Merge pull request #28974 from jeana-redhat/CO-1159_delete_GCP_root_creds_post-install

HIVE-1159: Cloud Credentials Operator (CCO) support for deleting GCP root creds post-install

Author: jeana-redhat

installing/installing_aws/manually-creating-iam.adoc

@@ -3,6 +3,8 @@
 include::modules/common-attributes.adoc[]
 :context: manually-creating-iam-aws
 
+//TO-DO: this should be one file for AWS, Azure, and GCP with conditions for specifics.
+
 toc::[]
 
 In environments where the cloud identity and access management (IAM) APIs are not reachable, or the administrator prefers not to store an administrator-level credential secret in the cluster `kube-system` namespace, you can put the Cloud Credential Operator (CCO) into manual mode before you install the cluster.
@@ -11,7 +13,10 @@ include::modules/alternatives-to-storing-admin-secrets-in-kube-system.adoc[level
 
 .Additional resources
 
-See xref:../../operators/operator-reference.adoc#cloud-credential-operator_red-hat-operators[Cloud Credential Operator] for a detailed description of all available CCO credential modes and their supported platforms.
+// Not supported in Azure. Condition out if combining topic for AWS/Azure/GCP.
+* To learn how to rotate or remove the administrator-level credential secret after installing {product-title}, see xref:../../post_installation_configuration/cluster-tasks.adoc#post-install-rotate-remove-cloud-creds[Rotating or removing cloud provider credentials].
+
+* See xref:../../operators/operator-reference.adoc#cloud-credential-operator_red-hat-operators[Cloud Credential Operator] for a detailed description of all available CCO credential modes and their supported platforms.
 
 include::modules/manually-create-identity-access-management.adoc[leveloffset=+1]
 

installing/installing_azure/manually-creating-iam-azure.adoc

@@ -5,10 +5,26 @@ include::modules/common-attributes.adoc[]
 
 toc::[]
 
+In environments where the cloud identity and access management (IAM) APIs are not reachable, or the administrator prefers not to store an administrator-level credential secret in the cluster `kube-system` namespace, you can put the Cloud Credential Operator (CCO) into manual mode before you install the cluster.
+
+include::modules/alternatives-to-storing-admin-secrets-in-kube-system.adoc[leveloffset=+1]
+
+.Additional resources
+
+* See xref:../../operators/operator-reference.adoc#cloud-credential-operator_red-hat-operators[Cloud Credential Operator] for a detailed description of all available CCO credential modes and their supported platforms.
+
 include::modules/manually-create-identity-access-management.adoc[leveloffset=+1]
 
 include::modules/admin-credentials-root-secret-formats.adoc[leveloffset=+1]
 
 include::modules/manually-maintained-credentials-upgrade.adoc[leveloffset=+1]
 
 include::modules/mint-mode.adoc[leveloffset=+1]
+
+[id="manually-creating-iam-azure-next-steps"]
+== Next steps
+
+* Install an {product-title} cluster:
+** xref:../../installing/installing_azure/installing-azure-default.adoc#installing-azure-default[Quickly install a cluster] with default options on installer-provisioned infrastructure
+** xref:../../installing/installing_azure/installing-azure-customizations.adoc#installing-azure-customizations[Install a cluster with cloud customizations on installer-provisioned infrastructure]
+** xref:../../installing/installing_azure/installing-azure-network-customizations.adoc#installing-azure-network-customizations[Install a cluster with network customizations on installer-provisioned infrastructure]

installing/installing_gcp/manually-creating-iam-gcp.adoc

@@ -5,10 +5,30 @@ include::modules/common-attributes.adoc[]
 
 toc::[]
 
+In environments where the cloud identity and access management (IAM) APIs are not reachable, or the administrator prefers not to store an administrator-level credential secret in the cluster `kube-system` namespace, you can put the Cloud Credential Operator (CCO) into manual mode before you install the cluster.
+
+include::modules/alternatives-to-storing-admin-secrets-in-kube-system.adoc[leveloffset=+1]
+
+.Additional resources
+
+* To learn how to rotate or remove the administrator-level credential secret after installing {product-title}, see xref:../../post_installation_configuration/cluster-tasks.adoc#post-install-rotate-remove-cloud-creds[Rotating or removing cloud provider credentials].
+
+* See xref:../../operators/operator-reference.adoc#cloud-credential-operator_red-hat-operators[Cloud Credential Operator] for a detailed description of all available CCO credential modes and their supported platforms.
+
 include::modules/manually-create-identity-access-management.adoc[leveloffset=+1]
 
 include::modules/admin-credentials-root-secret-formats.adoc[leveloffset=+1]
 
 include::modules/manually-maintained-credentials-upgrade.adoc[leveloffset=+1]
 
 include::modules/mint-mode.adoc[leveloffset=+1]
+
+include::modules/mint-mode-with-removal-of-admin-credential.adoc[leveloffset=+1]
+
+[id="manually-creating-iam-gcp-next-steps"]
+== Next steps
+
+* Install an {product-title} cluster:
+** xref:../../installing/installing_gcp/installing-gcp-default.adoc#installing-gcp-default[Quickly install a cluster] with default options on installer-provisioned infrastructure
+** xref:../../installing/installing_gcp/installing-gcp-customizations.adoc#installing-gcp-customizations[Install a cluster with cloud customizations on installer-provisioned infrastructure]
+** xref:../../installing/installing_gcp/installing-gcp-network-customizations.adoc#installing-gcp-network-customizations[Install a cluster with network customizations on installer-provisioned infrastructure]

modules/alternatives-to-storing-admin-secrets-in-kube-system.adoc

@@ -1,14 +1,44 @@
 // Module included in the following assemblies:
 //
+// * installing/installing_aws/manually-creating-iam.adoc
+// * installing/installing_azure/manually-creating-iam-azure.adoc
 // * installing/installing_gcp/manually-creating-iam-gcp.adoc
 
+ifeval::["{context}" == "manually-creating-iam-aws"]
+:aws:
+endif::[]
+ifeval::["{context}" == "manually-creating-iam-azure"]
+:azure:
+endif::[]
+ifeval::["{context}" == "manually-creating-iam-gcp"]
+:google-cloud-platform:
+endif::[]
+
 [id="alternatives-to-storing-admin-secrets-in-kube-system.adoc_{context}"]
-= Alternatives to storing administrator-level secrets in the `kube-system` project
+= Alternatives to storing administrator-level secrets in the kube-system project
 
 The Cloud Credential Operator (CCO) manages cloud provider credentials as Kubernetes custom resource definitions (CRDs). You can configure the CCO to suit the security requirements of your organization by setting different values for the `credentialsMode` parameter in the `install-config.yaml` file.
 
-If you prefer not to store an administrator-level credential secret in the cluster `kube-system` project, you can choose one of the following options when installing {product-title} on AWS:
+ifdef::aws,google-cloud-platform[]
+If you prefer not to store an administrator-level credential secret in the cluster `kube-system` project, you can choose one of the following options when installing {product-title}:
+
+* *Manage cloud credentials manually*:
++
+You can set the `credentialsMode` parameter for the CCO to `Manual` to manage cloud credentials manually. Using manual mode allows each cluster component to have only the permissions it requires, without storing an administrator-level credential in the cluster. You can also use this mode if your environment does not have connectivity to the cloud provider public IAM endpoint. However, you must manually reconcile permissions with new release images for every upgrade. You must also manually supply credentials for every component that requests them.
+
+* *Remove the administrator-level credential secret after installing {product-title} with mint mode*:
++
+If you are using the CCO with the `credentialsMode` parameter set to `Mint`, you can remove or rotate the administrator-level credential after installing {product-title}. Mint mode is the default configuration for the CCO. This option requires the presence of the administrator-level credential during an installation. The administrator-level credential is used during the installation to mint other credentials with some permissions granted. The original credential secret is not stored in the cluster permanently.
+
+[NOTE]
+====
+Prior to a non z-stream upgrade, you must reinstate the credential secret with the administrator-level credential. If the credential is not present, the upgrade might be blocked.
+====
+
+endif::aws,google-cloud-platform[]
 
-* *Manage cloud credentials manually*. You can set the `credentialsMode` for the CCO to `Manual` to manage cloud credentials manually. Using manual mode allows each cluster component to have only the permissions it requires, without storing an administrator-level credential in the cluster. You can also use this mode if your environment does not have connectivity to the AWS public IAM endpoint. However, you must manually reconcile permissions with new release images for every upgrade. You must also manually supply credentials for every component that requests them.
+ifdef::azure[]
+If you prefer not to store an administrator-level credential secret in the cluster `kube-system` project, you can set the `credentialsMode` parameter for the CCO to `Manual` when installing {product-title} and manage your cloud credentials manually.
 
-* *Remove the administrator-level credential secret after installing {product-title} with mint mode*. You can remove or rotate the administrator-level credential after installing {product-title} with the `Mint` CCO credentials mode applied. The `Mint` CCO credentials mode is the default. This option requires the presence of the administrator-level credential during an installation. The administrator-level credential is used during the installation to mint other credentials with some permissions granted. The original credential secret is not stored in the cluster permanently.
+Using manual mode allows each cluster component to have only the permissions it requires, without storing an administrator-level credential in the cluster. You can also use this mode if your environment does not have connectivity to the cloud provider public IAM endpoint. However, you must manually reconcile permissions with new release images for every upgrade. You must also manually supply credentials for every component that requests them.
+endif::azure[]