Description of problem: oidcdiscoveryendpoint controller invalidates all TokenRequest API tokens during install by setting the serviceIssuerURL on the Authentication cluster CR. This was thought to be safe when we did it in 4.6, but it turns out it is not and changing this value requires a full cluster restart, which there is not mechanism for today. We should remove this controller and leave configuration of the endpoint as a pre-install exercise for the user.
Verified on payload: 4.7.0-0.nightly-2020-12-14-165231 $ oc get clusterversion NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.7.0-0.nightly-2020-12-14-165231 True False 6h25m Cluster version is 4.7.0-0.nightly-2020-12-14-165231 1. controller oidcdiscoveryendpoint has been removed. [lwan@lwan Downloads]$ oc logs cloud-credential-operator-65cd57bfff-lqp8f -c cloud-credential-operator | grep controller=o [lwan@lwan Downloads]$ 2. there is no serviceAccountIssuer field in authentication CR $ oc get authentication cluster -o json | jq -r ".spec" {} 3.there is no related OpenID discovery documents push to s3 bucket.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:5633