Bug 1822666

Summary: openshift-authentication NS does not come back after being deleted
Product: OpenShift Container Platform Reporter: Standa Laznicka <slaznick>
Component: apiserver-authAssignee: Sally <somalley>
Status: CLOSED ERRATA QA Contact: pmali
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 4.5CC: aos-bugs, mfojtik, scheng, somalley, xxia
Target Milestone: ---   
Target Release: 4.5.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-07-13 17:26:42 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Standa Laznicka 2020-04-09 15:03:33 UTC 
Description of problem:

openshift-authentication NS does not come back after being deleted. The authn operator also delegated the NS-keeping to CVO, but it should take care of it itself instead.
Comment 1 Sally 2020-04-09 15:50:58 UTC 
observed behavior:
1) delete openshift-authentication ns
   * auth-operator should recreate it but it doesn't

2) oc create -f ns.yaml is only way to get the openshift-authenticaton ns back from manifests/00_namespace.yaml in cluster-authentication-operator repository
   * once ns exists, deployment is created, but serviceaccount missing so openshift-authentication pod fails

3) refresh authentication-operator pod, only then is everything restored (delete pod in openshift-authentication-operator ns)

observed CO/authentication status:
Degraded=true, Available=true 2min after openshift-authentication ns terminated  then, Progressing=true after step 3 until all is restored.
Comment 2 Sally 2020-04-10 18:08:13 UTC 
Edit to Commont 1 - Eventually, after refreshing operator pod and/or waiting several minutes, the operand ns returns and health is restored.  However, ns creation should happen with the authentication operator rather than with CVO.  This way, the operand ns is restored immediately upon its termination. See https://github.com/openshift/cluster-authentication-operator/pull/268
Comment 9 errata-xmlrpc 2020-07-13 17:26:42 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409