
feat(KONFLUX-14449): Add serviceaccount-loadtest SA with RBAC to tenant namespaces#12656

Open
jhutar wants to merge 1 commit into
redhat-appstudio:mainfrom
jhutar:83-loadtest-sa

Conversation

jhutar (Member) commented Jun 22, 2026

Define serviceaccount-loadtest in konflux-perfscale-{1,2,3,4}-tenant namespaces for dev and staging, replacing konflux-bot-0 as the subject in the event-reader bindings. Each tenant gets:

  • ServiceAccount with rhtap-perf-test-oci-storage-robot-pull-secret ref
  • RoleBinding to konflux-admin-user-actions ClusterRole
  • serviceaccounttoken-manager Role + RoleBinding for konflux-performance group to generate tokens
  • Dummy Opaque secret in development/ (real secret only exists in staging/prod)

Generated-by: Claude

Define serviceaccount-loadtest in konflux-perfscale-{1,2,3,4}-tenant
namespaces for dev and staging, replacing konflux-bot-0 as the subject
in the event-reader bindings. Each tenant gets:
- ServiceAccount with rhtap-perf-test-oci-storage-robot-pull-secret ref
- RoleBinding to konflux-admin-user-actions ClusterRole
- serviceaccounttoken-manager Role + RoleBinding for konflux-performance
  group to generate tokens
- Dummy Opaque secret in development/ (real secret only exists in
  staging/prod)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Generated-by: Claude
Assisted-by: Claude Code
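The serviceaccounttoken-manager Role described above grants the konflux-performance group `create` on `serviceaccounts/token`. The following is an added example, not code from this PR or from the infra-deployments repository: it re-implements the part of Kubernetes RBAC rule matching that decides a TokenRequest, so the difference between a Role with no `resourceNames` (the shape the review hunk further down this page quotes) and a `resourceNames`-scoped variant can be seen without a cluster. The ServiceAccount names other than serviceaccount-loadtest are assumed for illustration and are not taken from the repository.

```python
"""RBAC rule matching for a serviceaccounts/token Role (added example).

Re-implements the subset of Kubernetes RBAC rule matching that decides
whether a subject may issue a TokenRequest for a given ServiceAccount.
Not code from the PR or the repository.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    api_groups: list
    resources: list
    verbs: list
    resource_names: list = field(default_factory=list)  # empty = every name


@dataclass
class Request:
    verb: str
    api_group: str
    resource: str
    subresource: str = ""
    name: str = ""


def _verb_matches(rule, req):
    return "*" in rule.verbs or req.verb in rule.verbs


def _group_matches(rule, req):
    return "*" in rule.api_groups or req.api_group in rule.api_groups


def _resource_matches(rule, req):
    # Kubernetes accepts "*", "res", "res/sub" and "*/sub" in rule.resources.
    combined = f"{req.resource}/{req.subresource}" if req.subresource else req.resource
    for r in rule.resources:
        if r == "*" or r == combined:
            return True
        if req.subresource and r == f"*/{req.subresource}":
            return True
    return False


def _name_matches(rule, req):
    # For a subresource request the name is the parent object's name, so
    # resourceNames scopes TokenRequests to specific ServiceAccounts.
    return not rule.resource_names or req.name in rule.resource_names


def rule_allows(rule, req):
    return (_verb_matches(rule, req) and _group_matches(rule, req)
            and _resource_matches(rule, req) and _name_matches(rule, req))


def role_allows(rules, req):
    return any(rule_allows(r, req) for r in rules)


def token_request(sa_name):
    return Request(verb="create", api_group="", resource="serviceaccounts",
                   subresource="token", name=sa_name)


def minting_scope(rules, candidates):
    """ServiceAccounts the rules let a bound subject mint tokens for."""
    return [sa for sa in candidates if role_allows(rules, token_request(sa))]


# Rule in the shape the PR's Role uses: no resourceNames.
PR_RULE = [Rule(api_groups=[""], resources=["serviceaccounts/token"], verbs=["create"])]
# The same rule scoped to the one ServiceAccount the load tests need.
SCOPED_RULE = [Rule(api_groups=[""], resources=["serviceaccounts/token"], verbs=["create"],
                    resource_names=["serviceaccount-loadtest"])]

# Constructed sample: the intended SA plus other SA names a tenant namespace
# might hold (assumed names, not taken from the repository).
NAMESPACE_SAS = ["serviceaccount-loadtest", "default", "appstudio-pipeline"]

if __name__ == "__main__":
    print("unscoped rule:", minting_scope(PR_RULE, NAMESPACE_SAS))
    print("scoped rule  :", minting_scope(SCOPED_RULE, NAMESPACE_SAS))
    # Neither rule lets the subject create ServiceAccount objects themselves.
    print("create SA    :", role_allows(PR_RULE, Request("create", "", "serviceaccounts")))
```

The unscoped rule returns every candidate, the scoped one only serviceaccount-loadtest; the last line shows that a `serviceaccounts/token` rule does not bleed into plain `serviceaccounts` verbs.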
@openshift-ci openshift-ci Bot requested review from mcharanrm and pmacik June 22, 2026 15:02
openshift-ci Bot commented Jun 22, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jhutar

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jhutar jhutar changed the title Add serviceaccount-loadtest SA with RBAC to tenant namespaces feat(KONFLUX-14449): Add serviceaccount-loadtest SA with RBAC to tenant namespaces Jun 22, 2026
github-actions (Contributor) commented

Kustomize Render Diff

Comparing 5f56d75231f4f2c9fe

Component Environment Changes
components/perf-team-prometheus-reader/development development +228 -4
components/perf-team-prometheus-reader/staging/base staging +200 -4

Total: 2 components, +428 -8 lines

📋 Full diff available in the workflow summary and as a downloadable artifact.

qodo-for-redhat-appstudio Bot commented Jun 22, 2026

PR Summary by Qodo

Add loadtest ServiceAccount + token RBAC to perfscale tenant namespaces
⚙️ Configuration changes ✨ Enhancement 🕐 20-40 Minutes


Description

• Add serviceaccount-loadtest and RBAC in perfscale tenant namespaces for load tests.
• Switch event-reader RoleBindings from konflux-bot-0 to serviceaccount-loadtest.
• Add dev-only dummy pull-secret manifests to satisfy ServiceAccount secret references.
Diagram

```mermaid
graph TD
  A["dev kustomization"] --> B["base tenants-rbac"] --> C(("perfscale tenant ns")) --> D["serviceaccount-loadtest"] --> E["RBAC bindings"]
  D --> F[("pull secret")]
  E --> G["token manager role"]
  E --> H["konflux-admin-user-actions"]
  subgraph Legend
    direction LR
    _k["Kustomize"] ~~~ _ns(("Namespace")) ~~~ _sec[("Secret")]
  end
```
High-Level Assessment

The following are alternative approaches to this PR:

1. Single base SA/RBAC + per-namespace kustomize `namespace:` overlays
  • ➕ Eliminates duplicated 49-line SA/RBAC manifest across 4 tenants
  • ➕ Reduces drift risk (future RBAC edits change once)
  • ➖ Requires restructuring kustomizations (base without fixed namespace)
  • ➖ May be less explicit to operators browsing per-tenant folders
2. Use kustomize patches (StrategicMerge/JSON6902) to swap binding subject
  • ➕ Keeps existing tenant-rbac.yaml as canonical; only patch the subject name
  • ➕ Smaller diffs when switching subjects again
  • ➖ Patch mechanics can be harder to debug than explicit YAML
  • ➖ Still need a strategy for SA/RBAC resource reuse
3. Generate tenants from a template (Helm or kustomize replacements)
  • ➕ Scales cleanly if perfscale tenants grow beyond 4
  • ➕ Enforces uniform naming and RBAC across tenants
  • ➖ Introduces additional tooling/conventions to the repo
  • ➖ Higher upfront refactor compared to the current explicit approach

Recommendation: The PR’s explicit per-tenant manifests are reasonable for 4 namespaces and make review/auditing straightforward. If these tenants are expected to expand or the RBAC will evolve, consider a follow-up refactor to a namespace-agnostic base plus overlays to reduce duplication and long-term drift.

Files changed (18) +240 / -4

Other (18) +240 / -4

components/perf-team-prometheus-reader/base/tenants-rbac/konflux-perfscale-1-tenant/kustomization.yaml (+1/-0): Include loadtest ServiceAccount manifest for perfscale-1
  • Adds 'serviceaccount-loadtest.yaml' to the tenant kustomization resources so the new ServiceAccount and RBAC are applied.

components/perf-team-prometheus-reader/base/tenants-rbac/konflux-perfscale-1-tenant/serviceaccount-loadtest.yaml (+49/-0): Define loadtest ServiceAccount + RBAC for perfscale-1
  • Introduces 'serviceaccount-loadtest' with a pull-secret reference. Grants 'konflux-admin-user-actions' via RoleBinding and adds a 'serviceaccounttoken-manager' Role/RoleBinding for the 'konflux-performance' group to create serviceaccount tokens.

components/perf-team-prometheus-reader/base/tenants-rbac/konflux-perfscale-1-tenant/tenant-rbac.yaml (+1/-1): Switch event-reader binding subject to serviceaccount-loadtest (perfscale-1)
  • Replaces the RoleBinding subject ServiceAccount from 'konflux-bot-0' to 'serviceaccount-loadtest' in the perfscale-1 tenant namespace.

components/perf-team-prometheus-reader/base/tenants-rbac/konflux-perfscale-2-tenant/kustomization.yaml (+1/-0): Include loadtest ServiceAccount manifest for perfscale-2
  • Adds 'serviceaccount-loadtest.yaml' to the tenant kustomization resources so the new ServiceAccount and RBAC are applied.

components/perf-team-prometheus-reader/base/tenants-rbac/konflux-perfscale-2-tenant/serviceaccount-loadtest.yaml (+49/-0): Define loadtest ServiceAccount + RBAC for perfscale-2
  • Introduces 'serviceaccount-loadtest' with a pull-secret reference. Grants 'konflux-admin-user-actions' via RoleBinding and adds a 'serviceaccounttoken-manager' Role/RoleBinding for the 'konflux-performance' group to create serviceaccount tokens.

components/perf-team-prometheus-reader/base/tenants-rbac/konflux-perfscale-2-tenant/tenant-rbac.yaml (+1/-1): Switch event-reader binding subject to serviceaccount-loadtest (perfscale-2)
  • Replaces the RoleBinding subject ServiceAccount from 'konflux-bot-0' to 'serviceaccount-loadtest' in the perfscale-2 tenant namespace.

components/perf-team-prometheus-reader/base/tenants-rbac/konflux-perfscale-3-tenant/kustomization.yaml (+1/-0): Include loadtest ServiceAccount manifest for perfscale-3
  • Adds 'serviceaccount-loadtest.yaml' to the tenant kustomization resources so the new ServiceAccount and RBAC are applied.

components/perf-team-prometheus-reader/base/tenants-rbac/konflux-perfscale-3-tenant/serviceaccount-loadtest.yaml (+49/-0): Define loadtest ServiceAccount + RBAC for perfscale-3
  • Introduces 'serviceaccount-loadtest' with a pull-secret reference. Grants 'konflux-admin-user-actions' via RoleBinding and adds a 'serviceaccounttoken-manager' Role/RoleBinding for the 'konflux-performance' group to create serviceaccount tokens.

components/perf-team-prometheus-reader/base/tenants-rbac/konflux-perfscale-3-tenant/tenant-rbac.yaml (+1/-1): Switch event-reader binding subject to serviceaccount-loadtest (perfscale-3)
  • Replaces the RoleBinding subject ServiceAccount from 'konflux-bot-0' to 'serviceaccount-loadtest' in the perfscale-3 tenant namespace.

components/perf-team-prometheus-reader/base/tenants-rbac/konflux-perfscale-4-tenant/kustomization.yaml (+1/-0): Include loadtest ServiceAccount manifest for perfscale-4
  • Adds 'serviceaccount-loadtest.yaml' to the tenant kustomization resources so the new ServiceAccount and RBAC are applied.

components/perf-team-prometheus-reader/base/tenants-rbac/konflux-perfscale-4-tenant/serviceaccount-loadtest.yaml (+49/-0): Define loadtest ServiceAccount + RBAC for perfscale-4
  • Introduces 'serviceaccount-loadtest' with a pull-secret reference. Grants 'konflux-admin-user-actions' via RoleBinding and adds a 'serviceaccounttoken-manager' Role/RoleBinding for the 'konflux-performance' group to create serviceaccount tokens.

components/perf-team-prometheus-reader/base/tenants-rbac/konflux-perfscale-4-tenant/tenant-rbac.yaml (+1/-1): Switch event-reader binding subject to serviceaccount-loadtest (perfscale-4)
  • Replaces the RoleBinding subject ServiceAccount from 'konflux-bot-0' to 'serviceaccount-loadtest' in the perfscale-4 tenant namespace.

components/perf-team-prometheus-reader/development/kustomization.yaml (+1/-0): Include development loadtest secret manifests
  • Adds the './loadtest-secrets' resource folder to the development overlay so dummy secrets are applied in dev clusters.

components/perf-team-prometheus-reader/development/loadtest-secrets/konflux-perfscale-1-tenant.yaml (+7/-0): Add dummy pull secret for perfscale-1 (dev)
  • Creates an Opaque Secret named 'rhtap-perf-test-oci-storage-robot-pull-secret' in 'konflux-perfscale-1-tenant' for development environments.

components/perf-team-prometheus-reader/development/loadtest-secrets/konflux-perfscale-2-tenant.yaml (+7/-0): Add dummy pull secret for perfscale-2 (dev)
  • Creates an Opaque Secret named 'rhtap-perf-test-oci-storage-robot-pull-secret' in 'konflux-perfscale-2-tenant' for development environments.

components/perf-team-prometheus-reader/development/loadtest-secrets/konflux-perfscale-3-tenant.yaml (+7/-0): Add dummy pull secret for perfscale-3 (dev)
  • Creates an Opaque Secret named 'rhtap-perf-test-oci-storage-robot-pull-secret' in 'konflux-perfscale-3-tenant' for development environments.

components/perf-team-prometheus-reader/development/loadtest-secrets/konflux-perfscale-4-tenant.yaml (+7/-0): Add dummy pull secret for perfscale-4 (dev)
  • Creates an Opaque Secret named 'rhtap-perf-test-oci-storage-robot-pull-secret' in 'konflux-perfscale-4-tenant' for development environments.

components/perf-team-prometheus-reader/development/loadtest-secrets/kustomization.yaml (+7/-0): Add kustomization for dev loadtest secrets bundle
  • Defines a kustomization that aggregates the four per-tenant dummy secret manifests for development.

qodo-for-redhat-appstudio Bot commented

Code Review by Qodo

🐞 Bugs (3) 📘 Rule violations (0) 📜 Skill insights (0)

Context used
✅ Compliance rules (platform): 4 rules



Action required

1. Overbroad token creation 🐞 Bug ⛨ Security
Description
The new serviceaccounttoken-manager Role allows konflux-performance to create
serviceaccounts/token for any ServiceAccount in the tenant namespace, enabling minting tokens for
higher-privileged ServiceAccounts if present. This is broader than the repo’s pattern that restricts
TokenRequests via resourceNames.
Code

components/perf-team-prometheus-reader/base/tenants-rbac/konflux-perfscale-1-tenant/serviceaccount-loadtest.yaml[R24-35]

+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: serviceaccounttoken-manager
+  namespace: konflux-perfscale-1-tenant
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts/token
+  verbs:
+  - create
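Review bot: the rule `resources: [serviceaccounts/token]` / `verbs: [create]` carries no `resourceNames`, so every subject bound to this Role (the konflux-performance group, per the RoleBinding the PR adds) can issue a TokenRequest for any ServiceAccount in konflux-perfscale-1-tenant, not only for serviceaccount-loadtest; add `resourceNames: [serviceaccount-loadtest]` here, and since the same file is copied into the other three tenant directories, make the same change in each of them rather than only in perfscale-1. Before merging, `kubectl auth can-i create serviceaccounts --subresource=token -n konflux-perfscale-1-tenant --as=<any-user> --as-group=konflux-performance` against a cluster with the rendered manifests applied is a quick way to confirm the scoping took effect.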
Relevance

⭐⭐⭐ High

Perf-team token-creation RBAC previously merged with resourceNames scoping; broad TokenRequest
likely rejected.

PR-#11983
PR-#12012

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
The new Role grants TokenRequest creation without any name restriction, while an existing Role in
this repo demonstrates the safer, restricted pattern using resourceNames.

components/perf-team-prometheus-reader/base/tenants-rbac/konflux-perfscale-1-tenant/serviceaccount-loadtest.yaml[24-49]
components/perf-team-prometheus-reader/production/base/sa-token-rbac.yaml[1-16]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`konflux-performance` is granted `create` on `serviceaccounts/token` without `resourceNames`, which permits requesting tokens for *any* ServiceAccount in the namespace.

### Issue Context
In other parts of this repo, TokenRequest permissions are limited to specific ServiceAccounts using `resourceNames`.

### Fix Focus Areas
- components/perf-team-prometheus-reader/base/tenants-rbac/konflux-perfscale-1-tenant/serviceaccount-loadtest.yaml[24-49]
- components/perf-team-prometheus-reader/base/tenants-rbac/konflux-perfscale-2-tenant/serviceaccount-loadtest.yaml[24-49]
- components/perf-team-prometheus-reader/base/tenants-rbac/konflux-perfscale-3-tenant/serviceaccount-loadtest.yaml[24-49]
- components/perf-team-prometheus-reader/base/tenants-rbac/konflux-perfscale-4-tenant/serviceaccount-loadtest.yaml[24-49]

### Implementation notes
Restrict the Role rule to only the intended SA(s), e.g.:
```yaml
rules:
- apiGroups: [""]
  resources: ["serviceaccounts/token"]
  verbs: ["create"]
  resourceNames:
  - serviceaccount-loadtest
```
If multiple SAs are intended, list them explicitly.



2. Missing imagePullSecrets 🐞 Bug ≡ Correctness
Description
serviceaccount-loadtest only references rhtap-perf-test-oci-storage-robot-pull-secret under
.secrets, so workloads using this ServiceAccount will not use it for registry authentication and
private image pulls can fail. In this repo, image-pull credentials are wired via
.imagePullSecrets, not .secrets alone.
Code

components/perf-team-prometheus-reader/base/tenants-rbac/konflux-perfscale-1-tenant/serviceaccount-loadtest.yaml[R7-8]

+secrets:
+  - name: rhtap-perf-test-oci-storage-robot-pull-secret
Relevance

⭐⭐ Medium

No clear historical evidence enforcing imagePullSecrets over secrets for ServiceAccounts in this
repo.

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
The new ServiceAccount manifest lacks imagePullSecrets while other repo ServiceAccounts configure
pull secrets with imagePullSecrets, indicating the new SA will not use the secret for image pulls.

components/perf-team-prometheus-reader/base/tenants-rbac/konflux-perfscale-1-tenant/serviceaccount-loadtest.yaml[1-9]
components/konflux-ci/base/serviceaccount.yaml[1-10]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`serviceaccount-loadtest` references a `*-pull-secret` only in `spec.secrets`, which does not configure pods to use it for image pulls. Pods needing private registry auth must have the secret referenced via `imagePullSecrets`.

### Issue Context
Other ServiceAccounts in this repo set `imagePullSecrets` explicitly when a pull secret is required.

### Fix Focus Areas
- components/perf-team-prometheus-reader/base/tenants-rbac/konflux-perfscale-1-tenant/serviceaccount-loadtest.yaml[1-9]
- components/perf-team-prometheus-reader/base/tenants-rbac/konflux-perfscale-2-tenant/serviceaccount-loadtest.yaml[1-9]
- components/perf-team-prometheus-reader/base/tenants-rbac/konflux-perfscale-3-tenant/serviceaccount-loadtest.yaml[1-9]
- components/perf-team-prometheus-reader/base/tenants-rbac/konflux-perfscale-4-tenant/serviceaccount-loadtest.yaml[1-9]

### Implementation notes
Add:
```yaml
imagePullSecrets:
 - name: rhtap-perf-test-oci-storage-robot-pull-secret
```
Optionally keep/remove `.secrets` depending on whether pods need it mounted; for image pulls, `imagePullSecrets` is the required field.




Informational

3. Invalid dev pull secret 🐞 Bug ≡ Correctness
Description
The development overlay creates rhtap-perf-test-oci-storage-robot-pull-secret as type: Opaque
with no .dockerconfigjson, so it cannot function as a Docker registry pull secret. If workloads
rely on this secret for image pulls in development, pulls will fail or authenticate anonymously.
Code

components/perf-team-prometheus-reader/development/loadtest-secrets/konflux-perfscale-1-tenant.yaml[R1-7]

+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: rhtap-perf-test-oci-storage-robot-pull-secret
+  namespace: konflux-perfscale-1-tenant
+type: Opaque
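Review bot: `type: Opaque` with no `data` means the kubelet will never use this Secret for registry authentication, so in development any pod that ends up referencing it pulls anonymously. If the object exists only to satisfy the ServiceAccount's `.secrets` reference in dev, say so in a comment in the manifest; otherwise give it the same shape as the staging/prod secret, `type: kubernetes.io/dockerconfigjson` with a `.dockerconfigjson` key (an empty `{}` payload is enough for a placeholder), so that a dev-only failure surfaces as an auth error rather than a silently ignored secret type.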
Relevance

⭐ Low

Repo has accepted dev-only Opaque Secrets as dummy placeholders; non-functional pull secret likely
intentional.

PR-#10751

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
The dev secret is explicitly Opaque with no auth data, while repo pull secrets are modeled as
kubernetes.io/dockerconfigjson with .dockerconfigjson, so the new dev secret cannot serve the
same purpose.

components/perf-team-prometheus-reader/development/loadtest-secrets/konflux-perfscale-1-tenant.yaml[1-7]
components/konflux-ci/base/external-secrets/registry-redhat-io-pull-secret.yaml[16-24]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The dev placeholder secret is declared as `Opaque` with no docker auth payload, so it cannot be used as an image pull secret.

### Issue Context
Other pull secrets in this repo are created as `kubernetes.io/dockerconfigjson` and provide `.dockerconfigjson`.

### Fix Focus Areas
- components/perf-team-prometheus-reader/development/loadtest-secrets/konflux-perfscale-1-tenant.yaml[1-7]
- components/perf-team-prometheus-reader/development/loadtest-secrets/konflux-perfscale-2-tenant.yaml[1-7]
- components/perf-team-prometheus-reader/development/loadtest-secrets/konflux-perfscale-3-tenant.yaml[1-7]
- components/perf-team-prometheus-reader/development/loadtest-secrets/konflux-perfscale-4-tenant.yaml[1-7]

### Implementation notes
If this is meant to be a non-functional placeholder but still a *valid* pull secret, change to:
```yaml
type: kubernetes.io/dockerconfigjson
data:
 .dockerconfigjson: e30=
```
(`e30=` is base64 for `{}`), or populate real credentials via ExternalSecret if needed.



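The three findings above are shape checks on the rendered manifests: a token-minting rule without `resourceNames`, a pull secret listed under `.secrets` but not `.imagePullSecrets`, and a `*-pull-secret` Secret that is not a `kubernetes.io/dockerconfigjson` secret. The following is an added example, not Qodo's or the repository's code: a small Python linter that runs those checks over parsed manifests. The input manifests are constructed dicts that mirror the PR's ServiceAccount, Role and dev Secret as quoted in the review, followed by the same objects with the suggested fixes applied. In practice the input would be `yaml.safe_load_all()` over `kustomize build` output; that wiring is omitted so the block runs offline.

```python
"""Manifest checks for the three review findings (added example).

Operates on manifests as dicts (what yaml.safe_load_all() returns).
Not code from the PR, from Qodo, or from the repository.
"""


def _ref(doc):
    m = doc.get("metadata", {})
    return f"{doc.get('kind')}/{m.get('namespace', '')}/{m.get('name')}"


def check_token_role(doc):
    """Finding 1: create on serviceaccounts/token with no resourceNames."""
    if doc.get("kind") not in ("Role", "ClusterRole"):
        return []
    out = []
    for rule in doc.get("rules", []):
        grants_token = any(r in ("serviceaccounts/token", "*/token", "*")
                           for r in rule.get("resources", []))
        grants_create = any(v in ("create", "*") for v in rule.get("verbs", []))
        if grants_token and grants_create and not rule.get("resourceNames"):
            out.append(f"{_ref(doc)}: create serviceaccounts/token without resourceNames")
    return out


def check_sa_pull_secret(doc):
    """Finding 2: pull secret only under .secrets, which does not drive image pulls."""
    if doc.get("kind") != "ServiceAccount":
        return []
    mounted = {s.get("name") for s in doc.get("secrets", [])}
    pull = {s.get("name") for s in doc.get("imagePullSecrets", [])}
    return [f"{_ref(doc)}: {n} is in .secrets but not .imagePullSecrets"
            for n in sorted(mounted - pull) if n and n.endswith("pull-secret")]


def check_secret_type(doc):
    """Finding 3: a *pull-secret Secret that the kubelet cannot use for pulls."""
    if doc.get("kind") != "Secret":
        return []
    name = doc.get("metadata", {}).get("name", "")
    stype = doc.get("type", "Opaque")
    keys = set(doc.get("data") or {}) | set(doc.get("stringData") or {})
    if name.endswith("pull-secret") and (
            stype != "kubernetes.io/dockerconfigjson" or ".dockerconfigjson" not in keys):
        return [f"{_ref(doc)}: type {stype} cannot serve as an image pull secret"]
    return []


CHECKS = (check_token_role, check_sa_pull_secret, check_secret_type)


def lint(docs):
    return [finding for doc in docs for check in CHECKS for finding in check(doc)]


NS = "konflux-perfscale-1-tenant"
SECRET = "rhtap-perf-test-oci-storage-robot-pull-secret"

# Constructed manifests mirroring the objects quoted in the review.
AS_SUBMITTED = [
    {"apiVersion": "v1", "kind": "ServiceAccount",
     "metadata": {"name": "serviceaccount-loadtest", "namespace": NS},
     "secrets": [{"name": SECRET}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
     "metadata": {"name": "serviceaccounttoken-manager", "namespace": NS},
     "rules": [{"apiGroups": [""], "resources": ["serviceaccounts/token"], "verbs": ["create"]}]},
    {"apiVersion": "v1", "kind": "Secret",
     "metadata": {"name": SECRET, "namespace": NS}, "type": "Opaque"},
]

# The same objects with the review's suggested fixes applied.
AS_FIXED = [
    {"apiVersion": "v1", "kind": "ServiceAccount",
     "metadata": {"name": "serviceaccount-loadtest", "namespace": NS},
     "secrets": [{"name": SECRET}], "imagePullSecrets": [{"name": SECRET}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
     "metadata": {"name": "serviceaccounttoken-manager", "namespace": NS},
     "rules": [{"apiGroups": [""], "resources": ["serviceaccounts/token"],
                "verbs": ["create"], "resourceNames": ["serviceaccount-loadtest"]}]},
    {"apiVersion": "v1", "kind": "Secret",
     "metadata": {"name": SECRET, "namespace": NS},
     "type": "kubernetes.io/dockerconfigjson", "data": {".dockerconfigjson": "e30="}},
]

if __name__ == "__main__":
    for finding in lint(AS_SUBMITTED):
        print("FAIL", finding)
    print("fixed manifests:", lint(AS_FIXED) or "clean")
```

Run against the submitted shapes the linter reports all three findings; against the fixed shapes it reports none. Because the same serviceaccount-loadtest.yaml is duplicated into four tenant directories, running the checks over the whole rendered overlay rather than one file is what catches a fix applied to only one copy.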


codecov Bot commented Jun 22, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 53.32%. Comparing base (09f413f) to head (2ce2678).
⚠️ Report is 1 commit behind head on main.


@@           Coverage Diff           @@
##             main   #12656   +/-   ##
=======================================
  Coverage   53.32%   53.32%           
=======================================
  Files          20       20           
  Lines        1309     1309           
=======================================
  Hits          698      698           
  Misses        539      539           
  Partials       72       72           
Flag go: coverage 53.32% <ø>, Δ (ø)

