OCPBUGS-9037, OCPBUGS-64565: Ensure canary cert matches the default ingress controller's cert

[rfredette]

Add the canary certificate controller, which makes sure the certificate used for the ingress canary is the same as the default ingress controller's certificate.

This is part of the fix for OCPBUGS-9037 and OCPBUGS-64565

[openshift-ci-robot]

@rfredette: This pull request references Jira Issue OCPBUGS-9037, which is invalid:

• expected the bug to target either version "4.22." or "openshift-4.22.", but it targets "4.21.0" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

This pull request references Jira Issue OCPBUGS-64565, which is invalid:

• expected the bug to target either version "4.22." or "openshift-4.22.", but it targets "4.21.0" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Add the canary certificate controller, which makes sure the certificate used for the ingress canary is the same as the default ingress controller's certificate.

This is part of the fix for OCPBUGS-9037 and OCPBUGS-64565

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[Miciah]

/assign

[candita]

Does this replace #1155?

[rfredette]

Does this replace #1155?

Yes, it does. It was failing all e2e tests, so I wanted to wait until it's not totally unsound before obsoleting that PR.

[rfredette]

/jira refresh

[openshift-ci-robot]

@rfredette: This pull request references Jira Issue OCPBUGS-9037, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @lihongan

This pull request references Jira Issue OCPBUGS-64565, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @lihongan

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[candita]

/assign

[candita]

/approve

Hold for @Miciah to tag with lgtm.
/hold

[Miciah]

The lack of EquateEmpty is the only thing I noticed that might have some functional impact. Other comments and suggestions concern trivial stylistic issues. Feel free to accept or drop those suggestions.

/lgtm

[Miciah]

Excellent! Thanks!

/lgtm

/hold cancel

[lihongan]

/retest

[rfredette]

/retest-required

[lihongan]

/verified by @lihongan

$ oc get co/ingress
NAME      VERSION                                                AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
ingress   4.22.0-0-2026-01-26-021051-test-ci-ln-66tbq2k-latest   True        False         False      42m     

// with this change, the server certificate looks like
$ curl https://canary-openshift-ingress-canary.apps.ci-ln-66tbq2k-76ef8.aws-2.ci.openshift.org -kv
<......>
* Server certificate:
*  subject: CN=*.apps.ci-ln-66tbq2k-76ef8.aws-2.ci.openshift.org
*  start date: Jan 26 02:31:55 2026 GMT
*  expire date: Jan 26 02:31:56 2028 GMT
*  issuer: CN=ingress-operator@1769394712
 
// without the change, canary route uses certificate issued by openshift-service-serving-signer
* Server certificate:
*  subject: CN=ingress-canary.openshift-ingress-canary.svc
*  start date: Jan 26 06:50:35 2026 GMT
*  expire date: Jan 26 06:50:36 2028 GMT
*  issuer: CN=openshift-service-serving-signer@1769410009

[openshift-ci-robot]

@lihongan: This PR has been marked as verified by @lihongan.

Details

In response to this:

/verified by @lihongan

$ oc get co/ingress
NAME      VERSION                                                AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
ingress   4.22.0-0-2026-01-26-021051-test-ci-ln-66tbq2k-latest   True        False         False      42m     

// with this change, the server certificate looks like
$ curl https://canary-openshift-ingress-canary.apps.ci-ln-66tbq2k-76ef8.aws-2.ci.openshift.org -kv
<......>
* Server certificate:
*  subject: CN=*.apps.ci-ln-66tbq2k-76ef8.aws-2.ci.openshift.org
*  start date: Jan 26 02:31:55 2026 GMT
*  expire date: Jan 26 02:31:56 2028 GMT
*  issuer: CN=ingress-operator@1769394712

// without the change, canary route uses certificate issued by openshift-service-serving-signer
* Server certificate:
*  subject: CN=ingress-canary.openshift-ingress-canary.svc
*  start date: Jan 26 06:50:35 2026 GMT
*  expire date: Jan 26 06:50:36 2028 GMT
*  issuer: CN=openshift-service-serving-signer@1769410009

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD f97a448 and 2 for PR HEAD cbd2ce5 in total

[rikatz]

pending merge of #1142

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 6ea8127 and 1 for PR HEAD cbd2ce5 in total

[rikatz]

@rfredette maybe it is worth rebasing over master as Grant's fix has merged

edit: nevermind, it is passing now 🥳

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD ea67a8c and 0 for PR HEAD cbd2ce5 in total

[openshift-ci-robot]

/hold

Revision cbd2ce5 was retested 3 times: holding

[melvinjoseph86]

/retest

[rikatz]

/hold cancel

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 9963c95 and 2 for PR HEAD cbd2ce5 in total

[openshift-ci]

@rfredette: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

@rfredette: Jira Issue OCPBUGS-9037: All pull requests linked via external trackers have merged:

• openshift/origin#28301
• openshift/cluster-ingress-operator#978
• openshift/cluster-ingress-operator#1334

Jira Issue OCPBUGS-9037 has been moved to the MODIFIED state.

Jira Issue Verification Checks: Jira Issue OCPBUGS-64565
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-64565 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

Add the canary certificate controller, which makes sure the certificate used for the ingress canary is the same as the default ingress controller's certificate.

This is part of the fix for OCPBUGS-9037 and OCPBUGS-64565

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-robot]

Fix included in accepted release 4.22.0-0.nightly-2026-01-28-225830