docs: document openshift-priv and private repositories

pkg/webreg/webreg.go

@@ -2459,9 +2459,93 @@ const privateRepositoriesPage = `
 <h2 id="title"><a href="#title">Private Repositories</a></h2>
 
 <p>
-All of <a href="https://github.com/openshift/release/tree/master/ci-operator/config/openshift-priv"><code>ci-operator/config/openshift-priv</code></a> is autogenerated with <a href="https://github.com/openshift/ci-tools/tree/master/cmd/private-prow-configs-mirror#private-prow-configs-mirror"><code>private-prow-configs-mirror</code></a> from corresponding content in <a href="https://github.com/openshift/release/tree/master/ci-operator/config/openshift"><code>ci-operator/config/openshift</code></a>, and should not be manually edited.
-For example, see <a href="https://github.com/openshift/release/pull/10382">release#10382</a>.
-</ul>
+OpenShift CI supports setting up CI jobs for private repositories mainly to
+allow temporary non-public development on the forks of the otherwise public
+repositories. The CI jobs executed for these forks are not shown in the public
+Deck instance, and all their artifacts are not public. Access to these jobs is
+limited to engineers who need it.
+</p>
+
+<p>
+Unfortunately, such access cannot be granted to developers of other private
+repositories. Therefore, OpenShift CI only allows setting up <em>public</em> CI
+jobs for private repositories -- the logs and artifacts executed for such
+private repository will be public. <strong>Only set up such jobs when you are
+absolutely sure your jobs would not leak any sensitive information</strong>.
+</p>
+
+<p>
+To allow the CI jobs to access a private repo, drop a following file to the
+directory in <code>openshift/release</code> holding the <code>ci-operator</code>
+configuration for your repository (usually <code>ci-operator/config/$org/$repo</code>):
+</p>
+
+<code>.config.prowgen</code>
+{{ yamlSyntax (index . "privateRepoProwgenConfigExample") }}
+
+<h3><code>openshift-priv</code> organization</h3>
+
+<p>
+The <code>openshift-priv</code> organization holds private forks of selected
+repositories. The purpose of these forks is to allow temporary non-public
+development. Their presence, content, settings, and all CI configuration are
+managed automatically.
+</p>
+
+<p>
+<em>Automated tools manage all CI configuration for repositories in <code>openshift-priv</code>
+organization. Humans should not change any CI configuration related to these
+repositories. All manual changes to this configuration will be overwritten.</em>
+</p>
+
+<h4>Involved Repositories</h4>
+
+<p>
+The set of repositories that are managed automatically in <code>openshift-priv</code>
+is dynamic and consists of the following two subsets:
+</p>
+
+<ol>
+  <li>Repositories with existing CI configuration promoting images to the <code>ocp/4.X</code>
+      namespace (same criteria like for enrollment into the centralized release
+      branch management)</li>
+  <li>Repositories explicitly listed in the
+      <a href="https://github.com/openshift/release/blob/master/core-services/openshift-priv/_whitelist.yaml">allowlist</a></li>
+</ol>
+
+<h4>Automation Architecture</h4>
+
+When a repository is identified to be included in <code>openshift-priv</code>
+by having the appropriate promoting configuration or by being present in the
+allowlist, the following jobs and tools maintain the existence, repository
+settings, repository content, and all necessary CI configuration of the fork in
+<code>openshift-priv</code>:
+
+<ol>
+  <li>The <a href="https://deck-internal-ci.apps.ci.l2s4.p1.openshiftapps.com/?job=periodic-auto-private-org-peribolos-sync">periodic-auto-private-org-peribolos-sync</a>
+      job runs the <a href="https://github.com/openshift/ci-tools/tree/master/cmd/private-org-peribolos-sync">private-org-peribolos-sync</a>
+      tool to maintain the GitHub settings for the fork. These settings are asynchronously
+      consumed by the <a href="https://prow.ci.openshift.org/?job=periodic-org-sync">periodic-org-sync</a>
+      job running the <a href="https://github.com/kubernetes/test-infra/tree/master/prow/cmd/peribolos">peribolos</a>
+      tool to create the fork on GitHub and maintain its settings.</li>
+  <li>The <a href="https://deck-internal-ci.apps.ci.l2s4.p1.openshiftapps.com/?job=periodic-openshift-release-private-org-sync">periodic-openshift-release-private-org-sync</a>
+      job runs the <a href="https://github.com/openshift/ci-tools/tree/master/cmd/private-org-sync">private-org-sync</a>
+      tool to synchronize the git content of the fork with the source repository.</li>
+  <li>The <a href="https://prow.ci.openshift.org/?job=periodic-prow-auto-config-brancher">periodic-prow-auto-config-brancher</a>
+      runs the <a href="https://github.com/openshift/ci-tools/tree/master/cmd/ci-operator-config-mirror">ci-operator-config-mirror</a>
+      tool to create and maintain the CI configuration for the fork (<code>ci-operator</code>
+      configuration files). The same job then generates the CI jobs from the <code>ci-operator</code>
+      files. This has a caveat of not carrying over handcrafted (non-generated)
+      jobs and also manual changes to the generated jobs.</li>
+  <li>The <a href="https://prow.ci.openshift.org/?job=periodic-prow-auto-config-brancher">periodic-prow-auto-config-brancher</a>
+      also runs the <a href="https://github.com/openshift/ci-tools/tree/master/cmd/private-prow-configs-mirror">private-prow-configs-mirror</a>
+      tool to mirror the repository-specific Prow configuration, like merging
+      criteria, plugin enablement, etc.</li>
+</ol>
+`
+
+const privateRepoProwgenConfigExample = `private: true
+expose: true
 `
 
 const quotasAndLeasesPage = `<h2 id="title"><a href="#title">How are Cloud Quota and Aggregate Concurrency Limits Handled?</a></h2>
@@ -3024,6 +3108,7 @@ func helpHandler(subPath string, w http.ResponseWriter, _ *http.Request) {
 		data["makeNewRepoExample"] = makeNewRepoExample
 		helpTemplate, err = helpFuncs.Parse(releasePage)
 	case "/private-repositories":
+		data["privateRepoProwgenConfigExample"] = privateRepoProwgenConfigExample
 		helpTemplate, err = helpFuncs.Parse(privateRepositoriesPage)
 	case "/examples":
 		helpTemplate, err = helpFuncs.Parse(examplesPage)