openshift-docs/modules/cco-ccoctl-upgrading.adoc

// Module included in the following assemblies:
//
// * updating/preparing_for_updates/preparing-manual-creds-update.adoc


:_mod-docs-content-type: PROCEDURE
[id="cco-ccoctl-upgrading_{context}"]
= Updating cloud provider resources with the Cloud Credential Operator utility

[role="_abstract"]
Update the cloud provider resources for your {product-title} cluster by using the CCO utility (`ccoctl`). The process for upgrading these resources is similar to creating the resources during installation.

[NOTE]
====
On AWS clusters, some `ccoctl` commands make AWS API calls to create or modify AWS resources. You can use the `--dry-run` flag to avoid making API calls. Using this flag creates JSON files on the local file system instead. You can review and modify the JSON files and then apply them with the AWS CLI tool using the `--cli-input-json` parameters.
====

.Prerequisites

* You have extracted the `CredentialsRequest` custom resources (CRs) from the {product-title} release image and ensured that a namespace that matches the text in the `spec.secretRef.namespace` field exists in the cluster.

* You have extracted and configured the `ccoctl` binary from the release image.

.Procedure

. Create the output directory if it does not already exist by running the following command:
+
[source,terminal]
----
$ mkdir -p <path_to_ccoctl_output_dir>
----

. Extract the bound service account signing key from the cluster and save it to the output directory by running the following command:
+
[source,terminal]
----
$ oc get secret bound-service-account-signing-key \
  -n openshift-kube-apiserver \
  -ojsonpath='{ .data.service-account\.pub }' | base64 \
  -d > <path_to_ccoctl_output_dir>/serviceaccount-signer.public
----

. Use the `ccoctl` tool to process all `CredentialsRequest` objects by running the command for your cloud provider. The following commands process `CredentialsRequest` objects:
+
.Amazon Web Services (AWS)
[%collapsible]
====
[source,terminal]
----
$ ccoctl aws create-all \// <1>
  --name=<name> \// <2>
  --region=<aws_region> \// <3>
  --credentials-requests-dir=<path_to_credentials_requests_directory> \// <4>
  --output-dir=<path_to_ccoctl_output_dir> \// <5>
  --public-key-file=<path_to_ccoctl_output_dir>/serviceaccount-signer.public \// <6>
  --create-private-s3-bucket \// <7>
  --permissions-boundary-arn=<policy_arn> <8>
----
<1> To create the AWS resources individually, use the "Creating AWS resources individually" procedure in the "Installing a cluster on AWS with customizations" content. This option might be useful if you need to review the JSON files that the `ccoctl` tool creates before modifying AWS resources, or if the process the `ccoctl` tool uses to create AWS resources automatically does not meet the requirements of your organization.
<2> Specify the name used to tag any cloud resources that are created for tracking.
<3> Specify the AWS region in which cloud resources will be created.
<4> Specify the directory containing the files for the component `CredentialsRequest` objects.
<5> Specify the path to the output directory.
<6> Specify the path to the `serviceaccount-signer.public` file that you extracted from the cluster.
<7> Optional: By default, the `ccoctl` utility stores the OpenID Connect (OIDC) configuration files in a public S3 bucket and uses the S3 URL as the public OIDC endpoint. To store the OIDC configuration in a private S3 bucket that is accessed by the IAM identity provider through a public CloudFront distribution URL instead, use the `--create-private-s3-bucket` parameter.
<8> Optional: Specify the Amazon Resource Name (ARN) of the {aws-short} IAM policy to use as the permissions boundary for the IAM roles created by the `ccoctl` utility.
====
+
.{gcp-first}
[%collapsible]
====
[source,terminal]
----
$ ccoctl gcp create-all \
  --name=<name> \// <1>
  --region=<gcp_region> \// <2>
  --project=<gcp_project_id> \// <3>
  --credentials-requests-dir=<path_to_credentials_requests_directory> \// <4>
  --output-dir=<path_to_ccoctl_output_dir> \// <5>
  --public-key-file=<path_to_ccoctl_output_dir>/serviceaccount-signer.public \// <6>
----
<1> Specify the user-defined name for all created {gcp-short} resources used for tracking.
<2> Specify the {gcp-short} region in which cloud resources will be created.
<3> Specify the {gcp-short} project ID in which cloud resources will be created.
<4> Specify the directory containing the files of `CredentialsRequest` manifests to create {gcp-short} service accounts.
<5> Specify the path to the output directory.
<6> Specify the path to the `serviceaccount-signer.public` file that you extracted from the cluster.
====
+
.{ibm-cloud-title}
[%collapsible]
====
[source,terminal]
----
$ ccoctl ibmcloud create-service-id \
  --credentials-requests-dir=<path_to_credential_requests_directory> \// <1>
  --name=<cluster_name> \// <2>
  --output-dir=<installation_directory> \// <3>
  --resource-group-name=<resource_group_name> <4>
----
<1> Specify the directory containing the files for the component `CredentialsRequest` objects.
<2> Specify the name of the {product-title} cluster.
<3> Optional: Specify the directory in which you want the `ccoctl` utility to create objects. By default, the utility creates objects in the directory in which the commands are run.
<4> Optional: Specify the name of the resource group used for scoping the access policies.
====
+
.{azure-first}
[%collapsible]
====
[source,terminal]
----
$ ccoctl azure create-managed-identities \
  --name <azure_infra_name> \// <1>
  --output-dir=<path_to_ccoctl_output_dir> \// <2>
  --region <azure_region> \// <3>
  --subscription-id <azure_subscription_id> \// <4>
  --credentials-requests-dir <path_to_directory_for_credentials_requests> \// <5>
  --issuer-url "${OIDC_ISSUER_URL}" \// <6>
  --dnszone-resource-group-name <azure_dns_zone_resourcegroup_name> \// <7>
  --installation-resource-group-name "${AZURE_INSTALL_RG}" \// <8>
  --preserve-existing-roles <9>
----
<1> The value of the `name` parameter is used to create an Azure resource group.
To use an existing Azure resource group instead of creating a new one, specify the `--oidc-resource-group-name` argument with the existing group name as its value.
<2> Specify the path to the output directory.
<3> Specify the region of the existing cluster.
<4> Specify the subscription ID of the existing cluster.
<5> Specify the directory containing the files for the component `CredentialsRequest` objects.
<6> Specify the OIDC issuer URL from the existing cluster.
You can obtain this value by running the following command:
+
[source,terminal]
----
$ oc get authentication cluster \
  -o jsonpath \
  --template='{ .spec.serviceAccountIssuer }'
----
<7> Specify the name of the resource group that contains the DNS zone.
<8> Specify the {azure-short} resource group name.
You can obtain this value by running the following command:
+
[source,terminal]
----
$ oc get infrastructure cluster \
  -o jsonpath \
  --template '{ .status.platformStatus.azure.resourceGroupName }'
----
<9> Optional: Specify this flag to ensure that any custom role assignments you define on managed identities are not removed during {product-title} updates.
====
+
.Nutanix
[%collapsible]
====
[source,terminal]
----
$ ccoctl nutanix create-shared-secrets \
  --credentials-requests-dir=<path_to_credentials_requests_directory> \// <1>
  --output-dir=<ccoctl_output_dir> \// <2>
  --credentials-source-filepath=<path_to_credentials_file> <3>
----
<1> Specify the path to the directory that contains the files for the component `CredentialsRequests` objects.
<2> Optional: Specify the directory in which you want the `ccoctl` utility to create objects. By default, the utility creates objects in the directory in which the commands are run.
<3> Optional: Specify the directory that contains the credentials data YAML file. By default, `ccoctl` expects this file to be in `<home_directory>/.nutanix/credentials`.
====
+
For each `CredentialsRequest` object, `ccoctl` creates the required provider resources and a permissions policy as defined in each `CredentialsRequest` object from the {product-title} release image.

. Apply the secrets to your cluster by running the following command:
+
[source,terminal]
----
$ ls <path_to_ccoctl_output_dir>/manifests/*-credentials.yaml | xargs -I{} oc apply -f {}
----

.Verification

You can verify that the required provider resources and permissions policies are created by querying the cloud provider. For more information, refer to your cloud provider documentation on listing roles or service accounts.

.Next steps

* Update the `upgradeable-to` annotation to indicate that the cluster is ready to upgrade.