OCPBUGS-18091

WMCO needs to ensure it still has all necessary certs.


    • Type: Bug
    • Resolution: Done-Errata
    • Priority: Critical
    • 4.13.z
    • 4.13.z
    • Component: Windows Containers
    • Severity: Important
    • Sprint: WINC - Sprint 241

      The WMCO seems to read "ignition" while it is really reading the MachineConfig’s encapsulated ignition.


      see: https://github.com/openshift/windows-machine-config-operator/blob/32fbcfcf36013554e2af22f1318a65ff92f49422/pkg/ignition/ignition.go#L42-L55


      The MCO is removing certificates from its MachineConfig. Namely, we are removing:

      /etc/kubernetes/kubelet-ca.crt
      /etc/kubernetes/static-pod-resources/configmaps/cloud-config/ca-bundle.pem
      /etc/pki/ca-trust/source/anchors/openshift-config-user-ca-bundle.crt

      These will now all be stored in the ControllerConfig, even during bootstrap. The WMCO either needs to read this encapsulated data rather than the MachineConfig, or an alternate path needs to be developed in the MCO to serve a WMCO-specific MachineConfig.


      It is unclear if this operator is impacted due to aspects like this: https://github.com/openshift/windows-machine-config-operator/blob/875e972c63bc336c6638464d7c0ae727c825a2df/pkg/nodeconfig/nodeconfig.go#L393-L412 which seem to read certs from our bootstrap secret. If the team believes they are not impacted by this, we can close this bug.


      I believe doing something like the following should work:

      // assumes mcfgv1 is the MCO v1 API package; List needs a pointer to the list type
      ccList := &mcfgv1.ControllerConfigList{}
      if err := c.List(context.TODO(), ccList); err != nil {
          return err
      }
      kubeletCA := []byte{}
      // there should only be one ControllerConfig in the list
      for _, item := range ccList.Items {
          kubeletCA = item.Spec.KubeAPIServerServingCAData
          // do this for each cert in the ControllerConfig spec
      }

      configuration, report, err := ignCfg.Parse(renderedWorker.Spec.Config.Raw)
      if err != nil || report.IsFatal() {
          return nil, fmt.Errorf("failed to parse MachineConfig ignition: %v\nReport: %v", err, report)
      }
      ign := &Ignition{
          config: configuration,
      }

      // Ignition's Go types expose the file list as Storage.Files
      ign.config.Storage.Files = append(ign.config.Storage.Files, <NEW FILE WITH CA DATA>)
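A runnable sketch of the check the title asks for, added here and not WMCO or MCO code: it walks a rendered worker ignition config for the three paths listed above and, for each one missing, appends a file entry whose bytes come from a caller-supplied map that stands in for the ControllerConfig spec data. The minimal ignFile/ignConfig structs, requiredCerts, missingCerts and injectCerts are assumptions; the contents use a base64 data URL, which is what Ignition expects for inline file sources.

```go
package main

import (
	"encoding/base64"
	"fmt"
)

// Minimal Ignition v3 shape: only the fields this example touches (assumption).
type ignFile struct {
	Path     string `json:"path"`
	Contents struct{ Source string `json:"source,omitempty"` } `json:"contents"`
}
type ignConfig struct {
	Storage struct{ Files []ignFile `json:"files,omitempty"` } `json:"storage"`
}

// The three paths the MCO stopped rendering into the worker MachineConfig.
var requiredCerts = []string{
	"/etc/kubernetes/kubelet-ca.crt",
	"/etc/kubernetes/static-pod-resources/configmaps/cloud-config/ca-bundle.pem",
	"/etc/pki/ca-trust/source/anchors/openshift-config-user-ca-bundle.crt",
}

// missingCerts lists the required paths the rendered config does not carry.
func missingCerts(cfg *ignConfig) (missing []string) {
	present := map[string]bool{}
	for _, f := range cfg.Storage.Files {
		present[f.Path] = true
	}
	for _, p := range requiredCerts {
		if !present[p] {
			missing = append(missing, p)
		}
	}
	return missing
}

// injectCerts appends a base64 data-URL file for each missing path; caData stands in for the ControllerConfig spec fields (assumption).
func injectCerts(cfg *ignConfig, caData map[string][]byte) error {
	for _, p := range missingCerts(cfg) {
		data, ok := caData[p]
		if !ok || len(data) == 0 {
			return fmt.Errorf("no CA data available for %s", p)
		}
		f := ignFile{Path: p}
		f.Contents.Source = "data:text/plain;charset=utf-8;base64," + base64.StdEncoding.EncodeToString(data)
		cfg.Storage.Files = append(cfg.Storage.Files, f)
	}
	return nil
}
```

Feed it the parsed ignition from renderedWorker.Spec.Config.Raw and a map built from the ControllerConfig spec; a non-empty missingCerts result after injection means a node would be bootstrapped without a CA it needs.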


            Sebastian Soto (rh-ee-ssoto)
            Charles Doern (cdoern@redhat.com)
            Aharon Rasouli
            Votes: 0
            Watchers: 5