  1. OpenShift Bugs
  2. OCPBUGS-27000

OpenStack credentials need additional steps to be renewed in RHOCP, otherwise account gets locked


    • No
    • ShiftStack Sprint 248
    • 1
    • False

      Description of problem:

      The following is needed to renew OSP credentials in RHOCP; however, it should be enough to only roll out the kube-controller-manager, and additional restarts should not be needed or should be handled automatically:
      oc annotate secret openstack-credentials -n kube-system cloudcredential.openshift.io/mode=passthrough
      oc set data -n kube-system secret/openstack-credentials clouds.yaml="$(<~/clouds.yaml)" clouds.conf="$(<~/clouds.conf)"
      oc delete pod --namespace openshift-cluster-csi-drivers -l app=openstack-cinder-csi-driver-controller
      oc delete pod --namespace openshift-cluster-csi-drivers -l app=openstack-cinder-csi-driver-node
      oc delete pod --namespace openshift-cluster-csi-drivers -l name=openstack-cinder-csi-driver-operator
      oc delete pod --namespace openshift-cluster-csi-drivers -l name=manila-csi-driver-operator
      oc delete pod --namespace openshift-cloud-controller-manager -l k8s-app=openstack-cloud-controller-manager
      oc delete pod --namespace openshift-cloud-controller-manager-operator -l k8s-app=cloud-manager-operator
      oc delete pod --namespace openshift-cloud-credential-operator -l app=cloud-credential-operator
      oc delete pod --namespace openshift-cloud-network-config-controller -l app=cloud-network-config-controller
      oc patch kubecontrollermanager cluster -p='{"spec": {"forceRedeploymentReason": "recovery-'"$( date --rfc-3339=ns )"'"}}' --type=merge
      oc get pods -A | grep -iE 'csi-driver|openshift-cloud|openshift-kube-controller-manager'
          

      Version-Release number of selected component (if applicable):

          4.12

      How reproducible:

          Update the OSP credentials and proceed with the change in RHOCP. Check in Keystone on the OSP side that the account gets locked if we only restart KCM:

      Error:
      2023-11-13 08:32:25.868 34 WARNING keystone.common.wsgi [req-562e45ba-e75f-4921-aaf1-41a68c50a03c - - - - -] Authorization failed. The account is locked for user: 6ef09046c9994316b8e5119d720d4ae5. fromAccountLocked: The account is locked for user: 6ef09046c9994316b8e5119d720d4ae5.
      Actual results:

      We need to restart every component. In other cloud providers, this is enough. In OSP, additional steps are required.    

      Expected results:

      To only need to restart KCM.    

      Additional info:

          

            pprinett@redhat.com Pierre Prinetti
            rhn-support-dahernan David Hernandez Fernandez
            Itshak Brown Itshak Brown
            David Hernandez Fernandez
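
      Added example (not part of the original report and not OpenShift or OpenStack code): a check for whether Keystone lockouts like the one quoted under "Error:" keep occurring after the secret was updated, which indicates that some component is still authenticating with the old credentials. The function name, its SINCE argument and all sample log lines except the one quoted in the report are assumptions or constructed.

```shell
#!/bin/sh
# lockout_summary SINCE < keystone.log
#   SINCE: "YYYY-MM-DD HH:MM:SS", the time the openstack-credentials secret
#          was updated, in the same timezone as the log (assumed parameter).
#   Prints one line per locked user seen at or after SINCE:
#     <user_id> <hits> <first_seen> <last_seen>
lockout_summary() {
    awk -v since="$1" '
    /WARNING keystone\.common\.wsgi/ && /The account is locked for user: / {
        ts = $1 " " substr($2, 1, 8)   # date + time without milliseconds
        if (ts < since) next           # fixed-width timestamps compare as strings
        # The user id is the hex run right after the first marker.
        id = substr($0, index($0, "locked for user: ") + 17)
        sub(/[^0-9a-f].*$/, "", id)
        if (id == "") next
        if (!(id in hits)) first[id] = ts
        hits[id]++
        last[id] = ts
    }
    END { for (id in hits) printf "%s %d %s %s\n", id, hits[id], first[id], last[id] }
    ' | sort
}

# Sample input. Line 2 is the log line quoted in the report; lines 1, 3 and 4
# are constructed for this example (including the 0123... user id).
sample_log() {
    cat <<'EOF'
2023-11-13 08:20:01.100 34 WARNING keystone.common.wsgi [req-constructed-0001 - - - - -] Authorization failed. The account is locked for user: 0123456789abcdef0123456789abcdef. fromAccountLocked: The account is locked for user: 0123456789abcdef0123456789abcdef.
2023-11-13 08:32:25.868 34 WARNING keystone.common.wsgi [req-562e45ba-e75f-4921-aaf1-41a68c50a03c - - - - -] Authorization failed. The account is locked for user: 6ef09046c9994316b8e5119d720d4ae5. fromAccountLocked: The account is locked for user: 6ef09046c9994316b8e5119d720d4ae5.
2023-11-13 08:33:10.002 34 WARNING keystone.common.wsgi [req-constructed-0002 - - - - -] Authorization failed. The account is locked for user: 6ef09046c9994316b8e5119d720d4ae5. fromAccountLocked: The account is locked for user: 6ef09046c9994316b8e5119d720d4ae5.
2023-11-13 08:34:00.500 34 INFO keystone.common.wsgi [req-constructed-0003 - - - - -] GET http://keystone.example/v3/
EOF
}

# Lockouts seen after an assumed rotation time of 08:30:00.
sample_log | lockout_summary "2023-11-13 08:30:00"
```

      Any line printed for the rotated account after the rotation time means a consumer of the old secret is still running and should be restarted before the account is unlocked.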