+++ This bug was initially created as a clone of Bug #1820255 +++ kube-apiserver can be deployed without cert-syncer having a valid token. This ca be caused by a race when making revisions from token Secret as in https://bugzilla.redhat.com/show_bug.cgi?id=1819256
Verified with OCP build 4.4.0-0.nightly-2020-04-18-095545, Verification steps: 1. In first terminal, Run this command in a loop to make sure that data.token is deleted from openshift-kube-controller-manager/localhost-recovery-client-token # for i in {1..100} ; do oc patch secret -n openshift-kube-controller-manager localhost-recovery-client-token --type='json' -p='[{"op": "replace", "path": "/data/token", "value": ""}]'; done 2. In another terminal, Force operator to retry rolling out by: $ oc patch kubeapiserver/cluster --type=json -p '[ {"op": "replace", "path": "/spec/forceRedeploymentReason", "value": "forced test 1" } ]' $ oc get pods -n openshift-kube-apiserver ... kube-apiserver-osp41-7g9pl-master-1 0/4 Init:0/1 0 2s ... kube-apiserver can be deployed even though data.token is deleted from openshift-kube-controller-manager/localhost-recovery-client-token.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0581
*** Bug 1807881 has been marked as a duplicate of this bug. ***