openshift-docs/modules/cco-determine-mode-cli.adoc

// Module included in the following assemblies:
//
// * updating/preparing_for_updates/preparing-manual-creds-update.adoc
// * authentication/managing_cloud_provider_credentials/about-cloud-credential-operator.adoc

:_mod-docs-content-type: PROCEDURE

ifeval::["{context}" == "preparing-manual-creds-update"]
:update:
endif::[]
ifeval::["{context}" == "about-cloud-credential-operator"]
:about-cco:
endif::[]

[id="cco-determine-mode-cli_{context}"]
= Determining the Cloud Credential Operator mode by using the CLI

You can determine what mode the Cloud Credential Operator (CCO) is configured to use by using the CLI.

[NOTE]
====
Only Amazon Web Services (AWS), global Microsoft Azure, and {gcp-first} clusters support multiple CCO modes.
====

.Prerequisites

* You have access to an {product-title} account with cluster administrator permissions.
* You have installed the OpenShift CLI (`oc`).

.Procedure

. Log in to `oc` on the cluster as a user with the `cluster-admin` role.

. To determine the mode that the CCO is configured to use, enter the following command:
+
[source,terminal]
----
$ oc get cloudcredentials cluster \
  -o=jsonpath={.spec.credentialsMode}
----
+
The following output values are possible, though not all are supported on all platforms:
+
--
* `''`: The CCO is operating in the default mode. In this configuration, the CCO operates in mint or passthrough mode, depending on the credentials provided during installation.
* `Mint`: The CCO is operating in mint mode.
* `Passthrough`: The CCO is operating in passthrough mode.
* `Manual`: The CCO is operating in manual mode.
--
+
[IMPORTANT]
====
To determine the specific configuration of an AWS, {gcp-short}, or global Microsoft Azure cluster that has a `spec.credentialsMode` of `''`, `Mint`, or `Manual`, you must investigate further.

AWS and {gcp-short} clusters support using mint mode with the root secret deleted.
ifdef::update[]
If the cluster is specifically configured to use mint mode or uses mint mode by default, you must determine if the root secret is present on the cluster before updating.
endif::update[]

An AWS, {gcp-short}, or global Microsoft Azure cluster that uses manual mode might be configured to create and manage cloud credentials from outside of the cluster with AWS STS, {gcp-short} Workload Identity, or {entra-first}. You can determine whether your cluster uses this strategy by examining the cluster `Authentication` object.
====

ifdef::about-cco[]
. AWS or {gcp-short} clusters that use the default (`''`) only: To determine whether the cluster is operating in mint or passthrough mode, run the following command:
+
[source,terminal]
----
$ oc get secret <secret_name> \
  -n kube-system \
  -o jsonpath \
  --template '{ .metadata.annotations }'
----
+
where `<secret_name>` is `aws-creds` for AWS or `gcp-credentials` for {gcp-short}.
+
This command displays the value of the `.metadata.annotations` parameter in the cluster root secret object. The following output values are possible:
+
--
* `Mint`: The CCO is operating in mint mode.
* `Passthrough`: The CCO is operating in passthrough mode.
--
+
If your cluster uses mint mode, you can also determine whether the cluster is operating without the root secret.
endif::about-cco[]

. AWS or {gcp-short} clusters that use mint mode only: To determine whether the cluster is operating without the root secret, run the following command:
+
[source,terminal]
----
$ oc get secret <secret_name> \
  -n=kube-system
----
+
where `<secret_name>` is `aws-creds` for AWS or `gcp-credentials` for {gcp-short}.
+
If the root secret is present, the output of this command returns information about the secret. An error indicates that the root secret is not present on the cluster.

. AWS, {gcp-short}, or global Microsoft Azure clusters that use manual mode only: To determine whether the cluster is configured to create and manage cloud credentials from outside of the cluster, run the following command:
+
[source,terminal]
----
$ oc get authentication cluster \
  -o jsonpath \
  --template='{ .spec.serviceAccountIssuer }'
----
+
This command displays the value of the `.spec.serviceAccountIssuer` parameter in the cluster `Authentication` object.
+
--
* An output of a URL that is associated with your cloud provider indicates that the CCO is using manual mode with short-term credentials for components. These clusters are configured using the `ccoctl` utility to create and manage cloud credentials from outside of the cluster.

* An empty output indicates that the cluster is using the CCO in manual mode but was not configured using the `ccoctl` utility.
--

ifdef::update[]
.Next steps

* If you are updating a cluster that has the CCO operating in mint or passthrough mode and the root secret is present, you do not need to update any cloud provider resources and can continue to the next part of the update process.

* If your cluster is using the CCO in mint mode with the root secret removed, you must reinstate the credential secret with the administrator-level credential before continuing to the next part of the update process.

* If your cluster was configured using the CCO utility (`ccoctl`), you must take the following actions:

.. Extract and prepare the `CredentialsRequest` custom resources (CRs) for the new release.

.. Configure the `ccoctl` utility for the new release and use it to update the cloud provider resources.

.. Update the `upgradeable-to` annotation to indicate that the cluster is ready to update.

* If your cluster is using the CCO in manual mode but was not configured using the `ccoctl` utility, you must take the following actions:

.. Extract and prepare the `CredentialsRequest` custom resources (CRs) for the new release.

.. Manually update the cloud provider resources for the new release.

.. Update the `upgradeable-to` annotation to indicate that the cluster is ready to update.
endif::update[]

ifeval::["{context}" == "preparing-manual-creds-update"]
:!update:
endif::[]
ifeval::["{context}" == "about-cloud-credential-operator"]
:!about-cco:
endif::[]