openshift / hypershift

Hyperscale OpenShift - clusters with hosted control planes

Home Page:https://hypershift-docs.netlify.app


Unable to Register New Nodes in HostedCluster When Adding API Server Certificate

alfredtm opened this issue · comments

Hello! When adding an API server certificate to the HostedCluster

apiVersion: hypershift.openshift.io/v1beta1
kind: HostedCluster
metadata:
  name: test
  namespace: test
spec:
  configuration:
    apiServer:
      servingCerts:
        namedCertificates:
        - servingCertificate:
            name: tls-secret

The bootstrap-kubeconfig is no longer trusted

Unable to connect to the server: tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "root-ca")

This seems to be an issue when adding new nodes (using KubeVirt) to the cluster. They don't register/show up on the HostedCluster.

When not adding certificate to the apiServer the nodes register fine.

I resolved this by setting servicePublishingStrategy.loadBalancer.hostname to the apiServer's internal service URL.

The certificate-authority-data in bootstrap-kubeconfig is then trusted.

Reopening this issue
We are experiencing issues using the apiserver internal service url at a later stage in our deployment.

Ideally we would like to use the external apiserver FQDN in servicePublishingStrategy.loadBalancer.hostname. But when adding the apiserver certificate, the bootstrap-kubeconfig is no longer trusted.

Is there any way to modify the bootstrap-kubeconfig?

I also found this issue, which seems to be the same issue I am experiencing:
https://issues.redhat.com/browse/OCPBUGS-19067
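An added diagnostic for the failure described in this issue (example code, not part of the issue or of the HyperShift code base): it rebuilds the mismatch with constructed CAs and answers whether the CA embedded in a bootstrap kubeconfig's certificate-authority-data verifies the certificate the API server presents on the hostname the nodes connect to. The function names (NewCert, PEMOf, BootstrapCATrusts), the CA common names and the hostnames are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// NewCert builds a self-signed CA (parent == nil) or a serving cert signed by
// parent. Constructed test material only; no key here belongs to a real cluster.
func NewCert(cn string, dns []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		DNSNames:              dns,
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
	}
	signer, signKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signKey = parent, parentKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// PEMOf encodes a certificate the way certificate-authority-data carries it (after base64 decoding).
func PEMOf(c *x509.Certificate) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}) }

// BootstrapCATrusts reports whether the CA from the bootstrap kubeconfig verifies the
// serving certificate for apiHost; a non-nil error is what the kubelet would report.
func BootstrapCATrusts(caPEM []byte, servingCert *x509.Certificate, apiHost string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return errors.New("certificate-authority-data contains no CA certificate")
	}
	_, err := servingCert.Verify(x509.VerifyOptions{Roots: roots, DNSName: apiHost})
	return err
}
```

With a named certificate issued by a CA other than the cluster's root-ca, the check fails for the external hostname exactly as the kubelet does; pointing the nodes at a hostname that the root-ca-signed certificate covers is why the internal service URL workaround registers nodes again.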

We have the same issue.

Same issue here, has anyone solved it?