Bug
Resolution: Not a Bug
4.17
Quality / Stability / Reliability
Description of problem:
When the kube-controller-manager cert-syncer container has bad kube-apiserver client credentials, the operator doesn't become degraded.
Version-Release number of selected component (if applicable):
4.17
How reproducible:
Not trivial to reproduce; it was caused by a bug in an external tool that modified the JWT token in a bad way.
Steps to Reproduce:
1. Mess up the token used by cert-syncer
Actual results:
The kube-controller-manager cert-syncer can't reach kube-apiserver, yet the operator doesn't become degraded in response.
Expected results:
The operator should notice that the cert-syncer can't reach the kube-apiserver and become degraded to let the user know there's something wrong.
Additional info:
It doesn't lead to any issue initially, but eventually the cert-syncer not syncing certs causes the certs to expire and the cluster starts falling apart. This could arguably be considered not a bug, since there's nothing in OCP to cause this naturally, but I still thought it's a bit weird behavior from kcmo that should probably be adjusted. If cert-syncer is having a bad time, I would expect the operator to go degraded.