From bd982542fe747530db687e1d304300723e8a691c Mon Sep 17 00:00:00 2001
From: Justin Pierce <jupierce@redhat.com>
Date: Wed, 28 Aug 2024 13:52:35 -0400
Subject: [PATCH] Allow RHCOS team to create and monitor PRPQR (#56053)

---
 clusters/app.ci/coreos/OWNERS                |  2 ++
 clusters/app.ci/coreos/README.md             |  2 ++
 clusters/app.ci/coreos/prpqr_rbac.yaml       | 26 ++++++++++++++++++++
 core-services/sync-rover-groups/_config.yaml |  3 +++
 4 files changed, 33 insertions(+)
 create mode 100644 clusters/app.ci/coreos/OWNERS
 create mode 100644 clusters/app.ci/coreos/README.md
 create mode 100644 clusters/app.ci/coreos/prpqr_rbac.yaml

diff --git a/clusters/app.ci/coreos/OWNERS b/clusters/app.ci/coreos/OWNERS
new file mode 100644
index 000000000000..a258ef3505ec
--- /dev/null
+++ b/clusters/app.ci/coreos/OWNERS
@@ -0,0 +1,2 @@
+approvers:
+- jupierce
diff --git a/clusters/app.ci/coreos/README.md b/clusters/app.ci/coreos/README.md
new file mode 100644
index 000000000000..41a864aa9cdb
--- /dev/null
+++ b/clusters/app.ci/coreos/README.md
@@ -0,0 +1,2 @@
+Permits members of the CoreOS team and future team automation to construct PullRequestPayloadQualificationRun
+for the purpose of qualifying new builds of coreos before they are incorporated into nightlies.
diff --git a/clusters/app.ci/coreos/prpqr_rbac.yaml b/clusters/app.ci/coreos/prpqr_rbac.yaml
new file mode 100644
index 000000000000..7601ced39267
--- /dev/null
+++ b/clusters/app.ci/coreos/prpqr_rbac.yaml
@@ -0,0 +1,26 @@
+apiVersion: authorization.openshift.io/v1
+kind: ClusterRole
+metadata:
+  name: payload-testing-coreos
+rules:
+- apiGroups:
+  - ci.openshift.io
+  resources:
+  - pullrequestpayloadqualificationruns
+  verbs:
+  - get
+  - create
+  - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: payload-testing-coreos
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: payload-testing-coreos
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: rhel-sst-rhcos
diff --git a/core-services/sync-rover-groups/_config.yaml b/core-services/sync-rover-groups/_config.yaml
index 80a3a8242aae..18e2641cd1f9 100644
--- a/core-services/sync-rover-groups/_config.yaml
+++ b/core-services/sync-rover-groups/_config.yaml
@@ -139,6 +139,9 @@ groups:
   rhecoedge-nvidia-ci-pool-admins:
     clusters:
     - hosted-mgmt
+  rhel-sst-rhcos:
+    clusters:
+    - app.ci
   rhoam-pool-admins:
     clusters:
     - hosted-mgmt