Background

In MAPA, we provide a way for a user to specify the credentials to use for creating and managing AWS resources. This secret comes from a CredentialsRequest and is created either by CCO, or manually, with the name `aws-cloud-credentials`.

Any Machine/MachineSet referencing these credentials is effectively using the "default".

In CAPA, the default is to us the cluster identity ref to work out what to do. When not specified, it will fallback to using the controllers role, which we populate today using a credentials request.

Therefore, any Machine using the default in MAPA/CAPA, has an option to be converted across.

Where we then have an issue, is converting non-standard credentials.

If any user has created a non-standard credential, we must set a static identity that would then be used for the entire cluster.

We must work out how to message about this/how to handle this. Initially, we can block the conversion and suggest a KCS to allow the user to set the AWSCluster IdentityRef, once the identity ref is configured, we can ignore the credentials secret.

Steps

• Implement detection and conversion of the default credentials secret as described above
• Add logic to detect non-default credentials and return an appropriate error message
• Create a KCS to explain the steps necessary to use a custom credential

Stakeholders

• Cluster Infra

Definition of Done

• Credentials secrets are converted/users are told what to do/how to convert across

• Docs

• <Add docs requirements for this card>

• Testing

• <Explain testing that will be added>