Describe the bug
There is an issue in the address space controller: if the user doesn't provide their own trust store on the authentication service CR, the controller copies the container's trust store /etc/ssl/certs/ca-bundle.crt and stores it in a secret authservice-ca.${INFRA_UUID}. Nothing in the operator reconciles the contents of this secret, so if the container's trust store changes, the change is never reflected in the secret until the next update to the address space's configuration that takes the update branch of CreateController#reconcileActive() and causes the resources to be recreated.
The controller really ought to compare the key material from the source with the desired state as part of its update check.
It should also be using the injected trust from the OpenShift platform rather than relying on the trust from the container image (edit: retracted last part - that would have broken use-cases where the external auth service is dialling out to a service secured by a public CA).
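The reconcile check described above, as an added illustration (not EnMasse's own code, and written in Go rather than the operator's Java): the decision is driven by comparing the desired CA material against what the secret currently holds, so a changed container bundle triggers an update without waiting for an unrelated configuration change. The secret data key `ca.crt` and the `TrustSource` / `Secret` types are assumptions of this example.

```go
package main

import (
	"bytes"
	"fmt"
)

// Action is the reconcile decision for the trust secret.
type Action int

const (
	NoOp   Action = iota // stored material already matches the source
	Create               // secret does not exist yet
	Update               // secret exists but its contents are stale
)

// Secret is a minimal stand-in for a Kubernetes Secret's name and data map.
type Secret struct {
	Name string
	Data map[string][]byte
}

// TrustSource holds the two possible inputs: trust supplied on the
// AuthenticationService CR (nil when absent) and the container's own
// bundle as read from /etc/ssl/certs/ca-bundle.crt.
type TrustSource struct {
	UserProvided    []byte
	ContainerBundle []byte
}

// reconcileTrustSecret decides what to do with authservice-ca.<INFRA_UUID>
// by comparing desired key material with the stored copy, instead of only
// checking whether the secret exists.
func reconcileTrustSecret(infraUUID string, src TrustSource, existing *Secret) (Action, *Secret) {
	desired := src.UserProvided
	if desired == nil {
		desired = src.ContainerBundle // fall back to the container trust store
	}
	want := &Secret{Name: "authservice-ca." + infraUUID, Data: map[string][]byte{"ca.crt": desired}}
	if existing == nil {
		return Create, want
	}
	if bytes.Equal(existing.Data["ca.crt"], desired) {
		return NoOp, existing // contents unchanged: nothing to reconcile
	}
	return Update, want // source drifted from the stored copy
}

func main() {
	// Constructed sample: the container bundle changes between two reconciles.
	src := TrustSource{ContainerBundle: []byte("BUNDLE-V1")}
	action, secret := reconcileTrustSecret("0000-uuid", src, nil)
	fmt.Println(action, secret.Name)
	src.ContainerBundle = []byte("BUNDLE-V2")
	action, _ = reconcileTrustSecret("0000-uuid", src, secret)
	fmt.Println(action) // Update: the stale secret is rewritten
}
```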