+++ This bug was initially created as a clone of Bug #1811061 +++

We need KCM and KS to be able to reload certificates so they can recover when the cert regeneration controller fixes the cert in the API and certsyncer downloads them.
Confirmed with payload: 4.4.0-0.nightly-2020-03-15-215151. With the certificate rotation time set to 15 mins, checked that the operator does not roll out on certificate rotation:

[root@dhcp-140-138 ~]# openssl s_client -connect api.yinzhou-0316-4.qe.devcluster.openshift.com:6443 |openssl x509 -noout -dates
depth=1 OU = openshift, CN = kube-apiserver-lb-signer
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 OU = openshift, CN = kube-apiserver-lb-signer
verify return:1
depth=0 CN = api.yinzhou-0316-4.qe.devcluster.openshift.com
verify return:1
notBefore=Mar 17 06:22:55 2020 GMT
notAfter=Mar 17 06:37:56 2020 GMT
^C

[root@dhcp-140-138 ~]# oc get po -n openshift-kube-scheduler
NAME                                                                   READY   STATUS      RESTARTS   AGE
openshift-kube-scheduler-ip-10-0-143-54.us-east-2.compute.internal     2/2     Running     11         59m
openshift-kube-scheduler-ip-10-0-148-151.us-east-2.compute.internal    2/2     Running     8          59m
openshift-kube-scheduler-ip-10-0-171-149.us-east-2.compute.internal    2/2     Running     15         58m
revision-pruner-7-ip-10-0-143-54.us-east-2.compute.internal            0/1     Completed   0          42m
revision-pruner-7-ip-10-0-148-151.us-east-2.compute.internal           0/1     Completed   0          39m
revision-pruner-7-ip-10-0-171-149.us-east-2.compute.internal           0/1     Completed   0          45m

[root@dhcp-140-138 ~]# oc get po -n openshift-kube-controller-manager
NAME                                                                   READY   STATUS      RESTARTS   AGE
installer-12-ip-10-0-143-54.us-east-2.compute.internal                 0/1     Completed   0          35m
installer-12-ip-10-0-148-151.us-east-2.compute.internal                0/1     Completed   0          34m
installer-12-ip-10-0-171-149.us-east-2.compute.internal                0/1     Completed   0          33m
kube-controller-manager-ip-10-0-143-54.us-east-2.compute.internal      4/4     Running     0          35m
kube-controller-manager-ip-10-0-148-151.us-east-2.compute.internal     4/4     Running     0          34m
kube-controller-manager-ip-10-0-171-149.us-east-2.compute.internal     4/4     Running     0          33m
revision-pruner-11-ip-10-0-143-54.us-east-2.compute.internal           0/1     Completed   0          43m
revision-pruner-11-ip-10-0-148-151.us-east-2.compute.internal          0/1     Completed   0          39m
revision-pruner-11-ip-10-0-171-149.us-east-2.compute.internal          0/1     Completed   0          45m
revision-pruner-12-ip-10-0-143-54.us-east-2.compute.internal           0/1     Completed   0          34m
revision-pruner-12-ip-10-0-148-151.us-east-2.compute.internal          0/1     Completed   0          33m
revision-pruner-12-ip-10-0-171-149.us-east-2.compute.internal          0/1     Completed   0          32m
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0581