+++ This bug was initially created as a clone of Bug #1821680 +++ When recovering from expired certificates, the refreshed csr-controller-ca configmap needs to be propagated to openshift-config-managed namespace to be consumed by CKAO to trust the new client certs.
Confirmed with payload: 4.4.0-0.nightly-2020-04-15-095927, after stop more than 24hours , the issue can't reproduce now: [root@dhcp-140-138 ~]# oc get clusterversion NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.4.0-0.nightly-2020-04-15-095927 True False 35h Cluster version is 4.4.0-0.nightly-2020-04-15-095927 [root@dhcp-140-138 ~]# oc get secrets csr-signer -n openshift-kube-controller-manager -o json |jq -r '.data."tls.crt"' |base64 -d |openssl x509 -in - --text Certificate: Data: Version: 3 (0x2) Serial Number: 5204450091857526175 (0x4839ebc8c06abd9f) Signature Algorithm: sha256WithRSAEncryption Issuer: CN = openshift-kube-controller-manager-operator_csr-signer-signer@1587082310 Validity Not Before: Apr 17 00:11:50 2020 GMT Not After : May 17 00:11:51 2020 GMT [root@dhcp-140-138 ~]# oc get configmap csr-controller-ca -n openshift-config-managed -o json |jq -r '.data."ca-bundle.crt"' |openssl x509 -in - --text Certificate: Data: Version: 3 (0x2) Serial Number: 5204450091857526175 (0x4839ebc8c06abd9f) Signature Algorithm: sha256WithRSAEncryption Issuer: CN = openshift-kube-controller-manager-operator_csr-signer-signer@1587082310 Validity Not Before: Apr 17 00:11:50 2020 GMT Not After : May 17 00:11:51 2020 GMT
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0581
*** Bug 1817997 has been marked as a duplicate of this bug. ***