OCPBUGS-74511: remove RouteExternalCertificate feature gate #2693

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

jcmoraisjr wants to merge 1 commit into openshift:master from jcmoraisjr:OCPBUGS-74511-remove-featuregate

features.md

-Original file line number
+Diff line change
@@ Expand Up / @@ -101,7 +101,6 @@ @@
     | MetricsCollectionProfiles| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
     | OpenShiftPodSecurityAdmission| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
     | PinnedImages| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
-    | RouteExternalCertificate| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
     | ServiceAccountTokenNodeBinding| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
     | SigstoreImageVerification| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
     | SigstoreImageVerificationPKI| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
@@ Expand Down @@

features/features.go

-Original file line number
+Diff line change
@@ Expand Up / @@ -155,14 +155,6 @@ var ( @@
     					enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
     					mustRegister()
-    	FeatureGateRouteExternalCertificate = newFeatureGate("RouteExternalCertificate").
-    						reportProblemsToJiraComponent("router").
-    						contactPerson("chiragkyal").
-    						productScope(ocpSpecific).
-    						enhancementPR(legacyFeatureGateWithoutEnhancement).
-    						enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
-    						mustRegister()
     	FeatureGateCPMSMachineNamePrefix = newFeatureGate("CPMSMachineNamePrefix").
     						reportProblemsToJiraComponent("Cloud Compute / ControlPlaneMachineSet").
     						contactPerson("chiragkyal").
@@ Expand Down @@

features/legacyfeaturegates.go

-Original file line number
+Diff line change
@@ Expand Up / @@ -85,8 +85,6 @@ var legacyFeatureGates = sets.New( @@
     	// never add to this list, if you think you have an exception ask @deads2k
     	"PrivateHostedZoneAWS",
     	// never add to this list, if you think you have an exception ask @deads2k
-    	"RouteExternalCertificate",
-    	// never add to this list, if you think you have an exception ask @deads2k
     	"SetEIPForNLBIngressController",
     	// never add to this list, if you think you have an exception ask @deads2k
     	"SignatureStores",
@@ Expand Down @@

payload-command/render/legacyfeaturegates.go

-Original file line number
+Diff line change
@@ Expand Up / @@ -89,8 +89,6 @@ var legacyFeatureGates = sets.New( @@
     	// never add to this list, if you think you have an exception ask @deads2k
     	"PrivateHostedZoneAWS",
     	// never add to this list, if you think you have an exception ask @deads2k
-    	"RouteExternalCertificate",
-    	// never add to this list, if you think you have an exception ask @deads2k
     	"SetEIPForNLBIngressController",
     	// never add to this list, if you think you have an exception ask @deads2k
     	"SignatureStores",
@@ Expand Down @@

payload-manifests/featuregates/featureGate-Hypershift-Default.yaml

-Original file line number
+Diff line change
@@ Expand Up / @@ -317,9 +317,6 @@ @@
                         {
                             "name": "PinnedImages"
                         },
-                        {
-                            "name": "RouteExternalCertificate"
-                        },
                         {
                             "name": "ServiceAccountTokenNodeBinding"
                         },
@@ Expand Down @@

payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml

-Original file line number
+Diff line change
@@ Expand Up / @@ -301,9 +301,6 @@ @@
                         {
                             "name": "ProvisioningRequestAvailable"
                         },
-                        {
-                            "name": "RouteExternalCertificate"
-                        },
                         {
                             "name": "SELinuxMount"
                         },
@@ Expand Down @@

payload-manifests/featuregates/featureGate-Hypershift-OKD.yaml

-Original file line number
+Diff line change
@@ Expand Up / @@ -319,9 +319,6 @@ @@
                         {
                             "name": "PinnedImages"
                         },
-                        {
-                            "name": "RouteExternalCertificate"
-                        },
                         {
                             "name": "ServiceAccountTokenNodeBinding"
                         },
@@ Expand Down @@

payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml

-Original file line number
+Diff line change
@@ Expand Up / @@ -301,9 +301,6 @@ @@
                         {
                             "name": "PinnedImages"
                         },
-                        {
-                            "name": "RouteExternalCertificate"
-                        },
                         {
                             "name": "SELinuxMount"
                         },
@@ Expand Down @@

payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml

-Original file line number
+Diff line change
@@ Expand Up / @@ -317,9 +317,6 @@ @@
                         {
                             "name": "PinnedImages"
                         },
-                        {
-                            "name": "RouteExternalCertificate"
-                        },
                         {
                             "name": "ServiceAccountTokenNodeBinding"
                         },
@@ Expand Down @@

payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml

-Original file line number
+Diff line change
@@ Expand Up / @@ -301,9 +301,6 @@ @@
                         {
                             "name": "ProvisioningRequestAvailable"
                         },
-                        {
-                            "name": "RouteExternalCertificate"
-                        },
                         {
                             "name": "SELinuxMount"
                         },
@@ Expand Down @@

payload-manifests/featuregates/featureGate-SelfManagedHA-OKD.yaml

-Original file line number
+Diff line change
@@ Expand Up / @@ -319,9 +319,6 @@ @@
                         {
                             "name": "PinnedImages"
                         },
-                        {
-                            "name": "RouteExternalCertificate"
-                        },
                         {
                             "name": "ServiceAccountTokenNodeBinding"
                         },
@@ Expand Down @@

payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml

-Original file line number
+Diff line change
@@ Expand Up / @@ -301,9 +301,6 @@ @@
                         {
                             "name": "PinnedImages"
                         },
-                        {
-                            "name": "RouteExternalCertificate"
-                        },
                         {
                             "name": "SELinuxMount"
                         },
@@ Expand Down @@

route/v1/generated.proto

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

route/v1/tests/routes.route.openshift.io/RouteExternalCertificate.yaml

-Original file line number
+Diff line change
@@ -1,8 +1,6 @@
     apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this
     name: "Route"
     crdName: routes.route.openshift.io
-    featureGates:
-    - RouteExternalCertificate
     tests:
       onCreate:
         - name: Should be able to create a minimal Route
@@ Expand Down @@

route/v1/types.go

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -422,7 +422,7 @@ type RouterShard struct {
  
    // TLSConfig defines config used to secure a route and provide termination

    //

    // +kubebuilder:validation:XValidation:rule="has(self.termination) && has(self.insecureEdgeTerminationPolicy) ? !((self.termination=='passthrough') && (self.insecureEdgeTerminationPolicy=='Allow')) : true", message="cannot have both spec.tls.termination: passthrough and spec.tls.insecureEdgeTerminationPolicy: Allow"

    // +openshift:validation:FeatureGateAwareXValidation:featureGate=RouteExternalCertificate,rule="!(has(self.certificate) && has(self.externalCertificate))", message="cannot have both spec.tls.certificate and spec.tls.externalCertificate"

    // +kubebuilder:validation:XValidation:rule="!(has(self.certificate) && has(self.externalCertificate))", message="cannot have both spec.tls.certificate and spec.tls.externalCertificate"

    type TLSConfig struct {

    	// termination indicates the TLS termination type.

    	//

    @@ -475,7 +475,6 @@ type TLSConfig struct {
  
    	// The router service account needs to be granted with read-only access to this secret,

    	// please refer to openshift docs for additional details.

    	//

    	// +openshift:enable:FeatureGate=RouteExternalCertificate

    	// +optional

    	ExternalCertificate *LocalObjectReference `json:"externalCertificate,omitempty" protobuf:"bytes,7,opt,name=externalCertificate"`

    }

route/v1/zz_generated.crd-manifests/routes.crd.yaml

-Original file line number
+Diff line change
@@ Expand Up / @@ -558,13 +558,13 @@ spec: @@
                     - termination
                     type: object
                     x-kubernetes-validations:
-                    - message: cannot have both spec.tls.certificate and spec.tls.externalCertificate
-                      rule: '!(has(self.certificate) && has(self.externalCertificate))'
                     - message: 'cannot have both spec.tls.termination: passthrough and
                         spec.tls.insecureEdgeTerminationPolicy: Allow'
                       rule: 'has(self.termination) && has(self.insecureEdgeTerminationPolicy)
                         ? !((self.termination==''passthrough'') && (self.insecureEdgeTerminationPolicy==''Allow''))
                         : true'
+                    - message: cannot have both spec.tls.certificate and spec.tls.externalCertificate
+                      rule: '!(has(self.certificate) && has(self.externalCertificate))'
                   to:
                     description: |-
                       to is an object the route should use as the primary backend. Only the Service kind
@@ Expand Down @@

route/v1/zz_generated.featuregated-crd-manifests.yaml

-Original file line number
+Diff line change
@@ Expand Up / @@ -4,8 +4,7 @@ routes.route.openshift.io: @@
       CRDName: routes.route.openshift.io
       Capability: ""
       Category: ""
-      FeatureGates:
-      - RouteExternalCertificate
+      FeatureGates: []
       FilenameOperatorName: ""
       FilenameOperatorOrdering: ""
       FilenameRunLevel: ""
@@ Expand Down @@

route/v1/zz_generated.featuregated-crd-manifests/routes.route.openshift.io/AAA_ungated.yaml

-Original file line number
+Diff line change
@@ Expand Up / @@ -443,6 +443,23 @@ spec: @@
                           the short service name (service.namespace.svc), which allows infrastructure generated certificates to automatically
                           verify.
                         type: string
+                      externalCertificate:
+                        description: |-
+                          externalCertificate provides certificate contents as a secret reference.
+                          This should be a single serving certificate, not a certificate
+                          chain. Do not include a CA certificate. The secret referenced should
+                          be present in the same namespace as that of the Route.
+                          Forbidden when `certificate` is set.
+                          The router service account needs to be granted with read-only access to this secret,
+                          please refer to openshift docs for additional details.
+                        properties:
+                          name:
+                            description: |-
+                              name of the referent.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            type: string
+                        type: object
+                        x-kubernetes-map-type: atomic
                       insecureEdgeTerminationPolicy:
                         description: |-
                           insecureEdgeTerminationPolicy indicates the desired behavior for insecure connections to a route. While
@@ Expand Down Expand Up / @@ -489,6 +506,8 @@ spec: @@
                       rule: 'has(self.termination) && has(self.insecureEdgeTerminationPolicy)
                         ? !((self.termination==''passthrough'') && (self.insecureEdgeTerminationPolicy==''Allow''))
                         : true'
+                    - message: cannot have both spec.tls.certificate and spec.tls.externalCertificate
+                      rule: '!(has(self.certificate) && has(self.externalCertificate))'
                   to:
                     description: |-
                       to is an object the route should use as the primary backend. Only the Service kind
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

OCPBUGS-74511: remove RouteExternalCertificate feature gate #2693

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Uh oh!

OCPBUGS-74511: remove RouteExternalCertificate feature gate #2693

Are you sure you want to change the base?

Uh oh!

OCPBUGS-74511: remove RouteExternalCertificate feature gate #2693

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Uh oh!