- OpenShift CLI (oc)
- An OCP cluster (ROSA instructions)
Deploy the hypershift-ci-1 manifests:
oc apply -f hypershift-ci-1.yaml
After initial installation or as part of a credentials rotation, create a kubeconfig from the admin SA token which can be injected into CI jobs:
oc serviceaccounts --namespace hypershift-ops create-kubeconfig admin > /tmp/hypershift-ci-1.kubeconfig
Store the kubeconfig in Vault under the clusters directory in a secret named hypershift-ci-1 with the following schema:
{
  "hypershift-ops-admin.kubeconfig": "<kubeconfig contents>",
  "secretsync/target-name": "hypershift-ci-1",
  "secretsync/target-namespace": "ci,test-credentials"
}
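The schema above embeds a multi-line kubeconfig as a single JSON string, and the file written to /tmp holds an admin token. As an added example (not part of the original instructions), this Python helper builds the secret document with correct escaping and refuses a kubeconfig that group or other can access; the function names and the sample kubeconfig are constructed for illustration.

```python
import json
import os
import stat
import tempfile

KUBECONFIG_KEY = "hypershift-ops-admin.kubeconfig"

# Constructed sample input: placeholder server and token, not real credentials.
SAMPLE_KUBECONFIG = """apiVersion: v1
kind: Config
clusters:
- name: example
  cluster:
    server: https://api.example.invalid:6443
users:
- name: admin
  user:
    token: PLACEHOLDER-TOKEN
"""

def build_vault_secret(kubeconfig_path, target_name="hypershift-ci-1",
                       target_namespaces=("ci", "test-credentials")):
    """Return the JSON document for the Vault secret, using the page's schema."""
    mode = stat.S_IMODE(os.stat(kubeconfig_path).st_mode)
    # The file carries an admin SA token: reject any group/other permission bits.
    if mode & 0o077:
        raise PermissionError(f"{kubeconfig_path} has mode {mode:o}; chmod 600 it first")
    with open(kubeconfig_path, encoding="utf-8") as fh:
        contents = fh.read()
    # Sanity check (assumption: a kubeconfig always has these top-level keys).
    if "clusters:" not in contents or "users:" not in contents:
        raise ValueError("file does not look like a kubeconfig")
    return json.dumps({
        KUBECONFIG_KEY: contents,  # json.dumps escapes newlines and quotes
        "secretsync/target-name": target_name,
        "secretsync/target-namespace": ",".join(target_namespaces),
    }, indent=2)

def write_sample_kubeconfig(mode):
    """Write the constructed sample to a temp file with the given mode."""
    fd, path = tempfile.mkstemp(suffix=".kubeconfig")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_KUBECONFIG)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    print(build_vault_secret(write_sample_kubeconfig(0o600)))
```

Running `umask 077` before the `create-kubeconfig` redirect makes the real file pass the permission check; delete it from /tmp once the secret is stored.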
Deploy the template for developer namespaces (only needs to be done one time per CI cluster):
oc apply -f dev-namespace-template.yaml
This will enable developers to create their own namespace (and kubeconfig) for their cluster using the following command:
NAME=your-name
oc new-app developer-namespace -p "NAME=$NAME"
token=$(oc get secrets -n "$NAME" -o name | grep "$NAME-dev-token" | xargs oc get -o jsonpath='{.data.token}' -n "$NAME" | base64 -d)
oc login --token="$token"
After doing this, the default context in your kubeconfig will be the low-privilege service account in your namespace, useful for creating HostedClusters and NodePools. If you still need privileged access, you can pass --context=admin to any oc command.