Merge pull request #75627 from jeana-redhat/OSDOCS-10416-Entra-Workload-ID-migration

OSDOCS-10416: Support cluster migration to Entra Workload ID

Author: jeana-redhat

modules/cco-ccoctl-configuring.adoc

@@ -1,11 +1,14 @@
 // Module included in the following assemblies:
 //
+//Postinstall  and update content
+// * post_installation_configuration/cluster-tasks.adoc
+// * updating/preparing_for_updates/preparing-manual-creds-update.adoc
+//
 //Platforms that must use `ccoctl` and update content
 // * installing/installing_ibm_cloud_public/configuring-iam-ibm-cloud.adoc
 // * installing/installing_ibm_powervs/preparing-to-install-on-ibm-power-vs.doc
 // * installing/installing_alibaba/manually-creating-alibaba-ram.adoc
 // * installing/installing_nutanix/preparing-to-install-on-nutanix.adoc
-// * updating/preparing_for_updates/preparing-manual-creds-update.adoc
 //
 // AWS assemblies:
 // * installing/installing_aws/installing-aws-customizations.adoc
@@ -34,7 +37,15 @@
 // * installing/installing_azure/installing-azure-vnet.adoc
 // * installing/installing_azure/installing-restricted-networks-azure-installer-provisioned.adoc
 
-//Platforms that must use `ccoctl` and update content
+//Postinstall  and update content
+ifeval::["{context}" == "post-install-cluster-tasks"]
+:postinstall:
+endif::[]
+ifeval::["{context}" == "preparing-manual-creds-update"]
+:update:
+endif::[]
+
+//Platforms that must use `ccoctl`
 ifeval::["{context}" == "configuring-iam-ibm-cloud"]
 :ibm-cloud:
 endif::[]
@@ -44,9 +55,6 @@ endif::[]
 ifeval::["{context}" == "preparing-to-install-on-nutanix"]
 :nutanix:
 endif::[]
-ifeval::["{context}" == "preparing-manual-creds-update"]
-:update:
-endif::[]
 ifeval::["{context}" == "preparing-to-install-on-ibm-power-vs"]
 :ibm-power-vs:
 endif::[]
@@ -138,10 +146,15 @@ ifdef::ibm-power-vs[]
 The Cloud Credential Operator (CCO) manages cloud provider credentials as Kubernetes custom resource definitions (CRDs). To install a cluster on {ibm-power-server-name}, you must set the CCO to `manual` mode as part of the installation process.
 endif::ibm-power-vs[]
 
-//Alibaba Cloud uses ccoctl, but creates different kinds of resources than other clouds, so this applies to everyone else. The upgrade procs also have a different intro, so they are excluded here.
-ifndef::alibabacloud,update[]
+//Alibaba Cloud uses ccoctl, but creates different kinds of resources than other clouds, so this applies to everyone else. The upgrade and postinstall procs also have a different intro, so they are excluded here.
+ifndef::alibabacloud,update,postinstall[]
 To create and manage cloud credentials from outside of the cluster when the Cloud Credential Operator (CCO) is operating in manual mode, extract and prepare the CCO utility (`ccoctl`) binary.
-endif::alibabacloud,update[]
+endif::alibabacloud,update,postinstall[]
+
+//Intro for the postinstall procs.
+ifdef::postinstall[]
+To configure an existing cluster to create and manage cloud credentials from outside of the cluster, extract and prepare the Cloud Credential Operator utility (`ccoctl`) binary.
+endif::postinstall[]
 
 //Intro for the upgrade procs.
 ifdef::update[]
@@ -317,14 +330,19 @@ endif::google-cloud-platform[]
 
 .Procedure
 
-ifndef::update[]
-. Obtain the {product-title} release image by running the following command:
+. Set a variable for the {product-title} release image by running the following command:
 +
 [source,terminal]
+ifndef::update,postinstall[]
 ----
 $ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')
 ----
-endif::update[]
+endif::update,postinstall[]
+ifdef::update,postinstall[]
+----
+$ RELEASE_IMAGE=$(oc get clusterversion -o jsonpath={..desired.image})
+----
+endif::update,postinstall[]
 
 . Obtain the CCO container image from the {product-title} release image by running the following command:
 +
@@ -384,6 +402,14 @@ Flags:
 Use "ccoctl [command] --help" for more information about a command.
 ----
 
+//Postinstall and update content
+ifeval::["{context}" == "post-install-cluster-tasks"]
+:!postinstall:
+endif::[]
+ifeval::["{context}" == "preparing-manual-creds-update"]
+:!update:
+endif::[]
+
 //Platforms that must use `ccoctl` and update content
 ifeval::["{context}" == "configuring-iam-ibm-cloud"]
 :!ibm-cloud:
@@ -394,9 +420,6 @@ endif::[]
 ifeval::["{context}" == "preparing-to-install-on-nutanix"]
 :!nutanix:
 endif::[]
-ifeval::["{context}" == "preparing-manual-creds-update"]
-:!update:
-endif::[]
 ifeval::["{context}" == "preparing-to-install-on-ibm-power-vs"]
 :!ibm-power-vs:
 endif::[]

modules/cco-ccoctl-install-verifying.adoc

@@ -1,29 +1,46 @@
 // Module included in the following assemblies:
 //
 // * installing/validating-an-installation.adoc
+// * post_installation_configuration/cluster-tasks.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="cco-ccoctl-install-verifying_{context}"]
-= Clusters that use short-term credentials: Verifying the credentials configuration
+= Verifying that a cluster uses short-term credentials
 
-You can verify that your cluster is using short-term security credentials for individual components.
+You can verify that a cluster uses short-term security credentials for individual components by checking the Cloud Credential Operator (CCO) configuration and other values in the cluster.
 
 .Prerequisites
 
 * You deployed an {product-title} cluster using the Cloud Credential Operator utility (`ccoctl`) to implement short-term credentials.
 
 * You installed the {oc-first}.
 
+* You are logged in as a user with `cluster-admin` privileges.
 
 .Procedure
 
-. Log in as a user with `cluster-admin` privileges.
+* Verify that the CCO is configured to operate in manual mode by running the following command:
++
+[source,terminal]
+----
+$ oc get cloudcredentials cluster \
+  -o=jsonpath={.spec.credentialsMode}
+----
++
+The following output confirms that the CCO is operating in manual mode:
++
+.Example output
+[source,text]
+----
+Manual
+----
 
-. Verify that the cluster does not have `root` credentials by running the following command:
+* Verify that the cluster does not have `root` credentials by running the following command:
 +
 [source,terminal]
 ----
-$ oc get secrets -n kube-system <secret_name>
+$ oc get secrets \
+  -n kube-system <secret_name>
 ----
 +
 where `<secret_name>` is the name of the root secret for your cloud provider.
@@ -33,26 +50,26 @@ where `<secret_name>` is the name of the root secret for your cloud provider.
 |Platform
 |Secret name
 
-|AWS
+|{aws-first}
 |`aws-creds`
 
-|Azure
+|{azure-first}
 |`azure-credentials`
 
-|GCP
+|{gcp-first}
 |`gcp-credentials`
 
 |===
 +
-An error confirms that the root secret is not present on the cluster. The following example shows the expected output from an AWS cluster:
+An error confirms that the root secret is not present on the cluster.
 +
-.Example output
+.Example output for an {aws-short} cluster
 [source,text]
 ----
 Error from server (NotFound): secrets "aws-creds" not found
 ----
 
-. Verify that the components are using short-term security credentials for individual components by running the following command:
+* Verify that the components are using short-term security credentials for individual components by running the following command:
 +
 [source,terminal]
 ----
@@ -61,4 +78,32 @@ $ oc get authentication cluster \
   --template='{ .spec.serviceAccountIssuer }'
 ----
 +
-This command displays the value of the `.spec.serviceAccountIssuer` parameter in the cluster `Authentication` object. An output of a URL that is associated with your cloud provider indicates that the cluster is using manual mode with short-term credentials that are created and managed from outside of the cluster.
+This command displays the value of the `.spec.serviceAccountIssuer` parameter in the cluster `Authentication` object.
+An output of a URL that is associated with your cloud provider indicates that the cluster is using manual mode with short-term credentials that are created and managed from outside of the cluster.
+
+* {azure-short} clusters: Verify that the components are assuming the {azure-short} client ID that is specified in the secret manifests by running the following command:
++
+[source,terminal]
+----
+$ oc get secrets \
+  -n openshift-image-registry installer-cloud-credentials \
+  -o jsonpath='{.data}'
+----
++
+An output that contains the `azure_client_id` and `azure_federated_token_file` felids confirms that the components are assuming the {azure-short} client ID.
+
+* {azure-short} clusters: Verify that the pod identity webhook is running by running the following command:
++
+[source,terminal]
+----
+$ oc get pods \
+  -n openshift-cloud-credential-operator
+----
++
+.Example output
+[source,text]
+----
+NAME                                         READY   STATUS    RESTARTS   AGE
+cloud-credential-operator-59cf744f78-r8pbq   2/2     Running   2          71m
+pod-identity-webhook-548f977b4c-859lz        1/1     Running   1          70m
+----