  1. OpenShift Request For Enhancement
  2. RFE-7794

Automatic Mode Re-Evaluation in Cloud Credential Operator (CCO)

      1. Proposed title of this feature request

      Automatic Mode Re-Evaluation in Cloud Credential Operator (CCO)

      2. What is the nature and description of the request?

      Problem Statement:
      Today, CCO determines its operating mode (mint, passthrough, or insufficient) once, based on the initial evaluation of cloud credentials during installation or operator startup. If the cloud credential permissions change (e.g., revoked, rotated, or reduced), CCO does not re-evaluate the mode and remains stuck in a failed state until an administrator intervenes. This limits cluster resilience and requires manual recovery steps.

      Goal:
      Introduce a mechanism to automatically re-evaluate and update the CCO mode when, for example:

      • credential sync failures occur due to permission issues, or
      • the credential capability changes over time.

      This enhancement improves cluster self-healing and reduces operational burden on administrators.

      Current Behavior Reference:

      See: OpenShift Documentation - About the Cloud Credential Operator

      Excerpt:

      The Cloud Credential Operator (CCO) determines the cloud credential mode once based on the access provided by the credentials stored in the cloud-credentials Secret. If a failure occurs in provisioning credentials for a component, the CCO does not re-check the cloud credentials Secret or change the mode. You must manually adjust credentials or change the mode.

      For an example, refer to OCPBUGS-57933.

      3. Why does the customer need this? (List the business requirements here)

      Why Improve This:

      • Avoid persistent credential sync failures after permissions are modified.
      • Keep the mode annotation accurate with actual capabilities.
      • Improve out-of-box resilience and reduce the need for manual remediation.

      4. List any affected packages or components.

      • cloud credential operator

              julim Ju Lim
              rhn-support-chdeshpa Chinmay Deshpande