@richardsonnick

Adds feature gate for TLS curves configuration in API config.

Enhancement PR: openshift/enhancements#1894
Implementation PR: #2583

@richardsonnick richardsonnick changed the title Curves feature gate TLS curves configuration feature gate Nov 20, 2025
@coderabbitai

coderabbitai bot commented Nov 20, 2025

Walkthrough

Adds a new public feature gate FeatureGateTLSCurvesConfiguration and updates documentation and multiple FeatureGate payload manifests to include the new gate (enabled in DevPreviewNoUpgrade where applicable, otherwise listed as disabled).

Changes

| Cohort / File(s) | Summary |
|---|---|
| Feature gate declaration & docs: features/features.go, features.md | Adds public FeatureGateTLSCurvesConfiguration to allFeatureGates with name "TLSCurvesConfiguration", Jira component "Networking", contact "davidesalerno", product scope ocpSpecific, enhancement PR "https://github.com/openshift/enhancements/pull/1894", enabledIn configv1.DevPreviewNoUpgrade, and mustRegister. Also adds a corresponding row in features.md. |
| Payload manifests — Hypershift variants: payload-manifests/featuregates/featureGate-Hypershift-Default.yaml, payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml, payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml | Inserts TLSCurvesConfiguration into Hypershift FeatureGate YAMLs: enabled in DevPreviewNoUpgrade manifest; listed as disabled in Default and TechPreviewNoUpgrade manifests. |
| Payload manifests — SelfManagedHA variants: payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml, payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml, payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml | Inserts TLSCurvesConfiguration into SelfManagedHA FeatureGate YAMLs: enabled in DevPreviewNoUpgrade manifest; listed as disabled in Default and TechPreviewNoUpgrade manifests. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Verify the enhancement PR URL and metadata (Jira component, contact) match project records.
  • Confirm the gate is placed in the correct enablement lists for each manifest (enabled only in DevPreviewNoUpgrade).
  • Ensure formatting and ordering in manifest YAMLs and features.md follow existing patterns.

📥 Commits

Reviewing files that changed from the base of the PR and between 524928d and b1e173a.

📒 Files selected for processing (8)
  • features.md (1 hunks)
  • features/features.go (1 hunks)
  • payload-manifests/featuregates/featureGate-Hypershift-Default.yaml (1 hunks)
  • payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml (1 hunks)
  • payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml (1 hunks)
  • payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml (1 hunks)
  • payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml (1 hunks)
  • payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml (1 hunks)
🧬 Code graph analysis (1)
features/features.go (1)
config/v1/types_feature.go (1)
  • DevPreviewNoUpgrade (49-49)
🔇 Additional comments (8)
payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml (1)

328-330: TLSCurvesConfiguration correctly enabled for Hypershift DevPreviewNoUpgrade

Entry is placed in the enabled list for DevPreviewNoUpgrade, matching the Go feature gate definition and the features.md table for Hypershift.

payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml (1)

55-58: TLSCurvesConfiguration disabled for SelfManagedHA TechPreviewNoUpgrade is consistent

Keeping this gate in the disabled list for TechPreviewNoUpgrade aligns with the Go registry (enabled only for DevPreviewNoUpgrade) and the documentation table.

payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml (1)

219-221: Explicitly disabling TLSCurvesConfiguration in SelfManagedHA Default matches registry

The gate is only enabled for DevPreviewNoUpgrade in the Go registry, so listing it as disabled for the Default feature set is accurate and keeps manifests explicit.

payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml (1)

70-73: TLSCurvesConfiguration disabled for Hypershift TechPreviewNoUpgrade is correct

This keeps TechPreview aligned with the Go feature definition (DevPreview-only enablement) and the documented feature matrix.

payload-manifests/featuregates/featureGate-Hypershift-Default.yaml (1)

222-224: Default Hypershift manifest correctly lists TLSCurvesConfiguration as disabled

The gate is not enabled for Default in the registry, so explicitly marking it disabled here is accurate and consistent with other manifests.

payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml (1)

328-330: TLSCurvesConfiguration enabled for SelfManagedHA DevPreviewNoUpgrade as intended

This mirrors the Go feature gate (DevPreviewNoUpgrade-only) and keeps SelfManagedHA in sync with Hypershift and the documented feature matrix.

features.md (1)

19-19: Feature matrix entry for TLSCurvesConfiguration matches implementation

The row correctly marks TLSCurvesConfiguration as Enabled only for DevPreviewNoUpgrade on both Hypershift and SelfManagedHA, matching the Go feature registration and payload manifests.

features/features.go (1)

949-955: TLSCurvesConfiguration feature gate registration is consistent and well‑scoped

The new FeatureGateTLSCurvesConfiguration follows existing patterns (metadata, enhancement link, mustRegister) and enables the gate only for DevPreviewNoUpgrade, which matches the updated manifests and documentation.

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

Error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented
The command is terminated due to an error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented

@openshift-ci
Contributor

openshift-ci bot commented Nov 20, 2025

Hello @richardsonnick! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

@openshift-ci-robot

Pipeline controller notification
This repository is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci openshift-ci bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Nov 20, 2025
mustRegister()

FeatureGateTLSCurvesConfiguration = newFeatureGate("TLSCurvesConfiguration").
reportProblemsToJiraComponent("kube-apiserver").
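
Review bot: The Jira component on the reportProblemsToJiraComponent("kube-apiserver") line disagrees with the walkthrough for this PR, which records the gate's component as "Networking". Set this string to the component whose team has agreed to take bugs for the gate, and keep features.go and the PR summary consistent.
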
Contributor

Why should problems be reported to this component?

Contributor

To clarify, I'm asking because I don't see any stakeholders from the team responsible for this component represented in the enhancement proposal as reviewers or having signed off on being on the hook for bugs and issues related to this feature.

Author

Hey @everettraven,
Sorry for the confusion, I'm working with @davidesalerno to add supporting docs for the new feature introduced here: #2583

We decided Networking was the best component.

@everettraven
Contributor

@richardsonnick Looks like this may need a rebase and it looks like you are missing the generated file updates here.

Running PROTO_OPTIONAL=true make update should re-generate everything you need.

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 25, 2025
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 25, 2025
@openshift-ci openshift-ci bot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Nov 25, 2025
@richardsonnick
Author

> @richardsonnick Looks like this may need a rebase and it looks like you are missing the generated file updates here.
>
> Running PROTO_OPTIONAL=true make update should re-generate everything you need.

Rebased and updated generated files. Thanks for the review

Contributor

@everettraven everettraven left a comment

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Nov 25, 2025
@openshift-ci-robot

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-ovn
/test e2e-aws-ovn-hypershift
/test e2e-aws-ovn-hypershift-conformance
/test e2e-aws-ovn-techpreview
/test e2e-aws-serial-1of2
/test e2e-aws-serial-2of2
/test e2e-aws-serial-techpreview-1of2
/test e2e-aws-serial-techpreview-2of2
/test e2e-azure
/test e2e-gcp
/test e2e-upgrade
/test e2e-upgrade-out-of-change

@openshift-ci
Contributor

openshift-ci bot commented Nov 25, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: everettraven


@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 25, 2025
@openshift-ci
Contributor

openshift-ci bot commented Nov 25, 2025

@richardsonnick: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-aws-serial-techpreview-1of2 | b1e173a | link | true | /test e2e-aws-serial-techpreview-1of2 |
| ci/prow/e2e-aws-serial-1of2 | b1e173a | link | true | /test e2e-aws-serial-1of2 |
| ci/prow/e2e-aws-ovn-hypershift | b1e173a | link | true | /test e2e-aws-ovn-hypershift |

@davidesalerno

davidesalerno commented Nov 27, 2025

As discussed with @richardsonnick I need to verify if Jira component and contact person values are the right ones.

Should we also add some tests (see here)?

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 27, 2025