibility fixes

[wnevis-cmyk]

Summary

OpenShift restricted-v2 compatibility for the operator, its Helm dependencies, and W&B application workloads. Includes CRC/Tilt dev-loop fixes.

Features

• Frontend nginx on OpenShift: label-driven emptyDir overlay (writable html/conf/cache/run + seed initContainer) so nginx starts under SCC-assigned UIDs
• Application pod hardening: default seccomp, dropped capabilities, and no privilege escalation on W&B app/init containers
• Helm chart: hardened security contexts for dependency operators; prometheus-operator-crds gated by its own enabled flag; OpenShift profile overrides (null UID/GID, skip platform-owned CRDs, Tilt live-update); optional runAsUser on the CRD installer hook
• RBAC workarounds: ClusterRoles granting finalizer updates for Moco MySQL PVC ownership and the SeaweedFS operator
• Moco: --disable-default-security-context; mysqld_exporter collectors when telemetry is enabled
• Tilt / CRC: kube-state-metrics with OpenShift-friendly security; SeaweedFS privileged SCC binding for local dev; larger default CRC resources

Testing

• make test / make build
• CRC + Tilt; wandb verify --host http://localhost:8080

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ebb01b14-16a4-4655-bdef-e4801efb843b

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch wnevis/openshiftFixes

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[wnevis-cmyk]

I should note this PR is pending changes I have in the moco repo and a release (that will require a quick version bump in this PR).

The

  extraArgs:
    - --disable-default-security-context

doesn't exist currently.