I0325 11:04:22.288485       1 cmd.go:253] Using service-serving-cert provided certificates
I0325 11:04:22.288640       1 leaderelection.go:121] The leader election gives 4 retries and allows for 30s of clock skew. The kube-apiserver downtime tolerance is 78s. Worst non-graceful lease acquisition is 2m43s. Worst graceful lease acquisition is {26s}.
I0325 11:04:22.289241       1 envvar.go:172] "Feature gate default state" feature="ClientsPreferCBOR" enabled=false
I0325 11:04:22.289301       1 envvar.go:172] "Feature gate default state" feature="InformerResourceVersion" enabled=false
I0325 11:04:22.289328       1 envvar.go:172] "Feature gate default state" feature="WatchListClient" enabled=false
I0325 11:04:22.289353       1 envvar.go:172] "Feature gate default state" feature="ClientsAllowCBOR" enabled=false
I0325 11:04:22.290563       1 observer_polling.go:159] Starting file observer
I0325 11:04:22.331711       1 builder.go:304] service-ca-operator version -
I0325 11:04:22.332758       1 dynamic_serving_content.go:116] "Loaded a new cert/key pair" name="serving-cert::/var/run/secrets/serving-cert/tls.crt::/var/run/secrets/serving-cert/tls.key"
I0325 11:04:24.296074       1 requestheader_controller.go:255] Loaded a new request header values for RequestHeaderAuthRequestController
I0325 11:04:24.303165       1 maxinflight.go:139] "Initialized nonMutatingChan" len=400
I0325 11:04:24.303184       1 maxinflight.go:145] "Initialized mutatingChan" len=200
I0325 11:04:24.303216       1 maxinflight.go:116] "Set denominator for readonly requests" limit=400
I0325 11:04:24.303224       1 maxinflight.go:120] "Set denominator for mutating requests" limit=200
I0325 11:04:24.307643       1 secure_serving.go:57] Forcing use of http/1.1 only
I0325 11:04:24.307659       1 genericapiserver.go:535] MuxAndDiscoveryComplete has all endpoints registered and discovery information is complete
W0325 11:04:24.307665       1 secure_serving.go:69] Use of insecure cipher 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256' detected.
W0325 11:04:24.307671       1 secure_serving.go:69] Use of insecure cipher 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256' detected.
W0325 11:04:24.307675       1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_128_GCM_SHA256' detected.
W0325 11:04:24.307678       1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_256_GCM_SHA384' detected.
W0325 11:04:24.307681       1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_128_CBC_SHA' detected.
W0325 11:04:24.307684       1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_256_CBC_SHA' detected.
I0325 11:04:24.313607       1 requestheader_controller.go:180] Starting RequestHeaderAuthRequestController
I0325 11:04:24.313624       1 configmap_cafile_content.go:205] "Starting controller" name="client-ca::kube-system::extension-apiserver-authentication::client-ca-file"
I0325 11:04:24.313650       1 shared_informer.go:313] Waiting for caches to sync for RequestHeaderAuthRequestController
I0325 11:04:24.313657       1 shared_informer.go:313] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::client-ca-file
I0325 11:04:24.313679       1 configmap_cafile_content.go:205] "Starting controller" name="client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file"
I0325 11:04:24.313689       1 shared_informer.go:313] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file
I0325 11:04:24.314064       1 dynamic_serving_content.go:135] "Starting controller" name="serving-cert::/var/run/secrets/serving-cert/tls.crt::/var/run/secrets/serving-cert/tls.key"
I0325 11:04:24.314170       1 tlsconfig.go:203] "Loaded serving cert" certName="serving-cert::/var/run/secrets/serving-cert/tls.crt::/var/run/secrets/serving-cert/tls.key" certDetail="\"metrics.openshift-service-ca-operator.svc\" [serving] validServingFor=[metrics.openshift-service-ca-operator.svc,metrics.openshift-service-ca-operator.svc.cluster.local] issuer=\"openshift-service-serving-signer@1774436388\" (2026-03-25 11:00:01 +0000 UTC to 2028-03-24 11:00:02 +0000 UTC (now=2026-03-25 11:04:24.314115889 +0000 UTC))"
I0325 11:04:24.314445       1 named_certificates.go:53] "Loaded SNI cert" index=0 certName="self-signed loopback" certDetail="\"apiserver-loopback-client@1774436664\" [serving] validServingFor=[apiserver-loopback-client] issuer=\"apiserver-loopback-client-ca@1774436663\" (2026-03-25 10:04:22 +0000 UTC to 2027-03-25 10:04:22 +0000 UTC (now=2026-03-25 11:04:24.314418756 +0000 UTC))"
I0325 11:04:24.314463       1 leaderelection.go:257] attempting to acquire leader lease openshift-service-ca-operator/service-ca-operator-lock...
I0325 11:04:24.314468       1 secure_serving.go:213] Serving securely on [::]:8443
I0325 11:04:24.314496       1 genericapiserver.go:685] [graceful-termination] waiting for shutdown to be initiated
I0325 11:04:24.314513       1 tlsconfig.go:243] "Starting DynamicServingCertificateController"
I0325 11:04:24.316574       1 reflector.go:376] Caches populated for *v1.ConfigMap from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0325 11:04:24.316720       1 reflector.go:376] Caches populated for *v1.ConfigMap from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0325 11:04:24.316928       1 reflector.go:376] Caches populated for *v1.ConfigMap from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0325 11:04:24.413792       1 shared_informer.go:320] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::client-ca-file
I0325 11:04:24.413820       1 shared_informer.go:320] Caches are synced for RequestHeaderAuthRequestController
I0325 11:04:24.413794       1 shared_informer.go:320] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file
I0325 11:04:24.414063       1 tlsconfig.go:181] "Loaded client CA" index=0 certName="client-ca::kube-system::extension-apiserver-authentication::client-ca-file,client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" certDetail="\"aggregator-signer\" [] issuer=\"<self>\" (2026-03-25 10:43:57 +0000 UTC to 2036-03-22 10:43:57 +0000 UTC (now=2026-03-25 11:04:24.414029688 +0000 UTC))"
I0325 11:04:24.414289       1 tlsconfig.go:203] "Loaded serving cert" certName="serving-cert::/var/run/secrets/serving-cert/tls.crt::/var/run/secrets/serving-cert/tls.key" certDetail="\"metrics.openshift-service-ca-operator.svc\" [serving] validServingFor=[metrics.openshift-service-ca-operator.svc,metrics.openshift-service-ca-operator.svc.cluster.local] issuer=\"openshift-service-serving-signer@1774436388\" (2026-03-25 11:00:01 +0000 UTC to 2028-03-24 11:00:02 +0000 UTC (now=2026-03-25 11:04:24.414273319 +0000 UTC))"
I0325 11:04:24.414443       1 named_certificates.go:53] "Loaded SNI cert" index=0 certName="self-signed loopback" certDetail="\"apiserver-loopback-client@1774436664\" [serving] validServingFor=[apiserver-loopback-client] issuer=\"apiserver-loopback-client-ca@1774436663\" (2026-03-25 10:04:22 +0000 UTC to 2027-03-25 10:04:22 +0000 UTC (now=2026-03-25 11:04:24.414431002 +0000 UTC))"
I0325 11:04:24.414603       1 tlsconfig.go:181] "Loaded client CA" index=0 certName="client-ca::kube-system::extension-apiserver-authentication::client-ca-file,client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" certDetail="\"kube-control-plane-signer\" [] issuer=\"<self>\" (2026-03-25 10:43:58 +0000 UTC to 2036-03-22 10:43:58 +0000 UTC (now=2026-03-25 11:04:24.414584088 +0000 UTC))"
I0325 11:04:24.414637       1 tlsconfig.go:181] "Loaded client CA" index=1 certName="client-ca::kube-system::extension-apiserver-authentication::client-ca-file,client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" certDetail="\"kube-apiserver-to-kubelet-signer\" [] issuer=\"<self>\" (2026-03-25 10:44:00 +0000 UTC to 2036-03-22 10:44:00 +0000 UTC (now=2026-03-25 11:04:24.414620133 +0000 UTC))"
I0325 11:04:24.414668       1 tlsconfig.go:181] "Loaded client CA" index=2 certName="client-ca::kube-system::extension-apiserver-authentication::client-ca-file,client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" certDetail="\"admin-kubeconfig-signer\" [] issuer=\"<self>\" (2026-03-25 10:44:02 +0000 UTC to 2036-03-22 10:44:02 +0000 UTC (now=2026-03-25 11:04:24.414650081 +0000 UTC))"
I0325 11:04:24.414693       1 tlsconfig.go:181] "Loaded client CA" index=3 certName="client-ca::kube-system::extension-apiserver-authentication::client-ca-file,client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" certDetail="\"hcco-signer\" [] issuer=\"<self>\" (2026-03-25 10:44:04 +0000 UTC to 2036-03-22 10:44:04 +0000 UTC (now=2026-03-25 11:04:24.41467986 +0000 UTC))"
I0325 11:04:24.414728       1 tlsconfig.go:181] "Loaded client CA" index=4 certName="client-ca::kube-system::extension-apiserver-authentication::client-ca-file,client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" certDetail="\"kube-csr-signer\" [] issuer=\"<self>\" (2026-03-25 10:44:07 +0000 UTC to 2036-03-22 10:44:07 +0000 UTC (now=2026-03-25 11:04:24.414706388 +0000 UTC))"
I0325 11:04:24.414757       1 tlsconfig.go:181] "Loaded client CA" index=5 certName="client-ca::kube-system::extension-apiserver-authentication::client-ca-file,client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" certDetail="\"ocm-production-2p8mq24lsf2m58q3itf4qvcrijjq5nr6-kx-5c86e8a29e_customer-system-admin-signer@1774435610\" [] issuer=\"<self>\" (2026-03-25 10:46:53 +0000 UTC to 2026-04-01 10:46:54 +0000 UTC (now=2026-03-25 11:04:24.414741546 +0000 UTC))"
I0325 11:04:24.414785       1 tlsconfig.go:181] "Loaded client CA" index=6 certName="client-ca::kube-system::extension-apiserver-authentication::client-ca-file,client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" certDetail="\"ocm-production-2p8mq24lsf2m58q3itf4qvcrijjq5nr6-kx-5c86e8a29e_sre-system-admin-signer@1774435610\" [] issuer=\"<self>\" (2026-03-25 10:46:50 +0000 UTC to 2026-04-01 10:46:51 +0000 UTC (now=2026-03-25 11:04:24.414771637 +0000 UTC))"
I0325 11:04:24.414813       1 tlsconfig.go:181] "Loaded client CA" index=7 certName="client-ca::kube-system::extension-apiserver-authentication::client-ca-file,client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" certDetail="\"aggregator-signer\" [] issuer=\"<self>\" (2026-03-25 10:43:57 +0000 UTC to 2036-03-22 10:43:57 +0000 UTC (now=2026-03-25 11:04:24.414800225 +0000 UTC))"
I0325 11:04:24.415048       1 tlsconfig.go:203] "Loaded serving cert" certName="serving-cert::/var/run/secrets/serving-cert/tls.crt::/var/run/secrets/serving-cert/tls.key" certDetail="\"metrics.openshift-service-ca-operator.svc\" [serving] validServingFor=[metrics.openshift-service-ca-operator.svc,metrics.openshift-service-ca-operator.svc.cluster.local] issuer=\"openshift-service-serving-signer@1774436388\" (2026-03-25 11:00:01 +0000 UTC to 2028-03-24 11:00:02 +0000 UTC (now=2026-03-25 11:04:24.415034788 +0000 UTC))"
I0325 11:04:24.415427       1 named_certificates.go:53] "Loaded SNI cert" index=0 certName="self-signed loopback" certDetail="\"apiserver-loopback-client@1774436664\" [serving] validServingFor=[apiserver-loopback-client] issuer=\"apiserver-loopback-client-ca@1774436663\" (2026-03-25 10:04:22 +0000 UTC to 2027-03-25 10:04:22 +0000 UTC (now=2026-03-25 11:04:24.415402464 +0000 UTC))"
I0325 11:07:46.604067       1 leaderelection.go:271] successfully acquired lease openshift-service-ca-operator/service-ca-operator-lock
I0325 11:07:46.604104       1 event.go:377] Event(v1.ObjectReference{Kind:"Lease", Namespace:"openshift-service-ca-operator", Name:"service-ca-operator-lock", UID:"5edeb03b-3dbe-4cdc-89ef-9bcd20049e4d", APIVersion:"coordination.k8s.io/v1", ResourceVersion:"16116", FieldPath:""}): type: 'Normal' reason: 'LeaderElection' service-ca-operator-7f694b5f95-426r2_e063e6a6-8f07-4679-abf6-3c5b210f999a became leader
I0325 11:07:46.604922       1 starter.go:111] Fetching FeatureGates
I0325 11:07:46.605066       1 simple_featuregate_reader.go:171] Starting feature-gate-detector
I0325 11:07:46.608584       1 reflector.go:376] Caches populated for *v1.FeatureGate from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0325 11:07:46.608655       1 reflector.go:376] Caches populated for *v1.ClusterVersion from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0325 11:07:46.608784       1 event.go:377] Event(v1.ObjectReference{Kind:"Deployment", Namespace:"openshift-service-ca-operator", Name:"service-ca-operator", UID:"bafd3430-6718-4853-a3b9-95e4ea1a98e0", APIVersion:"apps/v1", ResourceVersion:"", FieldPath:""}): type: 'Normal' reason: 'FeatureGatesInitialized' FeatureGates updated to featuregates.Features{Enabled:[]v1.FeatureGateName{"AdditionalRoutingCapabilities", "AdminNetworkPolicy", "AlibabaPlatform", "AzureWorkloadIdentity", "BuildCSIVolumes", "CPMSMachineNamePrefix", "ConsolePluginContentSecurityPolicy", "ExternalOIDC", "ExternalOIDCWithUIDAndExtraClaimMappings", "GatewayAPI", "GatewayAPIController", "HighlyAvailableArbiter", "ImageVolume", "IngressControllerLBSubnetsAWS", "KMSv1", "MachineConfigNodes", "ManagedBootImages", "ManagedBootImagesAWS", "MetricsCollectionProfiles", "NetworkDiagnosticsConfig", "NetworkLiveMigration", "NetworkSegmentation", "PinnedImages", "ProcMountType", "RouteAdvertisements", "RouteExternalCertificate", "ServiceAccountTokenNodeBinding", "SetEIPForNLBIngressController", "SigstoreImageVerification", "StoragePerformantSecurityPolicy", "UpgradeStatus", "UserNamespacesPodSecurityStandards", "UserNamespacesSupport", "VSphereMultiDisk", "VSphereMultiNetworks"}, Disabled:[]v1.FeatureGateName{"AWSClusterHostedDNS", "AWSClusterHostedDNSInstall", "AWSDedicatedHosts", "AWSServiceLBNetworkSecurityGroup", "AutomatedEtcdBackup", "AzureClusterHostedDNSInstall", "AzureDedicatedHosts", "AzureMultiDisk", "BootImageSkewEnforcement", "BootcNodeManagement", "ClusterAPIInstall", "ClusterAPIInstallIBMCloud", "ClusterMonitoringConfig", "ClusterVersionOperatorConfiguration", "DNSNameResolver", "DualReplica", "DyanmicServiceEndpointIBMCloud", "DynamicResourceAllocation", "EtcdBackendQuota", "EventedPLEG", "Example", "Example2", "ExternalSnapshotMetadata", "GCPClusterHostedDNS", "GCPClusterHostedDNSInstall", "GCPCustomAPIEndpoints", "GCPCustomAPIEndpointsInstall", "ImageModeStatusReporting", "ImageStreamImportMode", "IngressControllerDynamicConfigurationManager", "InsightsConfig", "InsightsConfigAPI", "InsightsOnDemandDataGather", "IrreconcilableMachineConfig", "KMSEncryptionProvider", "MachineAPIMigration", "MachineAPIOperatorDisableMachineHealthCheckController", "ManagedBootImagesAzure", "ManagedBootImagesvSphere", "MaxUnavailableStatefulSet", "MinimumKubeletVersion", "MixedCPUsAllocation", "MultiArchInstallAzure", "MultiDiskSetup", "MutatingAdmissionPolicy", "NewOLM", "NewOLMCatalogdAPIV1Metas", "NewOLMOwnSingleNamespace", "NewOLMPreflightPermissionChecks", "NewOLMWebhookProviderOpenshiftServiceCA", "NoRegistryClusterOperations", "NodeSwap", "NutanixMultiSubnets", "OVNObservability", "OpenShiftPodSecurityAdmission", "PreconfiguredUDNAddresses", "SELinuxMount", "ShortCertRotation", "SignatureStores", "SigstoreImageVerificationPKI", "TranslateStreamCloseWebsocketRequests", "VSphereConfigurableMaxAllowedBlockVolumesPerNode", "VSphereHostVMGroupZonal", "VSphereMixedNodeEnv", "VolumeAttributesClass", "VolumeGroupSnapshot"}}
I0325 11:07:46.608811       1 starter.go:160] Setting signing certificate lifetime to 18960h0m0s, minimum trust duration to 9480h0m0s
I0325 11:07:46.609039       1 base_controller.go:76] Waiting for caches to sync for resource-sync
I0325 11:07:46.609299       1 base_controller.go:76] Waiting for caches to sync for ServiceCAOperator
I0325 11:07:46.609325       1 base_controller.go:76] Waiting for caches to sync for LoggingSyncer
I0325 11:07:46.609952       1 base_controller.go:76] Waiting for caches to sync for StatusSyncer_service-ca
I0325 11:07:46.614835       1 reflector.go:376] Caches populated for *v1.Secret from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0325 11:07:46.615837       1 reflector.go:376] Caches populated for *v1.Infrastructure from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0325 11:07:46.615949       1 reflector.go:376] Caches populated for *v1.ConfigMap from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0325 11:07:46.616158       1 reflector.go:376] Caches populated for *v1.Secret from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0325 11:07:46.616219       1 reflector.go:376] Caches populated for *v1.ClusterOperator from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0325 11:07:46.616237       1 reflector.go:376] Caches populated for *v1.ServiceAccount from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0325 11:07:46.616308       1 reflector.go:376] Caches populated for *v1.ConfigMap from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0325 11:07:46.616821       1 reflector.go:376] Caches populated for *v1.Secret from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0325 11:07:46.616852       1 reflector.go:376] Caches populated for *v1.ConfigMap from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0325 11:07:46.616863       1 reflector.go:376] Caches populated for *v1.Deployment from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0325 11:07:46.617112       1 reflector.go:376] Caches populated for *v1.ServiceCA from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0325 11:07:46.617701       1 reflector.go:376] Caches populated for *v1.Secret from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0325 11:07:46.618790       1 reflector.go:376] Caches populated for *v1.Namespace from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0325 11:07:46.631688       1 reflector.go:376] Caches populated for *v1.ConfigMap from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0325 11:07:46.710065       1 base_controller.go:82] Caches are synced for LoggingSyncer 
I0325 11:07:46.710091       1 base_controller.go:119] Starting #1 worker of LoggingSyncer controller ...
I0325 11:07:46.710170       1 base_controller.go:82] Caches are synced for StatusSyncer_service-ca 
I0325 11:07:46.710178       1 base_controller.go:119] Starting #1 worker of StatusSyncer_service-ca controller ...
I0325 11:07:46.812251       1 reflector.go:376] Caches populated for *v1.ConfigMap from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0325 11:07:46.909588       1 base_controller.go:82] Caches are synced for ServiceCAOperator 
I0325 11:07:46.909618       1 base_controller.go:119] Starting #1 worker of ServiceCAOperator controller ...
I0325 11:07:47.013059       1 reflector.go:376] Caches populated for *v1.Secret from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0325 11:07:47.109792       1 base_controller.go:82] Caches are synced for resource-sync 
I0325 11:07:47.109817       1 base_controller.go:119] Starting #1 worker of resource-sync controller ...