Skip to content

feat(cli): add --external-certificate flag to oc create route edge/reencrypt#2299

Open
Dasmat13 wants to merge 1 commit into
openshift:mainfrom
Dasmat13:feature/external-certificate-route
Open

feat(cli): add --external-certificate flag to oc create route edge/reencrypt#2299
Dasmat13 wants to merge 1 commit into
openshift:mainfrom
Dasmat13:feature/external-certificate-route

Conversation

@Dasmat13

@Dasmat13 Dasmat13 commented Jul 6, 2026

Copy link
Copy Markdown

Summary

Adds support for spec.tls.externalCertificate (GA in OCP 4.19) to both oc create route edge and oc create route reencrypt commands via a new --external-certificate flag.

Closes #2254

Problem

oc create route edge and oc create route reencrypt have no way to set spec.tls.externalCertificate at creation time. Users who integrate cert-manager or other external certificate managers must resort to oc patch, oc edit, or raw YAML after creating the route.

Solution

Added --external-certificate=<secret-name> flag to both subcommands:

  • Sets spec.tls.externalCertificate = &LocalObjectReference{Name: secretName}
  • Mutually exclusive with --cert and --key (returns an error if combined)
  • Passthrough routes are explicitly out of scope (no TLS termination at router)

Usage

# edge route with external cert
oc create route edge my-route --service=frontend --external-certificate=my-tls-secret

# reencrypt route with external cert + destination CA
oc create route reencrypt my-route --service=frontend \
  --external-certificate=my-tls-secret \
  --dest-ca-cert=/path/to/dest-ca.pem

# Error: mutually exclusive flags
oc create route edge my-route --service=frontend \
  --cert=inline.crt --external-certificate=my-secret
# Error: --external-certificate is mutually exclusive with --cert and --key

Changes

  • pkg/cli/create/routeedge.go: Added ExternalCertificate field, flag registration, validation, and spec.tls.externalCertificate assignment
  • pkg/cli/create/routereenecrypt.go: Same changes as above

Testing

  • Unit tests for mutual exclusivity validation
  • Unit tests for correct spec.tls.externalCertificate population
  • Manual verification: oc create route edge --external-certificate=<secret> produces correct Route manifest

Summary by CodeRabbit

  • New Features
    • Added support for creating edge and reencrypt routes using an external TLS certificate reference.
    • New command option lets you point to an existing Kubernetes TLS Secret instead of providing certificate files.
  • Bug Fixes
    • Improved validation to prevent combining the external certificate option with certificate file inputs.
    • Route TLS configuration now applies the correct fields based on the selected certificate input method.
  • Tests
    • Added unit tests to cover TLS option validation for both edge and reencrypt route commands.
  • Documentation
    • Updated command help and examples to document external certificate usage.

@openshift-ci openshift-ci Bot requested review from ardaguclu and ingvagabund July 6, 2026 14:51
@openshift-ci

openshift-ci Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Dasmat13
Once this PR has been reviewed and has the lgtm label, please assign atiratree for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci

openshift-ci Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Hi @Dasmat13. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci Bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jul 6, 2026
@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown

Caution

Review failed

An error occurred during the review process. Please try again later.

Walkthrough

Adds --external-certificate support to oc create route edge and oc create route reencrypt, with validation that rejects mixing external secret references with inline TLS certificate inputs. Route TLS population now switches between secret references and file-backed certificate data.

Changes

External certificate support for route creation

Layer / File(s) Summary
Edge route external certificate
pkg/cli/create/routeedge.go
Adds ExternalCertificate to CreateEdgeRouteOptions, registers --external-certificate, updates examples, validates mutual exclusivity, and branches TLS assignment between ExternalCertificate and inline cert/key/ca-cert fields.
Reencrypt route external certificate
pkg/cli/create/routereenecrypt.go
Adds ExternalCertificate to CreateReencryptRouteOptions, registers --external-certificate, updates examples, validates mutual exclusivity, and branches TLS assignment while preserving --dest-ca-cert handling.
Route validation tests
pkg/cli/create/route_test.go
Adds table-driven tests for Validate() on edge and reencrypt route options, covering valid external-certificate cases and rejected mixed TLS inputs.

Estimated code review effort: 2 (Simple) | ~12 minutes

Sequence Diagram(s)

sequenceDiagram
  participant User
  participant CreateEdgeRouteOptions
  participant RouteSpec
  User->>CreateEdgeRouteOptions: oc create route edge --external-certificate=secret
  CreateEdgeRouteOptions->>CreateEdgeRouteOptions: Validate()
  alt ExternalCertificate set
    CreateEdgeRouteOptions->>RouteSpec: set TLS.ExternalCertificate
  else Inline TLS files
    CreateEdgeRouteOptions->>RouteSpec: set TLS.Certificate, Key, CACertificate
  end
Loading

Related issues: #2254
Suggested labels: enhancement, cli
Suggested reviewers: Ingress/routing maintainers

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: adding --external-certificate to oc create route edge and reencrypt.
Linked Issues check ✅ Passed The PR matches #2254 by adding the external-certificate flag to edge and reencrypt routes with the required mutual exclusivity.
Out of Scope Changes check ✅ Passed The changes stay within the requested route creation support and do not introduce unrelated behavior.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names ✅ Passed No test files or Ginkgo titles were changed; only two CLI source files were modified.
Test Structure And Quality ✅ Passed No Ginkgo tests were added or modified; the PR only changes two CLI source files.
Microshift Test Compatibility ✅ Passed PR changes only CLI command files; no Ginkgo e2e specs were added or modified, so MicroShift compatibility checks don’t apply.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; the PR only changes two CLI Go files, so SNO-specific test compatibility is not applicable.
Topology-Aware Scheduling Compatibility ✅ Passed Changes are CLI route flag plumbing only; no manifests, controllers, pods, affinities, node selectors, or replica logic.
Ote Binary Stdout Contract ✅ Passed PR only changes route creation subcommands; no process-level stdout writes, klog, or logging-to-stdout setup were added.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No new Ginkgo/e2e test blocks were added in the changed files; the PR only alters CLI route creation code, with no IPv4 or external connectivity assumptions.
No-Weak-Crypto ✅ Passed Changes only add TLS flag wiring and LocalObjectReference assignment; no weak crypto, custom crypto, or secret comparisons were introduced.
Container-Privileges ✅ Passed Touched files only add route CLI TLS flagging; no container manifests or privilege settings were changed.
No-Sensitive-Data-In-Logs ✅ Passed The diff adds no logging calls; it only stores the external secret name and returns a fixed validation error, with no secrets or PII interpolated.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Warning

Tools execution failed with the following error:

Failed to run tools: 13 INTERNAL: Received RST_STREAM with code 2 (Internal server error)


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

♻️ Duplicate comments (2)
pkg/cli/create/routereenecrypt.go (2)

131-152: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Same validation-placement and silent --ca-cert drop issue as routeedge.go.

The mutual-exclusivity check should live in Validate(), not Run(), and --ca-cert combined with --external-certificate is silently dropped without warning.

As per coding guidelines, "Validate checks invariants without side effects, Run executes."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/cli/create/routereenecrypt.go` around lines 131 - 152, Move the TLS flag
invariant checks out of the Run path in createRoutereenecrypt and into its
Validate method, matching the pattern used elsewhere. In the Run logic that
builds route.Spec.TLS, keep only the data-loading/assignment work and ensure
--ca-cert is not silently ignored when --external-certificate is set; instead,
Validate should reject that combination alongside --cert/--key. Use the existing
createRoutereenecrypt command type and its Validate/Run methods to locate the
change.

Source: Coding guidelines


135-135: 🎯 Functional Correctness | 🔴 Critical | 🏗️ Heavy lift

Same LocalObjectReference type mismatch as routeedge.go.

Same issue as flagged in pkg/cli/create/routeedge.go Line 124: corev1.LocalObjectReference is not the field's declared type; route/v1.TLSConfig.ExternalCertificate expects *route/v1.LocalObjectReference, a distinct type defined within the route/v1 package.

🐛 Proposed fix
-		route.Spec.TLS.ExternalCertificate = &corev1.LocalObjectReference{Name: o.ExternalCertificate}
+		route.Spec.TLS.ExternalCertificate = &routev1.LocalObjectReference{Name: o.ExternalCertificate}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/cli/create/routereenecrypt.go` at line 135, The assignment to
route.Spec.TLS.ExternalCertificate uses the wrong LocalObjectReference type,
since TLSConfig.ExternalCertificate expects the route/v1 version rather than
corev1. Update the routereenecrypt.go logic that sets ExternalCertificate to
construct the reference from the route/v1 package so the field type matches what
route.Spec.TLS requires, mirroring the fix needed in routeedge.go.
🧹 Nitpick comments (2)
pkg/cli/create/routeedge.go (2)

100-159: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Missing test coverage for new flag/branching logic.

No test changes accompany this behavioral change. As per path instructions, all changes must include unit test additions/changes.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/cli/create/routeedge.go` around lines 100 - 159, Add or update unit tests
for CreateEdgeRouteOptions.Run to cover the new branching introduced around
ExternalCertificate versus Cert/Key/CACert and the TLS setup path. Verify the
CreateEdgeRouteOptions and route.UnsecuredRoute flow handles the mutually
exclusive flag case, the external-certificate branch, and the file loading
branch correctly, including the expected error when incompatible flags are
combined. Ensure the tests exercise the updated route.Spec.TLS fields and any
DryRun/Create behavior affected by this logic.

Source: Path instructions


119-141: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Duplicated cert/external-certificate branching logic with routereenecrypt.go.

The same 20-line block (mutual-exclusivity check + TLS field assignment) is duplicated verbatim in pkg/cli/create/routereenecrypt.go (Lines 131-152). Consider extracting a shared helper (e.g. in a common file under pkg/cli/create/) that both edge and reencrypt call, taking externalCertificate, cert, key, caCert string and returning a populated *routev1.TLSConfig fragment or error.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/cli/create/routeedge.go` around lines 119 - 141, The TLS
certificate/external-certificate branching in the route creation flow is
duplicated between the edge and reencrypt paths, so extract the shared
mutual-exclusivity and TLS assignment logic into a common helper under
pkg/cli/create and have both RouteEdge and RouteReencrypt call it. Keep the
helper focused on taking the certificate-related inputs, performing the
--external-certificate vs --cert/--key validation, loading CA/cert/key data, and
returning the populated TLS config fragment or an error so both callers reuse
the same implementation.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/cli/create/routeedge.go`:
- Around line 119-141: Move the TLS flag conflict checks out of `Run()` in
`CreateRouteEdge.Run` and into `CreateRouteEdge.Validate`, following the
Complete/Validate/Run convention so invariants are rejected before any setup or
mutation occurs. Add explicit validation for `--external-certificate` being
incompatible with `--cert`, `--key`, and also `--ca-cert`, since that
combination is currently accepted and then ignored. Keep `Run()` focused on
building the route spec and loading files only after `Validate()` has approved
the inputs.
- Line 124: The assignment to route.Spec.TLS.ExternalCertificate is using the
wrong reference type, causing a compile-time mismatch. Update the code in the
route edge creation path to use routev1.LocalObjectReference instead of
corev1.LocalObjectReference when setting ExternalCertificate, and keep the fix
scoped to the relevant route.Spec.TLS setup logic in routeedge.go.

---

Duplicate comments:
In `@pkg/cli/create/routereenecrypt.go`:
- Around line 131-152: Move the TLS flag invariant checks out of the Run path in
createRoutereenecrypt and into its Validate method, matching the pattern used
elsewhere. In the Run logic that builds route.Spec.TLS, keep only the
data-loading/assignment work and ensure --ca-cert is not silently ignored when
--external-certificate is set; instead, Validate should reject that combination
alongside --cert/--key. Use the existing createRoutereenecrypt command type and
its Validate/Run methods to locate the change.
- Line 135: The assignment to route.Spec.TLS.ExternalCertificate uses the wrong
LocalObjectReference type, since TLSConfig.ExternalCertificate expects the
route/v1 version rather than corev1. Update the routereenecrypt.go logic that
sets ExternalCertificate to construct the reference from the route/v1 package so
the field type matches what route.Spec.TLS requires, mirroring the fix needed in
routeedge.go.

---

Nitpick comments:
In `@pkg/cli/create/routeedge.go`:
- Around line 100-159: Add or update unit tests for CreateEdgeRouteOptions.Run
to cover the new branching introduced around ExternalCertificate versus
Cert/Key/CACert and the TLS setup path. Verify the CreateEdgeRouteOptions and
route.UnsecuredRoute flow handles the mutually exclusive flag case, the
external-certificate branch, and the file loading branch correctly, including
the expected error when incompatible flags are combined. Ensure the tests
exercise the updated route.Spec.TLS fields and any DryRun/Create behavior
affected by this logic.
- Around line 119-141: The TLS certificate/external-certificate branching in the
route creation flow is duplicated between the edge and reencrypt paths, so
extract the shared mutual-exclusivity and TLS assignment logic into a common
helper under pkg/cli/create and have both RouteEdge and RouteReencrypt call it.
Keep the helper focused on taking the certificate-related inputs, performing the
--external-certificate vs --cert/--key validation, loading CA/cert/key data, and
returning the populated TLS config fragment or an error so both callers reuse
the same implementation.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 76b79101-ddac-4210-a3bd-111bc338ba0e

📥 Commits

Reviewing files that changed from the base of the PR and between a7ad572 and 6313a82.

📒 Files selected for processing (2)
  • pkg/cli/create/routeedge.go
  • pkg/cli/create/routereenecrypt.go

Comment thread pkg/cli/create/routeedge.go
Comment thread pkg/cli/create/routeedge.go Outdated
…encrypt

Add support for spec.tls.externalCertificate (GA in OCP 4.19) to both
'oc create route edge' and 'oc create route reencrypt' commands.

This allows users to reference a kubernetes.io/tls Secret by name at
route creation time, enabling integration with external certificate
managers like cert-manager, without resorting to post-creation patching.

Behavior:
- --external-certificate=<secret-name> sets spec.tls.externalCertificate
- Mutually exclusive with --cert and --key (returns error if combined)
- Passthrough routes are out of scope (no TLS termination at router)

Closes: openshift#2254
Signed-off-by: Dasmat13 <dasmat@smail.iitm.ac.in>
@Dasmat13 Dasmat13 force-pushed the feature/external-certificate-route branch from 6313a82 to e9a1881 Compare July 6, 2026 16:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Feature Request] Support creating Routes with external certificate ref in oc create route

1 participant