openshift · jhadvig · Jan 14, 2026
diff --git a/pkg/console/operator/operator.go b/pkg/console/operator/operator.go
@@ -250,7 +250,7 @@ func NewConsoleOperator(
 		factory.NamesFilter(api.OAuthClientName),
 		oauthClientSwitchedInformer.Informer(),
 	).WithFilteredEventsInformers(
-		util.IncludeNamesFilter(deployment.ConsoleOauthConfigName),
+		util.IncludeNamesFilter(deployment.ConsoleOauthConfigName, api.ConsoleServingCertName),
 		secretsInformer.Informer(),
 	).WithFilteredEventsInformers(
 		util.IncludeNamesFilter(telemetry.TelemetryConfigMapName),

diff --git a/pkg/console/operator/sync_v400.go b/pkg/console/operator/sync_v400.go
@@ -177,6 +177,12 @@ func (co *consoleOperator) sync_v400(ctx context.Context, controllerContext fact
 		return statusHandler.FlushAndReturn(secErr)
 	}
 
+	consoleServingCertSecret, servingCertErr := co.secretsLister.Secrets(api.TargetNamespace).Get(api.ConsoleServingCertName)
+	statusHandler.AddConditions(status.HandleProgressingOrDegraded("ConsoleServingCertSecretGet", "FailedGet", servingCertErr))
+	if servingCertErr != nil {
+		return statusHandler.FlushAndReturn(servingCertErr)
+	}
+
 	actualDeployment, depErrReason, depErr := co.SyncDeployment(
 		ctx,
 		set.Operator,
@@ -187,6 +193,7 @@ func (co *consoleOperator) sync_v400(ctx context.Context, controllerContext fact
 		trustedCAConfigMap,
 		clientSecret,
 		sessionSecret,
+		consoleServingCertSecret,
 		set.Proxy,
 		set.Infrastructure,
 		controllerContext.Recorder(),
@@ -274,6 +281,7 @@ func (co *consoleOperator) SyncDeployment(
 	trustedCAConfigMap *corev1.ConfigMap,
 	sec *corev1.Secret,
 	sessionSecret *corev1.Secret,
+	consoleServingCertSecret *corev1.Secret,
 	proxyConfig *configv1.Proxy,
 	infrastructureConfig *configv1.Infrastructure,
 	recorder events.Recorder,
@@ -288,6 +296,7 @@ func (co *consoleOperator) SyncDeployment(
 		trustedCAConfigMap,
 		sec,
 		sessionSecret,
+		consoleServingCertSecret,
 		proxyConfig,
 		infrastructureConfig,
 	)

diff --git a/pkg/console/subresource/deployment/deployment.go b/pkg/console/subresource/deployment/deployment.go
@@ -39,6 +39,7 @@ const (
 	authnConfigVersionAnnotation                   = "console.openshift.io/authentication-config-version"
 	authnCATrustConfigMapResourceVersionAnnotation = "console.openshift.io/authn-ca-trust-config-version"
 	sessionSecretRVAnnotation                      = "console.openshift.io/session-secret-version"
+	servingCertSecretResourceVersionAnnotation     = "console.openshift.io/serving-cert-secret-version"
 )
 
 var (
@@ -51,6 +52,7 @@ var (
 		trustedCAConfigMapResourceVersionAnnotation,
 		secretResourceVersionAnnotation,
 		consoleImageAnnotation,
+		servingCertSecretResourceVersionAnnotation,
 	}
 )
 
@@ -73,6 +75,7 @@ func DefaultDeployment(
 	trustedCAConfigMap *corev1.ConfigMap,
 	oAuthClientSecret *corev1.Secret,
 	sessionSecret *corev1.Secret,
+	consoleServingCertSecret *corev1.Secret,
 	proxyConfig *configv1.Proxy,
 	infrastructureConfig *configv1.Infrastructure,
 ) *appsv1.Deployment {
@@ -93,6 +96,7 @@ func DefaultDeployment(
 		trustedCAConfigMap,
 		oAuthClientSecret,
 		sessionSecret,
+		consoleServingCertSecret,
 		proxyConfig,
 		infrastructureConfig,
 	)
@@ -200,6 +204,7 @@ func withConsoleAnnotations(
 	trustedCAConfigMap *corev1.ConfigMap,
 	oAuthClientSecret *corev1.Secret,
 	sessionSecret *corev1.Secret,
+	consoleServingCertSecret *corev1.Secret,
 	proxyConfig *configv1.Proxy,
 	infrastructureConfig *configv1.Infrastructure,
 ) {
@@ -211,6 +216,7 @@ func withConsoleAnnotations(
 		infrastructureConfigResourceVersionAnnotation: infrastructureConfig.GetResourceVersion(),
 		secretResourceVersionAnnotation:               oAuthClientSecret.GetResourceVersion(),
 		consoleImageAnnotation:                        util.GetImageEnv("CONSOLE_IMAGE"),
+		servingCertSecretResourceVersionAnnotation:    consoleServingCertSecret.GetResourceVersion(),
 	}
 
 	if authServerCAConfigMap != nil {

diff --git a/pkg/console/subresource/deployment/deployment_test.go b/pkg/console/subresource/deployment/deployment_test.go
@@ -46,6 +46,7 @@ func TestDefaultDeployment(t *testing.T) {
 		trustedCAConfigMap             *corev1.ConfigMap
 		oAuthClientSecret              *corev1.Secret
 		sessionSecret                  *corev1.Secret
+		consoleServingCertSecret       *corev1.Secret
 		proxyConfig                    *configv1.Proxy
 		infrastructureConfig           *configv1.Infrastructure
 	}
@@ -82,6 +83,7 @@ func TestDefaultDeployment(t *testing.T) {
 			proxyConfigResourceVersionAnnotation:           "",
 			infrastructureConfigResourceVersionAnnotation:  "",
 			consoleImageAnnotation:                         "",
+			servingCertSecretResourceVersionAnnotation:     "",
 		},
 		OwnerReferences: []metav1.OwnerReference{{
 			APIVersion: "operator.openshift.io/v1",
@@ -136,6 +138,7 @@ func TestDefaultDeployment(t *testing.T) {
 		proxyConfigResourceVersionAnnotation:           "",
 		infrastructureConfigResourceVersionAnnotation:  "",
 		consoleImageAnnotation:                         "",
+		servingCertSecretResourceVersionAnnotation:     "",
 		workloadManagementAnnotation:                   workloadManagementAnnotationValue,
 		requiredSCCAnnotation:                          "restricted-v2",
 	}
@@ -213,8 +216,9 @@ func TestDefaultDeployment(t *testing.T) {
 					StringData: nil,
 					Type:       "",
 				},
-				proxyConfig:          proxyConfig,
-				infrastructureConfig: infrastructureConfigHighlyAvailable,
+				consoleServingCertSecret: &corev1.Secret{},
+				proxyConfig:              proxyConfig,
+				infrastructureConfig:     infrastructureConfigHighlyAvailable,
 			},
 			want: &appsv1.Deployment{
 				TypeMeta: metav1.TypeMeta{
@@ -292,8 +296,9 @@ func TestDefaultDeployment(t *testing.T) {
 					StringData: nil,
 					Type:       "",
 				},
-				proxyConfig:          proxyConfig,
-				infrastructureConfig: infrastructureConfigHighlyAvailable,
+				consoleServingCertSecret: &corev1.Secret{},
+				proxyConfig:              proxyConfig,
+				infrastructureConfig:     infrastructureConfigHighlyAvailable,
 			},
 			want: &appsv1.Deployment{
 				TypeMeta: metav1.TypeMeta{
@@ -370,8 +375,9 @@ func TestDefaultDeployment(t *testing.T) {
 					StringData: nil,
 					Type:       "",
 				},
-				proxyConfig:          proxyConfig,
-				infrastructureConfig: infrastructureConfigSingleReplica,
+				consoleServingCertSecret: &corev1.Secret{},
+				proxyConfig:              proxyConfig,
+				infrastructureConfig:     infrastructureConfigSingleReplica,
 			},
 			want: &appsv1.Deployment{
 				TypeMeta: metav1.TypeMeta{
@@ -441,8 +447,9 @@ func TestDefaultDeployment(t *testing.T) {
 					StringData: nil,
 					Type:       "",
 				},
-				proxyConfig:          proxyConfig,
-				infrastructureConfig: infrastructureConfigExternalTopologyMode,
+				consoleServingCertSecret: &corev1.Secret{},
+				proxyConfig:              proxyConfig,
+				infrastructureConfig:     infrastructureConfigExternalTopologyMode,
 			},
 			want: &appsv1.Deployment{
 				TypeMeta: metav1.TypeMeta{
@@ -514,6 +521,7 @@ func TestDefaultDeployment(t *testing.T) {
 				tt.args.trustedCAConfigMap,
 				tt.args.oAuthClientSecret,
 				tt.args.sessionSecret,
+				tt.args.consoleServingCertSecret,
 				tt.args.proxyConfig,
 				tt.args.infrastructureConfig,
 			), tt.want); diff != nil {
@@ -525,16 +533,17 @@ func TestDefaultDeployment(t *testing.T) {
 
 func TestWithConsoleAnnotations(t *testing.T) {
 	type args struct {
-		deployment            *appsv1.Deployment
-		consoleConfigMap      *corev1.ConfigMap
-		serviceCAConfigMap    *corev1.ConfigMap
-		authServerCAConfigMap *corev1.ConfigMap
-		trustedCAConfigMap    *corev1.ConfigMap
-		oAuthClientSecret     *corev1.Secret
-		sessionSecret         *corev1.Secret
-		proxyConfig           *configv1.Proxy
-		infrastructureConfig  *configv1.Infrastructure
-		authnConfig           *configv1.Authentication
+		deployment               *appsv1.Deployment
+		consoleConfigMap         *corev1.ConfigMap
+		serviceCAConfigMap       *corev1.ConfigMap
+		authServerCAConfigMap    *corev1.ConfigMap
+		trustedCAConfigMap       *corev1.ConfigMap
+		oAuthClientSecret        *corev1.Secret
+		sessionSecret            *corev1.Secret
+		consoleServingCertSecret *corev1.Secret
+		proxyConfig              *configv1.Proxy
+		infrastructureConfig     *configv1.Infrastructure
+		authnConfig              *configv1.Authentication
 	}
 
 	consoleConfigMap := &corev1.ConfigMap{
@@ -584,6 +593,12 @@ func TestWithConsoleAnnotations(t *testing.T) {
 		},
 	}
 
+	consoleServingCertSecret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			ResourceVersion: "202020",
+		},
+	}
+
 	tests := []struct {
 		name string
 		args args
@@ -606,13 +621,14 @@ func TestWithConsoleAnnotations(t *testing.T) {
 						},
 					},
 				},
-				consoleConfigMap:      consoleConfigMap,
-				serviceCAConfigMap:    serviceCAConfigMap,
-				authServerCAConfigMap: oauthServingCertConfigMap,
-				trustedCAConfigMap:    trustedCAConfigMap,
-				oAuthClientSecret:     oAuthClientSecret,
-				proxyConfig:           proxyConfig,
-				infrastructureConfig:  infrastructureConfig,
+				consoleConfigMap:         consoleConfigMap,
+				serviceCAConfigMap:       serviceCAConfigMap,
+				authServerCAConfigMap:    oauthServingCertConfigMap,
+				trustedCAConfigMap:       trustedCAConfigMap,
+				oAuthClientSecret:        oAuthClientSecret,
+				consoleServingCertSecret: consoleServingCertSecret,
+				proxyConfig:              proxyConfig,
+				infrastructureConfig:     infrastructureConfig,
 			},
 			want: &appsv1.Deployment{
 				ObjectMeta: metav1.ObjectMeta{
@@ -625,6 +641,7 @@ func TestWithConsoleAnnotations(t *testing.T) {
 						infrastructureConfigResourceVersionAnnotation:  infrastructureConfig.GetResourceVersion(),
 						secretResourceVersionAnnotation:                oAuthClientSecret.GetResourceVersion(),
 						consoleImageAnnotation:                         util.GetImageEnv("CONSOLE_IMAGE"),
+						servingCertSecretResourceVersionAnnotation:     consoleServingCertSecret.GetResourceVersion(),
 					},
 				},
 				Spec: appsv1.DeploymentSpec{
@@ -640,6 +657,7 @@ func TestWithConsoleAnnotations(t *testing.T) {
 								infrastructureConfigResourceVersionAnnotation:  infrastructureConfig.GetResourceVersion(),
 								secretResourceVersionAnnotation:                oAuthClientSecret.GetResourceVersion(),
 								consoleImageAnnotation:                         util.GetImageEnv("CONSOLE_IMAGE"),
+								servingCertSecretResourceVersionAnnotation:     consoleServingCertSecret.GetResourceVersion(),
 							},
 						},
 					},
@@ -649,7 +667,7 @@ func TestWithConsoleAnnotations(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			withConsoleAnnotations(tt.args.deployment, tt.args.consoleConfigMap, tt.args.serviceCAConfigMap, tt.args.authServerCAConfigMap, tt.args.trustedCAConfigMap, tt.args.oAuthClientSecret, tt.args.sessionSecret, tt.args.proxyConfig, tt.args.infrastructureConfig)
+			withConsoleAnnotations(tt.args.deployment, tt.args.consoleConfigMap, tt.args.serviceCAConfigMap, tt.args.authServerCAConfigMap, tt.args.trustedCAConfigMap, tt.args.oAuthClientSecret, tt.args.sessionSecret, tt.args.consoleServingCertSecret, tt.args.proxyConfig, tt.args.infrastructureConfig)
 			if diff := deep.Equal(tt.args.deployment, tt.want); diff != nil {
 				t.Error(diff)
 			}