HIVE-1159: Cloud Credentials Operator (CCO) support for deleting GCP root creds post-install

[jeana-redhat]

Primarily an effort to cover HIVE-1159: Cloud Credentials Operator (CCO) support for deleting GCP root creds post-install, but also clarifying some sections and bringing them into parallel construction, and elaborating on the credentials rotation process.

Previews

• Cluster tasks: New section to contain rotation and removal info
  • Rotating cloud provider credentials manually: new section, process is related to removal
  • Removing cloud provider credentials: new section for HIVE-1159
• Related linking and structure alignment:
  • Manually creating IAM for AWS: added reference to procedure for removing credentials post-install
  • Manually creating IAM for GCP: added reference to procedure for removing credentials post-install, added information to make more parallel to AWS version
  • Manually creating IAM for Azure: added information to make more parallel to AWS version
• Red Hat Operators: Linked some related references as additional resources for the CCO to support new info.
  • Cloud Credential Operator: Updated with support for cred deletion on GCP, fixed some typos, moved Modes section to beginning to get all term definitions up front for better understanding.

[netlify]

Deploy preview for osdocs ready!

Built with commit 6dc493b

https://deploy-preview-28974--osdocs.netlify.app

[jeana-redhat]

(Adding a few minor edits I noticed while re-reviewing previews, will grab as part of SME revisions)

[jeana-redhat]

@akhil-rane this PR has revisions to cover cred removal on GCP, and some related changes to support that addition. PTAL when you can 🙏

[akhil-rane]

@jeana-redhat In the section Rotating cloud provider credentials manually, it is mentioned that supported platforms are AWS, Azure, and GCP. But I think other platforms are also supported. Only thing is that they are not supported for Mint mode (as mentioned in the support matrix).

[jeana-redhat]

@jeana-redhat In the section Rotating cloud provider credentials manually, it is mentioned that supported platforms are AWS, Azure, and GCP. But I think other platforms are also supported. Only thing is that they are not supported for Mint mode (as mentioned in the support matrix).

Updated rotation task prereq to split out mint vs passthrough supported status. Thank you!

[akhil-rane]

Here are some of the things that I noticed during the review:

1. when the user is extracting credentials requests from the release image using the command oc adm release extract quay.io/openshift-release-dev/ocp-release:4.y.z-x86_64 --credentials-requests --cloud=azure, nothing gets displayed in stdout (in 4.7) as mentioned in the docs. Instead yaml files are created for each credentials request object.

2. In the section Removing cloud provider credentials, I am not sure why step 2 (Deleting IAM users) and step 3 (Deleting component secrets) are required?

3. For azure and gcp sections for Manually creating IAM it is mentioned that we can set the credentialsMode parameter for the CCO to Manual in the install-config.yaml when installing OpenShift Container Platform. But unlike AWS this step is missing from GCP and Azure.

4. Docs say that removal of admin credentials are only supported in AWS and GCP. I am not sure why that is not possible in Azure.

@joelddiaz your input on some of the above topics will help a lot in case I miss something :)

[joelddiaz]

Can't remove creds in Azure b/c there is no read-only credentials defined for Azure so that CCO can verify that things are working.

[jeana-redhat]

Ok - I think this most recent push resolves previous issues, but PTAL @akhil-rane & @joelddiaz 🙏 Preview links in fist comment have auto-updated for easier reading :)

[jeana-redhat]

@lwan-wanglin PTAL at the procedures here when you can - some changes from what you sent me (including doing some of it in the GUI instead of CLI). Preview links are in the top comment on the PR.

[adellape]

Real good! Just a few minor suggestions.

[jeana-redhat]

Status update:
✔️ SME review
✔️ Editorial review
And I see that Lin is back (welcome back!) and has moved the Jira to QE assigned 👍

[lwan-wanglin]

Status update:
SME review
Editorial review
And I see that Lin is back (welcome back!) and has moved the Jira to QE assigned

LGTM! The feature works well on my test and doc looks good to me.

[jeana-redhat]

/cherrypick enterprise-4.7

[openshift-cherrypick-robot]

@jeana-redhat: new pull request created: #29658

Details

In response to this:

/cherrypick enterprise-4.7

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.