• Etcd encryption key rotation (new etcd-encryption-secret). 

• After that, kube-apiserver and openshift-apiserver operators changed to "Progressing=True" with reason `EncryptionMigrationController_Migrating` and got stuck in that state What caused the problem: 

• There was a route which referenced a Certificate, but the secret which held the certificate had been deleted.

• Migrator pod logs (openshift-kube-storage-version-migrator) repeated: 

  Route.route.openshift.io
  "nginx-test" is invalid: spec.tls.externalCertificate: Not found: "secrets \"nginx-test-cert-tls\" not found" 

Request:

• One faulty Route should not stall the entire encryption process.

• Either the Secret deletion should be blocked, or the migration controller should skip invalid objects instead of retrying forever.

Work Around followed to back to kube-apiserver-operator healthy. 

Deleting the faulty Route lets the migration finish and after that operator was healthy.