A change in the set of internal IP addresses for a node causes the operator to go degraded. The operator is unable to detect node changes, so any discrepancy between node internal addresses and the SANs of certificates for that node is presumed to represent a potential membership change requiring manual intervention.
This bz is a hoop-jumping exercise to get a change that merged to 4.8 (see linked PR) eligible to be backported to 4.7. Changes to node IPs (either due to membership changes or the addition of node internal IP addresses) previous to this change would result in the operator going degraded, but after the change certs will automatically be regenerated to be correct. Please prioritize testing this change to unblock the backport.
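The comparison described above, between a node's internal addresses and the IP SANs of its certificate, can be sketched as follows. This is an added example, not the operator's code: `nodeAddress` and `sanDrift` are hypothetical names, the `InternalIP` type string follows the Kubernetes node `status.addresses` convention, and the addresses are constructed documentation-range values.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"net"
)

// nodeAddress mirrors the type/address pairs in a node's status.addresses (local stand-in type).
type nodeAddress struct{ Type, Address string }

// sanDrift returns internal IPs missing from the certificate's IP SANs (missing)
// and IP SANs that no current internal IP matches (stale).
func sanDrift(cert *x509.Certificate, addrs []nodeAddress) (missing, stale []string) {
	matched := make([]bool, len(cert.IPAddresses))
	for _, a := range addrs {
		ip := net.ParseIP(a.Address)
		if a.Type != "InternalIP" || ip == nil {
			continue // hostnames and external addresses are out of scope here
		}
		found := false
		for i, san := range cert.IPAddresses {
			if san.Equal(ip) { // Equal treats 4-byte and IPv4-mapped 16-byte forms as the same address
				matched[i], found = true, true
			}
		}
		if !found {
			missing = append(missing, a.Address)
		}
	}
	for i, san := range cert.IPAddresses {
		if !matched[i] {
			stale = append(stale, san.String())
		}
	}
	return missing, stale
}

func main() {
	// Constructed sample: a certificate issued for one internal IP, then the node reports a second.
	// A real certificate would come from x509.ParseCertificate; only IPAddresses matters here.
	cert := &x509.Certificate{IPAddresses: []net.IP{net.ParseIP("192.0.2.10")}}
	node := []nodeAddress{{"InternalIP", "192.0.2.10"}, {"InternalIP", "192.0.2.11"}, {"Hostname", "node-a"}}
	missing, stale := sanDrift(cert, node)
	fmt.Printf("missing=%v stale=%v drift=%t\n", missing, stale, len(missing)+len(stale) > 0)
}
```

Any non-empty `missing` or `stale` result is the kind of discrepancy the report describes: before the change it left the operator degraded, after it the certificates are regenerated.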
Re-opening. The original fix didn't reflect the possibility of node IPs changing on upgrade.
And, no further change required since an IP address change for the same node requires an out-of-band cluster membership change.