Add gangway token for hypershift-pool-admins

[Nirshal]

Summary

Request a permanent gangway API token for the hypershift-pool-admins group (rover group: hypershift-team) to enable automated triggering of Prow periodic e2e jobs from the HyperShift Operator release gating pipeline in Konflux (CNTRLPLANE-3434 / OCPSTRAT-3250).

Generated with ./hack/gangway_token.py --group hypershift-pool-admins.

Discussed with DPTP on #forum-ocp-testplatform: https://redhat-internal.slack.com/archives/CBN38N3MW/p1781080323781869

Jira: https://issues.redhat.com/browse/CNTRLPLANE-3434

Summary by CodeRabbit

This PR adds Gangway API token infrastructure for the HyperShift team to enable automated triggering of Prow periodic e2e jobs from their Konflux release gating pipeline.

Changes made:

1. New namespace and service account setup (clusters/app.ci/gangway-tokens/hypershift-pool-admins/admin_rbac.yaml):

   • Creates a new hypershift-pool-admins namespace on the app.ci cluster
   • Provisions a periodic-job-bot service account to hold the Gangway API token
   • Generates a Kubernetes service account token secret (api-token-secret)
   • Establishes RBAC rules allowing the hypershift-pool-admins group to manage the token secret

2. Gangway authorization (clusters/app.ci/prow/03_deployment/gangway.yaml):

   • Adds the new periodic-job-bot service account from the hypershift-pool-admins namespace to the cluster-gangway-submit ClusterRoleBinding
   • This grants the service account permission to submit jobs through the Gangway API

The configuration follows the established pattern used by other teams in the repository (such as aro-hcp-prow-ci, hp-sre-rosa-ci, and others). Once deployed, the HyperShift team can retrieve the token from the secret and use it in their Konflux pipeline to automatically trigger OpenShift e2e tests, as part of their HyperShift Operator release process.

[coderabbitai]

Walkthrough

This PR establishes RBAC configuration for the periodic-job-bot service account in the hypershift-pool-admins namespace. It creates local secret-management permissions within the namespace and grants cluster-level Gangway submit access via an updated ClusterRoleBinding.

Changes

Gangway Token Access for HyperShift Pool Admins

Layer / File(s)	Summary
Namespace RBAC and ClusterRoleBinding wiring clusters/app.ci/gangway-tokens/hypershift-pool-admins/admin_rbac.yaml, clusters/app.ci/prow/03_deployment/gangway.yaml	Namespace manifest defines hypershift-pool-admins with periodic-job-bot ServiceAccount, api-token-secret token secret, and a secret-owner Role/RoleBinding granting full secret lifecycle permissions. The ClusterRoleBinding cluster-gangway-submit is updated to include the periodic-job-bot subject, wiring namespace-scoped permissions to cluster-level Gangway access.

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: adding a Gangway API token for the hypershift-pool-admins group, which is the core purpose of the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR contains only Kubernetes YAML manifests for RBAC configuration, no Ginkgo test code. The check for test name stability does not apply.
Test Structure And Quality	✅ Passed	PR contains only Kubernetes YAML manifests (admin_rbac.yaml, gangway.yaml), not Ginkgo test code. The custom check for test structure/quality is not applicable.
Microshift Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. The changes are purely Kubernetes RBAC manifests and deployment configuration files with no test code.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR contains only Kubernetes YAML manifests (RBAC/gangway configuration), no Ginkgo e2e tests to evaluate for SNO compatibility.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds RBAC configuration files and ClusterRoleBinding subject entry only. No deployment specs, operator code, or scheduling constraints are introduced.
Ote Binary Stdout Contract	✅ Passed	PR only modifies Kubernetes YAML manifests (admin_rbac.yaml, gangway.yaml templates). No executable source code (Go, Python, etc.) with process-level code exists. OTE Binary Stdout Contract check i...
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR adds Kubernetes configuration files, not Ginkgo e2e tests. The custom check applies only to new Ginkgo tests; no test code is present in this PR.
No-Weak-Crypto	✅ Passed	PR contains only Kubernetes YAML configuration files (admin_rbac.yaml and updates to gangway.yaml) with no cryptographic code, weak algorithms, or non-constant-time comparisons.
Container-Privileges	✅ Passed	No privileged container settings found: neither file contains privileged: true, hostPID, hostNetwork, hostIPC, SYS_ADMIN, allowPrivilegeEscalation, or runAsUser:0.
No-Sensitive-Data-In-Logs	✅ Passed	PR introduces only RBAC configuration changes (new namespace+serviceaccount and ClusterRoleBinding addition) with no logging statements, debug flags, or code that could expose sensitive data like t...
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@Nirshal: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@clusters/app.ci/gangway-tokens/hypershift-pool-admins/admin_rbac.yaml`:
- Around line 10-13: The ServiceAccount resource named "periodic-job-bot" in
namespace "hypershift-pool-admins" currently allows automatic token mounting;
add the field automountServiceAccountToken: false to the ServiceAccount manifest
(under the ServiceAccount spec/metadata block) so pods using this SA do not
automatically get a token mounted.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: e95116de-2956-41b0-9b29-83cec8650ebf

📥 Commits

Reviewing files that changed from the base of the PR and between 51b034f and c352edd.

📒 Files selected for processing (2)

• clusters/app.ci/gangway-tokens/hypershift-pool-admins/admin_rbac.yaml
• clusters/app.ci/prow/03_deployment/gangway.yaml

[bryan-cox]

/retest

[bear-redhat]

/approve

[bear-redhat]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bear-redhat, Nirshal

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• clusters/OWNERS [bear-redhat]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@Nirshal: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.