I0320 11:12:10.808800       1 cmd.go:253] Using service-serving-cert provided certificates
I0320 11:12:10.808913       1 leaderelection.go:121] The leader election gives 4 retries and allows for 30s of clock skew. The kube-apiserver downtime tolerance is 78s. Worst non-graceful lease acquisition is 2m43s. Worst graceful lease acquisition is {26s}.
I0320 11:12:10.809241       1 observer_polling.go:159] Starting file observer
I0320 11:12:10.809300       1 envvar.go:172] "Feature gate default state" feature="ClientsAllowCBOR" enabled=false
I0320 11:12:10.809312       1 envvar.go:172] "Feature gate default state" feature="ClientsPreferCBOR" enabled=false
I0320 11:12:10.809316       1 envvar.go:172] "Feature gate default state" feature="InformerResourceVersion" enabled=false
I0320 11:12:10.809320       1 envvar.go:172] "Feature gate default state" feature="WatchListClient" enabled=false
I0320 11:12:10.834205       1 builder.go:304] service-ca-operator version -
I0320 11:12:10.834756       1 dynamic_serving_content.go:116] "Loaded a new cert/key pair" name="serving-cert::/var/run/secrets/serving-cert/tls.crt::/var/run/secrets/serving-cert/tls.key"
I0320 11:12:11.446904       1 requestheader_controller.go:255] Loaded a new request header values for RequestHeaderAuthRequestController
I0320 11:12:11.453146       1 maxinflight.go:139] "Initialized nonMutatingChan" len=400
I0320 11:12:11.453164       1 maxinflight.go:145] "Initialized mutatingChan" len=200
I0320 11:12:11.453191       1 maxinflight.go:116] "Set denominator for readonly requests" limit=400
I0320 11:12:11.453198       1 maxinflight.go:120] "Set denominator for mutating requests" limit=200
I0320 11:12:11.456320       1 secure_serving.go:57] Forcing use of http/1.1 only
I0320 11:12:11.456335       1 genericapiserver.go:535] MuxAndDiscoveryComplete has all endpoints registered and discovery information is complete
W0320 11:12:11.456341       1 secure_serving.go:69] Use of insecure cipher 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256' detected.
W0320 11:12:11.456353       1 secure_serving.go:69] Use of insecure cipher 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256' detected.
W0320 11:12:11.456358       1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_128_GCM_SHA256' detected.
W0320 11:12:11.456361       1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_256_GCM_SHA384' detected.
W0320 11:12:11.456363       1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_128_CBC_SHA' detected.
W0320 11:12:11.456366       1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_256_CBC_SHA' detected.
I0320 11:12:11.462011       1 requestheader_controller.go:180] Starting RequestHeaderAuthRequestController
I0320 11:12:11.462034       1 shared_informer.go:313] Waiting for caches to sync for RequestHeaderAuthRequestController
I0320 11:12:11.462041       1 configmap_cafile_content.go:205] "Starting controller" name="client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file"
I0320 11:12:11.462056       1 shared_informer.go:313] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file
I0320 11:12:11.462038       1 configmap_cafile_content.go:205] "Starting controller" name="client-ca::kube-system::extension-apiserver-authentication::client-ca-file"
I0320 11:12:11.462074       1 shared_informer.go:313] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::client-ca-file
I0320 11:12:11.462340       1 dynamic_serving_content.go:135] "Starting controller" name="serving-cert::/var/run/secrets/serving-cert/tls.crt::/var/run/secrets/serving-cert/tls.key"
I0320 11:12:11.462458       1 tlsconfig.go:203] "Loaded serving cert" certName="serving-cert::/var/run/secrets/serving-cert/tls.crt::/var/run/secrets/serving-cert/tls.key" certDetail="\"metrics.openshift-service-ca-operator.svc\" [serving] validServingFor=[metrics.openshift-service-ca-operator.svc,metrics.openshift-service-ca-operator.svc.cluster.local] issuer=\"openshift-service-serving-signer@1774005046\" (2026-03-20 11:10:58 +0000 UTC to 2028-03-19 11:10:59 +0000 UTC (now=2026-03-20 11:12:11.462430373 +0000 UTC))"
I0320 11:12:11.462682       1 named_certificates.go:53] "Loaded SNI cert" index=0 certName="self-signed loopback" certDetail="\"apiserver-loopback-client@1774005131\" [serving] validServingFor=[apiserver-loopback-client] issuer=\"apiserver-loopback-client-ca@1774005131\" (2026-03-20 10:12:10 +0000 UTC to 2027-03-20 10:12:10 +0000 UTC (now=2026-03-20 11:12:11.462667191 +0000 UTC))"
I0320 11:12:11.462702       1 secure_serving.go:213] Serving securely on [::]:8443
I0320 11:12:11.462721       1 genericapiserver.go:685] [graceful-termination] waiting for shutdown to be initiated
I0320 11:12:11.462736       1 tlsconfig.go:243] "Starting DynamicServingCertificateController"
I0320 11:12:11.465058       1 reflector.go:376] Caches populated for *v1.ConfigMap from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0320 11:12:11.465159       1 leaderelection.go:257] attempting to acquire leader lease openshift-service-ca-operator/service-ca-operator-lock...
I0320 11:12:11.465695       1 reflector.go:376] Caches populated for *v1.ConfigMap from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0320 11:12:11.466807       1 reflector.go:376] Caches populated for *v1.ConfigMap from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0320 11:12:11.478899       1 leaderelection.go:271] successfully acquired lease openshift-service-ca-operator/service-ca-operator-lock
I0320 11:12:11.478951       1 event.go:377] Event(v1.ObjectReference{Kind:"Lease", Namespace:"openshift-service-ca-operator", Name:"service-ca-operator-lock", UID:"32a12533-37da-468b-969a-9d3b372bdacf", APIVersion:"coordination.k8s.io/v1", ResourceVersion:"14735", FieldPath:""}): type: 'Normal' reason: 'LeaderElection' service-ca-operator-7f694b5f95-hvdns_18d0064d-ac98-4ef2-8a6f-29c4d8f43f31 became leader
I0320 11:12:11.479675       1 starter.go:111] Fetching FeatureGates
I0320 11:12:11.479736       1 simple_featuregate_reader.go:171] Starting feature-gate-detector
I0320 11:12:11.483911       1 reflector.go:376] Caches populated for *v1.FeatureGate from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0320 11:12:11.484124       1 starter.go:160] Setting signing certificate lifetime to 18960h0m0s, minimum trust duration to 9480h0m0s
I0320 11:12:11.484190       1 event.go:377] Event(v1.ObjectReference{Kind:"Deployment", Namespace:"openshift-service-ca-operator", Name:"service-ca-operator", UID:"d1443ed4-aa95-4187-b56b-36c3c980ea6d", APIVersion:"apps/v1", ResourceVersion:"", FieldPath:""}): type: 'Normal' reason: 'FeatureGatesInitialized' FeatureGates updated to featuregates.Features{Enabled:[]v1.FeatureGateName{"AdditionalRoutingCapabilities", "AdminNetworkPolicy", "AlibabaPlatform", "AzureWorkloadIdentity", "BuildCSIVolumes", "CPMSMachineNamePrefix", "ConsolePluginContentSecurityPolicy", "ExternalOIDC", "ExternalOIDCWithUIDAndExtraClaimMappings", "GatewayAPI", "GatewayAPIController", "HighlyAvailableArbiter", "ImageVolume", "IngressControllerLBSubnetsAWS", "KMSv1", "MachineConfigNodes", "ManagedBootImages", "ManagedBootImagesAWS", "MetricsCollectionProfiles", "NetworkDiagnosticsConfig", "NetworkLiveMigration", "NetworkSegmentation", "PinnedImages", "ProcMountType", "RouteAdvertisements", "RouteExternalCertificate", "ServiceAccountTokenNodeBinding", "SetEIPForNLBIngressController", "SigstoreImageVerification", "StoragePerformantSecurityPolicy", "UpgradeStatus", "UserNamespacesPodSecurityStandards", "UserNamespacesSupport", "VSphereMultiDisk", "VSphereMultiNetworks"}, Disabled:[]v1.FeatureGateName{"AWSClusterHostedDNS", "AWSClusterHostedDNSInstall", "AWSDedicatedHosts", "AWSServiceLBNetworkSecurityGroup", "AutomatedEtcdBackup", "AzureClusterHostedDNSInstall", "AzureDedicatedHosts", "AzureMultiDisk", "BootImageSkewEnforcement", "BootcNodeManagement", "ClusterAPIInstall", "ClusterAPIInstallIBMCloud", "ClusterMonitoringConfig", "ClusterVersionOperatorConfiguration", "DNSNameResolver", "DualReplica", "DyanmicServiceEndpointIBMCloud", "DynamicResourceAllocation", "EtcdBackendQuota", "EventedPLEG", "Example", "Example2", "ExternalSnapshotMetadata", "GCPClusterHostedDNS", "GCPClusterHostedDNSInstall", "GCPCustomAPIEndpoints", "GCPCustomAPIEndpointsInstall", "ImageModeStatusReporting", "ImageStreamImportMode", "IngressControllerDynamicConfigurationManager", "InsightsConfig", "InsightsConfigAPI", "InsightsOnDemandDataGather", "IrreconcilableMachineConfig", "KMSEncryptionProvider", "MachineAPIMigration", "MachineAPIOperatorDisableMachineHealthCheckController", "ManagedBootImagesAzure", "ManagedBootImagesvSphere", "MaxUnavailableStatefulSet", "MinimumKubeletVersion", "MixedCPUsAllocation", "MultiArchInstallAzure", "MultiDiskSetup", "MutatingAdmissionPolicy", "NewOLM", "NewOLMCatalogdAPIV1Metas", "NewOLMOwnSingleNamespace", "NewOLMPreflightPermissionChecks", "NewOLMWebhookProviderOpenshiftServiceCA", "NoRegistryClusterOperations", "NodeSwap", "NutanixMultiSubnets", "OVNObservability", "OpenShiftPodSecurityAdmission", "PreconfiguredUDNAddresses", "SELinuxMount", "ShortCertRotation", "SignatureStores", "SigstoreImageVerificationPKI", "TranslateStreamCloseWebsocketRequests", "VSphereConfigurableMaxAllowedBlockVolumesPerNode", "VSphereHostVMGroupZonal", "VSphereMixedNodeEnv", "VolumeAttributesClass", "VolumeGroupSnapshot"}}
I0320 11:12:11.484293       1 reflector.go:376] Caches populated for *v1.ClusterVersion from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0320 11:12:11.484410       1 base_controller.go:76] Waiting for caches to sync for resource-sync
I0320 11:12:11.484592       1 base_controller.go:76] Waiting for caches to sync for ServiceCAOperator
I0320 11:12:11.484620       1 base_controller.go:76] Waiting for caches to sync for LoggingSyncer
I0320 11:12:11.484641       1 base_controller.go:76] Waiting for caches to sync for StatusSyncer_service-ca
I0320 11:12:11.490300       1 reflector.go:376] Caches populated for *v1.ConfigMap from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0320 11:12:11.490593       1 reflector.go:376] Caches populated for *v1.ClusterOperator from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0320 11:12:11.490617       1 reflector.go:376] Caches populated for *v1.ConfigMap from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0320 11:12:11.490648       1 reflector.go:376] Caches populated for *v1.ServiceCA from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0320 11:12:11.491114       1 reflector.go:376] Caches populated for *v1.ServiceAccount from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0320 11:12:11.491301       1 reflector.go:376] Caches populated for *v1.Secret from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0320 11:12:11.491542       1 reflector.go:376] Caches populated for *v1.ConfigMap from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0320 11:12:11.491608       1 reflector.go:376] Caches populated for *v1.Deployment from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0320 11:12:11.491595       1 reflector.go:376] Caches populated for *v1.Secret from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0320 11:12:11.491704       1 reflector.go:376] Caches populated for *v1.ConfigMap from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0320 11:12:11.491724       1 reflector.go:376] Caches populated for *v1.Infrastructure from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0320 11:12:11.492345       1 reflector.go:376] Caches populated for *v1.Secret from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0320 11:12:11.492764       1 reflector.go:376] Caches populated for *v1.Secret from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0320 11:12:11.506008       1 reflector.go:376] Caches populated for *v1.ConfigMap from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0320 11:12:11.562648       1 shared_informer.go:320] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file
I0320 11:12:11.562654       1 shared_informer.go:320] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::client-ca-file
I0320 11:12:11.562675       1 shared_informer.go:320] Caches are synced for RequestHeaderAuthRequestController
I0320 11:12:11.562825       1 tlsconfig.go:181] "Loaded client CA" index=0 certName="client-ca::kube-system::extension-apiserver-authentication::client-ca-file,client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" certDetail="\"aggregator-signer\" [] issuer=\"<self>\" (2026-03-20 10:54:24 +0000 UTC to 2036-03-17 10:54:24 +0000 UTC (now=2026-03-20 11:12:11.562796629 +0000 UTC))"
I0320 11:12:11.563024       1 tlsconfig.go:203] "Loaded serving cert" certName="serving-cert::/var/run/secrets/serving-cert/tls.crt::/var/run/secrets/serving-cert/tls.key" certDetail="\"metrics.openshift-service-ca-operator.svc\" [serving] validServingFor=[metrics.openshift-service-ca-operator.svc,metrics.openshift-service-ca-operator.svc.cluster.local] issuer=\"openshift-service-serving-signer@1774005046\" (2026-03-20 11:10:58 +0000 UTC to 2028-03-19 11:10:59 +0000 UTC (now=2026-03-20 11:12:11.563009889 +0000 UTC))"
I0320 11:12:11.563190       1 named_certificates.go:53] "Loaded SNI cert" index=0 certName="self-signed loopback" certDetail="\"apiserver-loopback-client@1774005131\" [serving] validServingFor=[apiserver-loopback-client] issuer=\"apiserver-loopback-client-ca@1774005131\" (2026-03-20 10:12:10 +0000 UTC to 2027-03-20 10:12:10 +0000 UTC (now=2026-03-20 11:12:11.563178815 +0000 UTC))"
I0320 11:12:11.563324       1 tlsconfig.go:181] "Loaded client CA" index=0 certName="client-ca::kube-system::extension-apiserver-authentication::client-ca-file,client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" certDetail="\"kube-control-plane-signer\" [] issuer=\"<self>\" (2026-03-20 10:54:26 +0000 UTC to 2036-03-17 10:54:26 +0000 UTC (now=2026-03-20 11:12:11.563312305 +0000 UTC))"
I0320 11:12:11.563344       1 tlsconfig.go:181] "Loaded client CA" index=1 certName="client-ca::kube-system::extension-apiserver-authentication::client-ca-file,client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" certDetail="\"kube-apiserver-to-kubelet-signer\" [] issuer=\"<self>\" (2026-03-20 10:54:34 +0000 UTC to 2036-03-17 10:54:34 +0000 UTC (now=2026-03-20 11:12:11.563335145 +0000 UTC))"
I0320 11:12:11.563366       1 tlsconfig.go:181] "Loaded client CA" index=2 certName="client-ca::kube-system::extension-apiserver-authentication::client-ca-file,client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" certDetail="\"admin-kubeconfig-signer\" [] issuer=\"<self>\" (2026-03-20 10:54:35 +0000 UTC to 2036-03-17 10:54:35 +0000 UTC (now=2026-03-20 11:12:11.563353315 +0000 UTC))"
I0320 11:12:11.563384       1 tlsconfig.go:181] "Loaded client CA" index=3 certName="client-ca::kube-system::extension-apiserver-authentication::client-ca-file,client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" certDetail="\"hcco-signer\" [] issuer=\"<self>\" (2026-03-20 10:54:36 +0000 UTC to 2036-03-17 10:54:36 +0000 UTC (now=2026-03-20 11:12:11.563376377 +0000 UTC))"
I0320 11:12:11.563424       1 tlsconfig.go:181] "Loaded client CA" index=4 certName="client-ca::kube-system::extension-apiserver-authentication::client-ca-file,client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" certDetail="\"kube-csr-signer\" [] issuer=\"<self>\" (2026-03-20 10:54:38 +0000 UTC to 2036-03-17 10:54:38 +0000 UTC (now=2026-03-20 11:12:11.5633928 +0000 UTC))"
I0320 11:12:11.563445       1 tlsconfig.go:181] "Loaded client CA" index=5 certName="client-ca::kube-system::extension-apiserver-authentication::client-ca-file,client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" certDetail="\"ocm-production-2p5dfcelbjmq73badkbo2r5352k8gh7f-kx-9c46f017c8_customer-system-admin-signer@1774004192\" [] issuer=\"<self>\" (2026-03-20 10:56:32 +0000 UTC to 2026-03-27 10:56:33 +0000 UTC (now=2026-03-20 11:12:11.563434868 +0000 UTC))"
I0320 11:12:11.563462       1 tlsconfig.go:181] "Loaded client CA" index=6 certName="client-ca::kube-system::extension-apiserver-authentication::client-ca-file,client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" certDetail="\"ocm-production-2p5dfcelbjmq73badkbo2r5352k8gh7f-kx-9c46f017c8_sre-system-admin-signer@1774004192\" [] issuer=\"<self>\" (2026-03-20 10:56:32 +0000 UTC to 2026-03-27 10:56:33 +0000 UTC (now=2026-03-20 11:12:11.563453623 +0000 UTC))"
I0320 11:12:11.563493       1 tlsconfig.go:181] "Loaded client CA" index=7 certName="client-ca::kube-system::extension-apiserver-authentication::client-ca-file,client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" certDetail="\"aggregator-signer\" [] issuer=\"<self>\" (2026-03-20 10:54:24 +0000 UTC to 2036-03-17 10:54:24 +0000 UTC (now=2026-03-20 11:12:11.563471043 +0000 UTC))"
I0320 11:12:11.563668       1 tlsconfig.go:203] "Loaded serving cert" certName="serving-cert::/var/run/secrets/serving-cert/tls.crt::/var/run/secrets/serving-cert/tls.key" certDetail="\"metrics.openshift-service-ca-operator.svc\" [serving] validServingFor=[metrics.openshift-service-ca-operator.svc,metrics.openshift-service-ca-operator.svc.cluster.local] issuer=\"openshift-service-serving-signer@1774005046\" (2026-03-20 11:10:58 +0000 UTC to 2028-03-19 11:10:59 +0000 UTC (now=2026-03-20 11:12:11.563656096 +0000 UTC))"
I0320 11:12:11.563825       1 named_certificates.go:53] "Loaded SNI cert" index=0 certName="self-signed loopback" certDetail="\"apiserver-loopback-client@1774005131\" [serving] validServingFor=[apiserver-loopback-client] issuer=\"apiserver-loopback-client-ca@1774005131\" (2026-03-20 10:12:10 +0000 UTC to 2027-03-20 10:12:10 +0000 UTC (now=2026-03-20 11:12:11.563815609 +0000 UTC))"
I0320 11:12:11.584857       1 base_controller.go:82] Caches are synced for LoggingSyncer 
I0320 11:12:11.584869       1 base_controller.go:82] Caches are synced for StatusSyncer_service-ca 
I0320 11:12:11.584874       1 base_controller.go:119] Starting #1 worker of LoggingSyncer controller ...
I0320 11:12:11.584879       1 base_controller.go:119] Starting #1 worker of StatusSyncer_service-ca controller ...
I0320 11:12:11.689940       1 reflector.go:376] Caches populated for *v1.Namespace from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0320 11:12:11.785514       1 base_controller.go:82] Caches are synced for ServiceCAOperator 
I0320 11:12:11.785533       1 base_controller.go:119] Starting #1 worker of ServiceCAOperator controller ...
I0320 11:12:11.888341       1 reflector.go:376] Caches populated for *v1.Secret from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251
I0320 11:12:11.984519       1 base_controller.go:82] Caches are synced for resource-sync 
I0320 11:12:11.984536       1 base_controller.go:119] Starting #1 worker of resource-sync controller ...