"oc explain ingress.spec.domain --api-version=config.openshift.io/v1" shows "Once set, changing domain is not currently supported.", but user still can update the domain, and that causes auth/console operator become degraded.

    4.16 and before

    100%

    1. oc edit ingress.config/cluster

spec:
  domain: test.example.com   <----- change the domain

    2. check all routes, find that the auth/console/download routes hostname already changed.

$ oc get route -A
NAMESPACE                  NAME                      HOST/PORT                                                                                 PATH        SERVICES            PORT    TERMINATION            WILDCARD
openshift-authentication   oauth-openshift           oauth-openshift.test.example.com                                                                      oauth-openshift     6443    passthrough/Redirect   None
openshift-console          console                   console-openshift-console.test.example.com                                                            console             https   reencrypt/Redirect     None
openshift-console          downloads                 downloads-openshift-console.test.example.com                                                          downloads           http    edge/Redirect          None
openshift-ingress-canary   canary                    canary-openshift-ingress-canary.apps.hongli-aw.qe.devcluster.openshift.com                            ingress-canary      8080    edge/Redirect          None
openshift-monitoring       alertmanager-main         alertmanager-main-openshift-monitoring.apps.hongli-aw.qe.devcluster.openshift.com         /api        alertmanager-main   web     reencrypt/Redirect     None
openshift-monitoring       prometheus-k8s            prometheus-k8s-openshift-monitoring.apps.hongli-aw.qe.devcluster.openshift.com            /api        prometheus-k8s      web     reencrypt/Redirect     None
openshift-monitoring       prometheus-k8s-federate   prometheus-k8s-federate-openshift-monitoring.apps.hongli-aw.qe.devcluster.openshift.com   /federate   prometheus-k8s      web     reencrypt/Redirect     None
openshift-monitoring       thanos-querier            thanos-querier-openshift-monitoring.apps.hongli-aw.qe.devcluster.openshift.com            /api        thanos-querier      web     reencrypt/Redirect     None


    3.check co status, auth and console are degraded 

authentication                             4.16.0-0.nightly-2024-04-15-184947   False       True          True       14m     OAuthServerRouteEndpointAccessibleControllerAvailable: Get "https://oauth-openshift.apps.hongli-aw.qe.devcluster.openshift.com/healthz": tls: failed to verify certificate: x509: certificate signed by unknown authority

console                                    4.16.0-0.nightly-2024-04-15-184947   False       False         True       14m     RouteHealthAvailable: failed to GET route (https://console-openshift-console.test.example.com): Get "https://console-openshift-console.test.example.com": dial tcp: lookup console-openshift-console.test.example.com on 172.30.0.10:53: no such host
     

    1. auth/console/downloads route hostname changed
    2. co auth/console degraded 

    should add validation to make spec.domain is immutable 

    $ oc explain ingress.spec.domain --api-version=config.openshift.io/v1
GROUP:      config.openshift.io
KIND:       Ingress
VERSION:    v1FIELD: domain <string>DESCRIPTION:
    domain is used to generate a default host name for a route when the route's
    host name is empty. The generated host name will follow this pattern:
    "<route-name>.<route-namespace>.<domain>". 
     It is also used as the default wildcard domain suffix for ingress. The
    default ingresscontroller domain will follow this pattern: "*.<domain>". 
     Once set, changing domain is not currently supported.