Fix config-bootstrapper and test-runner RBAC

prow/cluster/control-plane/301-rbac.yaml

@@ -35,7 +35,16 @@ roleRef:
   name: "test-pods-default"
 subjects:
 - kind: ServiceAccount
-  name: "default"
+  name: default
+  namespace: test-pods
+- kind: ServiceAccount
+  name: test-runner
+  namespace: test-pods
+- kind: ServiceAccount
+  name: nightly
+  namespace: test-pods
+- kind: ServiceAccount
+  name: release
   namespace: test-pods
 ---
 kind: Role

prow/cluster/control-plane/config-bootstrapper.yaml

@@ -0,0 +1,45 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  namespace: default
+  name: config-bootstrapper
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - patch
+      - update
+      - list
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  namespace: default
+  name: config-bootstrapper
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: config-bootstrapper
+subjects:
+- kind: ServiceAccount
+  name: config-bootstrapper
+  namespace: default
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: config-bootstrapper
+  namespace: default
+---
+# This is temporary and needs to be removed when prow plugins support gke-k8s-auth-plugins
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/service-account-token
+metadata:
+  name: config-bootstrapper-token
+  namespace: default
+  annotations:
+    kubernetes.io/service-account.name: config-bootstrapper

prow/cluster/trusted/secrets.yaml

@@ -6,3 +6,21 @@ spec:
   provider:
     gcpsm:
       projectID: knative-tests
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: prow-kubeconfig
+  namespace: test-pods
+spec:
+  refreshInterval: 30m
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: knative-tests
+  target:
+    name: prow-kubeconfig
+    creationPolicy: Owner
+  data:
+  - secretKey: kubeconfig.yaml
+    remoteRef:
+      key: config-bootstrap-kubeconfig