Description of problem:
This is an issue which has affected monitoring, logging and service mesh operators so far: when the certificate of the ingress controller is replaced with one signed by an unknown CA, the proxies fail to reach the oauth URL.

In all previous operators the solution has been creating a configmap with the CA bundle from the cluster (including the custom CA from the customer) and mounting it in /etc/pki/ca-trust/extracted/pem in all the containers.

Version-Release number of selected component (if applicable):
4.4 and all previous releases

How reproducible:
Always

Steps to Reproduce:
1. Install OpenShift 4
2. Follow [1] and [2] to replace the ingress certificate and add the custom CA to the cluster-wide proxy
3. Install Metering operator and deploy an instance
4. Reach reporter URL

Actual results:
Error 500 when validating using the browser and/or sending a proper authentication token.

2020/04/30 15:37:29 oauthproxy.go:645: error redeeming code (client:10.130.2.1:57722): Post https://oauth-openshift.apps.infra.ont.belastingdienst.nl/oauth/token: x509: certificate signed by unknown authority
2020/04/30 15:37:29 oauthproxy.go:438: ErrorPage 500 Internal Error Internal Error

Expected results:
No issues when reaching https://oauth-openshift.apps.infra.ont.belastingdienst.nl/oauth/token

Additional info:
See next steps to fix the deployment reporting-operator:

- create the configmap and fill it with the cluster ca-bundle:

$ cat <<EOF | oc create -f -
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: openshift-metering
  labels:
    config.openshift.io/inject-trusted-cabundle: "true"
  name: trusted-ca
EOF

- edit the deployment/reporting-operator to add:

  - a volume to mount:

spec:
  template:
    spec:
      volumes:
      - configMap:
          defaultMode: 420
          items:
          - key: ca-bundle.crt
            path: tls-ca-bundle.pem
          name: trusted-ca
        name: trusted-ca

  - the volume to each of the two pods in the deployment:

spec:
  template:
    spec:
      containers:
      - name: reporting-operator
        volumeMounts:
        - name: trusted-ca
          mountPath: /etc/pki/ca-trust/extracted/pem
          readOnly: true
      - name: reporting-operator-auth-proxy
        volumeMounts:
        - name: trusted-ca
          mountPath: /etc/pki/ca-trust/extracted/pem
          readOnly: true
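
A way to check that the workaround above reached every container, added here as an example and not part of the original report or of the Metering operator: the function audits a Deployment object (the structure returned by `oc get deployment reporting-operator -n openshift-metering -o json`) for the trusted-ca volume and its mount. The function names and the sample Deployment are constructed for illustration.

```python
# Added example: audit a Deployment, as returned by
# `oc get deployment reporting-operator -o json`, for the trusted-CA fix.
CA_DIR = "/etc/pki/ca-trust/extracted/pem"
CONFIGMAP = "trusted-ca"  # ConfigMap name used in the report


def audit_trusted_ca(deployment):
    """Return findings; an empty list means every container has the bundle."""
    pod = deployment["spec"]["template"]["spec"]
    findings, good_volumes = [], set()
    for vol in pod.get("volumes", []):
        cm = vol.get("configMap") or {}
        if cm.get("name") != CONFIGMAP:
            continue
        # The injected key ca-bundle.crt must surface as tls-ca-bundle.pem.
        if any(i.get("key") == "ca-bundle.crt" and i.get("path") == "tls-ca-bundle.pem"
               for i in cm.get("items", [])):
            good_volumes.add(vol["name"])
        else:
            findings.append(f"volume {vol['name']}: ca-bundle.crt not mapped to tls-ca-bundle.pem")
    if not good_volumes and not findings:
        findings.append(f"no volume references ConfigMap {CONFIGMAP}")
    for c in pod.get("containers", []):
        mounts = [m for m in c.get("volumeMounts", [])
                  if m.get("name") in good_volumes and m.get("mountPath") == CA_DIR]
        if not mounts:
            findings.append(f"container {c['name']}: bundle not mounted at {CA_DIR}")
        elif not all(m.get("readOnly") for m in mounts):
            findings.append(f"container {c['name']}: bundle mount is not readOnly")
    return findings


def container(name, mounted):
    """Constructed sample container, with or without the trusted-ca mount."""
    mount = {"name": "trusted-ca", "mountPath": CA_DIR, "readOnly": True}
    return {"name": name, "volumeMounts": [mount] if mounted else []}


def sample_deployment(proxy_mounted):
    """Constructed sample Deployment; not output captured from a real cluster."""
    volume = {"name": "trusted-ca", "configMap": {
        "name": CONFIGMAP, "defaultMode": 420,
        "items": [{"key": "ca-bundle.crt", "path": "tls-ca-bundle.pem"}]}}
    return {"spec": {"template": {"spec": {"volumes": [volume], "containers": [
        container("reporting-operator", True),
        container("reporting-operator-auth-proxy", proxy_mounted)]}}}}


if __name__ == "__main__":
    for finding in audit_trusted_ca(sample_deployment(proxy_mounted=False)):
        print(finding)
```

With the auth proxy container left unmounted, the audit reports that container only, which is the state in which the x509 error from the log above would persist.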