OCPBUGS-63502: Redeploy console pods upon cert rotation by jhadvig · Pull Request #1093 · openshift/console-operator

jhadvig · 2026-01-14T14:59:27Z

Adding tracking of console-serving-cert secret, even though it's mounted as a volume at /var/serving-cert

Tracking or better say registering its informer would redeploy the console pod once the rotation occurs. Which I think should fix the issue for the OCP version which dont have conversion webhook server, so 4.17 and higher. For older versions 4.14 - 4.16 we would need to do also redeployment of the conversion webhook server.

/assgin @TheRealJon

openshift-ci-robot · 2026-01-14T14:59:33Z

@jhadvig: This pull request references Jira Issue OCPBUGS-63502, which is invalid:

expected the bug to target either version "4.22." or "openshift-4.22.", but it targets "4.21.0" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Adding tracking of console-serving-cert secret, even though it's mounted as a volume at /var/serving-cert

Tracking or better say registering its informer would redeploy the console pod once the rotation occurs. Which I think should fix the issue for the OCP version which dont have conversion webhook server, so 4.17 and higher. For older versions 4.14 - 4.16 we would need to do also redeployment of the conversion webhook server.

/assgin @TheRealJon

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

jhadvig · 2026-01-14T15:01:02Z

/jira refresh

openshift-ci-robot · 2026-01-14T15:01:11Z

@jhadvig: This pull request references Jira Issue OCPBUGS-63502, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target version (4.22.0) matches configured target version for branch (4.22.0)
bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @yapei

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

TheRealJon

/lgtm

jhadvig · 2026-01-22T08:37:23Z

/retest

TheRealJon

/lgtm

openshift-ci · 2026-03-04T17:45:29Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jhadvig, TheRealJon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [TheRealJon,jhadvig]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

jhadvig · 2026-03-24T11:04:59Z

@yapei could you please take a look 🙏

yapei · 2026-03-26T06:53:50Z

@yapei could you please take a look 🙏

Checking

yapei · 2026-03-27T02:22:33Z

== Scenario 1: Verify Secret Informer Registration
$ oc logs -n openshift-console-operator deployment/console-operator | grep -i "secret.*informer\|watching.*secret"
I0327 01:27:05.128215       1 reflector.go:436] "Caches populated" type="*v1.Secret" reflector="k8s.io/client-go/informers/factory.go:160"
$ oc get secret console-serving-cert -n openshift-console -o jsonpath='{.metadata.resourceVersion}'
36546   <----
$ oc get deployment console -n openshift-console -o jsonpath='{.spec.template.metadata.annotations.console\.openshift\.io/serving-cert-secret-version}'
36546  <--- matching version with secret resource version

== Scenario 2: Automatic Pod Restart on Certificate Rotation (Manual Trigger)
$ oc delete secret console-serving-cert -n openshift-console
$ wait for it to be recreated automatically
$ oc get secret -n openshift-console
NAME                        TYPE                      DATA   AGE
builder-dockercfg-4ktmw     kubernetes.io/dockercfg   1      40m
console-dockercfg-5p5xr     kubernetes.io/dockercfg   1      40m
console-oauth-config        Opaque                    1      50m
console-serving-cert        kubernetes.io/tls         2      5m46s   <----- regenerated
default-dockercfg-dm7bj     kubernetes.io/dockercfg   1      40m
deployer-dockercfg-h22v9    kubernetes.io/dockercfg   1      40m
downloads-dockercfg-kv2j5   kubernetes.io/dockercfg   1      40m
$ oc get secret console-serving-cert -n openshift-console -o jsonpath='{.metadata.resourceVersion}'
38672  <--- resource version updated
$ oc get deployment console -n openshift-console -o jsonpath='{.spec.template.metadata.annotations.console\.openshift\.io/serving-cert-secret-version}'
38672  <--- deployment annotation updated accordingly
$ oc get pods -n openshift-console
NAME                         READY   STATUS    RESTARTS   AGE
console-75d8bfcdf6-6w2wf     1/1     Running   0          55s  <-- console pods redeployed
console-75d8bfcdf6-9zn7z     1/1     Running   0          55s  <-- console pods redeployed
downloads-6d94488dc7-rnqts   1/1     Running   0          52m
downloads-6d94488dc7-tb4bz   1/1     Running   0          52m

we can see console pods are redeployed when console-serving-cert secret rotated
/verified by @yapei

openshift-ci-robot · 2026-03-27T02:22:44Z

@yapei: This PR has been marked as verified by @yapei.

Details

In response to this:

== Scenario 1: Verify Secret Informer Registration
$ oc logs -n openshift-console-operator deployment/console-operator | grep -i "secret.*informer\|watching.*secret"
I0327 01:27:05.128215       1 reflector.go:436] "Caches populated" type="*v1.Secret" reflector="k8s.io/client-go/informers/factory.go:160"
$ oc get secret console-serving-cert -n openshift-console -o jsonpath='{.metadata.resourceVersion}'
36546   <----
$ oc get deployment console -n openshift-console -o jsonpath='{.spec.template.metadata.annotations.console\.openshift\.io/serving-cert-secret-version}'
36546  <--- matching version with secret resource version

== Scenario 2: Automatic Pod Restart on Certificate Rotation (Manual Trigger)
$ oc delete secret console-serving-cert -n openshift-console
$ wait for it to be recreated automatically
$ oc get secret -n openshift-console
NAME                        TYPE                      DATA   AGE
builder-dockercfg-4ktmw     kubernetes.io/dockercfg   1      40m
console-dockercfg-5p5xr     kubernetes.io/dockercfg   1      40m
console-oauth-config        Opaque                    1      50m
console-serving-cert        kubernetes.io/tls         2      5m46s   <----- regenerated
default-dockercfg-dm7bj     kubernetes.io/dockercfg   1      40m
deployer-dockercfg-h22v9    kubernetes.io/dockercfg   1      40m
downloads-dockercfg-kv2j5   kubernetes.io/dockercfg   1      40m
$ oc get secret console-serving-cert -n openshift-console -o jsonpath='{.metadata.resourceVersion}'
38672  <--- resource version updated
$ oc get deployment console -n openshift-console -o jsonpath='{.spec.template.metadata.annotations.console\.openshift\.io/serving-cert-secret-version}'
38672  <--- deployment annotation updated accordingly
$ oc get pods -n openshift-console
NAME                         READY   STATUS    RESTARTS   AGE
console-75d8bfcdf6-6w2wf     1/1     Running   0          55s  <-- console pods redeployed
console-75d8bfcdf6-9zn7z     1/1     Running   0          55s  <-- console pods redeployed
downloads-6d94488dc7-rnqts   1/1     Running   0          52m
downloads-6d94488dc7-tb4bz   1/1     Running   0          52m

we can see console pods are redeployed when console-serving-cert secret rotated
/verified by @yapei

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot · 2026-03-27T03:04:14Z

/retest-required

Remaining retests: 0 against base HEAD ec0e75c and 2 for PR HEAD 23bcaef in total

openshift-ci · 2026-03-27T10:38:17Z

@jhadvig: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

openshift-ci-robot · 2026-03-27T10:41:32Z

@jhadvig: Jira Issue Verification Checks: Jira Issue OCPBUGS-63502
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-63502 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

Adding tracking of console-serving-cert secret, even though it's mounted as a volume at /var/serving-cert

Tracking or better say registering its informer would redeploy the console pod once the rotation occurs. Which I think should fix the issue for the OCP version which dont have conversion webhook server, so 4.17 and higher. For older versions 4.14 - 4.16 we would need to do also redeployment of the conversion webhook server.

/assgin @TheRealJon

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jan 14, 2026

openshift-ci bot requested review from TheRealJon, spadgett and yapei January 14, 2026 15:01

openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 14, 2026

TheRealJon approved these changes Jan 14, 2026

View reviewed changes

openshift-ci bot assigned TheRealJon Jan 14, 2026

openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jan 14, 2026

OCPBUGS-63502: Redeploy console pods upon cert rotation

23bcaef

jhadvig force-pushed the OCPBUGS-63502 branch from 7effdda to 23bcaef Compare January 19, 2026 14:49

openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Jan 19, 2026

TheRealJon approved these changes Mar 4, 2026

View reviewed changes

openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 4, 2026

openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Mar 27, 2026

openshift-merge-bot bot merged commit 5d8737d into openshift:main Mar 27, 2026
11 checks passed

Conversation

jhadvig commented Jan 14, 2026

Uh oh!

openshift-ci-robot commented Jan 14, 2026

Uh oh!

jhadvig commented Jan 14, 2026

Uh oh!

openshift-ci-robot commented Jan 14, 2026

Uh oh!

TheRealJon left a comment

Choose a reason for hiding this comment

Uh oh!

jhadvig commented Jan 22, 2026

Uh oh!

TheRealJon left a comment

Choose a reason for hiding this comment

Uh oh!

openshift-ci bot commented Mar 4, 2026

Uh oh!

jhadvig commented Mar 24, 2026

Uh oh!

yapei commented Mar 26, 2026

Uh oh!

yapei commented Mar 27, 2026

Uh oh!

openshift-ci-robot commented Mar 27, 2026

Uh oh!

openshift-ci-robot commented Mar 27, 2026

Uh oh!

openshift-ci bot commented Mar 27, 2026

Uh oh!

Uh oh!

openshift-ci-robot commented Mar 27, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants