The OpenShift token we use in the CI variables is short-lived and has too many permissions in the idea to production demo
Jorge from Red Hat brought up that we should be using a service account instead of our OpenShift user account for this.
At the moment, we do have one service account in our template for the runner, with edit permissions on the namespace you install it into. I'm not sure if we can create service accounts from our template that will have elevated permissions on other projects? Or in our case, the ability to create a new project in OpenShift.
We can, though, create the service account user, give it the appropriate roles, and create a token for us to use if we do this from the command-line tools as an admin user.
There is also the question of whether GitLab should even have the power to create new OpenShift projects.
Needs more investigation.
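
The command-line route described above, as an added example that is not part of the original issue. It assumes a cluster-admin `oc` session, uses hypothetical names (`gitlab-ci`, `gitlab`), and grants only OpenShift's built-in `self-provisioner` cluster role (project creation) instead of a broad admin role. It prints the commands unless `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example: dedicated service account for GitLab CI, limited to
# creating projects. SA_NAME and SA_NAMESPACE are hypothetical placeholders.
SA_NAME="${SA_NAME:-gitlab-ci}"
SA_NAMESPACE="${SA_NAMESPACE:-gitlab}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the plan only, 0 = execute against the cluster

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Accept only DNS-1123 labels, so nothing unexpected ends up in the subject name.
valid_name() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$'
}

provision_sa() {
  if ! valid_name "$SA_NAME" || ! valid_name "$SA_NAMESPACE"; then
    echo "invalid service account or namespace name" >&2
    return 2
  fi
  subject="system:serviceaccount:${SA_NAMESPACE}:${SA_NAME}"

  # 1. Create the service account in its home namespace.
  run oc create serviceaccount "$SA_NAME" -n "$SA_NAMESPACE" || return 1

  # 2. Allow it to request new projects, and nothing else cluster-wide.
  run oc adm policy add-cluster-role-to-user self-provisioner "$subject" || return 1

  # 3. Read the token to store as a protected CI variable.
  #    Newer oc clients replace this subcommand with `oc create token`.
  run oc serviceaccounts get-token "$SA_NAME" -n "$SA_NAMESPACE"
}

# With the default DRY_RUN=1 this only prints the three commands for review.
provision_sa
```

A service account that creates a project through a project request becomes admin of that new project only, so its reach stays limited to what the pipeline itself created.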