Type: Bug
Resolution: Done
Priority: Major
Affects Version/s: 4.14.z, 4.15.z, 4.16.z
Incidents & Support
Sprint: Hypershift Sprint 260, Hypershift Sprint 261, Hypershift Sprint 262, Hypershift Sprint 263
Jira created from https://github.com/openshift/hypershift/issues/3985
I filed this Jira with the info I grabbed from the cases and the GH issue, so I haven't verified that all of it is true.
Description of problem:
When a named API server serving certificate is added to a HostedCluster, the bootstrap-kubeconfig is no longer trusted: it still carries the hosted cluster's own CA as certificate-authority-data, while the API server now presents the new certificate. New nodes (KubeVirt nodes in the reported cases) therefore fail to verify the API server and never register or show up on the HostedCluster. Without the named certificate, the nodes register fine.

The issue was initially solved by setting servicePublishingStrategy.loadBalancer.hostname to the API server's internal service URL, for which the certificate-authority-data in the bootstrap-kubeconfig is trusted (https://github.com/openshift/hypershift/issues/3985#issuecomment-2097859446). After some time the issue was reopened:

"We are experiencing issues using the apiserver internal service url at a later stage in our deployment. Ideally we would like to use the external apiserver fqdn in servicePublishingStrategy.loadBalancer.hostname. But when adding the apiserver certificate, the bootstrap-kubeconfig is no longer trusted. Is there any way to modify the bootstrap-kubeconfig? I also found this issue that seems to be the same issue I am experiencing: https://issues.redhat.com/browse/OCPBUGS-19067"
Version-Release number of selected component (if applicable):
4.14, 4.15, 4.16 (at least)
How reproducible:
Looks like always (day-0 or day-2)
Steps to Reproduce:
1. Create a HostedCluster with a different serving certificate:

   apiVersion: hypershift.openshift.io/v1beta1
   kind: HostedCluster
   metadata:
     name: test
     namespace: test
   spec:
     configuration:
       apiServer:
         servingCerts:
           namedCertificates:
           - servingCertificate:
               name: tls-secret

2. The bootstrap-kubeconfig will not contain the new cert.
3. The node deployment will not happen.
Actual results:
Nodes cannot join the HCP cluster, with the failure:

   Unable to connect to the server: tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "root-ca")
Expected results:
Nodes join the cluster and trust the new TLS certificate
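The trust failure described above, and the SAN-overlap check that the related validation bug (OCPBUGS-53261) adds, modelled with Go's standard crypto/x509 as an added example that is not HyperShift's own code: it builds a root-ca that signs the internal serving certificate and an unrelated CA that signs the customer's named certificate, then verifies each the way a client using the bootstrap-kubeconfig's certificate-authority-data does. The hostnames, CA names and function names are assumptions for the demo, not values from the report.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// template builds a 24h certificate; ca == true makes it a signing CA.
func template(serial int64, cn string, ca bool, dnsNames ...string) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageCertSign, nil
	}
	return t
}

// issue signs tmpl with parent and parentKey; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// VerifyAgainstKubeconfigCA mirrors a client using certificate-authority-data from
// the bootstrap-kubeconfig: that CA is the only root the presented cert may chain to.
func VerifyAgainstKubeconfigCA(caPEM []byte, presented *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return errors.New("certificate-authority-data holds no CA certificate")
	}
	_, err := presented.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// ConflictingNames returns DNS names that are both a SAN of the internal serving cert
// and a name claimed by a namedCertificates entry (exact matches only, no wildcards).
func ConflictingNames(internalSANs, namedCertNames []string) []string {
	internal := map[string]bool{}
	for _, n := range internalSANs {
		internal[n] = true
	}
	var out []string
	for _, n := range namedCertNames {
		if internal[n] {
			out = append(out, n)
		}
	}
	return out
}

// BuildScenario models the report: root-ca signs the internal serving cert,
// while the customer's named cert is issued by an unrelated CA.
func BuildScenario(internalHost, externalHost string) (rootCAPEM []byte, internalCert, namedCert *x509.Certificate) {
	rootCA, rootKey := issue(template(1, "root-ca", true), nil, nil)
	internalCert, _ = issue(template(2, internalHost, false, internalHost), rootCA, rootKey)
	customerCA, customerKey := issue(template(3, "customer-ca", true), nil, nil)
	namedCert, _ = issue(template(4, externalHost, false, externalHost), customerCA, customerKey)
	rootCAPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootCA.Raw})
	return rootCAPEM, internalCert, namedCert
}

func main() {
	// Hostnames are assumptions for the demo.
	caPEM, internalCert, namedCert := BuildScenario("kube-apiserver.clusters-test.svc", "api.example.com")
	fmt.Println("internal service URL:", VerifyAgainstKubeconfigCA(caPEM, internalCert, "kube-apiserver.clusters-test.svc"))
	fmt.Println("external FQDN:", VerifyAgainstKubeconfigCA(caPEM, namedCert, "api.example.com"))
	fmt.Println("conflicting names:", ConflictingNames(internalCert.DNSNames, []string{"api.example.com", "kube-apiserver.clusters-test.svc"}))
}
```

Against the internal service URL the verification succeeds, which is why the hostname workaround works; against the external FQDN it fails with x509.UnknownAuthorityError, the same class of failure shown under Actual results, because the bootstrap-kubeconfig only trusts root-ca. ConflictingNames flags a namedCertificates entry that claims a name already covered by the internal serving certificate's SAN, the condition the related validation bug exists to reject; it compares exact names only, so wildcard SANs would need extra handling.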
Additional info:
Is related to: OCPBUGS-53261 Add validation to check that NamedCertificates and the Internal Certificate SAN does not have conflicting domains (Closed)