Bug
Resolution: Done
Critical
4.16
Quality / Stability / Reliability
Description of problem:
Apiserver not restarted after adding new custom certificates
Version-Release number of selected component (if applicable):
4.16
How reproducible:
Always
Steps to Reproduce:
export fqdn_name=api.$(oc get dns/cluster -o=jsonpath='{.spec.baseDomain}')
cp $KUBECONFIG $KUBECONFIG.origin
grep certificate-authority-data $KUBECONFIG | grep -Eo "[^ ]+$" | base64 -d > /tmp/certificate-authority-data-origin.crt

rahulgangwar@rgangwar-mac openshift-tests-private % curl --cacert /tmp/certificate-authority-data-origin.crt https://${fqdn_name}:6443/healthz
ok

rahulgangwar@rgangwar-mac openshift-tests-private % cat > /tmp/server.conf << EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${fqdn_name}
EOF

rahulgangwar@rgangwar-mac openshift-tests-private % CN_BASE=kas-test-cert
openssl genrsa -out /tmp/caKey.pem 2048
openssl req -sha256 -x509 -new -nodes -key /tmp/caKey.pem -days 100000 -out /tmp/caCert.pem -subj "/CN=${CN_BASE}_ca"
openssl genrsa -out /tmp/serverKey.pem 2048
openssl req -sha256 -new -key /tmp/serverKey.pem -out /tmp/server.csr -subj "/CN=${CN_BASE}_server" -config /tmp/server.conf
openssl x509 -sha256 -req -in /tmp/server.csr -CA /tmp/caCert.pem -CAkey /tmp/caKey.pem -CAcreateserial -out /tmp/serverCert.pem -days 100000 -extensions v3_req -extfile /tmp/server.conf
Certificate request self-signature ok
subject=CN=kas-test-cert_server

rahulgangwar@rgangwar-mac openshift-tests-private % oc create secret tls custom-api-cert --cert=/tmp/serverCert.pem --key=/tmp/serverKey.pem -n clusters
secret/custom-api-cert created

# ${fqdn_name} is spliced in outside the single quotes so the shell expands it; fully single-quoted it would be passed literally.
oc patch hostedcluster hypershift-ci-270834 -n clusters --type=merge -p '{"spec": {"configuration": {"apiServer": {"servingCerts": {"namedCertificates": [{"names": ["'"${fqdn_name}"'"], "servingCertificate": {"name": "custom-api-cert"}}]}}}}}'

oc get co --kubeconfig=/tmp/hyper-kube.txt
NAME                                       VERSION                              AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
console                                    4.16.0-0.nightly-2024-03-13-061822   True        False         False      81m
csi-snapshot-controller                    4.16.0-0.nightly-2024-03-13-061822   True        False         False      87m
dns                                        4.16.0-0.nightly-2024-03-13-061822   True        False         False      81m
image-registry                             4.16.0-0.nightly-2024-03-13-061822   True        False         False      81m
ingress                                    4.16.0-0.nightly-2024-03-13-061822   True        False         False      81m
insights                                   4.16.0-0.nightly-2024-03-13-061822   True        False         False      82m
kube-apiserver                             4.16.0-0.nightly-2024-03-13-061822   True        False         False      87m
kube-controller-manager                    4.16.0-0.nightly-2024-03-13-061822   True        False         False      87m
kube-scheduler                             4.16.0-0.nightly-2024-03-13-061822   True        False         False      87m
kube-storage-version-migrator              4.16.0-0.nightly-2024-03-13-061822   True        False         False      82m
monitoring                                 4.16.0-0.nightly-2024-03-13-061822   True        False         False      79m
network                                    4.16.0-0.nightly-2024-03-13-061822   True        False         False      86m
node-tuning                                4.16.0-0.nightly-2024-03-13-061822   True        False         False      83m
openshift-apiserver                        4.16.0-0.nightly-2024-03-13-061822   True        False         False      87m
openshift-controller-manager               4.16.0-0.nightly-2024-03-13-061822   True        False         False      87m
openshift-samples                          4.16.0-0.nightly-2024-03-13-061822   True        False         False      81m
operator-lifecycle-manager                 4.16.0-0.nightly-2024-03-13-061822   True        False         False      87m
operator-lifecycle-manager-catalog         4.16.0-0.nightly-2024-03-13-061822   True        False         False      86m
operator-lifecycle-manager-packageserver   4.16.0-0.nightly-2024-03-13-061822   True        False         False      87m
service-ca                                 4.16.0-0.nightly-2024-03-13-061822   True        False         False      82m
storage                                    4.16.0-0.nightly-2024-03-13-061822   True        False         False      83m

rahulgangwar@rgangwar-mac openshift-tests-private % curl --cacert /tmp/caCert.pem https://${fqdn_name}:6443/healthz
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
rahulgangwar@rgangwar-mac openshift-tests-private %
Actual results:
Apiserver not restarted and curl gives error
Expected results:
Apiserver should restart and curl should pass and give new cert details
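Added example (not part of this report or of HyperShift): a Go replay of the steps above that mints the same kind of CA and SAN-bearing serving certificate the openssl commands produce, then applies the check the final curl performs, chain verification against caCert.pem for the API FQDN, plus a fingerprint comparison so an endpoint still presenting its original certificate is reported rather than accepted. The FQDN is a constructed placeholder; no cluster is contacted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert mints a self-signed CA (parent == nil) or a serving leaf for dnsName signed by parent, mirroring the report's openssl steps (SAN = API FQDN, serverAuth EKU, CA:FALSE on the leaf).
func newCert(cn, dnsName string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, pkey = tmpl, key
	} else {
		tmpl.DNSNames, tmpl.KeyUsage = []string{dnsName}, x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// checkServed is the decision behind `curl --cacert caCert.pem https://${fqdn_name}:6443/healthz` plus one step: the presented leaf must chain to roots for fqdn AND be byte-for-byte the custom cert.
func checkServed(served *x509.Certificate, fqdn string, roots *x509.CertPool, want *x509.Certificate) (bool, error) {
	if _, err := served.Verify(x509.VerifyOptions{DNSName: fqdn, Roots: roots}); err != nil {
		return false, err // UnknownAuthorityError is curl's "self signed certificate in certificate chain"
	}
	return sha256.Sum256(served.Raw) == sha256.Sum256(want.Raw), nil
}

// demo replays the report: before the restart the endpoint still presents its original cert (beforeErr != nil, curl error 60); after it, the custom cert (afterOK == true, the expected result).
func demo() (beforeErr error, afterOK bool) {
	const fqdn = "api.hosted.example.test" // constructed stand-in for ${fqdn_name}
	oldCA, oldCAKey := newCert("original_ca", "", nil, nil)
	oldLeaf, _ := newCert("original_server", fqdn, oldCA, oldCAKey) // issued by the cluster's own CA
	newCA, newCAKey := newCert("kas-test-cert_ca", "", nil, nil)    // caCert.pem
	newLeaf, _ := newCert("kas-test-cert_server", fqdn, newCA, newCAKey) // serverCert.pem, in secret custom-api-cert
	roots := x509.NewCertPool()
	roots.AddCert(newCA) // the --cacert the report passes to curl
	_, beforeErr = checkServed(oldLeaf, fqdn, roots, newLeaf)
	afterOK, _ = checkServed(newLeaf, fqdn, roots, newLeaf)
	return beforeErr, afterOK
}
```

Against a live cluster the leaf passed to checkServed would be the first certificate from the TLS handshake with ${fqdn_name}:6443; the fingerprint step is what distinguishes "restart happened" from "old certificate still served".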
Additional info: