diff --git a/pkg/operator2/ca.go b/pkg/operator2/ca.go
index 8e7984e3be..bd8a96e8ec 100644
--- a/pkg/operator2/ca.go
+++ b/pkg/operator2/ca.go
@@ -15,18 +15,19 @@ const (
 	injectCABundleAnnotationValue = "true"
 )
-func (c *authOperator) handleServiceCA() (*corev1.ConfigMap, error) {
+func (c *authOperator) handleServiceCA() (*corev1.ConfigMap, *corev1.Secret, error) {
 	cm := c.configMaps.ConfigMaps(targetName)
+	secret := c.secrets.Secrets(targetName)
 	serviceCA, err := cm.Get(serviceCAName, metav1.GetOptions{})
 	if errors.IsNotFound(err) {
 		serviceCA, err = cm.Create(defaultServiceCA())
 	}
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 	if len(serviceCA.Data[serviceCAKey]) == 0 {
-		return nil, fmt.Errorf("config map has no service ca data: %#v", serviceCA)
+		return nil, nil, fmt.Errorf("config map has no service ca data: %#v", serviceCA)
 	}
 	if err := isValidServiceCA(serviceCA); err != nil {
@@ -36,10 +37,15 @@ func (c *authOperator) handleServiceCA() (*corev1.ConfigMap, error) {
 		if err := cm.Delete(serviceCA.Name, opts); err != nil && !errors.IsNotFound(err) {
 			glog.Infof("failed to delete invalid service CA config map: %v", err)
 		}
-		return nil, err
+		return nil, nil, err
 	}
-	return serviceCA, nil
+	servingCert, err := secret.Get(servingCertName, metav1.GetOptions{})
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return serviceCA, servingCert, nil
 }
 func isValidServiceCA(ca *corev1.ConfigMap) error {
diff --git a/pkg/operator2/configmap.go b/pkg/operator2/configmap.go
index 00e187f71b..f04661c636 100644
--- a/pkg/operator2/configmap.go
+++ b/pkg/operator2/configmap.go
@@ -44,7 +44,7 @@ func getMetadata(route *routev1.Route) string {
 func getMetadataConfigMap(route *routev1.Route) *corev1.ConfigMap {
 	meta := defaultMeta()
-	meta.Namespace = machineConfigNamespace
+	meta.Name = oauthMetadataName
 	return &corev1.ConfigMap{
 		ObjectMeta: meta,
 		Data: map[string]string{
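Review bot: handleServiceCA now returns a second object, but the function still carries no doc comment saying what the two results are or where they are looked up; the hunk itself shows both the config-map and secret clients are scoped to `targetName`. Suggest adding above the signature: `// handleServiceCA ensures the service CA config map exists and is valid, and returns it together with the serving-cert secret; both are read from the targetName namespace.` The `secret` client is declared right after `cm` but is first used at the very end of the function, so declaring it next to the `secret.Get` call would keep the two uses together. handleServiceCA continues past the end of this hunk.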
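Review bot: The serving-cert secret fetched by `secret.Get(servingCertName, ...)` is returned without any check on its contents, whereas the config map earlier in the function is rejected when `serviceCAKey` is empty; an empty or partially populated secret would pass through and have its resource version appended in handleSync. Suggest mirroring the check before the final return: `if len(servingCert.Data[corev1.TLSCertKey]) == 0 || len(servingCert.Data[corev1.TLSPrivateKeyKey]) == 0 { return nil, nil, fmt.Errorf("serving cert secret %s/%s has no tls data", servingCert.Namespace, servingCert.Name) }`. Do not reuse the `%#v` formatting from the config-map error for this one, because it would print the secret's private key material into the error and any log that records it. The `Get` error is also returned bare, so a NotFound on first sync gives no hint which object was missing; including `servingCertName` in the error would help. handleServiceCA starts before this hunk.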
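Review bot: Dropping `meta.Namespace = machineConfigNamespace` means the metadata ConfigMap now lives wherever `defaultMeta()` (outside this hunk) puts it, and nothing in getMetadataConfigMap records that this name and namespace form the source side of the ResourceSyncer registration added in starter.go. Suggest a comment on the `meta.Name = oauthMetadataName` line: `// name/namespace must match the source ResourceLocation registered with resourceSyncer.SyncConfigMap in starter.go`. Presumably `defaultMeta()` sets the namespace to targetName, which is what that registration expects; worth confirming since a mismatch would silently leave the synced copy stale.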
diff --git a/pkg/operator2/operator.go b/pkg/operator2/operator.go
index 89b4f404b7..e4f9d6818c 100644
--- a/pkg/operator2/operator.go
+++ b/pkg/operator2/operator.go
@@ -67,6 +67,8 @@ const (
 	cliConfigMount = systemConfigPathConfigMaps + "/" + cliConfigNameAndKey
 	cliConfigPath = cliConfigMount + "/" + cliConfigNameAndKey
+	oauthMetadataName = systemConfigPrefix + "metadata"
+
 	userConfigPath = "/var/config/user"
 	servicePort = 443
@@ -180,12 +182,7 @@ func (c *authOperator) handleSync(operatorConfig *operatorv1.Authentication) err
 	}
 	resourceVersions = append(resourceVersions, route.GetResourceVersion())
-	serviceCA, err := c.handleServiceCA()
-	if err != nil {
-		return err
-	}
-	resourceVersions = append(resourceVersions, serviceCA.GetResourceVersion())
-
+	// make sure API server sees our metadata as soon as we've got a route with a host
 	metadata, _, err := resourceapply.ApplyConfigMap(c.configMaps, c.recorder, getMetadataConfigMap(route))
 	if err != nil {
 		return err
@@ -198,6 +195,12 @@ func (c *authOperator) handleSync(operatorConfig *operatorv1.Authentication) err
 	}
 	resourceVersions = append(resourceVersions, authConfig.GetResourceVersion())
+	serviceCA, servingCert, err := c.handleServiceCA()
+	if err != nil {
+		return err
+	}
+	resourceVersions = append(resourceVersions, serviceCA.GetResourceVersion(), servingCert.GetResourceVersion())
+
 	service, _, err := resourceapply.ApplyService(c.services, c.recorder, defaultService())
 	if err != nil {
 		return err
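Review bot: `c.handleServiceCA()` is now called before `resourceapply.ApplyService(...)`, and since the ca.go hunk makes handleServiceCA fail whenever the serving-cert secret cannot be read, a sync on a cluster where that secret does not yet exist returns before the Service is applied. If the secret is minted from an annotation on the Service (not visible in this diff), a fresh install could loop on NotFound without ever creating the Service that would produce it; moving the handleServiceCA call after ApplyService, or tolerating `errors.IsNotFound` on the secret until the Service exists, would avoid that. The comment added in the earlier hunk explains why the metadata apply moved up, but nothing explains the new position of the service CA block; a one-line why-comment above the call, e.g. `// serving cert must exist before it is wired into the deployment below`, would help the next reader. handleSync starts and ends outside this hunk.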
@@ -235,9 +238,14 @@ func (c *authOperator) handleSync(operatorConfig *operatorv1.Authentication) err
 	}
 	resourceVersions = append(resourceVersions, cliConfig.GetResourceVersion())
+	operatorDeployment, err := c.deployments.Deployments(targetNameOperator).Get(targetNameOperator, metav1.GetOptions{})
+	if err != nil {
+		return err
+	}
+	resourceVersions = append(resourceVersions, operatorDeployment.GetResourceVersion())
+
 	// deployment, have RV of all resources
 	// TODO use ExpectedDeploymentGeneration func
-	// TODO we also need the RV for the serving-cert secret (servingCertName)
 	expectedDeployment := defaultDeployment(
 		operatorConfig,
 		syncData,
diff --git a/pkg/operator2/starter.go b/pkg/operator2/starter.go
index 5d00f4f864..e1cff56e60 100644
--- a/pkg/operator2/starter.go
+++ b/pkg/operator2/starter.go
@@ -112,7 +112,12 @@ func RunOperator(ctx *controllercmd.ControllerContext) error {
 		v1helpers.EnsureOperatorConfigExists(dynamicClient, []byte(resource), gvr)
 	}
-	resourceSyncerInformers := v1helpers.NewKubeInformersForNamespaces(kubeClient, targetName, userConfigNamespace)
+	resourceSyncerInformers := v1helpers.NewKubeInformersForNamespaces(
+		kubeClient,
+		targetName,
+		userConfigNamespace,
+		machineConfigNamespace,
+	)
 	operatorClient := &OperatorClient{
 		authOperatorConfigInformers,
@@ -127,6 +132,14 @@ func RunOperator(ctx *controllercmd.ControllerContext) error {
 		ctx.EventRecorder,
 	)
+	// add syncing for the OAuth metadata ConfigMap
+	if err := resourceSyncer.SyncConfigMap(
+		resourcesynccontroller.ResourceLocation{Namespace: machineConfigNamespace, Name: targetName},
+		resourcesynccontroller.ResourceLocation{Namespace: targetName, Name: oauthMetadataName},
+	); err != nil {
+		return err
+	}
+
 	operator := NewAuthenticationOperator(
 		*operatorClient,
 		kubeInformersNamespaced,
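Review bot: The new `c.deployments.Deployments(targetNameOperator).Get(...)` adds the operator's own Deployment to `resourceVersions`, but nothing says why the operand should be rolled whenever the operator's deployment changes, and the existing comment two lines down still only says "RV of all resources". Suggest a comment above the Get: `// include the operator's own deployment RV so the operand is redeployed when the operator is updated — NOTE(review): confirm this is intended rather than a leftover`. The bare `return err` also loses which object was being fetched; the rest of handleSync uses the same style, so that is a file-wide choice rather than a defect of this hunk alone. handleSync starts and ends outside this hunk.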
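Review bot: The informer factory now also covers `machineConfigNamespace`, presumably so the SyncConfigMap registration added in the next hunk can watch its destination, but the call site gives no hint of that and a later reader may drop it as unused. Suggest a comment above the call: `// machineConfigNamespace is included so the resource syncer can watch the synced OAuth metadata copy there`. RunOperator starts and ends outside this hunk.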
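Review bot: The two positional `ResourceLocation` arguments to `resourceSyncer.SyncConfigMap` do not show which is the source and which the destination; with library-go's `(destination, source)` order this copies `targetName/oauthMetadataName` into `machineConfigNamespace/targetName`, which is easy to read backwards. Suggest stating the direction in the existing comment: `// sync the OAuth metadata ConfigMap from targetName/oauthMetadataName to machineConfigNamespace/targetName`. If the vendored signature is the other way round, the call itself is wrong rather than the comment, so worth checking against the library version in this repository. RunOperator starts and ends outside this hunk.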