$ oc edit cloudcredential cluster
Manual mode is supported for Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).
In manual mode, a user manages cloud credentials instead of the Cloud Credential Operator (CCO). To use this mode, you must examine the CredentialsRequest
CRs in the release image for the version of OpenShift Container Platform that you are running or installing, create corresponding credentials in the underlying cloud provider, and create Kubernetes secrets in the correct namespaces to satisfy all CredentialsRequest
CRs for the cluster’s cloud provider.
Using manual mode allows each cluster component to have only the permissions it requires, without storing an administrator-level credential in the cluster. This mode also does not require connectivity to the AWS public IAM endpoint. However, you must manually reconcile permissions with new release images for every upgrade.
You can configure an AWS cluster in manual mode to use Amazon Web Services Security Token Service (AWS STS). With this configuration, the CCO uses temporary credentials for different components.
The Cloud Credential Operator (CCO) Upgradable
status for a cluster with manually maintained credentials is False
by default.
For minor releases, for example, from 4.8 to 4.9, this status prevents you from upgrading until you have addressed any updated permissions and annotated the CloudCredential
resource to indicate that the permissions are updated as needed for the next version. This annotation changes the Upgradable
status to True
.
For z-stream releases, for example, from 4.9.0 to 4.9.1, no permissions are added or changed, so the upgrade is not blocked.
Before upgrading a cluster with manually maintained credentials, you must create any new credentials for the release image that you are upgrading to. Additionally, you must review the required permissions for existing credentials and accommodate any new permissions requirements in the new release for those components.
Extract and examine the CredentialsRequest
custom resource for the new release.
The "Manually creating IAM" section of the installation content for your cloud provider explains how to obtain and use the credentials required for your cloud.
Update the manually maintained credentials on your cluster:
Create new secrets for any CredentialsRequest
custom resources that are added by the new release image.
If the CredentialsRequest
custom resources for any existing credentials that are stored in secrets have changed their permissions requirements, update the permissions as required.
When all of the secrets are correct for the new release, indicate that the cluster is ready to upgrade:
Log in to the OpenShift Container Platform CLI as a user with the cluster-admin
role.
Edit the CloudCredential
resource to add an upgradeable-to
annotation within the metadata
field:
$ oc edit cloudcredential cluster
...
metadata:
annotations:
cloudcredential.openshift.io/upgradeable-to: <version_number>
...
Where <version_number>
is the version you are upgrading to, in the format x.y.z
. For example, 4.8.2
for OpenShift Container Platform 4.8.2.
It may take several minutes after adding the annotation for the upgradeable status to change.
Verify that the CCO is upgradeable:
In the Administrator perspective of the web console, navigate to Administration → Cluster Settings.
To view the CCO status details, click cloud-credential in the Cluster Operators list.
If the Upgradeable status in the Conditions section is False, verify that the upgradeable-to
annotation is free of typographical errors.
When the Upgradeable status in the Conditions section is True, you can begin the OpenShift Container Platform upgrade.