Story
Resolution: Done
Critical
With the upcoming sunset of the Azure AD Graph API, CCO will no longer be able to reliably create ServicePrincipals while processing a CredentialsRequest.
Presently, the permissions requested by the various in-cluster OCP components are uniform: they all ask for the exact same Azure 'Contributor' Role. Because that Role is already documented as required during installation (step 6 in https://docs.openshift.com/container-platform/4.9/installing/installing_azure/installing-azure-account.html#installation-azure-service-principal_installing-azure-account), we can pivot to sharing the credentials in the Secret kube-system/azure-credentials (placed by the installer) to satisfy all of the in-cluster components' Azure credentials requirements.
- Update the secretannotator controller to always put CCO in Passthrough mode.
- Update the CredentialsRequest reconciliation for Azure to only implement Passthrough mode.
- Process an already-minted CredentialsRequest by overwriting the existing Secret contents with the "shared" Secret contents from kube-system/azure-credentials.
- (optional) Try to delete the ServicePrincipal already provisioned for a CredentialsRequest (treat errors as non-fatal and record a condition explaining that a ServicePrincipal has "leaked").
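An added sketch of the two reconciliation steps above (the Passthrough overwrite and the non-fatal ServicePrincipal cleanup); this is illustrative code, not CCO's own, and it assumes plain Go types in place of Kubernetes API objects and an injected delete function in place of the Azure client.

```go
package main

import "fmt"

// Secret is a stand-in for a Kubernetes Secret (assumption: only the fields
// this sketch needs; the real controller uses corev1.Secret).
type Secret struct {
	Namespace, Name string
	Data            map[string][]byte
}

// Constructed sample of the installer-placed root credentials; values are
// placeholders, not real Azure material.
var SharedRoot = Secret{
	Namespace: "kube-system", Name: "azure-credentials",
	Data: map[string][]byte{
		"azure_client_id":     []byte("placeholder-client-id"),
		"azure_client_secret": []byte("placeholder-client-secret"),
	},
}

// SyncPassthrough overwrites target's data with a deep copy of the shared
// root credentials, keeping target's own namespace/name. It reports whether
// anything changed so the caller can skip a no-op Secret update.
func SyncPassthrough(shared Secret, target *Secret) bool {
	changed := len(target.Data) != len(shared.Data)
	newData := make(map[string][]byte, len(shared.Data))
	for k, v := range shared.Data {
		newData[k] = append([]byte(nil), v...) // never alias the root Secret's bytes
		if old, ok := target.Data[k]; !ok || string(old) != string(v) {
			changed = true
		}
	}
	target.Data = newData
	return changed
}

// CleanupMintedServicePrincipal tries to delete the ServicePrincipal minted for
// a CredentialsRequest before Passthrough. del stands in for the Azure call
// (assumption). Failure is non-fatal: a condition message is returned instead.
func CleanupMintedServicePrincipal(appID string, del func(string) error) (condition string, leaked bool) {
	if appID == "" {
		return "", false // nothing was minted for this request
	}
	if err := del(appID); err != nil {
		return fmt.Sprintf("ServicePrincipal %s may have leaked: %v", appID, err), true
	}
	return "", false
}
```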
- relates to: RFE-2305 Need an alternate solution for Azure Active Directory Graph/Application.ReadWrite.OwnedBy API permission for Azure. (Accepted)