  1. OpenShift GitOps
  2. GITOPS-4947

Race condition in termination policy for argocd server route


    • Before this update, the GitOps operator had a race condition: when the OpenShift Service CA created the TLS secret before the default TLS termination policy was set, Passthrough became the default policy instead of Reencrypt. This update fixes the race condition by checking whether the secret was created by the OpenShift Service CA and, if so, using Reencrypt as the correct default policy.
    • Bug Fix
    • Proposed
    • GitOps Scarlet - Sprint 3260, GitOps Scarlet - Sprint 3262

      Description of problem:

      The termination policy for the server route remains passthrough during an upgrade from 1.12.4 to 1.13.0 even in the absence of the argocd-server-tls secret in 1.12.4. This has been identified as a race condition: the creation of the argocd-server-tls secret is managed by the OpenShift Service CA, and the route might be created before the secret is.

      At this point, we are able to log in to the ArgoCD server.

      Upon deleting the route, the termination policy gets updated to reencrypt as route.Spec.TLS momentarily turns to nil. To log in to the ArgoCD server, the pod needs to be restarted.

      Even with the reencrypt termination policy, the certificate issuer is not changed to ingress-operator and remains openshift-service-serving-signer.

       

      Scenarios to debug/try out

      1. Certificate issuer not changing to ingress-operator for reencrypt policy
      2. CR is configured with passthrough policy during upgrade
      3. CR is configured with passthrough policy and custom tls certificate during upgrade
      4. CR is configured with reencrypt policy during upgrade
      5. Upgrade from 1.12.3 to 1.13 with argocd-server-tls secret 
      6. Upgrade from 1.12.3 to 1.13 without argocd-server-tls secret 

       

      Workaround

      Prerequisites (if any, like setup, operators/versions):

      Steps to Reproduce

      Upgrade the operator from 1.12.4 to 1.13.0

       

      Actual results:

      Expected results:

      Reproducibility (Always/Intermittent/Only Once):

      Intermittent

      Acceptance criteria: 

       

      Definition of Done:

      Build Details:

      Additional info (Such as Logs, Screenshots, etc):

       


              cbanavik Chetan Banavikalmutt
              rhn-support-vab Varsha B
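
The check described in the release note, as an added Go example that is not the operator's own code. The `Secret` type and function names are hypothetical. It assumes that a policy set explicitly in the CR wins, that a TLS secret without the Service CA annotation is a user-supplied certificate, and that the annotation shown is how a Service CA secret is recognised.

```go
package main

import "fmt"

// Secret is a minimal stand-in for a Kubernetes Secret (hypothetical type).
type Secret struct{ Annotations map[string]string }

const (
	Passthrough = "passthrough"
	Reencrypt   = "reencrypt"
	// Annotation the OpenShift Service CA puts on serving-cert secrets it generates.
	serviceCAKey = "service.beta.openshift.io/originating-service-name"
)

// createdByServiceCA reports whether the secret carries the Service CA marker.
func createdByServiceCA(s *Secret) bool {
	return s != nil && s.Annotations[serviceCAKey] != ""
}

// racyDefault is a constructed model of the pre-fix choice: any TLS secret that
// already exists is taken to be a user certificate, so TLS is passed through.
func racyDefault(explicit string, tls *Secret) string {
	if explicit != "" {
		return explicit // policy set in the CR wins (assumption)
	}
	if tls != nil {
		return Passthrough
	}
	return Reencrypt
}

// fixedDefault ignores a secret generated by the Service CA, so the result no
// longer depends on whether that secret appeared before the route was reconciled.
func fixedDefault(explicit string, tls *Secret) string {
	if createdByServiceCA(tls) {
		tls = nil
	}
	return racyDefault(explicit, tls)
}

func main() {
	// Constructed inputs: Service CA secret, user-supplied secret, no secret yet.
	generated := &Secret{Annotations: map[string]string{serviceCAKey: "argocd-server"}}
	for _, s := range []*Secret{generated, &Secret{}, nil} {
		fmt.Printf("serviceCA=%v racy=%s fixed=%s\n",
			createdByServiceCA(s), racyDefault("", s), fixedDefault("", s))
	}
}
```

Only the first row differs between the two functions: the Service CA secret that wins the race yields passthrough in the racy model and reencrypt in the fixed one.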