OCPBUGS-76627 (OpenShift Bugs): KAS Fails to Reload Certificates on ARO-HCP (INT)

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Affects Version: 4.20.z
    • Component: HyperShift / ARO
    • Severity: Important

      Description of problem:

      In the Integration (INT) environment, the Kube API Server (KAS) is failing to reload certificates specifically during the creation of breakglass credentials. While the certificate rotation controller successfully generates the new breakglass secrets, the KAS does not pick them up, rendering the emergency credentials unusable. 

      Version-Release number of selected component (if applicable):

          4.20.8

      How reproducible:

          Trigger Event: The failure occurs during the generation of breakglass credentials.

          Controller Action: The rotation controller correctly reconciles and produces the new certificate secrets.

          KAS Behavior: The KAS remains stale; it does not acknowledge the new certificates or reload the secret mount, causing the INT tests to fail.

          Environmental Context: This is isolated to the INT environment. Both STG and PROD are handling the breakglass workflow correctly.

      Steps to Reproduce:

          1.
          2.
          3.
          

      Actual results:

      On ARO-HCP, we observe that the KAS does not reload certificates, even though the certificate rotation controller produces new ones.

      Expected results:

      On ARO-HCP in INT, the KAS needs to reload certificates and use the newly produced certificate.

      Additional info:

      We have attached a must-gather for the HyperShift team to analyze the communication between the management cluster and the hosted control plane:
      
      PKI Operator: Logs confirming the creation of the breakglass secret.
      
      KAS: Logs and pod volume mount status to determine if the secret update was propagated.    

              People:
              • Assignee: Unassigned
              • Reporter: Sajeel Irkal (rhn-engineering-sirkal)
              • He Liu