Bug
Resolution: Duplicate
4.13.z
Quality / Stability / Reliability
Description of problem:
After setting the cluster proxy with the redhat-ca cert, I expect the OpenShift nodes to be able to communicate with the API endpoint using a cert cut from RHCS (Red Hat Certificate System, https://ca.corp.redhat.com/ca/ee/ca/). Unfortunately, the baremetal nodes are showing:
kubelet_node_status.go:72] "Attempting to register node" node="hosted-worker-004.nodes.prod.psi.rdu2.redhat.com"
kubelet_node_status.go:94] "Unable to register node with API server" err="Post \"https://api.gpc.ocp-hub.prod.psi.redhat.com:6443/api/v1/nodes\": x509: certificate signed by unknown authority"
Version-Release number of selected component (if applicable):
HostedCluster is running on OCP 4.13.12
How reproducible:
Very reproducible.
Steps to Reproduce:
To reproduce the code, all I had to do was add the following in the HostedCluster object. Of course, both the secret and configMap references did exist in the hosted cluster namespace.
configuration:
  apiServer:
    audit:
      profile: Default
    clientCA:
      name: redhat-ca
    servingCerts:
      namedCertificates:
      - names:
        - api.gpc.ocp-hub.prod.psi.redhat.com
        servingCertificate:
          name: apiserver-tls
Actual results:
kubelet_node_status.go:72] "Attempting to register node" node="hosted-worker-004.nodes.prod.psi.rdu2.redhat.com"
kubelet_node_status.go:94] "Unable to register node with API server" err="Post \"https://api.gpc.ocp-hub.prod.psi.redhat.com:6443/api/v1/nodes\": x509: certificate signed by unknown authority"

Sep 15 06:09:24 hosted-worker-009.nodes.prod.psi.rdu2.redhat.com kubenswrapper[4306]: I0915 06:09:24.343424 4306 kubelet_node_status.go:72] "Attempting to register node" node="hosted-worker-009.nodes.prod.psi.rdu2.redhat.com"
Sep 15 06:09:24 hosted-worker-009.nodes.prod.psi.rdu2.redhat.com kubenswrapper[4306]: E0915 06:09:24.346873 4306 kubelet_node_status.go:94] "Unable to register node with API server" err="Post \"https://api.gpc.ocp-hub.prod.psi.redhat.com:6443/api/v1/nodes\": x509: certificate signed by unknown authority" node="hosted-worker-009.nodes.prod.psi.rdu2.redhat.com"
Sep 15 06:09:24 hosted-worker-009.nodes.prod.psi.rdu2.redhat.com kubenswrapper[4306]: I0915 06:09:24.574322 4306 csi_plugin.go:913] Failed to contact API server when waiting for CSINode publishing: Get "https://api.gpc.ocp-hub.prod.psi.redhat.com:6443/apis/storage.k8s.io/v1/csinodes/hosted-worker-009.nodes.prod.psi.rdu2.redhat.com": x509: certificate signed by unknown authority
Sep 15 06:09:25 hosted-worker-009.nodes.prod.psi.rdu2.redhat.com kubenswrapper[4306]: I0915 06:09:25.573760 4306 csi_plugin.go:913] Failed to contact API server when waiting for CSINode publishing: Get "https://api.gpc.ocp-hub.prod.psi.redhat.com:6443/apis/storage.k8s.io/v1/csinodes/hosted-worker-009.nodes.prod.psi.rdu2.redhat.com": x509: certificate signed by unknown authority
Sep 15 06:09:25 hosted-worker-009.nodes.prod.psi.rdu2.redhat.com kubenswrapper[4306]: E0915 06:09:25.642280 4306 eviction_manager.go:261] "Eviction manager: failed to get summary stats" err="failed to get node info: node \"hosted-worker-009.nodes.prod.psi.rdu2.redhat.com\" not found"
Expected results:
Additional info:
I've also confirmed the proxy on the hosted cluster does get updated and the redhat-ca configmap does get created in the openshift-config namespace. I've tried re-provisioning the nodes just to rule out stale certs on the node, but that didn't make a difference. Even during a fresh cluster install, it always hangs until I manually modify the HostedCluster object and remove the apiServer configuration. As mentioned earlier, we did manage to get this working on a separate hosted cluster configured exactly the same. It uses the same CA, but the cert for the API is different as the host is different.