Server Version: 4.4.0-0.nightly-2020-03-12-152413 Kubernetes Version: v1.17.1 kube-controller-manager-recovery-controller container logs: E0316 14:12:33.320759 1 configmap_cafile_content.go:246] key failed with : missing content for CA bundle "client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" E0316 14:13:24.063412 1 configmap_cafile_content.go:246] kube-system/extension-apiserver-authentication failed with : missing content for CA bundle "client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" it blocks the recovery controller from starting
Confirmed with payload: 4.5.0-0.nightly-2020-03-18-022051, can't reproduce the issue now after certificate recovery: [root@dhcp-140-138 ~]# oc logs -f po/kube-controller-manager-ip-xxxxx -c kube-controller-manager-recovery-controller W0318 06:22:35.423538 1 cmd.go:200] Using insecure, self-signed certificates I0318 06:22:35.423917 1 crypto.go:580] Generating new CA for cert-recovery-controller-signer@1584512555 cert, and key in /tmp/serving-cert-915852097/serving-signer.crt, /tmp/serving-cert-915852097/serving-signer.key I0318 06:22:35.925252 1 observer_polling.go:155] Starting file observer I0318 06:22:35.950329 1 leaderelection.go:242] attempting to acquire leader lease openshift-kube-controller-manager/cert-recovery-controller-lock...
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2409