OCPBUGS-518

Unexpected kube-apiserver rollout


      Description of problem:

      The kube-apiserver is rolling out unexpectedly after changing the logging configuration of the default ingress-controller.

      We can see this behaviour after updating the certificates of the kube-apiserver and the routers and after the expected rollout of the certificate update.

      Version-Release number of selected component (if applicable): v4.9.37

      How reproducible:

      In multiple environments, we had the same issue every time we followed the steps listed below.

      Steps to Reproduce:

      1. Change openshift-config/api-certificate secret with pem and key certificate (for api servers) (update)
      2. Change openshift-ingress/lb-routers-certificate secret with pem and key certificate (for all sharding routers, default router too)
      3. Wait for new certificates to be available in API and haproxy
      4. Wait for another 30 minutes
      5. Change haproxy log format in default ingress-controller with the following configuration:

        logging:
          access:
            destination:
              syslog:
                address: XX.XX.XX.XX
                port: 10514
              type: Syslog
            httpCaptureHeaders:
              request:
              - maxLength: 128
                name: Host
            httpLogFormat: tenant="default",cluster="xxxxxxxx",datacenter="xxxxx",status_code="%ST"....
            logEmptyRequests: Ignore

      6. Wait for default routers to roll out
      7. Unexpected rollout of kube-apiserver, kube-controller and kube-scheduler (just after starting the rollout of the routers)

       

      Actual results:

      The kube-apiserver is rolling out for a new revision.

      Expected results:

      No extra rollout is expected.

      Additional info:

      The kube-controller and the kube-scheduler are also rolling out at the same time.

              dmunneor1@redhat.com Daniel Munne Ortega
              Ke Wang Ke Wang