On recovery flow, KASO regenerate certificates routine create new KCM client certs in openshift-config-managed namespace. We need to sync them to openshift-kube-controller-manager namespace so cert syncer can sync them to disk to be live-reloaded.
Confrimed with payload: 4.5.0-0.nightly-2020-04-24-231436, the issue has fixed: [root@dhcp-140-138 scripts]# ./check_secrets_experts.sh 2020-04-26T03:57:18Z 2020-04-26T15:57:19Z openshift-config-managed kube-controller-manager-client-cert-key ... 2020-04-26T03:57:18Z 2020-04-26T15:57:19Z openshift-kube-controller-manager kube-controller-manager-client-cert-key
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2409