OCPBUGS-74511: remove RouteExternalCertificate feature gate #1355

Merged
openshift-merge-bot[bot] merged 1 commit into openshift:master from jcmoraisjr:OCPBUGS-74511-remove-featuregate
Mar 4, 2026
@jcmoraisjr
Member

@jcmoraisjr jcmoraisjr commented Feb 3, 2026

RouteExternalCertificate is enabled by default; this is the first half of the change to remove it. After merging, its declaration should be removed from openshift/api as well.

Jira: https://issues.redhat.com/browse/OCPBUGS-74511

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Feb 3, 2026
@openshift-ci-robot
Contributor

@jcmoraisjr: This pull request references Jira Issue OCPBUGS-74511, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @melvinjoseph86

The bug has been updated to refer to the pull request using the external bug tracker.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. label Feb 3, 2026
@melvinjoseph86

/retest

@melvinjoseph86

@jcmoraisjr I think we need an API PR also to test.
Today I tested with this PR and it seems the 'RouteExternalCertificate' is still enabled in the featuregate.

@openshift-ci-robot
Contributor

@jcmoraisjr: This pull request references Jira Issue OCPBUGS-74511, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @melvinjoseph86

jcmoraisjr added a commit to jcmoraisjr/openshift-api that referenced this pull request Feb 5, 2026
RouteExternalCertificate is enabled by default, this is the second half
of the changes to remove it and should be merged only after
openshift/cluster-ingress-operator#1355
being merged.
@jcmoraisjr jcmoraisjr force-pushed the OCPBUGS-74511-remove-featuregate branch from cc2729b to 9a9972e Compare February 9, 2026 20:41
@jcmoraisjr
Member Author

/retest

Comment thread pkg/operator/controller/ingress/deployment_test.go
@jcmoraisjr jcmoraisjr force-pushed the OCPBUGS-74511-remove-featuregate branch from 9a9972e to d50f599 Compare February 10, 2026 10:08
)
}
env = append(env,
corev1.EnvVar{Name: "ROUTER_ENABLE_EXTERNAL_CERTIFICATE", Value: "true"},
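
Review bot: the `corev1.EnvVar{Name: "ROUTER_ENABLE_EXTERNAL_CERTIFICATE", Value: "true"}` entry is now a hardcoded constant, and nothing at the `env = append(env,` call says why it is still set. Suggest a one-line comment above the append stating that the RouteExternalCertificate gate was removed and the value is pinned on purpose, so a later cleanup does not drop the variable as redundant.
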
Member

I was wondering what if we completely drop this environment variable, now that its default value is true

The only consumer of this environment is here: https://github.com/openshift/router/blob/d2db065ae452ecfdb482f0ac4c6778b0c0e48b7f/pkg/cmd/infra/router/router.go#L115

So, should we remove the logic from o/router first, then here?

/cc @Miciah @alebedev87

Member Author

Router change in case this is the way to go: openshift/router#730

Contributor

I was wondering what if we completely drop this environment variable

After an internal discussion we agreed on keeping the existing envvar as the safest way forward.

@openshift-ci openshift-ci Bot requested a review from Miciah February 10, 2026 10:21
@melvinjoseph86

Verified using cluster bot
Installed a cluster using all the PRs
launch 4.22,openshift/api#2693,#1355,openshift/kubernetes#2585,openshift/openshift-apiserver#604,openshift/library-go#2122,openshift/router#730 aws

➜  oc get featuregates.config.openshift.io cluster -oyaml
apiVersion: config.openshift.io/v1
kind: FeatureGate
metadata:
  annotations:
    include.release.openshift.io/self-managed-high-availability: "true"
  creationTimestamp: "2026-02-10T14:47:19Z"
  generation: 1
  name: cluster
  resourceVersion: "693"
  uid: b82ab7c5-7557-4ebf-beca-696bb6ea69cd
spec: {}
status:
  featureGates:
<-----snipp----->
    enabled:
    - name: AzureWorkloadIdentity
    - name: BuildCSIVolumes
    - name: CPMSMachineNamePrefix
    - name: ConsolePluginContentSecurityPolicy
    - name: ExternalOIDC
    - name: ExternalOIDCWithUIDAndExtraClaimMappings
    - name: GCPClusterHostedDNSInstall
    - name: GatewayAPI
    - name: GatewayAPIController
    - name: HighlyAvailableArbiter
    - name: ImageStreamImportMode
    - name: ImageVolume
    - name: KMSv1
    - name: MachineConfigNodes
    - name: ManagedBootImages
    - name: ManagedBootImagesAWS
    - name: ManagedBootImagesAzure
    - name: ManagedBootImagesCPMS
    - name: ManagedBootImagesvSphere
    - name: MetricsCollectionProfiles
    - name: MutableCSINodeAllocatableCount
    - name: NewOLM
    - name: NewOLMOwnSingleNamespace
    - name: NewOLMWebhookProviderOpenshiftServiceCA
    - name: OpenShiftPodSecurityAdmission
    - name: PinnedImages
    - name: ServiceAccountTokenNodeBinding
    - name: SigstoreImageVerification
    - name: SigstoreImageVerificationPKI
    - name: StoragePerformantSecurityPolicy
    - name: UpgradeStatus
    - name: UserNamespacesPodSecurityStandards
    - name: UserNamespacesSupport
    - name: VSphereMultiDisk
    - name: VSphereMultiNetworks
    version: 4.22.0-0-2026-02-10-142923-test-ci-ln-6krqtdk-latest

The RouteExternalCertificate is not visible in feature gate enable status.
Also the QE test case of RouteExternalCertificate is passing without any issue

passed: (1m43s) 2026-02-10T16:18:55 "[sig-network-edge] Network_Edge Component_Router Author:hongli-ROSA-OSD_CCS-ARO-High-73771-router can load secret"
Writing JUnit report to junit_e2e_20260210-161855.xml
1 pass, 0 skip (1m43s)

Hence marking as verified
/verified by @mjoseph

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Feb 10, 2026
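
The check from the verification comment above, written as an added Go example (not code from this PR or from openshift/api): it looks at the `disabled` list as well as `enabled`, and at every payload-version entry under `status.featureGates`. The type names, `GateListed`, and the sample JSON are constructed for illustration; the input is assumed to be the output of `oc get featuregates.config.openshift.io cluster -o json`.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Local mirror of only the FeatureGate fields read here; not the openshift/api type.
type gates []struct{ Name string `json:"name"` }
type featureGate struct {
	Status struct {
		FeatureGates []struct {
			Version  string `json:"version"`
			Enabled  gates  `json:"enabled"`
			Disabled gates  `json:"disabled"`
		} `json:"featureGates"`
	} `json:"status"`
}

// Constructed sample: the gate lingers as "disabled" under an older payload entry.
const sample = `{"status":{"featureGates":[
 {"version":"old-payload","enabled":[{"name":"GatewayAPI"}],"disabled":[{"name":"RouteExternalCertificate"}]},
 {"version":"new-payload","enabled":[{"name":"GatewayAPI"}],"disabled":[]}]}}`

// GateListed returns every place the gate name still appears in FeatureGate
// status (e.g. "disabled@old-payload"); an empty result means it is gone.
func GateListed(fgJSON []byte, name string) ([]string, error) {
	var fg featureGate
	if err := json.Unmarshal(fgJSON, &fg); err != nil {
		return nil, fmt.Errorf("decode FeatureGate: %w", err)
	}
	var hits []string
	for _, d := range fg.Status.FeatureGates {
		for i, list := range []gates{d.Enabled, d.Disabled} {
			for _, g := range list {
				if g.Name == name {
					hits = append(hits, []string{"enabled", "disabled"}[i]+"@"+d.Version)
				}
			}
		}
	}
	return hits, nil
}

func main() {
	hits, err := GateListed([]byte(sample), "RouteExternalCertificate")
	fmt.Println(hits, err) // [disabled@old-payload] <nil>
}
```
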
@openshift-ci-robot
Contributor

@melvinjoseph86: This PR has been marked as verified by @mjoseph.

@jcmoraisjr
Member Author

/retest

@rikatz
Member

rikatz commented Feb 25, 2026

/assign
/cc

@openshift-ci openshift-ci Bot requested a review from rikatz February 25, 2026 15:50
t.Fatalf("invalid router Deployment: %v", err)
}

// Verify that router external certificate env var is set to true.
Contributor

Now as we set this envvar unconditionally, this comment is the accurate one.

Member Author

Ow what a mess I did. Just addressed.

RouteExternalCertificate is now enabled by default. This update is
removing references to this feature gate, hardcoding its behavior as
enabled.

https://issues.redhat.com/browse/OCPBUGS-74511
@jcmoraisjr jcmoraisjr force-pushed the OCPBUGS-74511-remove-featuregate branch from d50f599 to 70bab84 Compare March 3, 2026 16:46
@openshift-ci-robot openshift-ci-robot removed the verified Signifies that the PR passed pre-merge verification criteria label Mar 3, 2026
@coderabbitai

coderabbitai Bot commented Mar 3, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 898f1ff and 70bab84.

📒 Files selected for processing (4)
  • pkg/operator/controller/ingress/controller.go
  • pkg/operator/controller/ingress/deployment.go
  • pkg/operator/controller/ingress/deployment_test.go
  • pkg/operator/operator.go

📝 Walkthrough

The changes remove the RouteExternalCertificateEnabled configuration field from the ingress controller setup. The ROUTER_ENABLE_EXTERNAL_CERTIFICATE environment variable is now unconditionally set to "true" in deployments, replacing the previous conditional logic that gated its inclusion. Feature flag computation for FeatureGateRouteExternalCertificate is removed from the operator initialization. Test coverage is simplified to validate only the scenario where external certificate support is enabled. These modifications consolidate the external certificate feature into a permanent, always-enabled state.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly and specifically identifies the main change: removing the RouteExternalCertificate feature gate. It is concise, relates directly to the changeset, and helps readers understand the primary modification. |
| Description check | ✅ Passed | The description is directly related to the changeset, explaining that RouteExternalCertificate is now enabled by default and that this PR removes the feature gate. It references the Jira ticket and indicates this is the first part of a two-part change. |

@alebedev87
Contributor

/lgtm
/approve

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Mar 3, 2026
@openshift-ci
Contributor

openshift-ci Bot commented Mar 3, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alebedev87

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 3, 2026
@melvinjoseph86

reapplying verified label based on #1355 (comment)
/verified later @mjoseph

@openshift-ci-robot openshift-ci-robot added verified-later verified Signifies that the PR passed pre-merge verification criteria labels Mar 4, 2026
@openshift-ci-robot
Contributor

@melvinjoseph86: This PR has been marked to be verified later by @mjoseph.

@melvinjoseph86

/retest

@jcmoraisjr
Member Author

/test e2e-gcp-operator

@openshift-ci
Contributor

openshift-ci Bot commented Mar 4, 2026

@jcmoraisjr: all tests passed!

@openshift-merge-bot openshift-merge-bot Bot merged commit 134fce9 into openshift:master Mar 4, 2026
18 checks passed
@openshift-ci-robot
Contributor

@jcmoraisjr: Jira Issue OCPBUGS-74511: Some pull requests linked via external trackers have merged:

The following pull request, linked via external tracker, has not merged:

All associated pull requests must be merged or unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with /jira refresh.

Jira Issue OCPBUGS-74511 has not been moved to the MODIFIED state.

This PR is marked as verified-later. Jira issue(s) in the title of this PR will require post-merge verification. After testing, it must be manually moved to the VERIFIED state.

@jcmoraisjr jcmoraisjr deleted the OCPBUGS-74511-remove-featuregate branch March 4, 2026 14:35