Add Prow CI scripts and configuration

Add CI scripts for OFCIR SSH-from-Pod pattern:
- prow_setup.sh: machine setup (install deps, validate env)
- prow_e2e.sh: E2E deployment (connected/disconnected)
- prow_infra_verify.sh: infrastructure verification
- prow_disconnected_dry_run.sh: mirror config validation
- prow_cleanup.sh: periodic infrastructure cleanup

Add OWNERS file for Prow review workflow.
Add migration and OFCIR setup documentation.

Author: eliorerz

Makefile.ci

@@ -22,6 +22,7 @@ include Makefile
 .PHONY: validate validate-shell validate-yaml validate-json-schema validate-ansible \
         validate-tags validate-templates validate-mirror validate-makefile validate-plugins \
         build-ci-image push-ci-image test-ci-image build-push-ci-image \
+        build-tarball build-push-tarball \
         deploy-cluster-pre-install-validate \
         environment provision-landing-zone verify-landing-zone \
         install-enclave verify-enclave-installation \
@@ -241,6 +242,16 @@ validate-makefile:
 validate-plugins:
 	@./scripts/verification/validate.sh plugins
 
+# --- Tarball targets ---
+
+# Build distribution tarball (used by ci-operator container test)
+build-tarball:
+	@./scripts/ci/build_tarball.sh build
+
+# Build and push tarball to Quay (postsubmit)
+build-push-tarball:
+	@./scripts/ci/build_tarball.sh build-push
+
 # --- CI Image targets ---
 
 build-ci-image:

OWNERS

@@ -0,0 +1,20 @@
+approvers:
+- agonzalezrh
+- carbonin
+- danielerez
+- eliorerz
+- eurijon
+- javipolo
+- maorfr
+- mlorenzofr
+- rporres
+reviewers:
+- agonzalezrh
+- carbonin
+- danielerez
+- eliorerz
+- eurijon
+- javipolo
+- maorfr
+- mlorenzofr
+- rporres

docs/OFCIR_SETUP.md

@@ -0,0 +1,150 @@
+# OFCIR Setup Guide
+
+## Approach: Reuse `packet-assisted` Infrastructure
+
+Instead of creating a custom OFCIR pool and cluster profile from scratch, enclave
+reuses the existing `packet-assisted` profile and `assisted_medium_el9` machine pool.
+This is the same infrastructure that `assisted-service` uses.
+
+**What this gives us:**
+- Equinix bare-metal machines with EL9, KVM-capable, sufficient RAM
+- SSH access via `packet-ssh-key` (pre-configured in the profile)
+- OFCIR auth token (pre-configured in the profile)
+- Pull secret with all required registries
+
+**What we skip:**
+- No ci-tools PR (no new cluster profile constant)
+- No Vault self-service setup
+- No boskos lease configuration
+- No OFCIR pool/machine registration
+- No DPTP ticket
+
+### Why this works
+
+1. `packet-assisted` has **no owner restrictions** in `cluster-profiles-config.yaml` — any org can use it
+2. `assisted_medium_el9` machines are Equinix hosts with 64GB+ RAM and KVM support
+3. The SSH-from-Pod pattern is identical regardless of which profile provides the credentials
+
+### Trade-off
+
+Enclave jobs share the machine pool with assisted-service. If the pool is busy, jobs
+queue until a machine is available. If this becomes a bottleneck, we can create a
+dedicated pool later (see "Migrating to a Dedicated Pool" below).
+
+---
+
+## What's Needed Now
+
+### In `openshift/release` (single PR)
+
+The ci-operator config already uses:
+```yaml
+cluster_profile: packet-assisted
+CLUSTERTYPE: assisted_medium_el9
+```
+
+The step-registry entries (`e2e-setup`, `e2e-teardown`, `e2e-connected`, etc.)
+use `from: dev-scripts` and source `${SHARED_DIR}/packet-conf.sh` — both provided
+by the existing OFCIR infrastructure.
+
+No additional configuration is needed.
+
+### Verification
+
+After the `openshift/release` PR merges:
+
+1. Open a PR on the enclave repo that touches `playbooks/` or `scripts/`
+2. Run `/test infra-verify` to trigger the OFCIR-based job
+3. Check Prow logs to confirm:
+   - `ofcir-acquire` gets a machine IP
+   - `e2e-setup` SSHs in and clones the repo
+   - The test step runs on the machine
+   - `ofcir-release` returns the machine
+
+---
+
+## Migrating to a Dedicated Pool (Later)
+
+If sharing the assisted pool becomes a bottleneck, create a dedicated `enclave-edge`
+profile. This requires:
+
+### 1. PR to `openshift/ci-tools` (`pkg/api/types.go`)
+
+```go
+// Add constant
+ClusterProfileEnclaveEdge ClusterProfile = "enclave-edge"
+
+// Add to ClusterProfiles() list
+ClusterProfileEnclaveEdge,
+
+// Add to LeaseType()
+case ClusterProfileEnclaveEdge:
+    return "enclave-edge-quota-slice"
+```
+
+### 2. PR to `openshift/release`
+
+**`core-services/prow/02_config/_boskos.yaml`** — add lease:
+```yaml
+- type: enclave-edge-quota-slice
+  state: free
+  min-count: 1
+  max-count: 1
+```
+
+**`core-services/ci-secret-bootstrap/_config.yaml`** — seed pull-secret:
+```yaml
+- from:
+    pull-secret:
+      dockerconfigJSON:
+      - auth_field: token_image-puller_app.ci_reg_auth_value.txt
+        item: build_farm
+        registry_url: registry.ci.openshift.org
+      - auth_field: auth
+        email_field: email
+        item: quay.io-pull-secret
+        registry_url: quay.io
+      - auth_field: auth
+        email_field: email
+        item: registry.redhat.io-pull-secret
+        registry_url: registry.redhat.io
+  to:
+  - cluster_groups:
+    - non_app_ci
+    name: cluster-secrets-enclave-edge
+    namespace: ci
+```
+
+**`ci-operator/step-registry/cluster-profiles/cluster-profiles-config.yaml`** — restrict access:
+```yaml
+- profile: enclave-edge
+  owners:
+    - org: rh-ecosystem-edge
+      repos:
+        - enclave
+```
+
+### 3. Vault self-service (after PR 2 merges)
+
+At **vault.ci.openshift.org**:
+- Create collection at **selfservice.vault.ci.openshift.org**
+- Add secret with keys: `packet-ssh-key`, `ofcir-auth-token`
+- Set metadata: `secretsync/target-namespace: ci`, `secretsync/target-name: cluster-secrets-enclave-edge`
+
+### 4. DPTP request (`#forum-ocp-testplatform`)
+
+Request a new CIPool with type `enclave_edge_el9` and add the CLUSTERTYPE mapping
+to `ofcir-acquire-commands.sh`.
+
+### 5. Update ci-operator config
+
+Change `packet-assisted` -> `enclave-edge` and `assisted_medium_el9` -> `enclave_edge_el9`.
+
+---
+
+## References
+
+- [Adding a Cluster Profile](https://docs.ci.openshift.org/docs/how-tos/adding-a-cluster-profile/)
+- [Adding a New Secret to CI](https://docs.ci.openshift.org/docs/how-tos/adding-a-new-secret-to-ci/)
+- [ci-tools PR 4685](https://github.com/openshift/ci-tools/pull/4685) (example profile addition)
+- DPTP team: `#forum-ocp-testplatform` on Slack