openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
enterprise-4.21
openshift-docs/modules/cco-determine-mode-gui.adoc
Ben Scott 0ca20e31a1 gcp-first replacement
2025-10-28 14:54:43 -04:00

167 lines
6.4 KiB
Plaintext
Raw Permalink Blame History

// Module included in the following assemblies:
//
// * updating/preparing_for_updates/preparing-manual-creds-update.adoc
// * authentication/managing_cloud_provider_credentials/about-cloud-credential-operator.adoc
:_mod-docs-content-type: PROCEDURE
ifeval::["{context}" == "preparing-manual-creds-update"]
:update:
endif::[]
ifeval::["{context}" == "about-cloud-credential-operator"]
:about-cco:
endif::[]
[id="cco-determine-mode-gui_{context}"]
= Determining the Cloud Credential Operator mode by using the web console
You can determine what mode the Cloud Credential Operator (CCO) is configured to use by using the web console.
[NOTE]
====
Only Amazon Web Services (AWS), global Microsoft Azure, and {gcp-first} clusters support multiple CCO modes.
====
.Prerequisites
* You have access to an {product-title} account with cluster administrator permissions.
.Procedure
. Log in to the {product-title} web console as a user with the `cluster-admin` role.
. Navigate to *Administration* -> *Cluster Settings*.
. On the *Cluster Settings* page, select the *Configuration* tab.
. Under *Configuration resource*, select *CloudCredential*.
. On the *CloudCredential details* page, select the *YAML* tab.
. In the YAML block, check the value of `spec.credentialsMode`. The following values are possible, though not all are supported on all platforms:
+
--
* `''`: The CCO is operating in the default mode. In this configuration, the CCO operates in mint or passthrough mode, depending on the credentials provided during installation.
* `Mint`: The CCO is operating in mint mode.
* `Passthrough`: The CCO is operating in passthrough mode.
* `Manual`: The CCO is operating in manual mode.
--
+
[IMPORTANT]
====
To determine the specific configuration of an AWS, {gcp-short}, or global Microsoft Azure cluster that has a `spec.credentialsMode` of `''`, `Mint`, or `Manual`, you must investigate further.
AWS and {gcp-short} clusters support using mint mode with the root secret deleted.
ifdef::update[]
If the cluster is specifically configured to use mint mode or uses mint mode by default, you must determine if the root secret is present on the cluster before updating.
endif::update[]
An AWS, {gcp-short}, or global Microsoft Azure cluster that uses manual mode might be configured to create and manage cloud credentials from outside of the cluster with AWS STS, {gcp-short} Workload Identity, or {entra-first}. You can determine whether your cluster uses this strategy by examining the cluster `Authentication` object.
====
ifdef::about-cco[]
. AWS or {gcp-short} clusters that use the default (`''`) only: To determine whether the cluster is operating in mint or passthrough mode, inspect the annotations on the cluster root secret:
.. Navigate to *Workloads* -> *Secrets* and look for the root secret for your cloud provider.
+
[NOTE]
====
Ensure that the *Project* dropdown is set to *All Projects*.
====
+
[cols=2,options=header]
|===
|Platform
|Secret name
|AWS
|`aws-creds`
|{gcp-short}
|`gcp-credentials`
|===
.. To view the CCO mode that the cluster is using, click `1 annotation` under *Annotations*, and check the value field. The following values are possible:
+
--
* `Mint`: The CCO is operating in mint mode.
* `Passthrough`: The CCO is operating in passthrough mode.
--
+
If your cluster uses mint mode, you can also determine whether the cluster is operating without the root secret.
endif::about-cco[]
. AWS or {gcp-short} clusters that use mint mode only: To determine whether the cluster is operating without the root secret, navigate to *Workloads* -> *Secrets* and look for the root secret for your cloud provider.
+
[NOTE]
====
Ensure that the *Project* dropdown is set to *All Projects*.
====
+
[cols=2,options=header]
|===
|Platform
|Secret name
|AWS
|`aws-creds`
|{gcp-short}
|`gcp-credentials`
|===
+
--
* If you see one of these values, your cluster is using mint or passthrough mode with the root secret present.
* If you do not see these values, your cluster is using the CCO in mint mode with the root secret removed.
--
. AWS, {gcp-short}, or global Microsoft Azure clusters that use manual mode only: To determine whether the cluster is configured to create and manage cloud credentials from outside of the cluster, you must check the cluster `Authentication` object YAML values.
.. Navigate to *Administration* -> *Cluster Settings*.
.. On the *Cluster Settings* page, select the *Configuration* tab.
.. Under *Configuration resource*, select *Authentication*.
.. On the *Authentication details* page, select the *YAML* tab.
.. In the YAML block, check the value of the `.spec.serviceAccountIssuer` parameter.
+
--
* A value that contains a URL that is associated with your cloud provider indicates that the CCO is using manual mode with short-term credentials for components. These clusters are configured using the `ccoctl` utility to create and manage cloud credentials from outside of the cluster.
* An empty value (`''`) indicates that the cluster is using the CCO in manual mode but was not configured using the `ccoctl` utility.
--
ifdef::update[]
.Next steps
* If you are updating a cluster that has the CCO operating in mint or passthrough mode and the root secret is present, you do not need to update any cloud provider resources and can continue to the next part of the update process.
* If your cluster is using the CCO in mint mode with the root secret removed, you must reinstate the credential secret with the administrator-level credential before continuing to the next part of the update process.
* If your cluster was configured using the CCO utility (`ccoctl`), you must take the following actions:
.. Extract and prepare the `CredentialsRequest` custom resources (CRs) for the new release.
.. Configure the `ccoctl` utility for the new release and use it to update the cloud provider resources.
.. Update the `upgradeable-to` annotation to indicate that the cluster is ready to update.
* If your cluster is using the CCO in manual mode but was not configured using the `ccoctl` utility, you must take the following actions:
.. Extract and prepare the `CredentialsRequest` custom resources (CRs) for the new release.
.. Manually update the cloud provider resources for the new release.
.. Update the `upgradeable-to` annotation to indicate that the cluster is ready to update.
endif::update[]
ifeval::["{context}" == "preparing-manual-creds-update"]
:!update:
endif::[]
ifeval::["{context}" == "about-cloud-credential-operator"]
:!about-cco:
endif::[]
View Git Blame Copy Permalink