- Bug
- Resolution: Won't Do
- Minor
- None
- 4.13.0
- Moderate
- No
- 1
- Sprint 238
- 1
- Rejected
- False
Description of problem:
After configuring 4 allowedSubjectPatterns under the ingress-controller, the router pods can't start correctly. Checking the logs shows "got retryable error" entries from operator.ingress_controller.
Version-Release number of selected component (if applicable):
4.13.0-0.nightly-2023-02-27-101545
How reproducible:
100%
Steps to Reproduce:
1. Create configmap/test-client-ca in the namespaces openshift-config and openshift-ingress:
   % oc -n openshift-config create configmap test-client-ca --from-file=./ca-bundle.pem
   % oc -n openshift-ingress create configmap test-client-ca --from-file=./ca-bundle.pem
2. Works well with 2 allowedSubjectPatterns under the ingress-controller:
   spec:
     clientTLS:
       allowedSubjectPatterns:
       - ^/CN=myreen1-default.cus1.shudig36.qe.gcp.devcluster.openshift.com$
       - ^/CN=myedge1-default.cus1.shudig36.qe.gcp.devcluster.openshift.com$
       clientCA:
         name: test-client-ca
       clientCertificatePolicy: Required
     domain: cus1.shudig36.qe.gcp.devcluster.openshift.com
     endpointPublishingStrategy:
       loadBalancer:
         dnsManagementPolicy: Managed
         scope: External
       type: LoadBalancerService
     httpCompression: {}
     httpEmptyRequestsPolicy: Respond
     httpErrorCodePages:
       name: ""
     routeSelector:
       matchExpressions:
       - key: test
         operator: In
         values:
         - aaa
3. Edit the IC and add two more allowedSubjectPatterns:
   spec:
     clientTLS:
       allowedSubjectPatterns:
       - ^/CN=myreen1-default.cus1.shudig36.qe.gcp.devcluster.openshift.com$
       - ^/CN=myedge1-default.cus1.shudig36.qe.gcp.devcluster.openshift.com$
       - ^/CN=example.com/ST=NC/C=US/O=Security/OU=OpenShift$
       - ^/CN=www.exampleca.com/ST=SC/C=US/O=Default Company Ltd/OU=Test CA$
       clientCA:
         name: test-client-ca
       clientCertificatePolicy: Required
4. The router-cus1 pods can't be created successfully:
   % oc -n openshift-ingress get pods
   NAME                             READY   STATUS    RESTARTS      AGE
   router-cus1-55fdcdfd-p2fnj       1/1     Running   0             12m
   router-cus1-7876bcdb96-4tcjs     0/1     Running   3 (15s ago)   8m36s
   router-cus1-7876bcdb96-8vnfg     0/1     Running   3 (15s ago)   8m35s
   router-default-6779b9c5b-fgcz4   1/1     Running   0             4h24m
   router-default-6779b9c5b-tv855   1/1     Running   0             4h24m
   %
5. Check the logs:
   % oc -n openshift-ingress-operator logs ingress-operator-c8fb4579d-4n9vm -c ingress-operator --tail=10
   2023-03-02T05:58:36.367Z INFO operator.status_controller controller/controller.go:122 Reconciling {"request": "openshift-ingress-operator/cus1"}
   2023-03-02T05:58:36.374Z ERROR operator.ingress_controller controller/controller.go:122 got retryable error; requeueing {"after": "59m59.99997559s", "error": "IngressController may become degraded soon: DeploymentReplicasAllAvailable=False"}
   2023-03-02T05:58:36.374Z INFO operator.ingress_controller controller/controller.go:122 reconciling {"request": "openshift-ingress-operator/cus1"}
   2023-03-02T05:58:36.398Z INFO operator.status_controller controller/controller.go:122 Reconciling {"request": "openshift-ingress-operator/default"}
   2023-03-02T05:58:36.463Z INFO operator.ingress_controller ingress/internal_service.go:44 updated internal service {"namespace": "openshift-ingress", "name": "router-internal-cus1", "diff": " &v1.Service{\n \tTypeMeta: {},\n \tObjectMeta: {Name: \"router-internal-cus1\", Namespace: \"openshift-ingress\", UID: \"804b21a4-3206-4d3e-9fd0-b82c300aec5d\", ResourceVersion: \"40385\", ...},\n \tSpec: v1.ServiceSpec{\n \t\tPorts: {{Name: \"http\", Protocol: \"TCP\", Port: 80, TargetPort: {Type: 1, StrVal: \"http\"}, ...}, {Name: \"https\", Protocol: \"TCP\", Port: 443, TargetPort: {Type: 1, StrVal: \"https\"}, ...}, {Name: \"metrics\", Protocol: \"TCP\", Port: 1936, TargetPort: {Type: 1, StrVal: \"metrics\"}, ...}},\n \t\tSelector: {\"ingresscontroller.operator.openshift.io/deployment-ingresscontroller\": \"cus1\"},\n \t\tClusterIP: \"172.30.108.19\",\n- \t\tClusterIPs: []string{\"172.30.108.19\"},\n+ \t\tClusterIPs: nil,\n \t\tType: \"ClusterIP\",\n \t\tExternalIPs: nil,\n- \t\tSessionAffinity: \"None\",\n+ \t\tSessionAffinity: \"\",\n \t\tLoadBalancerIP: \"\",\n \t\tLoadBalancerSourceRanges: nil,\n \t\t... // 3 identical fields\n \t\tPublishNotReadyAddresses: false,\n \t\tSessionAffinityConfig: nil,\n- \t\tIPFamilies: []v1.IPFamily{\"IPv4\"},\n+ \t\tIPFamilies: nil,\n- \t\tIPFamilyPolicy: &\"SingleStack\",\n+ \t\tIPFamilyPolicy: nil,\n \t\tAllocateLoadBalancerNodePorts: nil,\n \t\tLoadBalancerClass: nil,\n- \t\tInternalTrafficPolicy: &\"Cluster\",\n+ \t\tInternalTrafficPolicy: nil,\n \t},\n \tStatus: {},\n }\n"}
   2023-03-02T05:58:36.498Z ERROR operator.ingress_controller controller/controller.go:122 got retryable error; requeueing {"after": "59m59.504218876s", "error": "IngressController may become degraded soon: DeploymentReplicasAllAvailable=False"}
   2023-03-02T05:59:23.103Z INFO operator.ingress_controller handler/enqueue_mapped.go:80 queueing ingress {"name": "cus1", "related": ""}
   2023-03-02T05:59:23.103Z INFO operator.ingress_controller controller/controller.go:122 reconciling {"request": "openshift-ingress-operator/cus1"}
   2023-03-02T05:59:23.219Z INFO operator.ingress_controller ingress/internal_service.go:44 updated internal service {"namespace": "openshift-ingress", "name": "router-internal-cus1", "diff": " &v1.Service{\n \tTypeMeta: {},\n \tObjectMeta: {Name: \"router-internal-cus1\", Namespace: \"openshift-ingress\", UID: \"804b21a4-3206-4d3e-9fd0-b82c300aec5d\", ResourceVersion: \"40385\", ...},\n \tSpec: v1.ServiceSpec{\n \t\tPorts: {{Name: \"http\", Protocol: \"TCP\", Port: 80, TargetPort: {Type: 1, StrVal: \"http\"}, ...}, {Name: \"https\", Protocol: \"TCP\", Port: 443, TargetPort: {Type: 1, StrVal: \"https\"}, ...}, {Name: \"metrics\", Protocol: \"TCP\", Port: 1936, TargetPort: {Type: 1, StrVal: \"metrics\"}, ...}},\n \t\tSelector: {\"ingresscontroller.operator.openshift.io/deployment-ingresscontroller\": \"cus1\"},\n \t\tClusterIP: \"172.30.108.19\",\n- \t\tClusterIPs: []string{\"172.30.108.19\"},\n+ \t\tClusterIPs: nil,\n \t\tType: \"ClusterIP\",\n \t\tExternalIPs: nil,\n- \t\tSessionAffinity: \"None\",\n+ \t\tSessionAffinity: \"\",\n \t\tLoadBalancerIP: \"\",\n \t\tLoadBalancerSourceRanges: nil,\n \t\t... // 3 identical fields\n \t\tPublishNotReadyAddresses: false,\n \t\tSessionAffinityConfig: nil,\n- \t\tIPFamilies: []v1.IPFamily{\"IPv4\"},\n+ \t\tIPFamilies: nil,\n- \t\tIPFamilyPolicy: &\"SingleStack\",\n+ \t\tIPFamilyPolicy: nil,\n \t\tAllocateLoadBalancerNodePorts: nil,\n \t\tLoadBalancerClass: nil,\n- \t\tInternalTrafficPolicy: &\"Cluster\",\n+ \t\tInternalTrafficPolicy: nil,\n \t},\n \tStatus: {},\n }\n"}
   2023-03-02T05:59:23.279Z ERROR operator.ingress_controller controller/controller.go:122 got retryable error; requeueing {"after": "59m12.722589181s", "error": "IngressController may become degraded soon: DeploymentReplicasAllAvailable=False"}
   %
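A pre-flight check for an allowedSubjectPatterns list before it is applied to the IngressController, added here as an example; it is not code from the report or from the ingress operator. It assumes the operator joins the entries into one alternation regex for the router, and that Python's re is close enough to the router's regex engine for a sanity check; the patterns and subjects are the ones from the steps above, used as constructed test data.

```python
import re

# Constructed sample data for this added example (not from a live cluster):
# the four allowedSubjectPatterns from the report above.  Subjects are in the
# OpenSSL one-line "/CN=.../O=..." form that the patterns are written against.
PATTERNS = [
    r"^/CN=myreen1-default.cus1.shudig36.qe.gcp.devcluster.openshift.com$",
    r"^/CN=myedge1-default.cus1.shudig36.qe.gcp.devcluster.openshift.com$",
    r"^/CN=example.com/ST=NC/C=US/O=Security/OU=OpenShift$",
    r"^/CN=www.exampleca.com/ST=SC/C=US/O=Default Company Ltd/OU=Test CA$",
]


def combined_filter(patterns):
    """Join the list into one alternation.  Assumption: the operator hands the
    router a single regex built this way rather than one filter per entry."""
    return "|".join(patterns)


def lint_patterns(patterns):
    """Return (pattern, issue) pairs for entries that are invalid, unanchored,
    carry literal whitespace, or use '.' where a literal dot was meant."""
    issues = []
    for p in patterns:
        try:
            re.compile(p)
        except re.error as exc:
            issues.append((p, f"invalid regex: {exc}"))
            continue
        if not (p.startswith("^") and p.endswith("$")):
            issues.append((p, "unanchored: matches any subject containing the text"))
        if re.search(r"\s", p):
            issues.append((p, "literal whitespace: escape it (\\s or '\\ ') so a rendered config line cannot be split"))
        if re.search(r"(?<!\\)\.", p):
            issues.append((p, "unescaped '.': matches any character and widens the allowed CN"))
    return issues


def subject_allowed(patterns, subject):
    """True when a client-certificate subject matches the combined filter."""
    return re.search(combined_filter(patterns), subject) is not None


if __name__ == "__main__":
    for pattern, issue in lint_patterns(PATTERNS):
        print(f"{pattern}\n    -> {issue}")
    print(subject_allowed(PATTERNS, "/CN=myreen1-default.cus1.shudig36.qe.gcp.devcluster.openshift.com"))
```

Running it against the report's four patterns flags the unescaped dots in every entry and the spaces in the fourth, and shows that a subject with every dot replaced by another character still passes the first pattern.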
Actual results:
The new router pods can't be created successfully, and "got retryable error" entries from operator.ingress_controller appear in the logs.
Expected results:
The new router pods are created successfully and no such error entries appear in the logs.
Additional info: