openshift-docs/modules/manually-maintained-credentials-upgrade-extract.adoc

// Module included in the following assemblies:
//
// * updating/preparing_for_updates/preparing-manual-creds-update.adoc


:_mod-docs-content-type: PROCEDURE
[id="cco-ccoctl-upgrading-extracting_{context}"]
= Extracting and preparing credentials request resources

Before updating a cluster that uses the Cloud Credential Operator (CCO) in manual mode, you must extract and prepare the `CredentialsRequest` custom resources (CRs) for the new release.

.Prerequisites

* Install the {oc-first} that matches the version for your updated version.
* Log in to the cluster as user with `cluster-admin` privileges.

.Procedure

. Obtain the pull spec for the update that you want to apply by running the following command:
+
[source,terminal]
----
$ oc adm upgrade
----
+
The output of this command includes pull specs for the available updates similar to the following:
+
.Partial example output
[source,text]
----
...
Recommended updates:

VERSION IMAGE
4.21.0  quay.io/openshift-release-dev/ocp-release@sha256:6a899c54dda6b844bb12a247e324a0f6cde367e880b73ba110c056df6d018032
...
----

. Set a `$RELEASE_IMAGE` variable with the release image that you want to use by running the following command:
+
[source,terminal]
----
$ RELEASE_IMAGE=<update_pull_spec>
----
+
where `<update_pull_spec>` is the pull spec for the release image that you want to use. For example:
+
[source,text]
----
quay.io/openshift-release-dev/ocp-release@sha256:6a899c54dda6b844bb12a247e324a0f6cde367e880b73ba110c056df6d018032
----

. Extract the list of `CredentialsRequest` custom resources (CRs) from the {product-title} release image by running the following command:
+
[source,terminal]
----
$ oc adm release extract \
  --from=$RELEASE_IMAGE \
  --credentials-requests \
  --included \// <1>
  --to=<path_to_directory_for_credentials_requests> <2>
----
<1> The `--included` parameter includes only the manifests that your specific cluster configuration requires for the target release.
<2> Specify the path to the directory where you want to store the `CredentialsRequest` objects. If the specified directory does not exist, this command creates it.
+
This command creates a YAML file for each `CredentialsRequest` object.

. For each `CredentialsRequest` CR in the release image, ensure that a namespace that matches the text in the `spec.secretRef.namespace` field exists in the cluster. This field is where the generated secrets that hold the credentials configuration are stored.
+
.Sample AWS `CredentialsRequest` object
[source,yaml]
----
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  name: cloud-credential-operator-iam-ro
  namespace: openshift-cloud-credential-operator
spec:
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: AWSProviderSpec
    statementEntries:
    - effect: Allow
      action:
      - iam:GetUser
      - iam:GetUserPolicy
      - iam:ListAccessKeys
      resource: "*"
  secretRef:
    name: cloud-credential-operator-iam-ro-creds
    namespace: openshift-cloud-credential-operator <1>
----
<1> This field indicates the namespace which must exist to hold the generated secret.
+
The `CredentialsRequest` CRs for other platforms have a similar format with different platform-specific values.

. For any `CredentialsRequest` CR for which the cluster does not already have a namespace with the name specified in `spec.secretRef.namespace`, create the namespace by running the following command:
+
[source,terminal]
----
$ oc create namespace <component_namespace>
----

.Next steps

* If the cloud credential management for your cluster was configured using the CCO utility (`ccoctl`), configure the `ccoctl` utility for a cluster update and use it to update your cloud provider resources.

* If your cluster was not configured with the `ccoctl` utility, manually update your cloud provider resources.