OCPBUGS-74511: remove RouteExternalCertificate feature gate

[jcmoraisjr]

RouteExternalCertificate is enabled by default, this is the second half of the changes to remove it and should be merged only after openshift/cluster-ingress-operator#1355 being merged.

Jira: https://issues.redhat.com/browse/OCPBUGS-74511

[openshift-ci-robot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci]

Hello @jcmoraisjr! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

[openshift-ci-robot]

@jcmoraisjr: This pull request references Jira Issue OCPBUGS-74511, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @melvinjoseph86

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

RouteExternalCertificate is enabled by default, this is the second half of the changes to remove it and should be merged only after openshift/cluster-ingress-operator#1355 being merged.

Jira: https://issues.redhat.com/browse/OCPBUGS-74511

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request removes the RouteExternalCertificate feature gate across the codebase and manifests. Changes include deleting the exported feature gate declaration and its legacy entries, removing the feature from multiple feature-gate YAML payloads and features.md, removing OpenShift feature-gate annotations and the feature-gated validation in route/v1 types and proto, and deleting the feature from generated CRD manifests and related tests. No other feature gates or public API signatures (beyond TLSConfig validation annotation adjustments) were added or modified.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: removing the RouteExternalCertificate feature gate across multiple files.
Description check	✅ Passed	The description is directly related to the changeset, explaining that RouteExternalCertificate is being removed and noting it is the second half of changes with a dependency.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

Error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented
The command is terminated due to an error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign deads2k for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[qodo-code-review]

Review Summary by Qodo

Remove RouteExternalCertificate feature gate from all profiles

✨ Enhancement

Walkthroughs

Description

• Remove RouteExternalCertificate feature gate completely
• Update feature gate definitions across all deployment profiles
• Clean up generated OpenAPI and feature documentation
• Simplify feature flag configuration by removing deprecated gate

Diagram

flowchart LR
  A["RouteExternalCertificate<br/>Feature Gate"] -->|Remove| B["Feature Definitions"]
  B -->|Update| C["All Deployment Profiles"]
  C -->|Regenerate| D["OpenAPI & Docs"]

Loading

File Changes

1. features/features.go ✨ Enhancement +0/-8

Remove RouteExternalCertificate gate definition

features/features.go

---

2. features.md 📝 Documentation +0/-1

Update feature documentation

features.md

---

3. openapi/generated_openapi/zz_generated.openapi.go Miscellaneous +345/-69428

Regenerate OpenAPI definitions

openapi/generated_openapi/zz_generated.openapi.go

---

View more (8)

4. payload-manifests/featuregates/featureGate-SelfManagedHA-OKD.yaml ⚙️ Configuration changes +0/-3

Remove gate from OKD profile

payload-manifests/featuregates/featureGate-SelfManagedHA-OKD.yaml

---

5. payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml ⚙️ Configuration changes +0/-3

Remove gate from default profile

payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml

---

6. payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml ⚙️ Configuration changes +0/-3

Remove gate from Hypershift preview

payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml

---

7. payload-manifests/featuregates/featureGate-Hypershift-OKD.yaml ⚙️ Configuration changes +0/-3

Remove gate from Hypershift OKD

payload-manifests/featuregates/featureGate-Hypershift-OKD.yaml

---

8. payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml ⚙️ Configuration changes +0/-3

Remove gate from self-managed preview

payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml

---

9. payload-manifests/featuregates/featureGate-Hypershift-Default.yaml ⚙️ Configuration changes +0/-3

Remove gate from Hypershift default

payload-manifests/featuregates/featureGate-Hypershift-Default.yaml

---

10. payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml ⚙️ Configuration changes +0/-3

Remove gate from Hypershift tech preview

payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml

---

11. payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml ⚙️ Configuration changes +0/-3

Remove gate from self-managed tech preview

payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml

---

[jcmoraisjr]

/hold

[qodo-code-review]

Code Review by Qodo

🐞 Bugs (2) 📘 Rule violations (0) 📎 Requirement gaps (0)

1. Gate removal inconsistent 🐞 Bug ✓ Correctness

Description

• RouteExternalCertificate was removed from the FeatureGate payload manifests (and the features
  registry), but the route API still declares fields/validations behind RouteExternalCertificate and
  the repo still carries generated featuregated CRD metadata and integration tests for it.
• This inconsistency makes the feature’s actual enablement unclear: clusters can no longer enable
  the gate via FeatureSet manifests, yet API schema/tests/docs still treat it as a live feature gate.
• Result is high risk of confusing behavior (feature appears supported in API artifacts but is not
  enable-able via cluster FeatureGates), and ongoing maintenance burden (stale tests/docs).

Code

payload-manifests/featuregates/featureGate-Hypershift-Default.yaml[L320-322]

-                    {
-                        "name": "RouteExternalCertificate"
-                    },

Evidence

The FeatureGate payload manifests no longer list RouteExternalCertificate as enabled/disabled, but
the route API and generated/test artifacts still reference it as an active feature gate. That
mismatch strongly suggests the repo is only partially updated: configuration-level enablement was
removed, but API gating and associated generated/test/doc artifacts weren’t cleaned up or migrated.

payload-manifests/featuregates/featureGate-Hypershift-Default.yaml[317-323]
payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml[315-323]
route/v1/types.go[422-480]
route/v1/zz_generated.featuregated-crd-manifests.yaml[1-10]
route/v1/tests/routes.route.openshift.io/RouteExternalCertificate.yaml[1-6]
README.md[55-82]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`RouteExternalCertificate` is removed from FeatureGate payload manifests / registration, but the route API and generated/test/doc artifacts still treat it as an active feature gate. This leaves the repo in an inconsistent state where the gate appears to exist for API gating/tests/docs, but is not enable-able via FeatureSet manifests.

## Issue Context
Evidence shows:
- FeatureGate manifests no longer include `RouteExternalCertificate`.
- Route API types still declare `ExternalCertificate` behind `+openshift:enable:FeatureGate=RouteExternalCertificate` and have FeatureGate-aware validation for it.
- Generated featuregated CRD metadata and integration tests still reference `RouteExternalCertificate`.
- README still uses it as the canonical example.

Decide intended outcome:
- **If the feature gate is being retired**: remove/ungate the API markers and delete/regenerate featuregated CRD/test/doc references.
- **If the feature gate is still intended to be supported**: restore FeatureGate registration + payload-manifest entries.

## Fix Focus Areas
- payload-manifests/featuregates/featureGate-Hypershift-Default.yaml[317-323]
- payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml[315-323]
- route/v1/types.go[422-480]
- route/v1/zz_generated.featuregated-crd-manifests.yaml[1-10]
- route/v1/tests/routes.route.openshift.io/RouteExternalCertificate.yaml[1-6]
- README.md[55-82]
- features/features.go[150-170]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

2. Stale legacy allowlist 🐞 Bug ⛯ Reliability

Description

• RouteExternalCertificate remains in legacyFeatureGates allowlists used to bypass enhancement-PR
  enforcement for ‘legacy’ gates.
• After removing the gate from the FeatureGate catalog/FeatureSets, keeping it in the allowlist
  makes it easier to accidentally reintroduce the gate without an enhancement link and obscures which
  gates are actually supported.
• This is a maintainability/process risk: it weakens the guardrail intended to prevent new,
  undocumented feature gates.

Code

features/features.go[L158-164]

-	FeatureGateRouteExternalCertificate = newFeatureGate("RouteExternalCertificate").
-						reportProblemsToJiraComponent("router").
-						contactPerson("chiragkyal").
-						productScope(ocpSpecific).
-						enhancementPR(legacyFeatureGateWithoutEnhancement).
-						enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
-						mustRegister()

Evidence

The repo still treats RouteExternalCertificate as a legacy gate in two different allowlists. Those
allowlists are explicitly used as a bypass when a feature gate registers with the
legacy/no-enhancement marker. Once the gate is removed elsewhere, leaving it in the allowlist is
inconsistent and reduces protection against accidental reintroduction.

features/legacyfeaturegates.go[84-90]
payload-command/render/legacyfeaturegates.go[88-95]
features/util.go[128-133]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`RouteExternalCertificate` remains on the legacy feature gate allowlists even though the PR removes the gate from the FeatureGate catalog/FeatureSets. These allowlists are used to bypass enhancement PR enforcement, so keeping a removed gate there weakens the guardrail and increases risk of accidental reintroduction.

## Issue Context
`legacyFeatureGates` is explicitly used when `enhancementPRURL == legacyFeatureGateWithoutEnhancement` to decide whether a gate may bypass the enhancement requirement.

## Fix Focus Areas
- features/legacyfeaturegates.go[84-90]
- payload-command/render/legacyfeaturegates.go[88-95]
- features/util.go[128-133]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

ⓘ The new review experience is currently in Beta. Learn more

[openshift-ci]

@jcmoraisjr: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/minor-e2e-upgrade-minor	6d76650	link	true	/test minor-e2e-upgrade-minor
ci/prow/verify	6d76650	link	true	/test verify
ci/prow/integration	6d76650	link	true	/test integration

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.