*** Bug 2010502 has been marked as a duplicate of this bug. ***
Raising priority since this seems to be causing trouble in a CI/CD pipeline as noted in https://bugzilla.redhat.com/show_bug.cgi?id=2010502
Any news on this issue? It appears we may have a customer hitting this issue (I can provide details if you'd like)!
Follow the steps in Comment 0 and use 4.8.0-0.nightly-2021-10-18-115810 to do the verification

1. delete secret openshift-authenticator-certs

    $ oc delete secret -n openshift-oauth-apiserver openshift-authenticator-certs
    secret "openshift-authenticator-certs" deleted

2. check whether new created csr is using generateName with random suffix rather than previous fixed name 'system:openshift:openshift-authenticator'

    $ oc get csr
    NAME   AGE   SIGNERNAME   REQUESTOR   REQUESTEDDURATION   CONDITION
    ...
    system:openshift:openshift-authenticator-s8mgr   8s   kubernetes.io/kube-apiserver-client   system:serviceaccount:openshift-authentication-operator:authentication-operator   Approved,Issued

3. check labels 'authentication.openshift.io/csr: openshift-authenticator' is added to the new csr

    $ oc get csr system:openshift:openshift-authenticator-s8mgr -o yaml | grep -A5 -B5 'labels'
    apiVersion: certificates.k8s.io/v1
    kind: CertificateSigningRequest
    metadata:
      creationTimestamp: "2021-10-19T08:49:21Z"
      generateName: system:openshift:openshift-authenticator-
      labels:
        authentication.openshift.io/csr: openshift-authenticator
      name: system:openshift:openshift-authenticator-s8mgr
      resourceVersion: "39133"
      uid: 619c5a1f-b389-4fba-bad6-e81ce19f6f2a
    spec:

4. delete secret openshift-authenticator-certs again

    $ oc delete secret -n openshift-oauth-apiserver openshift-authenticator-certs
    secret "openshift-authenticator-certs" deleted

5. check whether new created csr is using different random suffix from the previous one

    $ oc get csr
    NAME   AGE   SIGNERNAME   REQUESTOR   REQUESTEDDURATION   CONDITION
    ...
    system:openshift:openshift-authenticator-s8mgr   2m21s   kubernetes.io/kube-apiserver-client   system:serviceaccount:openshift-authentication-operator:authentication-operator   Approved,Issued
    system:openshift:openshift-authenticator-sm9kq   14s   kubernetes.io/kube-apiserver-client   system:serviceaccount:openshift-authentication-operator:authentication-operator   Approved,Issued

6. check whether there are errors in authentication-operator pod logs, no error like in Comment 0 appears, which is expected with the fix

    $ oc logs <pod-name> -n openshift-authentication-operator
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.8.17 bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:3927