- Bug
- Resolution: Done-Errata
- Undefined
- 4.14.0
- No
- Hypershift Sprint 239, Hypershift Sprint 240, Hypershift Sprint 241, Hypershift Sprint 242, Hypershift Sprint 243
- 5
- False
Description of problem:
When deploying a dual stack HostedCluster the KAS certificate won't be created with the proper SAN. If we look into a regular dual-stack cluster we can see the certificate gets generated as follows:

X509v3 Subject Alternative Name:
DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:openshift, DNS:openshift.default, DNS:openshift.default.svc, DNS:openshift.default.svc.cluster.local, DNS:172.30.0.1, DNS:fd02::1, IP Address:172.30.0.1, IP Address:FD02:0:0:0:0:0:0:1

whereas in a dual-stack hosted cluster this is the SAN:

X509v3 Subject Alternative Name:
DNS:localhost, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:kube-apiserver, DNS:kube-apiserver.clusters-hosted.svc, DNS:kube-apiserver.clusters-hosted.svc.cluster.local, DNS:api.hosted.dual.lab, DNS:api.hosted.hypershift.local, IP Address:127.0.0.1, IP Address:172.31.0.1

As you can see it's missing the IPv6 pod+service IP on the certificate. This causes issues on some controllers when contacting the KAS.

Example:

E0711 16:51:42.536367 1 reflector.go:140] github.com/openshift/router/pkg/router/template/service_lookup.go:33: Failed to watch *v1.Service: failed to list *v1.Service: Get "https://172.31.0.1:443/api/v1/services?limit=500&resourceVersion=0": x509: cannot validate certificate for 172.31.0.1 because it doesn't contain any IP SANs
Version-Release number of selected component (if applicable):
latest
How reproducible:
Always
Steps to Reproduce:
1. Deploy an HC with the networking settings specified, using the image with dual stack patches included: quay.io/jparrill/hypershift:OCPBUGS-15331-mix-413v4
Actual results:
KubeApiserver cert gets generated with the wrong SAN config.
Expected results:
KubeApiserver cert gets generated with the correct SAN config.
Additional info:
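
The SAN comparison in this report can be checked offline. The Go program below is an added example, not part of the original report or of the HyperShift code: it parses the two SAN lines quoted in the description and runs Go's own hostname verification against the service IPs. The names `parseSAN` and `rejected`, and the use of `fd02::1` as the hosted cluster's IPv6 service IP, are assumptions made for the illustration.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"net"
	"strings"
)

// SAN lines as quoted in the report (openssl text form).
const regularSAN = "DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:openshift, DNS:openshift.default, DNS:openshift.default.svc, DNS:openshift.default.svc.cluster.local, DNS:172.30.0.1, DNS:fd02::1, IP Address:172.30.0.1, IP Address:FD02:0:0:0:0:0:0:1"
const hostedSAN = "DNS:localhost, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:kube-apiserver, DNS:kube-apiserver.clusters-hosted.svc, DNS:kube-apiserver.clusters-hosted.svc.cluster.local, DNS:api.hosted.dual.lab, DNS:api.hosted.hypershift.local, IP Address:127.0.0.1, IP Address:172.31.0.1"

// parseSAN fills the certificate fields that hostname verification reads.
// Entries that are neither DNS nor a parseable IP are skipped.
func parseSAN(line string) *x509.Certificate {
	cert := &x509.Certificate{}
	for _, entry := range strings.Split(line, ",") {
		kind, value, _ := strings.Cut(strings.TrimSpace(entry), ":")
		switch kind {
		case "DNS":
			cert.DNSNames = append(cert.DNSNames, value)
		case "IP Address":
			if ip := net.ParseIP(value); ip != nil {
				cert.IPAddresses = append(cert.IPAddresses, ip)
			}
		}
	}
	return cert
}

// rejected lists the endpoints a Go client would refuse for this certificate.
// For an IP endpoint only "IP Address" entries count; DNS:172.30.0.1 does not.
func rejected(cert *x509.Certificate, endpoints ...string) []string {
	out := []string{}
	for _, ep := range endpoints {
		if err := cert.VerifyHostname(ep); err != nil {
			out = append(out, ep)
		}
	}
	return out
}

func main() {
	// fd02::1 stands in for the hosted cluster's IPv6 service IP (assumption).
	fmt.Println("regular:", rejected(parseSAN(regularSAN), "172.30.0.1", "fd02::1"))
	fmt.Println("hosted: ", rejected(parseSAN(hostedSAN), "172.31.0.1", "fd02::1"))
}
```
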