The router e2e tests create custom ingress controllers which appear to consistently (100%) trigger a rollout of a new oauth-apiserver. GO111MODULE=on GOFLAGS=-mod=vendor go test -timeout 1h -count 1 -v -tags e2e -run "TestHTTPHeaderBufferSize" ./test/e2e creates a new "router-header-buffer-size" deployment May 10 15:10:37.000 I ns/openshift-authentication-operator deployment/authentication-operator reason/SecretUpdated Updated Secret/v4-0-config-system-router-certs -n openshift-authentication because it changed (5 times) May 10 15:10:37.000 I ns/openshift-config-managed secret/router-certs reason/UpdatedPublishedRouterCertificates Updated the published router certificates (5 times) ... May 10 19:10:40.179 I ns/openshift-ingress pod/router-header-buffer-size-6847776996-j5pvn node/ci-ln-7491spt-f76d1-7nzpr-worker-d-x6blq container/router reason/ContainerStart duration/3.00s May 10 19:10:41.142 I ns/openshift-ingress pod/router-header-buffer-size-6847776996-j5pvn node/ci-ln-7491spt-f76d1-7nzpr-worker-d-x6blq container/router reason/Ready ... May 10 15:11:27.000 I ns/openshift-authentication pod/oauth-openshift-774c68999f-gnkc4 node/ci-ln-7491spt-f76d1-7nzpr-master-0 container/oauth-openshift reason/Killing May 10 15:11:27.000 I ns/openshift-authentication-operator deployment/authentication-operator reason/DeploymentUpdated Updated Deployment.apps/oauth-openshift -n openshift-authentication because it changed (5 times) and triggers auth rollout. I *assume* this is router cert related, but not sure. This causes an immense amount of disruption (which is covered by other bugs) but in general customers adding custom ingress controllers should have no impact on oauth. Starting with oauth because I'm not sure which side it's on, but oauth should not react unless the config it cares about changes. I'm able to trigger this on any run of https://prow.ci.openshift.org/job-history/gs/origin-ci-test/pr-logs/directory/pull-ci-openshift-cluster-ingress-operator-master-e2e-aws-operator and also directly from a launch by running the command above.
Note my naive expectation was non-default ingress controllers didn't automatically cause oauth to rollout because oauth should only care about router certs for the router its route is exposed on (which technically is part of the inferred logic from route status). However, if *every* ingress controller automatically exposes oauth, that could be bad for other reasons, and our testing needs a way to keep those from selecting those routes / disable that logic / bypass rollout. We shouldn't remove the flexibility to expose oauth on a different ingress controller, but we need to be more cautious about the impact of extra controllers on core oauth infra.
The fix in library-go resource syncer has finally been merged, this is being fixed as a part of https://bugzilla.redhat.com/show_bug.cgi?id=1950379 *** This bug has been marked as a duplicate of bug 1950379 ***