Story
Resolution: Done
Critical
As an administrator of a cluster utilizing AWS STS with a public S3 bucket OIDC provider, I would like a documented procedure with steps that can be followed to migrate to a private S3 bucket with CloudFront Distribution so that I do not have to recreate my cluster.
ccoctl documentation including parameter `--create-private-s3-bucket`: https://github.com/openshift/cloud-credential-operator/blob/a8ee8a426d38cca3f7339ecd0eac88f922b6d5a0/docs/ccoctl.md
Existing manual procedure for configuring private S3 bucket with CloudFront Distribution: https://github.com/openshift/cloud-credential-operator/blob/master/docs/sts-private-bucket.md
Goal:
SPLAT's participation will be:
- Document the steps to migrate public buckets to private (with all dependencies: CloudFront Distribution, OAI, and Bucket policies)
- Document the steps to patch existing clusters: replace the authentication issuerURL with the new URL
- Create the document in the CCO repo for peer review, like this: https://github.com/openshift/cloud-credential-operator/blob/master/docs/sts-private-bucket.md
- Create a KCS with the information approved by the Hive team
ACCEPTANCE CRITERIA
- Document created in the CCO repo, reviewed, approved by QE and merged
- KCS/Article created
REFERENCES:
Supporting document: https://github.com/openshift/cloud-credential-operator/blob/master/docs/sts.md#steps-to-in-place-migrate-an-openshift-cluster-to-sts
NOTE: we should add that this step is not supported or recommended.