Problem statement
The OpenShift Route API supports spec.tls.externalCertificate (TP-ed in 4.16, GA-ed in 4.19), which allows a Route to reference a kubernetes.io/tls Secret by name instead of embedding certificate content inline. This enables integration with external certificate managers like cert-manager.
Relevant EP: https://github.com/openshift/enhancements/blob/master/enhancements/ingress/route-secret-injection-for-external-certificate-management.md
RH docs: https://docs.redhat.com/en/documentation/openshift_container_platform/4.21/html/ingress_and_load_balancing/routes#nw-ingress-route-secret-load-external-cert_creating-advanced-routes
However, oc create route edge and oc create route reencrypt lack support for setting this field. Users must resort to oc patch, oc edit, or raw YAML manifests to use external certificates at route creation time.
# Add external certificate to an existing route
oc patch route my-route --type merge -p '{"spec":{"tls":{"externalCertificate":{"name":"my-secret"}}}}'
# Or edit interactively
oc edit route my-route
# Or apply a full manifest
oc apply -f route.yaml
Proposed solution
Add a new flag (--external-certificate) to both oc create route edge and oc create route reencrypt that accepts the name of a Secret containing TLS certificate and key data.
Passthrough routes are out of scope (they don't terminate TLS at the router).
End-user scenarios
# Create an edge route referencing a TLS secret
oc create route edge my-route --service=my-svc --external-certificate=my-tls-secret
# Create a reencrypt route with an external certificate and destination CA
oc create route reencrypt my-route --service=my-svc \
--external-certificate=my-tls-secret \
--dest-ca-cert=/path/to/dest-ca.pem
# [Negative] Should be mutually exclusive with `--cert` or `--key` (cannot provide both inline and external certificates)
oc create route edge my-route --service=my-svc \
--cert=inline.crt --external-certificate=my-secret # → error
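The validation rules described above (edge/reencrypt only, no mixing inline and external certificates) together with the Route manifest and patch body a user currently has to hand-write, as an added Python example that is not part of this issue or of the oc code base; the function names and the PEM-string arguments are assumptions:

```python
import json
from typing import Optional

# Termination modes the proposed --external-certificate flag would cover.
# Passthrough is excluded: the router never terminates TLS for it.
TLS_TERMINATIONS = {"edge", "reencrypt"}


def build_route_manifest(name: str, service: str, termination: str,
                         external_certificate: Optional[str] = None,
                         cert: Optional[str] = None, key: Optional[str] = None,
                         dest_ca_cert: Optional[str] = None) -> dict:
    """Return the Route object that `oc create route` would submit.

    cert/key/dest_ca_cert hold PEM text (what oc reads from the --cert,
    --key and --dest-ca-cert files); external_certificate is the name of a
    kubernetes.io/tls Secret in the route's namespace. (Assumed helper.)
    """
    if termination not in TLS_TERMINATIONS | {"passthrough"}:
        raise ValueError(f"unknown termination {termination!r}")
    if external_certificate and termination not in TLS_TERMINATIONS:
        raise ValueError("externalCertificate requires edge or reencrypt termination")
    if external_certificate and (cert or key):
        # Mirrors the proposed mutual exclusion with --cert / --key.
        raise ValueError("--external-certificate cannot be combined with --cert/--key")
    if dest_ca_cert and termination != "reencrypt":
        raise ValueError("--dest-ca-cert only applies to reencrypt routes")

    tls = {"termination": termination}
    if external_certificate:
        tls["externalCertificate"] = {"name": external_certificate}
    if cert:
        tls["certificate"] = cert
    if key:
        tls["key"] = key
    if dest_ca_cert:
        tls["destinationCACertificate"] = dest_ca_cert
    return {
        "apiVersion": "route.openshift.io/v1",
        "kind": "Route",
        "metadata": {"name": name},
        "spec": {"to": {"kind": "Service", "name": service}, "tls": tls},
    }


def external_certificate_patch(secret_name: str) -> str:
    """The JSON merge patch body used by today's `oc patch` workaround."""
    patch = {"spec": {"tls": {"externalCertificate": {"name": secret_name}}}}
    return json.dumps(patch, separators=(",", ":"))
```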