Add workflow to validate UBI images pass RedHat Certification

[shaun-nx]

Proposed changes

This change adds a new workflow file, openshift-certification.yml which is responsible for validating that our UBI based images of NGF, NGINX OSS, and NGF Operator will pass the RedHad certification process.

This workflow uses RedHat Openshift Preflight tool to pre-certify images before they are published:
https://github.com/redhat-openshift-ecosystem/openshift-preflight

Closes #3909

Checklist

Before creating a PR, run through this checklist and mark each as complete.

• I have read the CONTRIBUTING doc
• I have added tests that prove my fix is effective or that my feature works
• I have checked that all unit tests pass after adding my changes
• I have updated necessary documentation
• I have rebased my branch onto main
• I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

Release notes

If this PR introduces a change that affects users and needs to be mentioned in the release notes,
please add a brief note that summarizes the change.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.71%. Comparing base (690d123) to head (1ff669b).

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #4035   +/-   ##
=======================================
  Coverage   86.70%   86.71%           
=======================================
  Files         128      128           
  Lines       16758    16758           
  Branches       62       62           
=======================================
+ Hits        14530    14531    +1     
  Misses       2043     2043           
+ Partials      185      184    -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[ciarams87]

Why are we pushing to quay.io? Can't we just run the tool against our images in ghcr?

[shaun-nx]

That's a good point... 😅
I think in my mind I was avoiding that as we don't normally push there during PRs, but we will only need to do that while testing this.

[shaun-nx]

For context, NIC push to quay.io: https://quay.io/organization/nginx
I figured that was the way to go about it.

[shaun-nx]

I'm going to leave it as is right now just while we're testing this.
Once this works I'll remove those and then test with the ghcr images

[shaun-nx]

@ciarams87 the workflow should be using the images from ghcr.io now as well as only running on merges to main and on prod releases