Feature
Resolution: Unresolved
Major
Product / Portfolio Work
0% To Do, 100% In Progress, 0% Done
Feature Overview (aka. Goal Summary)
An elevator pitch (value statement) that describes the Feature in a clear, concise way. Complete during New status.
Currently, when running ccoctl during OpenShift minor version upgrades on Azure clusters, the tool removes all role assignments from managed identities, including custom roles added by customers for additional functionality. This feature will enhance ccoctl to preserve customer-added role assignments while still managing OpenShift-required roles appropriately.
Goals (aka. expected user outcomes)
The observable functionality that the user now has as a result of receiving this feature. Include the anticipated primary user type/persona and which existing features, if any, will be expanded. Complete during New status.
- Modify ccoctl to only manage (add/update/delete) role assignments that it created
- Preserve any custom role assignments added by customers to managed identities during OpenShift updates
- Ensure smooth upgrades without breaking additional customer-configured functionalities
Requirements (aka. Acceptance Criteria):
A list of specific needs or objectives that a feature must deliver in order to be considered complete. Be sure to include nonfunctional requirements such as security, reliability, performance, maintainability, scalability, usability, etc. Initial completion during Refinement status.
- ccoctl identifies and tracks role assignments it creates
- During updates, ccoctl only modifies its own managed role assignments
- Customer-added role assignments remain intact after running ccoctl
- Proper logging indicates which roles are managed vs. preserved
- Documentation updated to explain the new behavior
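A sketch of the ownership-based reconciliation these requirements describe, written in Go as an added example. It is not ccoctl's code; the `RoleAssignment` type, the `owned` set and the sample roles and scope are assumptions made for illustration.

```go
package main

import "fmt"

// RoleAssignment is a simplified, hypothetical model of a role assignment (not a ccoctl type).
type RoleAssignment struct{ Role, Scope string }

// Plan records what one reconciliation pass would do.
type Plan struct{ Create, Delete, Preserve []RoleAssignment }

// Reconcile deletes only assignments listed in owned (created by the tool earlier).
func Reconcile(existing, desired []RoleAssignment, owned map[RoleAssignment]bool) (p Plan) {
	want := map[RoleAssignment]bool{}
	for _, d := range desired {
		want[d] = true
	}
	have := map[RoleAssignment]bool{}
	for _, e := range existing {
		have[e] = true
		switch {
		case want[e]: // present and still required: no change
		case owned[e]: // tool-created, no longer required
			p.Delete = append(p.Delete, e)
		default: // customer-added: leave intact
			p.Preserve = append(p.Preserve, e)
		}
	}
	for _, d := range desired {
		if !have[d] {
			have[d] = true // guard against duplicates in desired
			p.Create = append(p.Create, d)
		}
	}
	return p
}

// SamplePlan uses constructed data; roles and scope are illustrative only.
func SamplePlan() Plan {
	rg := "/subscriptions/<sub-id>/resourceGroups/example-rg"
	oldRole := RoleAssignment{"Contributor", rg}
	custom := RoleAssignment{"Key Vault Secrets User", rg}
	newRole := RoleAssignment{"Storage Blob Data Contributor", rg}
	return Reconcile([]RoleAssignment{oldRole, custom},
		[]RoleAssignment{newRole}, map[RoleAssignment]bool{oldRole: true})
}

func main() {
	fmt.Printf("%+v\n", SamplePlan())
}
```

If the ownership record is missing, this logic deletes nothing, so customer roles survive but stale tool-created roles linger. The `Preserve` list is what the logging requirement would surface, since those assignments widen the identity's permissions outside the tool's control.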
Anyone reviewing this Feature needs to know which deployment configurations the Feature will apply to (or not) once it's been completed. Describe specific needs (or indicate N/A) for each of the following deployment scenarios. For specific configurations that are out of scope for a given release, ensure you also provide the OCPSTRAT (for the configuration to be supported in the future).
| Deployment considerations | List applicable specific needs (N/A = not applicable) |
| --- | --- |
| Self-managed, managed, or both | Self-managed |
| Classic (standalone cluster) | Classic |
| Hosted control planes | N/A |
| Multi node, Compact (three node), or Single node (SNO), or all | All |
| Connected / Restricted Network | All |
| Architectures, e.g. x86_64, ARM (aarch64), IBM Power (ppc64le), and IBM Z (s390x) | All |
| Operator compatibility | TBD |
| Backport needed (list applicable versions) | OpenShift 4.16+ |
| UI need (e.g. OpenShift Console, dynamic plugin, OCM) | TBD |
| Other (please specify) | |
Use Cases (Optional):
Include use case diagrams, main success scenarios, alternative flow scenarios. Initial completion during Refinement status.
- Enterprise Azure Integration: As an OpenShift administrator on Azure, I want to add custom Azure role assignments to OpenShift-managed identities for integration with additional Azure services (e.g., Azure Key Vault, custom monitoring solutions) without these roles being removed during OpenShift cluster updates.
- Multi-team Operations: As a platform team, we want to allow application teams to add specific Azure permissions to their workload identities without worrying about losing them during OpenShift updates.
Questions to Answer (Optional):
Include a list of refinement / architectural questions that may need to be answered before coding can begin. Initial completion during Refinement status.
<your text here>
Out of Scope
High-level list of items that are out of scope. Initial completion during Refinement status.
<your text here>
Background
Provide any additional context needed to frame the feature. Initial completion during Refinement status.
- Relates to RFE-7629
- Duplicates OCPBUGS-55778
Customer Considerations
Provide any additional customer-specific considerations that must be made when designing and delivering the Feature. Initial completion during Refinement status.
<your text here>
Documentation Considerations
Provide information that needs to be considered and planned so that documentation will meet customer needs. If the feature extends existing functionality, provide a link to its current documentation. Initial completion during Refinement status.
<your text here>
Interoperability Considerations
Which other projects, including ROSA/OSD/ARO, and versions in our portfolio does this feature impact? What interoperability test scenarios should be factored by the layered products? Initial completion during Refinement status.
<your text here>
- is triggered by
  - RFE-7629 CCOCTL removes any role assigned to the managed identities (Approved)
  - OCPBUGS-55778 CCOCTL removes any role assigned to the managed identities (Closed)
- is triggering
  - CCO-712 Ability for ccoctl to preserve role assignments for Azure managed identities (In Progress)