+++ This bug was initially created as a clone of Bug #1825983 +++

In the recovery flow, the KASO regenerate-certificates routine creates new KCM client certs in the openshift-config-managed namespace. We need to sync them to the openshift-kube-controller-manager namespace so the cert syncer can sync them to disk to be live-reloaded.
This, along with https://bugzilla.redhat.com/show_bug.cgi?id=1817997, is required for the automatic cert-rotation to fully work. Given that, there are the following items left:

- https://github.com/openshift/cluster-kube-controller-manager-operator/pull/401 - Sync new client cert-key on recovery for 4.4
- https://github.com/kubernetes/kubernetes/pull/90360 - Fix client-ca dynamic reload in apiserver

With the latter, we need to land it upstream first and backport to the current origin master, and only then back to 4.4. With all of the above tasks we'll continue to land this ASAP, but that won't make the 4.4.0 cut. We still have the manual steps described in https://docs.openshift.com/container-platform/4.3/backup_and_restore/disaster_recovery/scenario-3-expired-certs.html#dr-recovering-expired-certs working, so we have a fallback solution in place for 4.4.0.
[root@dhcp-140-138 scripts]# ./check_secrets_experts-30.sh
2020-05-08T06:07:41Z 2020-06-07T06:07:42Z openshift-config-managed kube-controller-manager-client-cert-key
2020-05-08T06:07:41Z 2020-06-07T06:07:42Z openshift-kube-controller-manager kube-controller-manager-client-cert-key

[root@dhcp-140-138 ~]# oc get clusterversion
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.4.0-0.nightly-2020-05-08-004736 True False 30h Cluster version is 4.4.0-0.nightly-2020-05-08-004736
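The check that the verification output above supports, written out as an added example (not part of the bug report, and not the `check_secrets_experts-30.sh` script, whose contents are not on this page). It assumes the four-column report format shown above (notBefore, notAfter, namespace, secret name); `sample_report` and `check_cert_sync` are hypothetical names, and the `NOW` value is constructed.

```shell
#!/bin/sh
# Added example: decide whether the operand namespace holds the same client
# cert as the source namespace after a recovery. Input is the four-column
# report format assumed from the verification output on this page.

SECRET=kube-controller-manager-client-cert-key
SRC_NS=openshift-config-managed
DST_NS=openshift-kube-controller-manager

# Constructed sample input: the two report lines quoted in the bug.
sample_report() {
cat <<'EOF'
2020-05-08T06:07:41Z 2020-06-07T06:07:42Z openshift-config-managed kube-controller-manager-client-cert-key
2020-05-08T06:07:41Z 2020-06-07T06:07:42Z openshift-kube-controller-manager kube-controller-manager-client-cert-key
EOF
}

# check_cert_sync SECRET SRC_NS DST_NS [NOW]   (report on stdin)
# Exit status: 0 in sync, 1 stale copy, 2 secret missing, 3 copy expired.
# Matching validity windows are a heuristic for "same cert"; a differing
# window is proof that the copy was not synced.
check_cert_sync() {
  awk -v name="$1" -v src="$2" -v dst="$3" -v now="${4:-}" '
    $4 == name && $3 == src { s = $1 " " $2; found_s = 1 }
    $4 == name && $3 == dst { d = $1 " " $2; d_end = $2; found_d = 1 }
    END {
      if (!found_s || !found_d) { print "MISSING " name; exit 2 }
      if (s != d) {
        print "STALE " dst ": " d " (source: " s ")"; exit 1
      }
      # ISO 8601 UTC timestamps order correctly as plain strings.
      if (now != "" && (d_end "") <= (now "")) {
        print "EXPIRED " d_end; exit 3
      }
      print "IN SYNC " name ": " s
    }'
}

# Constructed "current time" one day after the certs were issued.
sample_report | check_cert_sync "$SECRET" "$SRC_NS" "$DST_NS" 2020-05-09T12:00:00Z
```
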
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2133