
Added oauth annotations to gcsweb-private service account #80749

Open
hector-vido wants to merge 1 commit into openshift:main from hector-vido:add-oauth-redirect-gcsweb-private

Conversation

@hector-vido

@hector-vido hector-vido commented Jun 18, 2026


Some annotations used by OAuth were missing from the gcsweb-private service account; without them we can't even insert our credentials, and an error screen is returned immediately.

The error was:
{"error": "server_error","error_description": "The authorization server encountered an unexpected condition that prevented it from fulfilling the request.","state": "a54de56e299bd70629af15c6657870b8:/gcs/origin-ci-private/pr-logs/pull/openshift-priv_cluster-etcd-operator/1/pull-ci-openshift-priv-cluster-etcd-operator-release-4.22-e2e-aws-ovn-single-node/2067426346849538048/"}
Slack thread: https://redhat-internal.slack.com/archives/CBN38N3MW/p1781792228650009

Summary by CodeRabbit

This PR adds missing OAuth annotations to the gcsweb-private service account in the OpenShift CI Prow cluster deployment. The gcsweb-private service is part of the Prow infrastructure (specifically the Google Cloud Storage web service) that requires OAuth authentication.

Two annotations were added to enable OAuth proxy integration:

  1. OAuth redirect reference: Points the service to the gcsweb-private Route, enabling the OAuth proxy to know where to route authentication redirects
  2. OAuth redirect URI: Explicitly sets the OAuth redirect endpoint for the internal ingress path (https://gcsweb-private-ci.apps.ci.l2s4.p1.openshiftapps.com)

These annotations follow the standard pattern used by other OAuth-protected services in the OpenShift CI infrastructure (such as release-controller and gangway). Without these annotations, the authorization server was unable to properly configure the OAuth flow for this service, resulting in "server_error" responses when attempting to authenticate requests. This change resolves that authorization issue by providing the necessary OAuth configuration metadata.
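
An added example, not code from this PR or the openshift/release repository: a small Python linter for the two annotation families named above, run on a constructed ServiceAccount before and after the change. The annotation values are reconstructed from the description, the `OAuthRedirectReference` JSON shape follows the OpenShift documentation, and the https/no-wildcard rule is this example's own policy.

```python
import json
from urllib.parse import urlsplit

PREFIX = "serviceaccounts.openshift.io/"
URI, REF = PREFIX + "oauth-redirecturi.", PREFIX + "oauth-redirectreference."

def lint_oauth_annotations(sa):
    """Return findings for a ServiceAccount that acts as an OAuth client."""
    ann = sa.get("metadata", {}).get("annotations") or {}
    uris = {k[len(URI):]: v for k, v in ann.items() if k.startswith(URI)}
    refs = {k[len(REF):]: v for k, v in ann.items() if k.startswith(REF)}
    findings = []
    if not uris and not refs:
        findings.append("no redirect annotations: OAuth server has no redirect target")
    for name, raw in refs.items():
        try:  # value must be JSON naming a Route (shape per OpenShift docs)
            doc = json.loads(raw)
            target = doc.get("reference", {})
            ok = (doc.get("kind") == "OAuthRedirectReference"
                  and target.get("kind") == "Route" and bool(target.get("name")))
        except (ValueError, AttributeError):
            ok = False
        if not ok:
            findings.append(f"redirectreference.{name}: not a valid Route reference")
    for name, raw in uris.items():
        u = urlsplit(raw)
        if not u.scheme:  # relative value only makes sense next to a same-name reference
            if name not in refs:
                findings.append(f"redirecturi.{name}: relative, no same-name reference")
        elif u.scheme != "https" or not u.hostname or "*" in raw or u.fragment:
            findings.append(f"redirecturi.{name}: want absolute https, no wildcard/fragment")
    return findings

# Constructed manifests; values reconstructed from the PR description, not the PR's file.
BEFORE = {"kind": "ServiceAccount", "metadata": {"name": "gcsweb-private", "namespace": "ci"}}
ROUTE_REF = json.dumps({"kind": "OAuthRedirectReference", "apiVersion": "v1",
                        "reference": {"kind": "Route", "name": "gcsweb-private"}})
AFTER = {"kind": "ServiceAccount", "metadata": {
    "name": "gcsweb-private", "namespace": "ci", "annotations": {
        REF + "deck-internal": ROUTE_REF,
        URI + "prow-internal-ingress":
            "https://gcsweb-private-ci.apps.ci.l2s4.p1.openshiftapps.com"}}}

if __name__ == "__main__":
    for label, sa in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_oauth_annotations(sa) or "ok")
```

Because the two annotations use different suffixes (`deck-internal` and `prow-internal-ingress`), the static URI is checked as a stand-alone absolute URL rather than as a path override for the Route reference.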

@openshift-merge-bot openshift-merge-bot Bot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Jun 18, 2026
@openshift-merge-bot


[REHEARSALNOTIFIER]
@hector-vido: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

@coderabbitai

coderabbitai Bot commented Jun 18, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: f6e92642-4203-47ea-8357-8175eda5c962

📥 Commits

Reviewing files that changed from the base of the PR and between 093f449 and e84f8bb.

📒 Files selected for processing (1)
  • clusters/app.ci/prow/03_deployment/admin_gcsweb-private_rbac.yaml

Walkthrough

Two OAuth-related annotations are added to the gcsweb-private ServiceAccount in namespace ci: one oauth-redirectreference pointing to the gcsweb-private Route, and one oauth-redirecturi specifying the Prow internal ingress redirect URI.

Changes

gcsweb-private OAuth Redirect Configuration

Layer / File(s) | Summary
gcsweb-private ServiceAccount OAuth annotations (clusters/app.ci/prow/03_deployment/admin_gcsweb-private_rbac.yaml) | Adds serviceaccounts.openshift.io/oauth-redirectreference.deck-internal and serviceaccounts.openshift.io/oauth-redirecturi.prow-internal-ingress annotations to the gcsweb-private ServiceAccount.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

  • openshift/release#80556: Directly related — adjusts OAuth integration for gcsweb-private/deck-internal by modifying the gcsweb-private service account's OAuth redirect and RBAC delegation configuration.

Suggested labels

lgtm, approved, rehearsals-ack

Suggested reviewers

  • droslean
  • bradmwilliams
🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title accurately describes the main change: adding OAuth annotations to the gcsweb-private service account, which directly matches the modifications shown in the raw summary.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names | ✅ Passed | The PR modifies a Kubernetes resource YAML file, not test code. The custom check applies only to Ginkgo test names, which are not present in this PR.
Test Structure And Quality | ✅ Passed | PR modifies only Kubernetes YAML configuration (ServiceAccount annotations), not Ginkgo test code. Check for "Ginkgo test code quality" is not applicable to infrastructure/configuration changes.
Microshift Test Compatibility | ✅ Passed | This PR only modifies a Kubernetes YAML config file (ServiceAccount with OAuth annotations) and does not add any new Ginkgo e2e tests, so the MicroShift test compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility | ✅ Passed | PR only modifies Kubernetes YAML configuration file for OAuth annotations; it contains no Ginkgo e2e tests, so SNO test compatibility check is not applicable.
Topology-Aware Scheduling Compatibility | ✅ Passed | This PR only adds OAuth annotations to a ServiceAccount RBAC configuration, with no modifications to deployment manifests, operator code, controllers, or scheduling constraints.
Ote Binary Stdout Contract | ✅ Passed | PR contains only Kubernetes YAML configuration changes to add OAuth annotations; no Go code, OTE binaries, or stdout-writing code is present, making the check not applicable.
Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | PR modifies only Kubernetes YAML manifests (ServiceAccount, ClusterRole, ClusterRoleBinding) with no Ginkgo e2e tests added. Check applies only to new tests.
No-Weak-Crypto | ✅ Passed | PR modifies only Kubernetes YAML configuration; no cryptographic code, weak crypto algorithms, or custom implementations are present.
Container-Privileges | ✅ Passed | File contains only RBAC resources (ServiceAccount, ClusterRole, ClusterRoleBinding) with no container specifications. No privileged configurations found.
No-Sensitive-Data-In-Logs | ✅ Passed | PR contains only OAuth annotations with service references and standard HTTPS URIs; no passwords, tokens, API keys, PII, or sensitive credentials are exposed in logs or configuration.


@openshift-ci

openshift-ci Bot commented Jun 18, 2026


[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hector-vido

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 18, 2026
@openshift-ci openshift-ci Bot requested review from danilo-gemoli and droslean June 18, 2026 14:57
@openshift-ci

openshift-ci Bot commented Jun 18, 2026


@hector-vido: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
