Feature Request
Resolution: Unresolved
Customers are experiencing significant ingress console access issues after upgrading their OpenShift clusters to version 4.16. This disruption arises because the upgraded HAProxy no longer supports the weak cryptographic algorithms present in the certificates associated with the OpenShift Route or Ingress objects. This has created compatibility issues, leading to failed connections and diminished user experience for critical applications.
Proposed Solution: I strongly recommend a new feature in the OpenShift Container Platform (OCP) upgrade process that incorporates a preflight check for weak certificates before proceeding with the cluster upgrade. Specifically, we request that the OCP Ingress Operator performs a thorough verification of all certificates (both custom and default) that are part of the OCP Route or Ingress objects.
[ALERT] (25) : config : parsing [/var/lib/haproxy/conf/haproxy.config:131] : 'bind unix@/var/lib/haproxy/run/haproxy-sni.sock' in section 'frontend' : 'crt-list' : error processing line 4 in file '/var/lib/haproxy/conf/cert_config.map' : unable to load chain certificate into SSL Context '/var/lib/haproxy/router/certs/xxx.pem': ca md too weak.
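One way such a preflight check could inspect a certificate chain, as an added example that is not code from the Ingress Operator or from this request: it reads the signature algorithm OID of every certificate in a PEM bundle and reports those signed with a weak digest, the condition behind `ca md too weak`. Assumptions: MD5 and SHA-1 signatures are the ones treated as weak, and `sample_pem` builds constructed DER skeletons (not real certificates) so the block runs offline.

```python
import base64
import re

# Assumption: signature algorithms treated as "md too weak" (MD5 / SHA-1 digests).
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _oid(raw):
    """Decode DER OBJECT IDENTIFIER content bytes into dotted notation."""
    subs, val = [], 0
    for b in raw:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the end of a sub-identifier
            subs.append(val)
            val = 0
    first = min(subs[0] // 40, 2)
    return ".".join(map(str, [first, subs[0] - 40 * first] + subs[1:]))

def signature_oid(der):
    """Return the outer signatureAlgorithm OID of a DER-encoded certificate."""
    _, start, _ = _tlv(der, 0)            # Certificate ::= SEQUENCE
    _, _, tbs_end = _tlv(der, start)      # skip over tbsCertificate
    _, alg_start, _ = _tlv(der, tbs_end)  # signatureAlgorithm ::= SEQUENCE
    tag, oid_start, oid_end = _tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return _oid(der[oid_start:oid_end])

def weak_certs(pem_bundle):
    """Return [(position_in_bundle, algorithm_name)] for weakly signed certs."""
    oids = [signature_oid(base64.b64decode(m.group(1))) for m in PEM_RE.finditer(pem_bundle)]
    return [(i, WEAK_SIG_OIDS[o]) for i, o in enumerate(oids) if o in WEAK_SIG_OIDS]

def sample_pem(last_arc):
    """Constructed sample: empty tbsCertificate + 1.2.840.113549.1.1.<last_arc>."""
    body = bytes.fromhex("3000300d06092a864886f70d0101") + bytes([last_arc]) + bytes.fromhex("0500030100")
    der = bytes([0x30, len(body)]) + body
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

if __name__ == "__main__":
    print(weak_certs(sample_pem(0x0B) + sample_pem(0x05)))  # leaf SHA-256, CA SHA-1
```

The check covers only the signature digest; key sizes and other OpenSSL security-level rules are outside what this example inspects.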