- Story
- Resolution: Won't Do
- Minor
Use case:
1. Admin creates an Alibaba cluster with the cloud-cred operator in manual mode.
2. Day-2, admin configures mint mode.
3. There happens to be an Alibaba-targeted CredentialsRequest in the cluster.
4. Admin expects the cloud-cred operator to fill that request, or complain about not being able to fill Alibaba requests.
5. Cloud-cred operator silently ignores Alibaba-targeted CredentialsRequests.
6. Confusion and finger-pointing.
One way to avoid this confusion is to try and keep CredentialsRequests out of the cluster. This doesn't protect us from admin-created CredentialsRequests, but does ensure that we aren't contributing to the confusion with platform CredentialsRequests. We could teach ccoctl a way to complain about any CredentialsRequest manifests that:
- Set an unrecognized platform, and
- Set any include.release.openshift.io/.* = "true" cluster-profile annotations, and
- Do not set the release.openshift.io/delete: "true" removal annotation.
That way, any release payload component declaring such a manifest would fail jobs passing through steps like this one, and folks would notice, and could fix the offending manifest (e.g. by dropping the cluster-profile annotations).
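A sketch of the three-condition check described above, as an added example that is not ccoctl's own code. It assumes the manifest has already been decoded to JSON, that the platform is read from `spec.providerSpec.kind`, and that the caller supplies the set of recognized kinds; the function name and sample manifest are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// manifest decodes only the fields the check reads.
type manifest struct {
	Metadata struct {
		Name        string            `json:"name"`
		Annotations map[string]string `json:"annotations"`
	} `json:"metadata"`
	Spec struct {
		ProviderSpec struct {
			Kind string `json:"kind"`
		} `json:"providerSpec"`
	} `json:"spec"`
}

// checkManifest returns an error only when all three conditions from the
// issue hold. Assumption: the platform is spec.providerSpec.kind.
func checkManifest(raw []byte, recognized map[string]bool) error {
	var m manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return fmt.Errorf("decode manifest: %w", err)
	}
	kind := m.Spec.ProviderSpec.Kind
	if recognized[kind] || m.Metadata.Annotations["release.openshift.io/delete"] == "true" {
		return nil // fillable, or already marked for removal
	}
	for key, val := range m.Metadata.Annotations {
		if strings.HasPrefix(key, "include.release.openshift.io/") && val == "true" {
			return fmt.Errorf("CredentialsRequest %q: platform %q is not recognized, but %s=\"true\" includes it in a cluster profile",
				m.Metadata.Name, kind, key)
		}
	}
	return nil
}

// Constructed sample manifest; the name and recognized set are illustrative.
const sample = `{"metadata":{"name":"example-alibaba","annotations":{
  "include.release.openshift.io/self-managed-high-availability":"true"}},
  "spec":{"providerSpec":{"kind":"AlibabaCloudProviderSpec"}}}`

func main() {
	recognized := map[string]bool{"AWSProviderSpec": true}
	fmt.Println(checkManifest([]byte(sample), recognized))
}
```

A manifest with no cluster-profile annotations passes, which matches the suggested fix of dropping those annotations from the offending manifest.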