Feature Overview (aka. Goal Summary)  

An elevator pitch (value statement) that describes the Feature in a clear, concise way.  Complete during New status.

 
The Cloud Credentials Operator (CCO) manual mode (used with short-lived tokens on cloud providers) user experience in OpenShift currently suffers from complexity, fragmentation, and error-prone manual steps across installation, upgrade, and key rotation workflows.
 
This feature aims to streamline and automate these processes by enhancing CCO tooling i.e. ccoctl, improving documentation, and modifying the OpenShift installer to provide a more cohesive and user-friendly experience.

Key improvements include:

• Streamlined installation workflow with automatic manifest handling
• Simplified upgrade process with automated annotation management
• Automated key rotation workflows
• Enhanced migration path to short-term token authentication
• Improved ccoctl capabilities for direct cluster interaction and state management

Goals (aka. expected user outcomes)

The observable functionality that the user now has as a result of receiving this feature. Include the anticipated primary user type/persona and which existing features, if any, will be expanded. Complete during New status.

Primary Goals

1. Reduce Manual Steps: Minimize the number of manual operations required for installation, upgrade, and maintenance of clusters using short-term credentials
2. Improve Error Prevention: Automate error-prone manual processes to reduce configuration mistakes
3. Enhance Workflow Coherence: Create logical, sequential workflows that naturally guide users through complex operations
4. Increase Automation: Enable ccoctl to perform operations directly on clusters and manage state between commands
5. Simplify Documentation: Consolidate and streamline documentation to reduce cognitive load

Secondary Goals

1. Maintain Compatibility: Ensure all improvements are backward compatible with existing workflows
2. Enable Progressive Adoption: Allow users to adopt improvements incrementally
3. Improve Troubleshooting: Provide better visibility into the state of credentials and operations

Outcomes

• Reduced learning curve due to fewer manual steps
• Expected decrease in credential-related support tickets

Requirements (aka. Acceptance Criteria):

A list of specific needs or objectives that a feature must deliver in order to be considered complete.  Be sure to include nonfunctional requirements such as security, reliability, performance, maintainability, scalability, usability, etc.  Initial completion during Refinement status.

• Improve installation workflow on AWS, Azure, and GCP
• Improve the upgrade workflow
• Improve the workflow for rotating the bound-service-account-signing-key
• Improve the workflow for enabling short-term token authentication
• Improve CCO documentation to streamline and simplify user experience for short-term token integration via manual mode
• Refer to Improve manual (short-term) mode user experience for details.

Anyone reviewing this Feature needs to know which deployment configurations that the Feature will apply to (or not) once it's been completed.  Describe specific needs (or indicate N/A) for each of the following deployment scenarios. For specific configurations that are out-of-scope for a given release, ensure you provide the OCPSTRAT (for the future to be supported configuration) as well.

Use Cases (Optional):

Include use case diagrams, main success scenarios, alternative flow scenarios.  Initial completion during Refinement status.

Use Case 1: New Cluster Installation with Short-Term Credentials
Actor: Platform Administrator
Scenario: Installing a new OpenShift cluster using short-term credentials in manual mode
Current Pain Points: Complex multi-step process with manual manifest management

Use Case 2: Cluster Upgrade with Credential Updates
Actor: Platform Administrator
Scenario: Upgrading cluster version while ensuring credentials remain valid
Current Pain Points: Manual annotation management and manifest application

Use Case 3: Service Account Signing Key Rotation
Actor: Security Administrator
Scenario: Rotating signing keys as part of security compliance
Current Pain Points: Complex 13+ step manual process

Use Case 4: Migration from Long-Lived to Short-Term Credentials
Actor: Platform Administrator
Scenario: Converting existing cluster from mint/passthrough mode to manual mode
Current Pain Points: Error-prone manual process with multiple cluster reboots

Use Case 5: Multi-Cluster Credential Management
Actor: Platform Team
Scenario: Managing credentials across multiple clusters in different lifecycle stages

Questions to Answer (Optional):

Include a list of refinement / architectural questions that may need to be answered before coding can begin.  Initial completion during Refinement status.

<your text here>

Out of Scope

High-level list of items that are out of scope.  Initial completion during Refinement status.

1. Deprecation of Mint/Passthrough Modes: This feature focuses on improving manual mode, not replacing other credential modes
2. Cross-Cloud Provider Migrations: Moving clusters between cloud providers
3. Credential Mode Auto-Detection: Automatically determining the best credential mode for a given environment
4. Console Integration: Web-based interfaces for credential management
5. Third-Party Cloud Provider Support: Limited to AWS, Azure, and GCP
6. Automated Compliance Reporting: Credential compliance and audit features
7. Credential Backup and Restore: Automated backup of credential configurations
8. Multi-Region Credential Management: Cross-region credential synchronization

Background

Provide any additional context is needed to frame the feature.  Initial completion during Refinement status.
 
The CCO manual mode  implementation in OpenShift provides enhanced security by eliminating long-lived credentials. However, the current implementation requires numerous manual steps that are:

• Scattered across multiple documentation sections
• Prone to user error due to manual file manipulation
• Inconsistent between installation and day-2 operations
• Platform-specific with little abstraction

Technical Debt

• Manual manifest copying between directories
• No state management between `ccoctl` invocations
• Lack of direct cluster interaction capabilities
• Complex multi-step processes for common operations

Security Considerations
Short-term credentials provide superior security posture by:

• Limiting credential lifetime
• Reducing attack surface
• Enabling fine-grained access control
• Supporting zero-trust architectures{}

Customer Considerations

Provide any additional customer-specific considerations that must be made when designing and delivering the Feature.  Initial completion during Refinement status.

Impact on Existing Workflows

• Backward Compatibility: All existing manual workflows remain functional
• Progressive Enhancement: Customers can adopt improvements incrementally
• Documentation Updates: Clear migration guides from old to new workflows
• 4.x to 4.y: Seamless upgrade path with optional adoption of new features/capabilities

Documentation Considerations

Provide information that needs to be considered and planned so that documentation will meet customer needs.  If the feature extends existing functionality, provide a link to its current documentation. Initial completion during Refinement status.

<your text here>

Interoperability Considerations

Which other projects, including ROSA/OSD/ARO, and versions in our portfolio does this feature impact?  What interoperability test scenarios should be factored by the layered products?  Initial completion during Refinement status.

<your text here>