$ oc get proxy cluster -oyaml
$ oc get clusteroperator authentication
NAME VERSION AVAILABLE PROGRESSING DEGRADED SINCE
authentication Unknown Unknown True 24m
$ oc get event | grep OperatorStatusChanged | tail -n1
22m Normal OperatorStatusChanged deployment/authentication-operator Status for clusteroperator/authentication changed: Degraded changed from False to True ("RouteHealthDegraded: failed to GET route: dial tcp 10.42.10.202:443: connect: no route to host")
The pod does not have a route to the external network (where the router LB is) and thus can not do the route health check.
After talking to Clayton, I think we are just going to make it a requirement that the router wildcard DNS entry resolve to an address reachable from behind the proxy.