
Conversation

ajheflin (Contributor) commented Dec 3, 2025

Description

This is a less invasive fix for what was originally in #17804: it only updates the default policy categories that were broken, not any user-created ones.

User-facing documentation

Testing and quality

  • the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

  • added unit tests
  • added e2e tests
  • added regression tests
  • added compatibility tests
  • modified existing tests

How I validated my change

Worked in a cluster when tested. Removed Docker Cis and Devops Best Practices.
Before changes (Using 4.10.x-nightly-20251028):

central_active=# SELECT p.name, pc.name FROM policies p 
RIGHT JOIN policy_category_edges pce ON p.id = pce.policyid 
RIGHT JOIN policy_categories pc ON pc.id = pce.categoryid 
WHERE lower(pc.name) = 'docker cis' OR lower(pc.name) = 'devops best practices' 
ORDER BY pc.name ASC, p.name ASC;
                                       name                                        |         name          
-----------------------------------------------------------------------------------+-----------------------
 90-Day Image Age                                                                  | Devops Best Practices
 ADD Command used instead of COPY                                                  | Devops Best Practices
 Deployments with externally exposed endpoints                                     | Devops Best Practices
 Drop All Capabilities                                                             | Devops Best Practices
 Improper Usage of Orchestrator Secrets Volume                                     | Devops Best Practices
 Latest tag                                                                        | Devops Best Practices
 No CPU request or memory limit specified                                          | Devops Best Practices
 Process with UID 0                                                                | Devops Best Practices
 Required Annotation: Email                                                        | Devops Best Practices
 Required Annotation: Owner/Team                                                   | Devops Best Practices
 Required Image Label                                                              | Devops Best Practices
 Required Label: Owner/Team                                                        | Devops Best Practices
                                                                                   | DevOps Best Practices
 ADD Command used instead of COPY                                                  | Docker Cis
 Container using read-write root filesystem                                        | Docker Cis
 Docker CIS 4.1: Ensure That a User for the Container Has Been Created             | Docker Cis
 Docker CIS 4.4: Ensure images are scanned and rebuilt to include security patches | Docker Cis
 Docker CIS 4.7: Alert on Update Instruction                                       | Docker Cis
 Docker CIS 5.15: Ensure that the host's process namespace is not shared           | Docker Cis
 Docker CIS 5.16: Ensure that the host's IPC namespace is not shared               | Docker Cis
 Docker CIS 5.19: Ensure mount propagation mode is not enabled                     | Docker Cis
 Docker CIS 5.1 Ensure that, if applicable, an AppArmor Profile is enabled         | Docker Cis
 Docker CIS 5.21: Ensure the default seccomp profile is not disabled               | Docker Cis
 Docker CIS 5.7: Ensure privileged ports are not mapped within containers          | Docker Cis
 Docker CIS 5.9 and 5.20: Ensure that the host's network namespace is not shared   | Docker Cis
 No CPU request or memory limit specified                                          | Docker Cis
 Privileged Container                                                              | Docker Cis
 Secure Shell Server (sshd) Execution                                              | Docker Cis
                                                                                   | Docker CIS
(29 rows)

After changes:

central_active=# SELECT p.name, pc.name FROM policies p 
RIGHT JOIN policy_category_edges pce ON p.id = pce.policyid 
RIGHT JOIN policy_categories pc ON pc.id = pce.categoryid 
WHERE lower(pc.name) = 'docker cis' OR lower(pc.name) = 'devops best practices' 
ORDER BY pc.name ASC, p.name ASC;
                                       name                                        |         name          
-----------------------------------------------------------------------------------+-----------------------
 90-Day Image Age                                                                  | DevOps Best Practices
 ADD Command used instead of COPY                                                  | DevOps Best Practices
 Deployments with externally exposed endpoints                                     | DevOps Best Practices
 Drop All Capabilities                                                             | DevOps Best Practices
 Improper Usage of Orchestrator Secrets Volume                                     | DevOps Best Practices
 Latest tag                                                                        | DevOps Best Practices
 No CPU request or memory limit specified                                          | DevOps Best Practices
 Process with UID 0                                                                | DevOps Best Practices
 Required Annotation: Email                                                        | DevOps Best Practices
 Required Annotation: Owner/Team                                                   | DevOps Best Practices
 Required Image Label                                                              | DevOps Best Practices
 Required Label: Owner/Team                                                        | DevOps Best Practices
 ADD Command used instead of COPY                                                  | Docker CIS
 Container using read-write root filesystem                                        | Docker CIS
 Docker CIS 4.1: Ensure That a User for the Container Has Been Created             | Docker CIS
 Docker CIS 4.4: Ensure images are scanned and rebuilt to include security patches | Docker CIS
 Docker CIS 4.7: Alert on Update Instruction                                       | Docker CIS
 Docker CIS 5.15: Ensure that the host's process namespace is not shared           | Docker CIS
 Docker CIS 5.16: Ensure that the host's IPC namespace is not shared               | Docker CIS
 Docker CIS 5.19: Ensure mount propagation mode is not enabled                     | Docker CIS
 Docker CIS 5.1 Ensure that, if applicable, an AppArmor Profile is enabled         | Docker CIS
 Docker CIS 5.21: Ensure the default seccomp profile is not disabled               | Docker CIS
 Docker CIS 5.7: Ensure privileged ports are not mapped within containers          | Docker CIS
 Docker CIS 5.9 and 5.20: Ensure that the host's network namespace is not shared   | Docker CIS
 No CPU request or memory limit specified                                          | Docker CIS
 Privileged Container                                                              | Docker CIS
 Secure Shell Server (sshd) Execution                                              | Docker CIS
(27 rows)

The two extra rows in the first query are the duplicate categories that have no policies in them. As you can see in the second query, they're now the only categories that exist, as the "incorrect" ones are gone.
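As an added illustration of the behaviour the description asks for, written here and not taken from this PR or the project's code base: a Go function that computes a merge plan for mis-cased copies of the default categories (re-point their edges to the correctly cased row, drop the empty duplicate) while leaving user-created categories untouched. The Category and Edge structs, the IsDefault flag, and the sample rows are assumptions; the page shows only query output, not the schema.

```go
package main

import (
	"fmt"
	"strings"
)

// Category is one row of policy_categories. ID and Name follow the query
// output above; IsDefault is an assumed flag that separates the shipped
// default categories from user-created ones.
type Category struct {
	ID        string
	Name      string
	IsDefault bool
}

// Edge is one row of policy_category_edges.
type Edge struct {
	PolicyID   string
	CategoryID string
}

// MergePlan is the full set of changes a repair would make, computed up
// front so it can be inspected before any row is modified.
type MergePlan struct {
	Edges            []Edge            // edges after re-pointing and de-duplication
	DeleteCategories []string          // mis-cased default duplicates to drop
	Remapped         map[string]string // mis-cased category ID -> canonical category ID
	Renames          map[string]string // category ID -> correct name (no canonical row to merge into)
}

// DefaultCategories are the canonical names taken from the "after" output.
var DefaultCategories = []string{"Docker CIS", "DevOps Best Practices"}

// PlanMerge folds mis-cased copies of canonical default categories into the
// correctly cased row. Only categories flagged IsDefault are remapped or
// deleted; a user-created category whose name differs from a default name
// only by case is left alone. Edges that would become duplicates after
// re-pointing are collapsed so a uniqueness constraint on edges holds.
func PlanMerge(canonical []string, cats []Category, edges []Edge) (MergePlan, error) {
	plan := MergePlan{Remapped: map[string]string{}, Renames: map[string]string{}}

	wantName := make(map[string]string, len(canonical)) // lower-cased name -> canonical spelling
	for _, n := range canonical {
		wantName[strings.ToLower(n)] = n
	}

	canonID := map[string]string{} // canonical spelling -> ID of the exactly cased default row
	for _, c := range cats {
		exact, known := wantName[strings.ToLower(c.Name)]
		if !c.IsDefault || !known || exact != c.Name {
			continue
		}
		if prev, dup := canonID[c.Name]; dup {
			return plan, fmt.Errorf("two default rows named %q (%s, %s)", c.Name, prev, c.ID)
		}
		canonID[c.Name] = c.ID
	}

	for _, c := range cats {
		exact, known := wantName[strings.ToLower(c.Name)]
		if !known || exact == c.Name || !c.IsDefault {
			continue // unrelated, already correct, or user-created
		}
		target, haveCanonical := canonID[exact]
		if !haveCanonical {
			plan.Renames[c.ID] = exact // nothing to merge into: fix the name in place
			continue
		}
		plan.Remapped[c.ID] = target
		plan.DeleteCategories = append(plan.DeleteCategories, c.ID)
	}

	seen := map[Edge]bool{}
	for _, e := range edges {
		if target, ok := plan.Remapped[e.CategoryID]; ok {
			e.CategoryID = target
		}
		if seen[e] {
			continue // policy already attached to the canonical category
		}
		seen[e] = true
		plan.Edges = append(plan.Edges, e)
	}
	return plan, nil
}

// SampleData is constructed input modelled on the "before" output above:
// mis-cased default rows hold the policies, the correctly cased rows are
// empty, plus one user-created category that must not be touched.
func SampleData() ([]Category, []Edge) {
	cats := []Category{
		{ID: "c1", Name: "Docker Cis", IsDefault: true},
		{ID: "c2", Name: "Docker CIS", IsDefault: true},
		{ID: "c3", Name: "DevOps Best Practices", IsDefault: true},
		{ID: "c4", Name: "Devops Best Practices", IsDefault: true},
		{ID: "c5", Name: "docker cis", IsDefault: false}, // user-created, assumed
	}
	edges := []Edge{
		{PolicyID: "privileged-container", CategoryID: "c1"},
		{PolicyID: "add-instead-of-copy", CategoryID: "c1"},
		{PolicyID: "add-instead-of-copy", CategoryID: "c4"},
		{PolicyID: "add-instead-of-copy", CategoryID: "c2"}, // already on the canonical row too
		{PolicyID: "my-policy", CategoryID: "c5"},
	}
	return cats, edges
}

func main() {
	cats, edges := SampleData()
	plan, err := PlanMerge(DefaultCategories, cats, edges)
	if err != nil {
		panic(err)
	}
	fmt.Println("remap:", plan.Remapped, "delete:", plan.DeleteCategories)
	for _, e := range plan.Edges {
		fmt.Printf("%s -> %s\n", e.PolicyID, e.CategoryID)
	}
}
```

The plan is computed separately from applying it so the result can be reviewed (or logged) before edges are rewritten and rows deleted in one transaction; the check for two exactly cased default rows exists because a merge target must be unambiguous.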

ajheflin (Contributor, Author) commented Dec 3, 2025

openshift-ci bot commented Dec 3, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

rhacs-bot (Contributor) commented

Images are ready for the commit at 32eb261.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.10.x-487-g32eb261fdb.

codecov bot commented Dec 3, 2025

Codecov Report

❌ Patch coverage is 0% with 33 lines in your changes missing coverage. Please review.
✅ Project coverage is 49.36%. Comparing base (618c01a) to head (32eb261).

File with missing lines: central/policy/datastore/singleton.go (patch coverage 0.00%, 33 lines missing ⚠️)
Additional details and impacted files
@@                      Coverage Diff                       @@
##           ajheflin/revert-ed9c7ab230   #18046      +/-   ##
==============================================================
- Coverage                       49.37%   49.36%   -0.01%     
==============================================================
  Files                            2698     2698              
  Lines                          198848   198879      +31     
==============================================================
+ Hits                            98177    98180       +3     
- Misses                          93052    93080      +28     
  Partials                         7619     7619              
Flag Coverage Δ
go-unit-tests 49.36% <0.00%> (-0.01%) ⬇️



@ajheflin ajheflin marked this pull request as ready for review December 3, 2025 20:22
@ajheflin ajheflin requested a review from a team as a code owner December 3, 2025 20:22