I0423 19:51:53.731535 1 cmd.go:253] Using service-serving-cert provided certificates I0423 19:51:53.731604 1 leaderelection.go:121] The leader election gives 4 retries and allows for 30s of clock skew. The kube-apiserver downtime tolerance is 78s. Worst non-graceful lease acquisition is 2m43s. Worst graceful lease acquisition is {26s}. I0423 19:51:53.731969 1 observer_polling.go:159] Starting file observer I0423 19:51:53.732032 1 envvar.go:172] "Feature gate default state" feature="ClientsAllowCBOR" enabled=false I0423 19:51:53.732050 1 envvar.go:172] "Feature gate default state" feature="ClientsPreferCBOR" enabled=false I0423 19:51:53.732055 1 envvar.go:172] "Feature gate default state" feature="InformerResourceVersion" enabled=false I0423 19:51:53.732059 1 envvar.go:172] "Feature gate default state" feature="WatchListClient" enabled=false I0423 19:51:53.756425 1 builder.go:304] service-ca-operator version - I0423 19:51:53.756977 1 dynamic_serving_content.go:116] "Loaded a new cert/key pair" name="serving-cert::/var/run/secrets/serving-cert/tls.crt::/var/run/secrets/serving-cert/tls.key" I0423 19:51:54.396779 1 requestheader_controller.go:255] Loaded a new request header values for RequestHeaderAuthRequestController I0423 19:51:54.405004 1 maxinflight.go:139] "Initialized nonMutatingChan" len=400 I0423 19:51:54.405020 1 maxinflight.go:145] "Initialized mutatingChan" len=200 I0423 19:51:54.405045 1 maxinflight.go:116] "Set denominator for readonly requests" limit=400 I0423 19:51:54.405050 1 maxinflight.go:120] "Set denominator for mutating requests" limit=200 I0423 19:51:54.408101 1 secure_serving.go:57] Forcing use of http/1.1 only W0423 19:51:54.408118 1 secure_serving.go:69] Use of insecure cipher 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256' detected. W0423 19:51:54.408122 1 secure_serving.go:69] Use of insecure cipher 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256' detected. W0423 19:51:54.408125 1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_128_GCM_SHA256' detected. W0423 19:51:54.408128 1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_256_GCM_SHA384' detected. W0423 19:51:54.408130 1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_128_CBC_SHA' detected. I0423 19:51:54.408121 1 genericapiserver.go:535] MuxAndDiscoveryComplete has all endpoints registered and discovery information is complete W0423 19:51:54.408132 1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_256_CBC_SHA' detected. I0423 19:51:54.419459 1 dynamic_serving_content.go:135] "Starting controller" name="serving-cert::/var/run/secrets/serving-cert/tls.crt::/var/run/secrets/serving-cert/tls.key" I0423 19:51:54.419476 1 configmap_cafile_content.go:205] "Starting controller" name="client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" I0423 19:51:54.419569 1 requestheader_controller.go:180] Starting RequestHeaderAuthRequestController I0423 19:51:54.420144 1 shared_informer.go:313] Waiting for caches to sync for RequestHeaderAuthRequestController I0423 19:51:54.420143 1 shared_informer.go:313] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file I0423 19:51:54.420178 1 configmap_cafile_content.go:205] "Starting controller" name="client-ca::kube-system::extension-apiserver-authentication::client-ca-file" I0423 19:51:54.420194 1 shared_informer.go:313] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::client-ca-file I0423 19:51:54.420221 1 leaderelection.go:257] attempting to acquire leader lease openshift-service-ca-operator/service-ca-operator-lock... I0423 19:51:54.420422 1 tlsconfig.go:203] "Loaded serving cert" certName="serving-cert::/var/run/secrets/serving-cert/tls.crt::/var/run/secrets/serving-cert/tls.key" certDetail="\"metrics.openshift-service-ca-operator.svc\" [serving] validServingFor=[metrics.openshift-service-ca-operator.svc,metrics.openshift-service-ca-operator.svc.cluster.local] issuer=\"openshift-service-serving-signer@1776973840\" (2026-04-23 19:50:51 +0000 UTC to 2028-04-22 19:50:52 +0000 UTC (now=2026-04-23 19:51:54.42038916 +0000 UTC))" I0423 19:51:54.420618 1 named_certificates.go:53] "Loaded SNI cert" index=0 certName="self-signed loopback" certDetail="\"apiserver-loopback-client@1776973914\" [serving] validServingFor=[apiserver-loopback-client] issuer=\"apiserver-loopback-client-ca@1776973914\" (2026-04-23 18:51:53 +0000 UTC to 2027-04-23 18:51:53 +0000 UTC (now=2026-04-23 19:51:54.420600891 +0000 UTC))" I0423 19:51:54.420636 1 secure_serving.go:213] Serving securely on [::]:8443 I0423 19:51:54.420673 1 tlsconfig.go:243] "Starting DynamicServingCertificateController" I0423 19:51:54.420679 1 genericapiserver.go:685] [graceful-termination] waiting for shutdown to be initiated I0423 19:51:54.424335 1 reflector.go:376] Caches populated for *v1.ConfigMap from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251 I0423 19:51:54.424553 1 reflector.go:376] Caches populated for *v1.ConfigMap from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251 I0423 19:51:54.424713 1 reflector.go:376] Caches populated for *v1.ConfigMap from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251 I0423 19:51:54.434043 1 leaderelection.go:271] successfully acquired lease openshift-service-ca-operator/service-ca-operator-lock I0423 19:51:54.434089 1 event.go:377] Event(v1.ObjectReference{Kind:"Lease", Namespace:"openshift-service-ca-operator", Name:"service-ca-operator-lock", UID:"2dd1b4d6-a2b5-4e67-9e30-2fece845900d", APIVersion:"coordination.k8s.io/v1", ResourceVersion:"12684", FieldPath:""}): type: 'Normal' reason: 'LeaderElection' service-ca-operator-bc9564db4-xjj2n_394e25f7-5173-4c28-b466-bcc6c1e16fb3 became leader I0423 19:51:54.434750 1 starter.go:111] Fetching FeatureGates I0423 19:51:54.434804 1 simple_featuregate_reader.go:171] Starting feature-gate-detector I0423 19:51:54.439298 1 reflector.go:376] Caches populated for *v1.FeatureGate from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251 I0423 19:51:54.439404 1 reflector.go:376] Caches populated for *v1.ClusterVersion from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251 I0423 19:51:54.439482 1 starter.go:160] Setting signing certificate lifetime to 18960h0m0s, minimum trust duration to 9480h0m0s I0423 19:51:54.439491 1 event.go:377] Event(v1.ObjectReference{Kind:"Deployment", Namespace:"openshift-service-ca-operator", Name:"service-ca-operator", UID:"7a164a13-84dc-4bf5-9029-0839276fada3", APIVersion:"apps/v1", ResourceVersion:"", FieldPath:""}): type: 'Normal' reason: 'FeatureGatesInitialized' FeatureGates updated to featuregates.Features{Enabled:[]v1.FeatureGateName{"AdditionalRoutingCapabilities", "AdminNetworkPolicy", "AlibabaPlatform", "AzureWorkloadIdentity", "BuildCSIVolumes", "CPMSMachineNamePrefix", "ConsolePluginContentSecurityPolicy", "ExternalOIDC", "ExternalOIDCWithUIDAndExtraClaimMappings", "GCPClusterHostedDNSInstall", "GatewayAPI", "GatewayAPIController", "HighlyAvailableArbiter", "HyperShiftOnlyDynamicResourceAllocation", "ImageStreamImportMode", "ImageVolume", "KMSv1", "MachineConfigNodes", "ManagedBootImages", "ManagedBootImagesAWS", "ManagedBootImagesAzure", "ManagedBootImagesvSphere", "MetricsCollectionProfiles", "NetworkDiagnosticsConfig", "NetworkLiveMigration", "NetworkSegmentation", "PinnedImages", "PreconfiguredUDNAddresses", "ProcMountType", "RouteAdvertisements", "RouteExternalCertificate", "ServiceAccountTokenNodeBinding", "SigstoreImageVerification", "SigstoreImageVerificationPKI", "StoragePerformantSecurityPolicy", "UpgradeStatus", "UserNamespacesPodSecurityStandards", "UserNamespacesSupport", "VSphereMultiDisk", "VSphereMultiNetworks", "VolumeAttributesClass"}, Disabled:[]v1.FeatureGateName{"AWSClusterHostedDNS", "AWSClusterHostedDNSInstall", "AWSDedicatedHosts", "AWSDualStackInstall", "AWSServiceLBNetworkSecurityGroup", "AutomatedEtcdBackup", "AzureClusterHostedDNSInstall", "AzureDedicatedHosts", "AzureDualStackInstall", "AzureMultiDisk", "BootImageSkewEnforcement", "BootcNodeManagement", "CBORServingAndStorage", "CRDCompatibilityRequirementOperator", "ClientsAllowCBOR", "ClientsPreferCBOR", "ClusterAPIInstall", "ClusterAPIInstallIBMCloud", "ClusterAPIMachineManagement", "ClusterAPIMachineManagementVSphere", "ClusterMonitoringConfig", "ClusterVersionOperatorConfiguration", "DNSNameResolver", "DualReplica", "DyanmicServiceEndpointIBMCloud", "EtcdBackendQuota", "EventTTL", "EventedPLEG", "Example", "Example2", "ExternalSnapshotMetadata", "GCPClusterHostedDNS", "GCPCustomAPIEndpoints", "GCPCustomAPIEndpointsInstall", "GCPDualStackInstall", "ImageModeStatusReporting", "IngressControllerDynamicConfigurationManager", "InsightsConfig", "InsightsOnDemandDataGather", "IrreconcilableMachineConfig", "KMSEncryption", "KMSEncryptionProvider", "MachineAPIMigration", "MachineAPIOperatorDisableMachineHealthCheckController", "ManagedBootImagesCPMS", "MaxUnavailableStatefulSet", "MinimumKubeletVersion", "MixedCPUsAllocation", "MultiArchInstallAzure", "MultiDiskSetup", "MutableCSINodeAllocatableCount", "MutatingAdmissionPolicy", "NewOLM", "NewOLMBoxCutterRuntime", "NewOLMCatalogdAPIV1Metas", "NewOLMOwnSingleNamespace", "NewOLMPreflightPermissionChecks", "NewOLMWebhookProviderOpenshiftServiceCA", "NoRegistryClusterInstall", "NutanixMultiSubnets", "OSStreams", "OVNObservability", "OnPremDNSRecords", "OpenShiftPodSecurityAdmission", "ProvisioningRequestAvailable", "SELinuxMount", "ShortCertRotation", "SignatureStores", "TranslateStreamCloseWebsocketRequests", "VSphereConfigurableMaxAllowedBlockVolumesPerNode", "VSphereHostVMGroupZonal", "VSphereMixedNodeEnv", "VolumeGroupSnapshot"}} I0423 19:51:54.440726 1 base_controller.go:76] Waiting for caches to sync for LoggingSyncer I0423 19:51:54.440734 1 base_controller.go:76] Waiting for caches to sync for ServiceCAOperator I0423 19:51:54.440757 1 base_controller.go:76] Waiting for caches to sync for resource-sync I0423 19:51:54.442314 1 base_controller.go:76] Waiting for caches to sync for StatusSyncer_service-ca I0423 19:51:54.445431 1 reflector.go:376] Caches populated for *v1.ConfigMap from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251 I0423 19:51:54.445450 1 reflector.go:376] Caches populated for *v1.ServiceAccount from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251 I0423 19:51:54.445810 1 reflector.go:376] Caches populated for *v1.ClusterOperator from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251 I0423 19:51:54.446444 1 reflector.go:376] Caches populated for *v1.Secret from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251 I0423 19:51:54.447664 1 reflector.go:376] Caches populated for *v1.ConfigMap from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251 I0423 19:51:54.447801 1 reflector.go:376] Caches populated for *v1.Infrastructure from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251 I0423 19:51:54.447968 1 reflector.go:376] Caches populated for *v1.Secret from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251 I0423 19:51:54.448023 1 reflector.go:376] Caches populated for *v1.Secret from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251 I0423 19:51:54.448565 1 reflector.go:376] Caches populated for *v1.Namespace from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251 I0423 19:51:54.449358 1 reflector.go:376] Caches populated for *v1.ConfigMap from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251 I0423 19:51:54.449463 1 reflector.go:376] Caches populated for *v1.Deployment from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251 I0423 19:51:54.449693 1 reflector.go:376] Caches populated for *v1.Secret from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251 I0423 19:51:54.449859 1 reflector.go:376] Caches populated for *v1.ServiceCA from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251 I0423 19:51:54.462375 1 reflector.go:376] Caches populated for *v1.ConfigMap from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251 I0423 19:51:54.520992 1 shared_informer.go:320] Caches are synced for RequestHeaderAuthRequestController I0423 19:51:54.521012 1 shared_informer.go:320] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file I0423 19:51:54.521000 1 shared_informer.go:320] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::client-ca-file I0423 19:51:54.521145 1 tlsconfig.go:181] "Loaded client CA" index=0 certName="client-ca::kube-system::extension-apiserver-authentication::client-ca-file,client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" certDetail="\"aggregator-signer\" [] issuer=\"\" (2026-04-23 19:39:07 +0000 UTC to 2036-04-20 19:39:07 +0000 UTC (now=2026-04-23 19:51:54.521123473 +0000 UTC))" I0423 19:51:54.521335 1 tlsconfig.go:203] "Loaded serving cert" certName="serving-cert::/var/run/secrets/serving-cert/tls.crt::/var/run/secrets/serving-cert/tls.key" certDetail="\"metrics.openshift-service-ca-operator.svc\" [serving] validServingFor=[metrics.openshift-service-ca-operator.svc,metrics.openshift-service-ca-operator.svc.cluster.local] issuer=\"openshift-service-serving-signer@1776973840\" (2026-04-23 19:50:51 +0000 UTC to 2028-04-22 19:50:52 +0000 UTC (now=2026-04-23 19:51:54.521322694 +0000 UTC))" I0423 19:51:54.521489 1 named_certificates.go:53] "Loaded SNI cert" index=0 certName="self-signed loopback" certDetail="\"apiserver-loopback-client@1776973914\" [serving] validServingFor=[apiserver-loopback-client] issuer=\"apiserver-loopback-client-ca@1776973914\" (2026-04-23 18:51:53 +0000 UTC to 2027-04-23 18:51:53 +0000 UTC (now=2026-04-23 19:51:54.52147866 +0000 UTC))" I0423 19:51:54.521610 1 tlsconfig.go:181] "Loaded client CA" index=0 certName="client-ca::kube-system::extension-apiserver-authentication::client-ca-file,client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" certDetail="\"kube-control-plane-signer\" [] issuer=\"\" (2026-04-23 19:39:10 +0000 UTC to 2036-04-20 19:39:10 +0000 UTC (now=2026-04-23 19:51:54.521599707 +0000 UTC))" I0423 19:51:54.521635 1 tlsconfig.go:181] "Loaded client CA" index=1 certName="client-ca::kube-system::extension-apiserver-authentication::client-ca-file,client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" certDetail="\"kube-apiserver-to-kubelet-signer\" [] issuer=\"\" (2026-04-23 19:39:14 +0000 UTC to 2036-04-20 19:39:14 +0000 UTC (now=2026-04-23 19:51:54.521626461 +0000 UTC))" I0423 19:51:54.521667 1 tlsconfig.go:181] "Loaded client CA" index=2 certName="client-ca::kube-system::extension-apiserver-authentication::client-ca-file,client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" certDetail="\"admin-kubeconfig-signer\" [] issuer=\"\" (2026-04-23 19:39:16 +0000 UTC to 2036-04-20 19:39:16 +0000 UTC (now=2026-04-23 19:51:54.521659297 +0000 UTC))" I0423 19:51:54.521682 1 tlsconfig.go:181] "Loaded client CA" index=3 certName="client-ca::kube-system::extension-apiserver-authentication::client-ca-file,client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" certDetail="\"hcco-signer\" [] issuer=\"\" (2026-04-23 19:39:20 +0000 UTC to 2036-04-20 19:39:20 +0000 UTC (now=2026-04-23 19:51:54.521674728 +0000 UTC))" I0423 19:51:54.521698 1 tlsconfig.go:181] "Loaded client CA" index=4 certName="client-ca::kube-system::extension-apiserver-authentication::client-ca-file,client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" certDetail="\"kube-csr-signer\" [] issuer=\"\" (2026-04-23 19:39:22 +0000 UTC to 2036-04-20 19:39:22 +0000 UTC (now=2026-04-23 19:51:54.521690665 +0000 UTC))" I0423 19:51:54.521714 1 tlsconfig.go:181] "Loaded client CA" index=5 certName="client-ca::kube-system::extension-apiserver-authentication::client-ca-file,client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" certDetail="\"ocm-production-2ps2bve4hjh3ovu4l3oim6c2t962kfba-kx-d84a1f03e1_customer-system-admin-signer@1776973283\" [] issuer=\"\" (2026-04-23 19:41:23 +0000 UTC to 2026-04-30 19:41:24 +0000 UTC (now=2026-04-23 19:51:54.521704542 +0000 UTC))" I0423 19:51:54.521738 1 tlsconfig.go:181] "Loaded client CA" index=6 certName="client-ca::kube-system::extension-apiserver-authentication::client-ca-file,client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" certDetail="\"ocm-production-2ps2bve4hjh3ovu4l3oim6c2t962kfba-kx-d84a1f03e1_sre-system-admin-signer@1776973283\" [] issuer=\"\" (2026-04-23 19:41:23 +0000 UTC to 2026-04-30 19:41:24 +0000 UTC (now=2026-04-23 19:51:54.521722522 +0000 UTC))" I0423 19:51:54.521754 1 tlsconfig.go:181] "Loaded client CA" index=7 certName="client-ca::kube-system::extension-apiserver-authentication::client-ca-file,client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" certDetail="\"aggregator-signer\" [] issuer=\"\" (2026-04-23 19:39:07 +0000 UTC to 2036-04-20 19:39:07 +0000 UTC (now=2026-04-23 19:51:54.521747295 +0000 UTC))" I0423 19:51:54.521930 1 tlsconfig.go:203] "Loaded serving cert" certName="serving-cert::/var/run/secrets/serving-cert/tls.crt::/var/run/secrets/serving-cert/tls.key" certDetail="\"metrics.openshift-service-ca-operator.svc\" [serving] validServingFor=[metrics.openshift-service-ca-operator.svc,metrics.openshift-service-ca-operator.svc.cluster.local] issuer=\"openshift-service-serving-signer@1776973840\" (2026-04-23 19:50:51 +0000 UTC to 2028-04-22 19:50:52 +0000 UTC (now=2026-04-23 19:51:54.521918108 +0000 UTC))" I0423 19:51:54.522102 1 named_certificates.go:53] "Loaded SNI cert" index=0 certName="self-signed loopback" certDetail="\"apiserver-loopback-client@1776973914\" [serving] validServingFor=[apiserver-loopback-client] issuer=\"apiserver-loopback-client-ca@1776973914\" (2026-04-23 18:51:53 +0000 UTC to 2027-04-23 18:51:53 +0000 UTC (now=2026-04-23 19:51:54.522092244 +0000 UTC))" I0423 19:51:54.541217 1 base_controller.go:82] Caches are synced for ServiceCAOperator I0423 19:51:54.541228 1 base_controller.go:119] Starting #1 worker of ServiceCAOperator controller ... I0423 19:51:54.541235 1 base_controller.go:82] Caches are synced for LoggingSyncer I0423 19:51:54.541245 1 base_controller.go:119] Starting #1 worker of LoggingSyncer controller ... I0423 19:51:54.543400 1 base_controller.go:82] Caches are synced for StatusSyncer_service-ca I0423 19:51:54.543412 1 base_controller.go:119] Starting #1 worker of StatusSyncer_service-ca controller ... I0423 19:51:54.644283 1 reflector.go:376] Caches populated for *v1.Secret from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251 I0423 19:51:54.844232 1 reflector.go:376] Caches populated for *v1.ConfigMap from k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251 I0423 19:51:54.941476 1 base_controller.go:82] Caches are synced for resource-sync I0423 19:51:54.941489 1 base_controller.go:119] Starting #1 worker of resource-sync controller ...