Bug
Resolution: Done
Major
4.18.z
Description of problem:
The HyperShift operator fails to synchronize updates made to a CA ConfigMap in the clusters namespace to the corresponding ConfigMap in the Hosted Control Plane (HCP) namespace. This results in a permanent configuration mismatch if the ConfigMap is corrected after the initial HostedCluster configuration.

In a Hosted Control Plane architecture, resources such as CA bundles are mirrored from the user-facing management namespace (e.g., clusters) to the internal HCP namespace (e.g., clusters-mycluster). The observed behavior suggests that the reconciliation logic for Identity Provider (IDP) CA bundles is only triggered when the reference is first created or when the HostedCluster CR itself changes.

If the source ConfigMap is updated afterwards (e.g., renaming a key from wrong-key to ca.crt), the operator does not detect the change in the source object and therefore does not update the mirrored object in the HCP namespace.
Version-Release number of selected component (if applicable):
4.18.z
How reproducible:
100%
Steps to Reproduce:
1. Create a ConfigMap in the clusters namespace with an incorrect key:
oc create configmap ca-config-map --from-file=wrong-key=ca.crt -n clusters
2. Configure a HostedCluster to use this ConfigMap for an OpenID/LDAP IDP.
3. Verify the ConfigMap is created in the HCP namespace (e.g., clusters-hosted) with the wrong-key.
4. Update the original ConfigMap in the clusters namespace to use the correct key:
oc patch configmap ca-config-map -n clusters --type=json -p='[{"op": "remove", "path": "/data/wrong-key"}, {"op": "add", "path": "/data/ca.crt", "value": "..."}]'
5. Wait for reconciliation and inspect the ConfigMap in the HCP namespace.
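To make step 5 repeatable, the following drift check is an added example (not HyperShift code): it compares the .data of the source ConfigMap with its mirror in the HCP namespace and reproduces the operator's "no ca data at key ca.crt" check. The sample objects are constructed to match this report; load_configmap is an assumed helper that shells out to oc, and is not used by the embedded sample.

```python
import json
import subprocess
from typing import Dict, List

IDP_CA_KEY = "ca.crt"  # key the control-plane-operator expects for an IDP CA bundle


def load_configmap(namespace: str, name: str) -> dict:
    """Fetch a live ConfigMap as JSON via `oc` (assumed helper; needs cluster access)."""
    out = subprocess.check_output(
        ["oc", "get", "configmap", name, "-n", namespace, "-o", "json"])
    return json.loads(out)


def configmap_drift(source: dict, mirrored: dict) -> Dict[str, List[str]]:
    """Compare source .data with the mirrored copy.

    Returns keys missing from the mirror, stale keys only present in the mirror,
    and keys whose value differs. All lists empty means the mirror is in sync.
    """
    src = source.get("data") or {}
    dst = mirrored.get("data") or {}
    return {
        "missing": sorted(k for k in src if k not in dst),
        "stale": sorted(k for k in dst if k not in src),
        "changed": sorted(k for k in src if k in dst and src[k] != dst[k]),
    }


def idp_ca_problem(mirrored: dict, key: str = IDP_CA_KEY) -> str:
    """Mimic the operator's check: the mirrored ConfigMap must carry CA data under `key`."""
    ns = mirrored["metadata"]["namespace"]
    name = mirrored["metadata"]["name"]
    if not (mirrored.get("data") or {}).get(key):
        return f"config map {ns}/{name} has no ca data at key {key}"
    return ""


# Constructed sample objects: source already corrected to ca.crt, mirror still stale.
SOURCE_CM = {"metadata": {"namespace": "clusters", "name": "ca-config-map"},
             "data": {"ca.crt": "-----BEGIN CERTIFICATE-----\n...\n"}}
MIRRORED_CM = {"metadata": {"namespace": "clusters-hosted", "name": "ca-config-map"},
               "data": {"wrong-key": "-----BEGIN CERTIFICATE-----\n...\n"}}

if __name__ == "__main__":
    # Replace the constructed objects with load_configmap(...) calls against a real cluster.
    print(json.dumps(configmap_drift(SOURCE_CM, MIRRORED_CM)))
    print(idp_ca_problem(MIRRORED_CM) or "ok")
```

A non-empty "missing" or "stale" list after the source has been patched is the symptom this report describes; once the operator reconciles correctly, both lists should be empty.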
Actual results:
The HCP namespace ConfigMap remains stale with wrong-key, causing the OAuth/Internal IDP pods to fail as they cannot find the ca.crt key.
control-plane-operator pod logs:
{"level":"error","ts":"2025-12-17T19:28:16Z","msg":"failed to initialize identity providers","controller":"hostedcontrolplane","controllerGroup":"hypershift.openshift.io","controllerKind":"HostedControlPlane","HostedControlPlane":{"name":"hosted","namespace":"clusters-hosted"},"namespace":"clusters-hosted","name":"hosted","reconcileID":"fe8ed9e9-57c8-493c-9adf-1ff53ad7c450","error":"failed to apply IDP sso config: config map dpateriy-hosted/ca-config-map has no ca data at key ca.crt","errorCauses":[{"error":"failed to apply IDP sso config: config map dpateriy-hosted/ca-config-map has no ca data at key ca.crt"}]
Expected results:
The HCP operator should reconcile the change, updating the ConfigMap in the HCP namespace to match the clusters namespace.
Additional info:
oc get cm ca-config-map -n clusters -o yaml
apiVersion: v1
data:
  ca.crt: |   ----> correct key
    -----BEGIN CERTIFICATE-----
    MIIDPDCCAiSgAwIBAgIIVAFaJTtzdGgwDQYJKoZIhvcNAQELBQ
    ...
...

oc get hc hosted -n clusters -o yaml
...
  configuration:
    oauth:
      identityProviders:
      - mappingMethod: claim
        name: sso
        openID:
          ca:
            name: ca-config-map
...

oc get cm ca-config-map -n clusters-hosted -o yaml
apiVersion: v1
data:
  wrong-key: |   -----> still has the old key
    -----BEGIN CERTIFICATE-----
    MIIDPDCCAiSgAwIBAgIIVAFaJTtzdGgwDQYJKoZIhvcNAQELBQAwJjESMBAGA1UE
    CxMJb3BlbnNoaWZ0MRAwDgYDVQQDEwdyb290LWNhMB4XDTI1MDYxNzE1MjIwM1oX
    ...
...