OpenShift Container Platform (OCP) Strategy
OCPSTRAT-2647

Enhance security posture for infrastructure credentials on OpenShift deployments



      Feature Overview (aka. Goal Summary)

      Enable manual mode with short-term token credentials as the default authentication method for OpenShift clusters on all providers that support manual mode today, while deprecating Mint mode to improve security posture and align with cloud provider best practices.

      This feature significantly reduces the attack surface by eliminating long-lived root credentials stored in clusters and enabling automatic credential rotation through short-term tokens.

      Additionally, this feature aims to improve the user experience in manual mode by automating as much of the credential management process as possible during installation, upgrades, and day-2 operations, reducing manual intervention while maintaining enhanced security benefits.

      Goals (aka. expected user outcomes)

      • Cluster administrators will deploy new OpenShift clusters using manual mode with short-term token authentication by default on all platforms that support this mode
      • Existing cluster administrators can migrate running clusters from Mint or Passthrough modes to Manual mode using automated workflows
      • Users will experience improved security posture with no root credentials stored in clusters and automatic short-term token rotation
      • Customers will receive clear deprecation warnings for Mint mode with documented migration paths and tooling
      • Platform teams will benefit from simplified and more automated credential management workflows for both new installations and migrations
      • Installation, upgrade, and migration processes will be streamlined with increased automation, reducing manual steps while maintaining security
      • Security teams will gain fine-grained, per-component credential control with reduced privilege escalation risk across both new and migrated clusters

      Requirements (aka. Acceptance Criteria):

      Default to Manual Short-Term Mode

      • Installer must default to manual mode with short-term tokens for all platforms that support manual mode
      • ACM/Hive must default to manual mode with short-term tokens for all platforms that support manual mode
      • Documentation must reflect manual mode as the default and recommended approach

      Deprecate Mint Mode

      • CCO must emit deprecation warnings (logs/events) when Mint mode is detected
      • Installer must warn users when attempting to use Mint mode
      • Documentation must clearly mark Mint mode as deprecated with a sunset timeline
      • Documentation must provide clear migration paths from Mint mode to Manual mode
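      The deprecation-warning requirement above implies a detection step: decide which CCO mode a cluster is actually in and whether long-lived cloud credentials are still stored in it. The following audit script is an added example written for this page; it is not CCO, installer or ccoctl code. It reads objects in the shape `oc get cloudcredential cluster -o json` and `oc get secret -n <ns> -o json` return, and relies on two documented CCO behaviours: the explicit `spec.credentialsMode` field on the `CloudCredential` object, and the `cloudcredential.openshift.io/mode` annotation (`mint`, `passthrough` or `insufficient`) that CCO writes on the platform root secret in `kube-system` when the mode is left unset. The AWS component-secret classification (static `aws_access_key_id` pair versus an STS `credentials` file with `web_identity_token_file`) is an assumption about secret layout; the sample objects, ARN and key values are constructed so the script runs offline.

```python
"""Audit the Cloud Credential Operator (CCO) mode of an OpenShift cluster from exported objects.

Added example for OCPSTRAT-2647, not CCO or ccoctl code. Input is JSON in the shape
returned by `oc get ... -o json`; the SAMPLE_* objects below are constructed test data.
"""
import base64
import json

# Platform root-credential secrets that CCO consumes from kube-system (documented names).
ROOT_SECRETS = {"aws-creds": "AWS", "azure-credentials": "Azure",
                "gcp-credentials": "GCP", "vsphere-creds": "vSphere"}
# Annotation CCO places on the root secret to record how it is able to use it.
MODE_ANNOTATION = "cloudcredential.openshift.io/mode"


def effective_mode(cloudcredential, kube_system_secrets):
    """Return (mode, reason). An explicit spec.credentialsMode wins; otherwise fall back
    to CCO's annotation on the root secret, which is how the default mode is resolved."""
    explicit = cloudcredential.get("spec", {}).get("credentialsMode", "")
    if explicit:
        return explicit, "spec.credentialsMode is set explicitly"
    for s in kube_system_secrets:
        name = s["metadata"]["name"]
        if name in ROOT_SECRETS:
            ann = s["metadata"].get("annotations", {}).get(MODE_ANNOTATION, "")
            return (ann.capitalize() if ann else "Unknown",
                    f"{MODE_ANNOTATION} annotation on kube-system/{name} ({ROOT_SECRETS[name]})")
    return "Unknown", "credentialsMode unset and no platform root secret found in kube-system"


def classify_secret(secret):
    """Classify an AWS component secret (assumed layouts): a static access-key pair stored
    as separate keys, or an AWS 'credentials' file pointing at a web-identity token."""
    data = secret.get("data", {})
    if "aws_access_key_id" in data:
        return "long-lived-static-key"
    if "credentials" in data:
        text = base64.b64decode(data["credentials"]).decode()
        if "web_identity_token_file" in text:
            return "short-term-sts-token"
        if "aws_access_key_id" in text:
            return "long-lived-static-key"
    return "unrecognized"


def audit(cloudcredential, kube_system_secrets, component_secrets):
    """Produce the kind of warnings the deprecation requirement asks CCO to emit."""
    mode, why = effective_mode(cloudcredential, kube_system_secrets)
    notes = [f"effective credentials mode: {mode} ({why})"]
    if mode == "Mint":
        notes.append("WARN: Mint mode is deprecated; a root credential able to create cloud IAM "
                     "users/keys is stored in kube-system. Plan migration to Manual mode.")
    elif mode == "Passthrough":
        notes.append("WARN: Passthrough mode copies one long-lived credential to every "
                     "component; migrate to Manual mode where the platform supports it.")
    for s in component_secrets:
        ref = f"{s['metadata']['namespace']}/{s['metadata']['name']}"
        kind = classify_secret(s)
        if kind == "long-lived-static-key":
            notes.append(f"WARN: {ref} holds a static access key (no automatic short-term rotation)")
        else:
            notes.append(f"ok: {ref} -> {kind}")
    return mode, notes


def load_items(path):
    """Load the 'items' of an `oc get ... -o json` list written to a file."""
    with open(path) as f:
        return json.load(f)["items"]


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample objects: credentialsMode unset, root secret annotated "mint",
# one component secret with a static key and one with an STS web-identity config.
SAMPLE_CLOUDCREDENTIAL = {"apiVersion": "operator.openshift.io/v1", "kind": "CloudCredential",
                          "metadata": {"name": "cluster"}, "spec": {"credentialsMode": ""}}
SAMPLE_KUBE_SYSTEM = [{"metadata": {"name": "aws-creds", "namespace": "kube-system",
                                    "annotations": {MODE_ANNOTATION: "mint"}},
                       "data": {"aws_access_key_id": _b64("AKIAEXAMPLEROOT"),
                                "aws_secret_access_key": _b64("constructed-secret")}}]
SAMPLE_COMPONENTS = [
    {"metadata": {"name": "installer-cloud-credentials", "namespace": "openshift-image-registry"},
     "data": {"aws_access_key_id": _b64("AKIAEXAMPLEREGISTRY"),
              "aws_secret_access_key": _b64("constructed-secret-2")}},
    {"metadata": {"name": "cloud-credentials", "namespace": "openshift-ingress-operator"},
     "data": {"credentials": _b64("[default]\n"
                                  "role_arn = arn:aws:iam::123456789012:role/example-ingress\n"
                                  "web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token\n")}},
]

if __name__ == "__main__":
    for line in audit(SAMPLE_CLOUDCREDENTIAL, SAMPLE_KUBE_SYSTEM, SAMPLE_COMPONENTS)[1]:
        print(line)
```

      Against real exports, `load_items()` feeds the three inputs; a cluster with `credentialsMode: Manual` and no root secret in `kube-system` is the target state this feature describes, and any `long-lived-static-key` finding after migration points at a component that still needs its credential replaced.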

      Enable Migration from Existing Modes to Manual Mode

      • Provide automated migration or well-defined steps documented to transition clusters from Mint mode to Manual mode on supported platforms
      • Provide automated migration or well-defined steps to transition clusters from Passthrough mode to Manual mode, where Manual mode is supported
      • The migration process must be designed to minimize cluster disruption and downtime
      • The migration process must include rollback instructions in case of failure
      • Clear status reporting and logging throughout the migration process
      • Ability to perform migration in stages with validation checkpoints
      • Documentation for migration planning, execution, and validation

      Improve Manual Mode User Experience

      Migrate OLM Operators

      • OLM operators must migrate away from CCO operator integration for credential consumption
      • Operators must create their credential secrets directly rather than through CredentialsRequest objects
      • Enhancement documentation must be updated


      Deployment considerations (list applicable specific needs; N/A = not applicable)
      Self-managed, managed, or both: Both
      Classic (standalone cluster): Yes
      Hosted control planes: Yes
      Multi node, Compact (three node), or Single node (SNO), or all: All
      Connected / Restricted Network: Both
      Architectures, e.g. x86_64, ARM (aarch64), IBM Power (ppc64le), and IBM Z (s390x): All
      Operator compatibility: Multiple Operators
      Backport needed (list applicable versions): No
      UI need (e.g. OpenShift Console, dynamic plugin, OCM): TBD
      Other (please specify):

      Use Cases (Optional):

      • New Cluster Installation with Manual Mode (Primary Success Scenario)
      • Migration from Mint Mode to Manual Mode on Existing Cluster
      • Migration from Passthrough Mode to Manual Mode on Existing Cluster
      • Cluster Upgrade with Manual Mode

      Out of Scope

      • Deprecation of Passthrough mode - unless manual mode can be enabled for the providers that only support Passthrough today

      Background

      Additional information is included in this doc

      Customer Considerations

      • Migration Requirements: Customers using Mint mode must migrate during the deprecation window, following a process that minimizes risk and downtime. Passthrough mode users are encouraged to migrate for improved security.
      • Security and Usability Trade-offs: Manual mode with automation provides comparable setup effort to Mint mode while delivering significantly improved security through elimination of long-lived root credentials.

      Documentation Considerations

      Comprehensive migration guides (Mint-to-Manual and Passthrough-to-Manual) with pre-migration planning, validation procedures, troubleshooting, and rollback instructions are required. All existing CCO documentation must be updated to mark Mint mode as deprecated, reflect Manual mode as the default for supported platforms, and include enhanced automation features. Updates span installation guides, upgrade procedures, security hardening guides, ccoctl reference documentation, and release notes.


              Marcos Entenza Garcia (mak.redhat.com)
              Patrick Dillon
              Jeremiah Stuever
              Votes: 0
              Watchers: 3