OpenShift Bugs: OCPBUGS-74389

olm-operator fails to receive APIServer TLS configuration updates after initial sync on cluster startup

    • Bug
    • Resolution: Unresolved
    • Major
    • 4.22.0
    • OLM
    • Important
    • Rejected
    • Weedle Sprint 283

      Description of problem:

      The olm-operator fails to receive subsequent APIServer TLS configuration updates after the initial sync during cluster startup. The catalog-operator works correctly and receives all updates.

      jiazha-mac:~ jiazha$ oc patch apiserver cluster --type merge -p '{"spec":{"tlsSecurityProfile":{"type":"Modern","modern":{}}}}' 
      apiserver.config.openshift.io/cluster patched
      
      jiazha-mac:~ jiazha$  oc logs -n openshift-operator-lifecycle-manager deploy/catalog-operator | grep -i "APIServer TLS"
      time="2026-01-26T04:04:16Z" level=info msg="OpenShift APIServer API available - setting up watch for APIServer TLS configuration"
      time="2026-01-26T04:04:16Z" level=info msg="APIServer TLS configuration will be applied to HTTPS servers"
      time="2026-01-26T04:04:17Z" level=info msg="APIServer TLS configuration changed: profile=Intermediate (default), minVersion=TLS 1.2, cipherCount=9"
      time="2026-01-26T05:12:31Z" level=info msg="APIServer TLS configuration changed: profile=Modern, minVersion=TLS 1.3, cipherCount=3"
      
      jiazha-mac:~ jiazha$ oc logs -n openshift-operator-lifecycle-manager deploy/olm-operator | grep -i "APIServer TLS"
      time="2026-01-26T04:04:21Z" level=info msg="OpenShift APIServer API available - setting up watch for APIServer TLS configuration"
      time="2026-01-26T04:04:21Z" level=info msg="APIServer TLS configuration will be applied to HTTPS servers"
      time="2026-01-26T04:04:21Z" level=info msg="APIServer TLS configuration changed: profile=Intermediate (default), minVersion=TLS 1.2, cipherCount=9"    

      Version-Release number of selected component (if applicable):

          launch 4.22,openshift/operator-framework-olm#1202,operator-framework/operator-marketplace#715 aws

      How reproducible:

          always

      Steps to Reproduce:

          1. Build an OCP cluster with the unmerged PR via the cluster-bot.
      launch 4.22,openshift/operator-framework-olm#1202,operator-framework/operator-marketplace#715 aws
      
      jiazha-mac:~ jiazha$ oc get clusterversion
      NAME      VERSION                                                AVAILABLE   PROGRESSING   SINCE   STATUS
      version   4.22.0-0-2026-01-26-034519-test-ci-ln-xjwh5pk-latest   True        False         53m     Cluster version is 4.22.0-0-2026-01-26-034519-test-ci-ln-xjwh5pk-latest
      
          2. Update the TLS configuration
      jiazha-mac:~ jiazha$ oc patch apiserver cluster --type merge -p '{"spec":{"tlsSecurityProfile":{"type":"Modern","modern":{}}}}' 
      apiserver.config.openshift.io/cluster patched
      
          3. Check olm-operator logs
      jiazha-mac:~ jiazha$ oc logs -n openshift-operator-lifecycle-manager deploy/olm-operator | grep -i "APIServer TLS"
      time="2026-01-26T04:04:21Z" level=info msg="OpenShift APIServer API available - setting up watch for APIServer TLS configuration"
      time="2026-01-26T04:04:21Z" level=info msg="APIServer TLS configuration will be applied to HTTPS servers"
      time="2026-01-26T04:04:21Z" level=info msg="APIServer TLS configuration changed: profile=Intermediate (default), minVersion=TLS 1.2, cipherCount=9"
           

      Actual results:

      The olm-operator fails to receive subsequent APIServer TLS configuration updates.

          

      Expected results:

      The olm-operator can receive subsequent APIServer TLS configuration updates.

          

      Additional info:

      Workaround:

      The olm-operator can receive subsequent APIServer TLS configuration updates after the pod is restarted.

      jiazha-mac:~ jiazha$ oc delete pods olm-operator-7ddd568cf8-srjdk -n openshift-operator-lifecycle-manager
      pod "olm-operator-7ddd568cf8-srjdk" deleted
      
      jiazha-mac:~ jiazha$ oc get pods -n openshift-operator-lifecycle-manager
      NAME                                     READY   STATUS      RESTARTS   AGE
      catalog-operator-688b548f-ck52r          1/1     Running     0          80m
      collect-profiles-29490045-bs5qk          0/1     Completed   0          35m
      collect-profiles-29490060-ppwkt          0/1     Completed   0          20m
      collect-profiles-29490075-brn7v          0/1     Completed   0          5m42s
      olm-operator-7ddd568cf8-rfx6d            1/1     Running     0          4s
      package-server-manager-b7d4644dc-b9x9c   1/1     Running     0          80m
      packageserver-5b4f6c48c4-kgrl5           1/1     Running     0          6m44s
      packageserver-5b4f6c48c4-mn86v           1/1     Running     0          76m
      
      jiazha-mac:~ jiazha$ oc logs -n openshift-operator-lifecycle-manager deploy/olm-operator | grep -i "APIServer TLS"
      time="2026-01-26T05:20:39Z" level=info msg="OpenShift APIServer API available - setting up watch for APIServer TLS configuration"
      time="2026-01-26T05:20:39Z" level=info msg="APIServer TLS configuration will be applied to HTTPS servers"
      time="2026-01-26T05:20:40Z" level=info msg="APIServer TLS configuration changed: profile=Modern, minVersion=TLS 1.3, cipherCount=3"
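
      Added example, not part of the original report or of the OLM code base: a shell check that reads an operator's log, extracts the most recent "APIServer TLS configuration changed" entry, and flags the operator as stale when that profile differs from the one set on the APIServer. The function names are hypothetical; the sample log lines are copied from the report above.

```shell
#!/bin/sh
# Added example: flag an operator whose last-applied TLS profile lags the
# APIServer spec. Function names are hypothetical, not OLM's or oc's.

# Sample logs copied from the report above (catalog-operator, olm-operator).
CATALOG_LOG='time="2026-01-26T04:04:17Z" level=info msg="APIServer TLS configuration changed: profile=Intermediate (default), minVersion=TLS 1.2, cipherCount=9"
time="2026-01-26T05:12:31Z" level=info msg="APIServer TLS configuration changed: profile=Modern, minVersion=TLS 1.3, cipherCount=3"'
OLM_LOG='time="2026-01-26T04:04:21Z" level=info msg="APIServer TLS configuration will be applied to HTTPS servers"
time="2026-01-26T04:04:21Z" level=info msg="APIServer TLS configuration changed: profile=Intermediate (default), minVersion=TLS 1.2, cipherCount=9"'

# Read operator logs on stdin; print "profile|minVersion|timestamp" for the
# most recent "configuration changed" line, or nothing if there is none.
last_tls_change() {
  sed -n 's/^time="\([^"]*\)".*APIServer TLS configuration changed: profile=\([A-Za-z]*\)[^,]*, minVersion=\([^,]*\),.*/\2|\3|\1/p' | tail -n 1
}

# check_tls_sync EXPECTED_PROFILE NAME  (logs on stdin)
# Returns 0 when the operator's last applied profile matches, 1 when stale.
check_tls_sync() {
  expected=$1
  name=$2
  applied=$(last_tls_change)
  profile=${applied%%|*}
  if [ -n "$profile" ] && [ "$profile" = "$expected" ]; then
    echo "$name: in sync ($applied)"
    return 0
  fi
  echo "$name: STALE, expected=$expected last_applied=${applied:-none}"
  return 1
}

# On a live cluster the inputs would come from:
#   oc get apiserver cluster -o jsonpath='{.spec.tlsSecurityProfile.type}'
#   oc logs -n openshift-operator-lifecycle-manager deploy/olm-operator
# (an empty type means the default, Intermediate).
printf '%s\n' "$CATALOG_LOG" | check_tls_sync Modern catalog-operator || true
printf '%s\n' "$OLM_LOG" | check_tls_sync Modern olm-operator || true
```

      Run against the logs in this report, the check passes for catalog-operator and reports olm-operator as stale, still on Intermediate with a minimum of TLS 1.2 after the APIServer was switched to Modern.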
      
      

              anik120 Anik Bhattacharjee
              rhn-support-jiazha Jian Zhang