Build Gitaly image according to OpenShift best practices
What does this MR do?
Currently, if we run Gitaly in OpenShift, it runs fine only under the "anyuid" or "nonroot" SCC.
OpenShift best practice is to run pods under the "restricted" SCC, which enforces OpenShift UID randomization: the UID is random but the GID is always 0 ("root"), which doesn't have any special permissions. That means that all files that must be writable by the application should be owned by the root group.
This MR introduces a new build arg "GITLAB_GROUP", which is equal to "root", and chowns all Gitaly directories using this group. This will allow Gitaly to run under the "restricted" SCC in OpenShift.
Related issues
Expected (please provide an explanation if not completing)
- Gitaly runs successfully under the "restricted" SCC in OpenShift. This can be verified by deploying GitLab to OpenShift with the GitLab Operator using the "restricted" SCC.
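An added example, not part of this MR or the project's build scripts: a shell audit for the condition described above, reporting every path that a process with a random UID and GID 0 could not write through group permissions. The function names and the `chgrp`/`chmod g=u` remediation are assumptions for illustration; the MR itself does this with the "GITLAB_GROUP" build arg and chown.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from the MR).

# list_unwritable DIR [GID]
# Print every file or directory under DIR that a process running with an
# arbitrary UID and group GID (default 0, as under the "restricted" SCC)
# could not write to via group permissions.
list_unwritable() {
    dir=$1
    gid=${2:-0}
    find "$dir" \( -type f -o -type d \) \( \
        ! -group "$gid" \
        -o ! -perm -0020 \
        -o \( -type d ! -perm -0010 \) \
    \) -print
}

# check_arbitrary_uid_ready DIR [GID]
# Return 0 when DIR is fully usable by group GID, 1 otherwise.
check_arbitrary_uid_ready() {
    offenders=$(list_unwritable "$1" "${2:-0}")
    if [ -n "$offenders" ]; then
        printf 'not group-writable for GID %s:\n%s\n' "${2:-0}" "$offenders" >&2
        return 1
    fi
    return 0
}

# make_group_writable DIR [GID]
# Assumed remediation: hand the tree to the group and copy the owner's
# permission bits to the group, so no world-writable bits are needed.
make_group_writable() {
    chgrp -R "${2:-0}" "$1" && chmod -R g=u "$1"
}
```

Run `check_arbitrary_uid_ready` against each writable directory in the built image; a non-empty report means the pod would still need the "anyuid" or "nonroot" SCC.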