Rename auto-tls to external-domain-tls (#14482)

* Rename auto-tls to external-domain-tls * Fix lint warnings
2023-10-20 18:06:18 +02:00 · 2023-10-20 18:06:18 +02:00 · 2c0b8dcb38
parent 425abcb95f
commit 2c0b8dcb38
34 changed files with 421 additions and 408 deletions
--- a/docs/encryption/knative-encryption.md
+++ b/docs/encryption/knative-encryption.md
@ -25,7 +25,7 @@ The different parts are independent of each other and (can) use different Certif
 * These certificates are either [provided manually](https://knative.dev/docs/serving/using-a-tls-cert/) or by using an implementation to the [Knative Certificate abstraction](https://github.com/knative/networking/blob/main/pkg/apis/networking/v1alpha1/certificate_types.go#L34). Currently, we support two implementations:
  * [net-certmanager](https://github.com/knative-extensions/net-certmanager) 
  * [net-http01](https://github.com/knative-extensions/net-http01)
-* Please refer to the [documentation](https://knative.dev/docs/serving/using-auto-tls/) for more information.
+* Please refer to the [documentation](https://knative.dev/docs/serving/using-external-domain-tls/) for more information.


 ### (2) Cluster-local certificates
--- a/pkg/apis/serving/v1/route_lifecycle.go
+++ b/pkg/apis/serving/v1/route_lifecycle.go
@ -190,10 +190,10 @@ func (rs *RouteStatus) MarkCertificateNotOwned(name string) {
 }

 const (
-	// AutoTLSNotEnabledMessage is the message which is set on the
+	// ExternalDomainTLSNotEnabledMessage is the message which is set on the
 	// RouteConditionCertificateProvisioned condition when it is set to True
-	// because AutoTLS was not enabled.
-	AutoTLSNotEnabledMessage = "auto-tls is not enabled"
+	// because external-domain-tls was not enabled.
+	ExternalDomainTLSNotEnabledMessage = "external-domain-tls is not enabled"

 	// TLSNotEnabledForClusterLocalMessage is the message which is set on the
 	// RouteConditionCertificateProvisioned condition when it is set to True
@ -202,7 +202,7 @@ const (
 )

 // MarkTLSNotEnabled sets RouteConditionCertificateProvisioned to true when
-// certificate config such as auto-tls is not enabled or private cluster-local service.
+// certificate config such as external-domain-tls is not enabled or private cluster-local service.
 func (rs *RouteStatus) MarkTLSNotEnabled(msg string) {
 	routeCondSet.Manage(rs).MarkTrueWithReason(RouteConditionCertificateProvisioned,
 		"TLSNotEnabled", msg)
--- a/pkg/apis/serving/v1/route_lifecycle_test.go
+++ b/pkg/apis/serving/v1/route_lifecycle_test.go
@ -253,7 +253,7 @@ func TestTypicalRouteFlow(t *testing.T) {
 	apistest.CheckConditionOngoing(r, RouteConditionReady, t)

 	r.MarkTrafficAssigned()
-	r.MarkTLSNotEnabled(AutoTLSNotEnabledMessage)
+	r.MarkTLSNotEnabled(ExternalDomainTLSNotEnabledMessage)
 	apistest.CheckConditionSucceeded(r, RouteConditionAllTrafficAssigned, t)
 	apistest.CheckConditionOngoing(r, RouteConditionIngressReady, t)
 	apistest.CheckConditionOngoing(r, RouteConditionReady, t)
@ -367,7 +367,7 @@ func TestIngressFailureRecovery(t *testing.T) {
 	apistest.CheckConditionOngoing(r, RouteConditionReady, t)

 	r.MarkTrafficAssigned()
-	r.MarkTLSNotEnabled(AutoTLSNotEnabledMessage)
+	r.MarkTLSNotEnabled(ExternalDomainTLSNotEnabledMessage)
 	r.PropagateIngressStatus(netv1alpha1.IngressStatus{
 		Status: duckv1.Status{
 			Conditions: duckv1.Conditions{{
@ -467,10 +467,10 @@ func TestEndpointNotOwned(t *testing.T) {
 	apistest.CheckConditionFailed(r, RouteConditionIngressReady, t)
 }

-func TestRouteAutoTLSNotEnabled(t *testing.T) {
+func TestRouteExternalDomainTLSNotEnabled(t *testing.T) {
 	r := &RouteStatus{}
 	r.InitializeConditions()
-	r.MarkTLSNotEnabled(AutoTLSNotEnabledMessage)
+	r.MarkTLSNotEnabled(ExternalDomainTLSNotEnabledMessage)

 	apistest.CheckConditionSucceeded(r, RouteConditionCertificateProvisioned, t)
 }
--- a/pkg/apis/serving/v1beta1/domainmapping_lifecycle.go
+++ b/pkg/apis/serving/v1beta1/domainmapping_lifecycle.go
@ -59,10 +59,10 @@ func (dms *DomainMappingStatus) InitializeConditions() {
 }

 const (
-	// AutoTLSNotEnabledMessage is the message which is set on the
+	// ExternalDomainTLSNotEnabledMessage is the message which is set on the
 	// DomainMappingConditionCertificateProvisioned condition when it is set to True
-	// because AutoTLS was not enabled.
-	AutoTLSNotEnabledMessage = "auto-tls is not enabled"
+	// because external-domain-tls was not enabled.
+	ExternalDomainTLSNotEnabledMessage = "external-domain-tls is not enabled"
 	// TLSCertificateProvidedExternally indicates that a TLS secret won't be created or managed
 	// instead a reference to an existing TLS secret should have been provided in the DomainMapping spec
 	TLSCertificateProvidedExternally = "TLS certificate was provided externally"
--- a/pkg/apis/serving/v1beta1/domainmapping_lifecycle_test.go
+++ b/pkg/apis/serving/v1beta1/domainmapping_lifecycle_test.go
@ -71,7 +71,7 @@ func TestDomainClaimConditions(t *testing.T) {
 	dms := &DomainMappingStatus{}

 	dms.InitializeConditions()
-	dms.MarkTLSNotEnabled("AutoTLS not yet available for DomainMapping")
+	dms.MarkTLSNotEnabled("external-domain-tls not yet available for DomainMapping")
 	apistest.CheckConditionOngoing(dms, DomainMappingConditionDomainClaimed, t)
 	apistest.CheckConditionOngoing(dms, DomainMappingConditionReady, t)

@ -103,7 +103,7 @@ func TestReferenceResolvedCondition(t *testing.T) {
 	dms := &DomainMappingStatus{}

 	dms.InitializeConditions()
-	dms.MarkTLSNotEnabled("AutoTLS not yet available for DomainMapping")
+	dms.MarkTLSNotEnabled("external-domain-tls not yet available for DomainMapping")
 	apistest.CheckConditionOngoing(dms, DomainMappingConditionReferenceResolved, t)
 	apistest.CheckConditionOngoing(dms, DomainMappingConditionReady, t)

@ -157,10 +157,10 @@ func TestDomainMappingNotOwnCertificate(t *testing.T) {
 	apistest.CheckConditionFailed(dms, DomainMappingConditionCertificateProvisioned, t)
 }

-func TestDomainMappingAutoTLSNotEnabled(t *testing.T) {
+func TestDomainMappingExternalDomainTLSNotEnabled(t *testing.T) {
 	dms := &DomainMappingStatus{}
 	dms.InitializeConditions()
-	dms.MarkTLSNotEnabled(AutoTLSNotEnabledMessage)
+	dms.MarkTLSNotEnabled(ExternalDomainTLSNotEnabledMessage)

 	apistest.CheckConditionSucceeded(dms, DomainMappingConditionCertificateProvisioned, t)
 }
@ -177,7 +177,7 @@ func TestPropagateIngressStatus(t *testing.T) {
 	dms := &DomainMappingStatus{}

 	dms.InitializeConditions()
-	dms.MarkTLSNotEnabled("AutoTLS not yet available for DomainMapping")
+	dms.MarkTLSNotEnabled("external-domain-tls not yet available for DomainMapping")
 	apistest.CheckConditionOngoing(dms, DomainMappingConditionIngressReady, t)
 	apistest.CheckConditionOngoing(dms, DomainMappingConditionReady, t)

--- a/pkg/reconciler/domainmapping/reconciler.go
+++ b/pkg/reconciler/domainmapping/reconciler.go
@ -171,18 +171,18 @@ func (r *Reconciler) FinalizeKind(ctx context.Context, dm *v1beta1.DomainMapping
 	return r.netclient.NetworkingV1alpha1().ClusterDomainClaims().Delete(ctx, dm.Name, metav1.DeleteOptions{})
 }

-func autoTLSEnabled(ctx context.Context, dm *v1beta1.DomainMapping) bool {
-	if !config.FromContext(ctx).Network.AutoTLS {
+func externalDomainTLSEnabled(ctx context.Context, dm *v1beta1.DomainMapping) bool {
+	if !config.FromContext(ctx).Network.ExternalDomainTLS {
 		return false
 	}
-	annotationValue := netapi.GetDisableAutoTLS(dm.Annotations)
+	annotationValue := netapi.GetDisableExternalDomainTLS(dm.Annotations)
 	disabledByAnnotation, err := strconv.ParseBool(annotationValue)
 	if annotationValue != "" && err != nil {
 		logger := logging.FromContext(ctx)
 		// Validation should've caught an invalid value here.
 		// If we have one anyway, assume not disabled and log a warning.
 		logger.Warnf("DM.Annotations[%s] = %q is invalid",
-			netapi.DisableAutoTLSAnnotationKey, annotationValue)
+			netapi.DisableExternalDomainTLSAnnotation, annotationValue)
 	}

 	return !disabledByAnnotation
@ -203,8 +203,8 @@ func (r *Reconciler) tls(ctx context.Context, dm *v1beta1.DomainMapping) ([]netv
 		}}, nil, nil
 	}

-	if !autoTLSEnabled(ctx, dm) {
-		dm.Status.MarkTLSNotEnabled(v1.AutoTLSNotEnabledMessage)
+	if !externalDomainTLSEnabled(ctx, dm) {
+		dm.Status.MarkTLSNotEnabled(v1.ExternalDomainTLSNotEnabledMessage)
 		return nil, nil, nil
 	}

--- a/pkg/reconciler/domainmapping/reconciler_test.go
+++ b/pkg/reconciler/domainmapping/reconciler_test.go
@ -25,65 +25,65 @@ import (
 	"knative.dev/serving/pkg/reconciler/domainmapping/config"
 )

-func TestAutoTLSEnabled(t *testing.T) {
+func TestExternalDomainTLSEnabled(t *testing.T) {
 	dm := domainMapping("test-ns", "test-route")

 	for _, tc := range []struct {
-		name                  string
-		configAutoTLSEnabled  bool
-		tlsDisabledAnnotation string
-		wantAutoTLSEnabled    bool
+		name                           string
+		configExternalDomainTLSEnabled bool
+		tlsDisabledAnnotation          string
+		wantExternalDomainTLSEnabled   bool
 	}{{
-		name:                 "AutoTLS enabled by config, not disabled by annotation",
-		configAutoTLSEnabled: true,
-		wantAutoTLSEnabled:   true,
+		name:                           "ExternalDomainTLS enabled by config, not disabled by annotation",
+		configExternalDomainTLSEnabled: true,
+		wantExternalDomainTLSEnabled:   true,
 	}, {
-		name:                  "AutoTLS enabled by config, disabled by annotation",
-		configAutoTLSEnabled:  true,
-		tlsDisabledAnnotation: "true",
-		wantAutoTLSEnabled:    false,
+		name:                           "ExternalDomainTLS enabled by config, disabled by annotation",
+		configExternalDomainTLSEnabled: true,
+		tlsDisabledAnnotation:          "true",
+		wantExternalDomainTLSEnabled:   false,
 	}, {
-		name:                 "AutoTLS disabled by config, not disabled by annotation",
-		configAutoTLSEnabled: false,
-		wantAutoTLSEnabled:   false,
+		name:                           "ExternalDomainTLS disabled by config, not disabled by annotation",
+		configExternalDomainTLSEnabled: false,
+		wantExternalDomainTLSEnabled:   false,
 	}, {
-		name:                  "AutoTLS disabled by config, disabled by annotation",
-		configAutoTLSEnabled:  false,
-		tlsDisabledAnnotation: "true",
-		wantAutoTLSEnabled:    false,
+		name:                           "ExternalDomainTLS disabled by config, disabled by annotation",
+		configExternalDomainTLSEnabled: false,
+		tlsDisabledAnnotation:          "true",
+		wantExternalDomainTLSEnabled:   false,
 	}, {
-		name:                  "AutoTLS enabled by config, invalid annotation",
-		configAutoTLSEnabled:  true,
-		tlsDisabledAnnotation: "foo",
-		wantAutoTLSEnabled:    true,
+		name:                           "ExternalDomainTLS enabled by config, invalid annotation",
+		configExternalDomainTLSEnabled: true,
+		tlsDisabledAnnotation:          "foo",
+		wantExternalDomainTLSEnabled:   true,
 	}, {
-		name:                  "AutoTLS disabled by config, invalid annotation",
-		configAutoTLSEnabled:  false,
-		tlsDisabledAnnotation: "foo",
-		wantAutoTLSEnabled:    false,
+		name:                           "ExternalDomainTLS disabled by config, invalid annotation",
+		configExternalDomainTLSEnabled: false,
+		tlsDisabledAnnotation:          "foo",
+		wantExternalDomainTLSEnabled:   false,
 	}, {
-		name:                 "AutoTLS disabled by config nil annotations",
-		configAutoTLSEnabled: false,
-		wantAutoTLSEnabled:   false,
+		name:                           "ExternalDomainTLS disabled by config nil annotations",
+		configExternalDomainTLSEnabled: false,
+		wantExternalDomainTLSEnabled:   false,
 	}, {
-		name:                 "AutoTLS enabled by config, nil annotations",
-		configAutoTLSEnabled: true,
-		wantAutoTLSEnabled:   true,
+		name:                           "ExternalDomainTLS enabled by config, nil annotations",
+		configExternalDomainTLSEnabled: true,
+		wantExternalDomainTLSEnabled:   true,
 	}} {
 		t.Run(tc.name, func(t *testing.T) {
 			ctx := logtesting.TestContextWithLogger(t)
 			ctx = config.ToContext(ctx, &config.Config{
 				Network: &netcfg.Config{
-					AutoTLS: tc.configAutoTLSEnabled,
+					ExternalDomainTLS: tc.configExternalDomainTLSEnabled,
 				},
 			})
 			if tc.tlsDisabledAnnotation != "" {
 				dm.Annotations = map[string]string{
-					netapi.DisableAutoTLSAnnotationKey: tc.tlsDisabledAnnotation,
+					netapi.DisableExternalDomainTLSAnnotationKey: tc.tlsDisabledAnnotation,
 				}
 			}
-			if got := autoTLSEnabled(ctx, dm); got != tc.wantAutoTLSEnabled {
-				t.Errorf("autoTLSEnabled = %t, want %t", got, tc.wantAutoTLSEnabled)
+			if got := externalDomainTLSEnabled(ctx, dm); got != tc.wantExternalDomainTLSEnabled {
+				t.Errorf("externalDomainTLSEnabled = %t, want %t", got, tc.wantExternalDomainTLSEnabled)
 			}
 		})
 	}
--- a/pkg/reconciler/domainmapping/table_test.go
+++ b/pkg/reconciler/domainmapping/table_test.go
@ -1251,7 +1251,7 @@ func TestReconcileTLSEnabled(t *testing.T) {
 					Network: &netcfg.Config{
 						DefaultIngressClass:     "the-ingress-class",
 						DefaultCertificateClass: "the-cert-class",
-						AutoTLS:                 true,
+						ExternalDomainTLS:       true,
 						HTTPProtocol:            netcfg.HTTPRedirected,
 						DefaultExternalScheme:   "http",
 					},
@ -1318,7 +1318,7 @@ func TestReconcileTLSEnabledButDowngraded(t *testing.T) {
 					Network: &netcfg.Config{
 						DefaultIngressClass:     "the-ingress-class",
 						DefaultCertificateClass: "the-cert-class",
-						AutoTLS:                 true,
+						ExternalDomainTLS:       true,
 						HTTPProtocol:            netcfg.HTTPEnabled,
 						DefaultExternalScheme:   "http",
 					},
@ -1425,7 +1425,7 @@ func withInitDomainMappingConditions(dm *v1beta1.DomainMapping) {
 }

 func withTLSNotEnabled(dm *v1beta1.DomainMapping) {
-	dm.Status.MarkTLSNotEnabled(servingv1.AutoTLSNotEnabledMessage)
+	dm.Status.MarkTLSNotEnabled(servingv1.ExternalDomainTLSNotEnabledMessage)
 }

 func withCertificateNotReady(dm *v1beta1.DomainMapping) {
--- a/pkg/reconciler/nscert/nscert_test.go
+++ b/pkg/reconciler/nscert/nscert_test.go
@ -99,8 +99,8 @@ func newTestSetup(t *testing.T, configs ...*corev1.ConfigMap) (
 			Namespace: system.Namespace(),
 		},
 		Data: map[string]string{
-			"domain-template": defaultDomainTemplate,
-			"auto-tls":        "true",
+			"domain-template":     defaultDomainTemplate,
+			"external-domain-tls": "true",
 			// Apply to all namespaces
 			"namespace-wildcard-cert-selector": "{}",
 		},
@ -323,7 +323,7 @@ func TestUpdateDomainTemplate(t *testing.T) {
 		},
 		Data: map[string]string{
 			"namespace-wildcard-cert-selector": "{}",
-			"auto-tls":                         "Enabled",
+			"external-domain-tls":              "Enabled",
 		},
 	}
 	ctx, cancel, certEvents, watcher := newTestSetup(t, netCfg)
@ -348,7 +348,7 @@ func TestUpdateDomainTemplate(t *testing.T) {
 		Data: map[string]string{
 			"domain-template":                  "{{.Name}}-suffix.{{.Namespace}}.{{.Domain}}",
 			"namespace-wildcard-cert-selector": "{}",
-			"auto-tls":                         "Enabled",
+			"external-domain-tls":              "Enabled",
 		},
 	}
 	watcher.OnChange(netCfg)
@ -369,7 +369,7 @@ func TestUpdateDomainTemplate(t *testing.T) {
 		Data: map[string]string{
 			"domain-template":                  "{{.Name}}.subdomain.{{.Namespace}}.{{.Domain}}",
 			"namespace-wildcard-cert-selector": `{}`,
-			"auto-tls":                         "Enabled",
+			"external-domain-tls":              "Enabled",
 		},
 	}
 	watcher.OnChange(netCfg)
@ -389,8 +389,8 @@ func TestUpdateDomainTemplate(t *testing.T) {
 			Namespace: system.Namespace(),
 		},
 		Data: map[string]string{
-			"domain-template": "{{.Namespace}}.{{.Name}}.{{.Domain}}",
-			"auto-tls":        "Enabled",
+			"domain-template":     "{{.Namespace}}.{{.Name}}.{{.Domain}}",
+			"external-domain-tls": "Enabled",
 		},
 	}
 	watcher.OnChange(netCfg)
@ -416,7 +416,7 @@ func TestChangeDefaultDomain(t *testing.T) {
 			Namespace: system.Namespace(),
 		},
 		Data: map[string]string{
-			"auto-tls":                         "Enabled",
+			"external-domain-tls":              "Enabled",
 			"namespace-wildcard-cert-selector": "{}",
 		},
 	}
@ -472,7 +472,7 @@ func TestDomainConfigDomain(t *testing.T) {
 		name:      "no domainmapping without config",
 		domainCfg: map[string]string{},
 		netCfg: map[string]string{
-			"auto-tls": "Enabled",
+			"external-domain-tls": "Enabled",
 		},
 	}, {
 		name: "default domain",
@ -480,7 +480,7 @@ func TestDomainConfigDomain(t *testing.T) {
 			"other.com": "selector:\n app: dev",
 		},
 		netCfg: map[string]string{
-			"auto-tls":                         "Enabled",
+			"external-domain-tls":              "Enabled",
 			"namespace-wildcard-cert-selector": "{}",
 		},
 		wantCertName: "testns.svc.cluster.local",
@ -491,7 +491,7 @@ func TestDomainConfigDomain(t *testing.T) {
 			"default.com": "",
 		},
 		netCfg: map[string]string{
-			"auto-tls":                         "Enabled",
+			"external-domain-tls":              "Enabled",
 			"namespace-wildcard-cert-selector": "{}",
 		},
 		wantCertName: "testns.default.com",
@ -614,7 +614,7 @@ func kubeNamespaceWithLabelValue(name string, labels map[string]string) *corev1.
 func networkConfig() *netcfg.Config {
 	return &netcfg.Config{
 		DomainTemplate:                defaultDomainTemplate,
-		AutoTLS:                       true,
+		ExternalDomainTLS:             true,
 		DefaultCertificateClass:       testCertClass,
 		NamespaceWildcardCertSelector: &metav1.LabelSelector{},
 	}
--- a/pkg/reconciler/route/route.go
+++ b/pkg/reconciler/route/route.go
@ -184,8 +184,8 @@ func (c *Reconciler) tls(ctx context.Context, host string, r *v1.Route, traffic
 	logger := logging.FromContext(ctx)

 	tls := []netv1alpha1.IngressTLS{}
-	if !autoTLSEnabled(ctx, r) {
-		r.Status.MarkTLSNotEnabled(v1.AutoTLSNotEnabledMessage)
+	if !externalDomainTLSEnabled(ctx, r) {
+		r.Status.MarkTLSNotEnabled(v1.ExternalDomainTLSNotEnabledMessage)
 		return tls, nil, nil
 	}

@ -268,7 +268,7 @@ func (c *Reconciler) tls(ctx context.Context, host string, r *v1.Route, traffic
 			r.Status.MarkCertificateNotReady(cert.Name)
 			// When httpProtocol is enabled, downgrade http scheme.
 			// Explicitly not using the override settings here as to not to muck with
-			// AutoTLS semantics.
+			// external-domain-tls semantics.
 			if config.FromContext(ctx).Network.HTTPProtocol == netcfg.HTTPEnabled {
 				if dnsNames.Has(host) {
 					r.Status.URL = &apis.URL{
@ -491,20 +491,20 @@ func setTargetsScheme(rs *v1.RouteStatus, dnsNames []string, scheme string) {
 	}
 }

-func autoTLSEnabled(ctx context.Context, r *v1.Route) bool {
-	if !config.FromContext(ctx).Network.AutoTLS {
+func externalDomainTLSEnabled(ctx context.Context, r *v1.Route) bool {
+	if !config.FromContext(ctx).Network.ExternalDomainTLS {
 		return false
 	}

 	logger := logging.FromContext(ctx)
-	annotationValue := networking.GetDisableAutoTLS(r.Annotations)
+	annotationValue := networking.GetDisableExternalDomainTLS(r.Annotations)

 	disabledByAnnotation, err := strconv.ParseBool(annotationValue)
 	if annotationValue != "" && err != nil {
 		// validation should've caught an invalid value here.
-		// if we have one anyways, assume not disabled and log a warning.
+		// if we have one anyway, assume not disabled and log a warning.
 		logger.Warnf("Invalid annotation value for %q. Value: %q",
-			networking.DisableAutoTLSAnnotationKey, annotationValue)
+			networking.DisableExternalDomainTLSAnnotationKey, annotationValue)
 	}

 	return !disabledByAnnotation
--- a/pkg/reconciler/route/route_test.go
+++ b/pkg/reconciler/route/route_test.go
@ -1588,40 +1588,40 @@ func TestRouteDomain(t *testing.T) {
 	}
 }

-func TestAutoTLSEnabled(t *testing.T) {
+func TestExternalDomainTLSEnabled(t *testing.T) {
 	tests := []struct {
-		name                  string
-		configAutoTLSEnabled  bool
-		tlsDisabledAnnotation string
-		wantAutoTLSEnabled    bool
+		name                           string
+		configExternalDomainTLSEnabled bool
+		tlsDisabledAnnotation          string
+		wantExternalDomainTLSEnabled   bool
 	}{{
-		name:                 "AutoTLS enabled by config, not disabled by annotation",
-		configAutoTLSEnabled: true,
-		wantAutoTLSEnabled:   true,
+		name:                           "ExternalDomainTLS enabled by config, not disabled by annotation",
+		configExternalDomainTLSEnabled: true,
+		wantExternalDomainTLSEnabled:   true,
 	}, {
-		name:                  "AutoTLS enabled by config, disabled by annotation",
-		configAutoTLSEnabled:  true,
-		tlsDisabledAnnotation: "true",
-		wantAutoTLSEnabled:    false,
+		name:                           "ExternalDomainTLS enabled by config, disabled by annotation",
+		configExternalDomainTLSEnabled: true,
+		tlsDisabledAnnotation:          "true",
+		wantExternalDomainTLSEnabled:   false,
 	}, {
-		name:                 "AutoTLS disabled by config, not disabled by annotation",
-		configAutoTLSEnabled: false,
-		wantAutoTLSEnabled:   false,
+		name:                           "ExternalDomainTLS disabled by config, not disabled by annotation",
+		configExternalDomainTLSEnabled: false,
+		wantExternalDomainTLSEnabled:   false,
 	}, {
-		name:                  "AutoTLS disabled by config, disabled by annotation",
-		configAutoTLSEnabled:  false,
-		tlsDisabledAnnotation: "true",
-		wantAutoTLSEnabled:    false,
+		name:                           "ExternalDomainTLS disabled by config, disabled by annotation",
+		configExternalDomainTLSEnabled: false,
+		tlsDisabledAnnotation:          "true",
+		wantExternalDomainTLSEnabled:   false,
 	}, {
-		name:                  "AutoTLS enabled by config, invalid annotation",
-		configAutoTLSEnabled:  true,
-		tlsDisabledAnnotation: "foo",
-		wantAutoTLSEnabled:    true,
+		name:                           "ExternalDomainTLS enabled by config, invalid annotation",
+		configExternalDomainTLSEnabled: true,
+		tlsDisabledAnnotation:          "foo",
+		wantExternalDomainTLSEnabled:   true,
 	}, {
-		name:                  "AutoTLS disabled by config, invalid annotation",
-		configAutoTLSEnabled:  false,
-		tlsDisabledAnnotation: "foo",
-		wantAutoTLSEnabled:    false,
+		name:                           "ExternalDomainTLS disabled by config, invalid annotation",
+		configExternalDomainTLSEnabled: false,
+		tlsDisabledAnnotation:          "foo",
+		wantExternalDomainTLSEnabled:   false,
 	}}

 	r := Route("test-ns", "test-route")
@ -1632,14 +1632,14 @@ func TestAutoTLSEnabled(t *testing.T) {
 			ctx := logtesting.TestContextWithLogger(t)
 			ctx = config.ToContext(ctx, &config.Config{
 				Network: &netcfg.Config{
-					AutoTLS: test.configAutoTLSEnabled,
+					ExternalDomainTLS: test.configExternalDomainTLSEnabled,
 				},
 			})

-			r.Annotations[networking.DisableAutoTLSAnnotationKey] = test.tlsDisabledAnnotation
+			r.Annotations[networking.DisableExternalDomainTLSAnnotationKey] = test.tlsDisabledAnnotation

-			if got := autoTLSEnabled(ctx, r); got != test.wantAutoTLSEnabled {
-				t.Errorf("autoTLSEnabled = %t, want %t", got, test.wantAutoTLSEnabled)
+			if got := externalDomainTLSEnabled(ctx, r); got != test.wantExternalDomainTLSEnabled {
+				t.Errorf("externalDomainTLSEnabled = %t, want %t", got, test.wantExternalDomainTLSEnabled)
 			}
 		})
 	}
--- a/pkg/reconciler/route/table_test.go
+++ b/pkg/reconciler/route/table_test.go
@ -73,7 +73,7 @@ type key int
 const (
 	rolloutDurationKey key = iota
 	externalSchemeKey
-	enableAutoTLSKey
+	enableExternalDomainTLSKey
 )

 // This is heavily based on the way the OpenShift Ingress controller tests its reconciliation method.
@ -177,7 +177,7 @@ func TestReconcile(t *testing.T) {
 			Object: Route("default", "becomes-ready", WithConfigTarget("ing-unknown"),
 				WithRouteUID("12-34"), WithRouteGeneration(1955), WithRouteObservedGeneration,
 				// Populated by reconciliation when all traffic has been assigned.
-				WithURL, WithAddress, WithRouteConditionsAutoTLSDisabled,
+				WithURL, WithAddress, WithRouteConditionsExternalDomainTLSDisabled,
 				MarkTrafficAssigned, MarkIngressNotConfigured, WithStatusTraffic(
 					v1.TrafficTarget{
 						RevisionName:   "ing-unknown-00001",
@ -222,7 +222,7 @@ func TestReconcile(t *testing.T) {
 			Object: Route("default", "ingress-failed", WithConfigTarget("config"),
 				WithRouteUID("12-34"), WithRouteGeneration(1), WithRouteObservedGeneration,
 				// Populated by reconciliation when all traffic has been assigned.
-				WithURL, WithAddress, WithRouteConditionsAutoTLSDisabled, WithInitRouteConditions,
+				WithURL, WithAddress, WithRouteConditionsExternalDomainTLSDisabled, WithInitRouteConditions,
 				MarkTrafficAssigned,
 				WithStatusTraffic(
 					v1.TrafficTarget{
@ -273,7 +273,7 @@ func TestReconcile(t *testing.T) {
 				WithRouteUID("12-34"), WithIngressClass("custom-ingress-class"),
 				WithRouteGeneration(1), WithRouteObservedGeneration,
 				// Populated by reconciliation when all traffic has been assigned.
-				WithURL, WithAddress, WithRouteConditionsAutoTLSDisabled,
+				WithURL, WithAddress, WithRouteConditionsExternalDomainTLSDisabled,
 				MarkTrafficAssigned, MarkIngressNotConfigured, WithStatusTraffic(
 					v1.TrafficTarget{
 						RevisionName:   "config-00001",
@ -329,7 +329,7 @@ func TestReconcile(t *testing.T) {
 			Object: Route("default", "becomes-ready", WithConfigTarget("config"),
 				WithRouteUID("65-23"), WithRouteGeneration(1), WithRouteObservedGeneration,
 				// Populated by reconciliation when all traffic has been assigned.
-				WithLocalDomain, WithAddress, WithRouteConditionsAutoTLSDisabled,
+				WithLocalDomain, WithAddress, WithRouteConditionsExternalDomainTLSDisabled,
 				WithRouteLabel(map[string]string{netapi.VisibilityLabelKey: "cluster-local"}),
 				MarkTrafficAssigned, MarkIngressNotConfigured, WithStatusTraffic(
 					v1.TrafficTarget{
@ -376,7 +376,7 @@ func TestReconcile(t *testing.T) {
 		WantStatusUpdates: []clientgotesting.UpdateActionImpl{{
 			Object: Route("default", "becomes-ready", WithConfigTarget("config"),
 				// Populated by reconciliation when the route becomes ready.
-				WithURL, WithAddress, WithRouteConditionsAutoTLSDisabled,
+				WithURL, WithAddress, WithRouteConditionsExternalDomainTLSDisabled,
 				WithRouteGeneration(2009), WithRouteObservedGeneration,
 				MarkTrafficAssigned, MarkIngressReady, WithStatusTraffic(
 					v1.TrafficTarget{
@ -475,7 +475,7 @@ func TestReconcile(t *testing.T) {
 		WantStatusUpdates: []clientgotesting.UpdateActionImpl{{
 			Object: Route("default", "becomes-ready", WithConfigTarget("config"),
 				// Populated by reconciliation when the route becomes ready.
-				WithURL, WithAddress, WithRouteConditionsAutoTLSDisabled,
+				WithURL, WithAddress, WithRouteConditionsExternalDomainTLSDisabled,
 				WithRouteGeneration(2009), WithRouteObservedGeneration,
 				MarkTrafficAssigned, MarkInRollout, WithStatusTraffic(
 					v1.TrafficTarget{
@ -559,7 +559,7 @@ func TestReconcile(t *testing.T) {
 		WantStatusUpdates: []clientgotesting.UpdateActionImpl{{
 			Object: Route("default", "becomes-ready", WithConfigTarget("config"),
 				// Populated by reconciliation when the route becomes ready.
-				WithURL, WithAddress, WithRouteConditionsAutoTLSDisabled,
+				WithURL, WithAddress, WithRouteConditionsExternalDomainTLSDisabled,
 				WithRouteGeneration(2009), WithRouteObservedGeneration,
 				MarkTrafficAssigned, MarkIngressReady, WithStatusTraffic(
 					v1.TrafficTarget{
@ -660,7 +660,7 @@ func TestReconcile(t *testing.T) {
 				WithRouteFinalizer, WithRouteGeneration(1),
 				MarkIngressNotConfigured, WithRouteObservedGeneration,
 				// Populated by reconciliation when we fail to create the ingress.
-				WithURL, WithAddress, WithRouteConditionsAutoTLSDisabled,
+				WithURL, WithAddress, WithRouteConditionsExternalDomainTLSDisabled,
 				MarkTrafficAssigned, WithStatusTraffic(
 					v1.TrafficTarget{
 						RevisionName:   "config-00001",
@ -678,7 +678,7 @@ func TestReconcile(t *testing.T) {
 		Name: "steady state",
 		Objects: []runtime.Object{
 			Route("default", "steady-state", WithConfigTarget("config"),
-				WithURL, WithAddress, WithRouteConditionsAutoTLSDisabled,
+				WithURL, WithAddress, WithRouteConditionsExternalDomainTLSDisabled,
 				MarkTrafficAssigned, MarkIngressReady, WithRouteGeneration(1), WithRouteObservedGeneration,
 				WithRouteFinalizer, WithStatusTraffic(
 					v1.TrafficTarget{
@ -717,7 +717,7 @@ func TestReconcile(t *testing.T) {
 		WantErr: true,
 		Objects: []runtime.Object{
 			Route("default", "unhappy-owner", WithConfigTarget("config"),
-				WithURL, WithAddress, WithRouteConditionsAutoTLSDisabled, WithRouteGeneration(1),
+				WithURL, WithAddress, WithRouteConditionsExternalDomainTLSDisabled, WithRouteGeneration(1),
 				MarkTrafficAssigned, MarkIngressReady, WithRouteObservedGeneration, WithRouteFinalizer, WithStatusTraffic(
 					v1.TrafficTarget{
 						RevisionName: "config-00001",
@ -734,7 +734,7 @@ func TestReconcile(t *testing.T) {
 		},
 		WantStatusUpdates: []clientgotesting.UpdateActionImpl{{
 			Object: Route("default", "unhappy-owner", WithConfigTarget("config"),
-				WithURL, WithAddress, WithRouteConditionsAutoTLSDisabled, WithRouteGeneration(1),
+				WithURL, WithAddress, WithRouteConditionsExternalDomainTLSDisabled, WithRouteGeneration(1),
 				MarkTrafficAssigned, MarkIngressReady, WithRouteObservedGeneration, WithRouteFinalizer, WithStatusTraffic(
 					v1.TrafficTarget{
 						RevisionName:   "config-00001",
@ -756,7 +756,7 @@ func TestReconcile(t *testing.T) {
 		Objects: []runtime.Object{
 			Route("default", "different-domain", WithConfigTarget("config"),
 				WithAnotherDomain, WithAddress, WithRouteGeneration(1), WithRouteObservedGeneration,
-				WithRouteConditionsAutoTLSDisabled, MarkTrafficAssigned, MarkIngressReady,
+				WithRouteConditionsExternalDomainTLSDisabled, MarkTrafficAssigned, MarkIngressReady,
 				WithRouteFinalizer, WithStatusTraffic(
 					v1.TrafficTarget{
 						RevisionName:   "config-00001",
@ -813,7 +813,7 @@ func TestReconcile(t *testing.T) {
 		Name: "new latest created revision",
 		Objects: []runtime.Object{
 			Route("default", "new-latest-created", WithConfigTarget("config"),
-				WithURL, WithAddress, WithRouteConditionsAutoTLSDisabled, WithRouteGeneration(1),
+				WithURL, WithAddress, WithRouteConditionsExternalDomainTLSDisabled, WithRouteGeneration(1),
 				MarkTrafficAssigned, MarkIngressReady, WithRouteObservedGeneration, WithRouteFinalizer, WithStatusTraffic(
 					v1.TrafficTarget{
 						RevisionName:   "config-00001",
@ -852,7 +852,7 @@ func TestReconcile(t *testing.T) {
 		Ctx:  context.WithValue(context.Background(), rolloutDurationKey, 120),
 		Objects: []runtime.Object{
 			Route("default", "new-latest-ready", WithConfigTarget("config"),
-				WithURL, WithAddress, WithRouteConditionsAutoTLSDisabled, WithRouteGeneration(1),
+				WithURL, WithAddress, WithRouteConditionsExternalDomainTLSDisabled, WithRouteGeneration(1),
 				MarkTrafficAssigned, MarkIngressReady, WithRouteObservedGeneration, WithRouteFinalizer, WithStatusTraffic(
 					v1.TrafficTarget{
 						RevisionName: "config-00001",
@ -923,7 +923,7 @@ func TestReconcile(t *testing.T) {
 		}},
 		WantStatusUpdates: []clientgotesting.UpdateActionImpl{{
 			Object: Route("default", "new-latest-ready", WithConfigTarget("config"),
-				WithURL, WithAddress, WithRouteConditionsAutoTLSDisabled, WithRouteGeneration(1),
+				WithURL, WithAddress, WithRouteConditionsExternalDomainTLSDisabled, WithRouteGeneration(1),
 				MarkTrafficAssigned, MarkInRollout, WithRouteObservedGeneration, WithRouteFinalizer, WithStatusTraffic(
 					v1.TrafficTarget{
 						RevisionName:   "config-00001",
@ -941,7 +941,7 @@ func TestReconcile(t *testing.T) {
 		Name: "new latest ready revision, rollout disabled",
 		Objects: []runtime.Object{
 			Route("default", "new-latest-ready", WithConfigTarget("config"),
-				WithURL, WithAddress, WithRouteConditionsAutoTLSDisabled, WithRouteGeneration(1),
+				WithURL, WithAddress, WithRouteConditionsExternalDomainTLSDisabled, WithRouteGeneration(1),
 				MarkTrafficAssigned, MarkIngressReady, WithRouteObservedGeneration, WithRouteFinalizer, WithStatusTraffic(
 					v1.TrafficTarget{
 						RevisionName: "config-00001",
@ -995,7 +995,7 @@ func TestReconcile(t *testing.T) {
 		}},
 		WantStatusUpdates: []clientgotesting.UpdateActionImpl{{
 			Object: Route("default", "new-latest-ready", WithConfigTarget("config"),
-				WithURL, WithAddress, WithRouteConditionsAutoTLSDisabled, WithRouteGeneration(1),
+				WithURL, WithAddress, WithRouteConditionsExternalDomainTLSDisabled, WithRouteGeneration(1),
 				MarkTrafficAssigned, MarkIngressReady, WithRouteObservedGeneration, WithRouteFinalizer, WithStatusTraffic(
 					v1.TrafficTarget{
 						RevisionName:   "config-00002",
@ -1058,7 +1058,7 @@ func TestReconcile(t *testing.T) {
 			Object: Route("default", "becomes-local", WithConfigTarget("config"),
 				WithRouteUID("65-23"), WithRouteGeneration(1), WithRouteObservedGeneration,
 				MarkTrafficAssigned, MarkIngressNotConfigured,
-				WithLocalDomain, WithAddress, WithRouteConditionsAutoTLSDisabled,
+				WithLocalDomain, WithAddress, WithRouteConditionsExternalDomainTLSDisabled,
 				WithRouteLabel(map[string]string{netapi.VisibilityLabelKey: "cluster-local"}),
 				WithStatusTraffic(
 					v1.TrafficTarget{
@ -1120,7 +1120,7 @@ func TestReconcile(t *testing.T) {
 			Object: Route("default", "becomes-public", WithConfigTarget("config"),
 				WithRouteUID("65-23"), WithRouteGeneration(1), WithRouteObservedGeneration,
 				MarkTrafficAssigned, MarkIngressNotConfigured,
-				WithAddress, WithRouteConditionsAutoTLSDisabled, WithURL,
+				WithAddress, WithRouteConditionsExternalDomainTLSDisabled, WithURL,
 				WithStatusTraffic(
 					v1.TrafficTarget{
 						RevisionName:   "config-00001",
@ -1138,7 +1138,7 @@ func TestReconcile(t *testing.T) {
 		},
 		Objects: []runtime.Object{
 			Route("default", "update-ci-failure", WithConfigTarget("config"),
-				WithURL, WithAddress, WithRouteConditionsAutoTLSDisabled, WithRouteGeneration(1),
+				WithURL, WithAddress, WithRouteConditionsExternalDomainTLSDisabled, WithRouteGeneration(1),
 				MarkTrafficAssigned, MarkIngressReady, WithRouteObservedGeneration, WithRouteFinalizer, WithStatusTraffic(
 					v1.TrafficTarget{
 						RevisionName: "config-00001",
@ -1191,7 +1191,7 @@ func TestReconcile(t *testing.T) {
 		}},
 		WantStatusUpdates: []clientgotesting.UpdateActionImpl{{
 			Object: Route("default", "update-ci-failure", WithConfigTarget("config"),
-				WithURL, WithAddress, WithRouteConditionsAutoTLSDisabled, WithRouteGeneration(1),
+				WithURL, WithAddress, WithRouteConditionsExternalDomainTLSDisabled, WithRouteGeneration(1),
 				MarkTrafficAssigned, MarkIngressReady, WithRouteObservedGeneration, WithRouteFinalizer, WithStatusTraffic(
 					v1.TrafficTarget{
 						RevisionName:   "config-00002",
@ -1207,7 +1207,7 @@ func TestReconcile(t *testing.T) {
 		Name: "reconcile service mutation",
 		Objects: []runtime.Object{
 			Route("default", "svc-mutation", WithConfigTarget("config"),
-				WithURL, WithAddress, WithRouteConditionsAutoTLSDisabled, WithRouteGeneration(1),
+				WithURL, WithAddress, WithRouteConditionsExternalDomainTLSDisabled, WithRouteGeneration(1),
 				MarkTrafficAssigned, MarkIngressReady, WithRouteObservedGeneration, WithRouteFinalizer, WithStatusTraffic(
 					v1.TrafficTarget{
 						RevisionName:   "config-00001",
@ -1252,7 +1252,7 @@ func TestReconcile(t *testing.T) {
 		},
 		Objects: []runtime.Object{
 			Route("default", "svc-mutation", WithConfigTarget("config"), WithRouteFinalizer,
-				WithURL, WithAddress, WithRouteConditionsAutoTLSDisabled, WithRouteGeneration(1),
+				WithURL, WithAddress, WithRouteConditionsExternalDomainTLSDisabled, WithRouteGeneration(1),
 				MarkTrafficAssigned, MarkIngressReady, WithRouteObservedGeneration, WithStatusTraffic(
 					v1.TrafficTarget{
 						RevisionName:   "config-00001",
@ -1298,7 +1298,7 @@ func TestReconcile(t *testing.T) {
 		Name: "drop cluster ip",
 		Objects: []runtime.Object{
 			Route("default", "cluster-ip", WithConfigTarget("config"), WithRouteFinalizer,
-				WithURL, WithAddress, WithRouteConditionsAutoTLSDisabled, WithRouteGeneration(1),
+				WithURL, WithAddress, WithRouteConditionsExternalDomainTLSDisabled, WithRouteGeneration(1),
 				MarkTrafficAssigned, MarkIngressReady, WithRouteObservedGeneration, WithStatusTraffic(
 					v1.TrafficTarget{
 						RevisionName:   "config-00001",
@ -1339,7 +1339,7 @@ func TestReconcile(t *testing.T) {
 		Name: "preserve the cluster ip of the service on steady state",
 		Objects: []runtime.Object{
 			Route("default", "preserve-cluster-ip", WithConfigTarget("config"), WithRouteFinalizer,
-				WithURL, WithAddress, WithRouteConditionsAutoTLSDisabled, WithRouteGeneration(1),
+				WithURL, WithAddress, WithRouteConditionsExternalDomainTLSDisabled, WithRouteGeneration(1),
 				MarkTrafficAssigned, MarkIngressReady, WithRouteObservedGeneration, WithStatusTraffic(
 					v1.TrafficTarget{
 						RevisionName:   "config-00001",
@ -1397,7 +1397,7 @@ func TestReconcile(t *testing.T) {
 		Name: "fix external name",
 		Objects: []runtime.Object{
 			Route("default", "external-name", WithConfigTarget("config"), WithRouteFinalizer,
-				WithURL, WithAddress, WithRouteConditionsAutoTLSDisabled, WithRouteGeneration(1),
+				WithURL, WithAddress, WithRouteConditionsExternalDomainTLSDisabled, WithRouteGeneration(1),
 				MarkTrafficAssigned, MarkIngressReady, WithRouteObservedGeneration, WithStatusTraffic(
 					v1.TrafficTarget{
 						RevisionName:   "config-00001",
@ -1437,7 +1437,7 @@ func TestReconcile(t *testing.T) {
 		Name: "reconcile ingress mutation",
 		Objects: []runtime.Object{
 			Route("default", "ingress-mutation", WithConfigTarget("config"), WithRouteFinalizer,
-				WithURL, WithAddress, WithRouteConditionsAutoTLSDisabled, WithRouteGeneration(1),
+				WithURL, WithAddress, WithRouteConditionsExternalDomainTLSDisabled, WithRouteGeneration(1),
 				MarkTrafficAssigned, MarkIngressReady, WithRouteObservedGeneration, WithStatusTraffic(
 					v1.TrafficTarget{
 						RevisionName:   "config-00001",
@ -1561,7 +1561,7 @@ func TestReconcile(t *testing.T) {
 			Object: Route("default", "pinned-becomes-ready",
 				// Use the Revision name from the config
 				WithRevTarget("config-00001"), WithRouteFinalizer, WithRouteGeneration(1),
-				WithURL, WithAddress, WithRouteConditionsAutoTLSDisabled,
+				WithURL, WithAddress, WithRouteConditionsExternalDomainTLSDisabled,
 				MarkTrafficAssigned, MarkIngressReady, WithRouteObservedGeneration, WithStatusTraffic(
 					v1.TrafficTarget{
 						RevisionName:   "config-00001",
@ -1643,7 +1643,7 @@ func TestReconcile(t *testing.T) {
 					ConfigurationName: "green",
 					Percent:           ptr.Int64(50),
 				}), WithRouteUID("34-78"),
-				WithURL, WithAddress, WithRouteConditionsAutoTLSDisabled,
+				WithURL, WithAddress, WithRouteConditionsExternalDomainTLSDisabled,
 				MarkTrafficAssigned, MarkIngressNotConfigured, WithStatusTraffic(
 					v1.TrafficTarget{
 						RevisionName:   "blue-00001",
@ -1780,7 +1780,7 @@ func TestReconcile(t *testing.T) {
 						RevisionName: "gray-00001",
 						Percent:      ptr.Int64(50),
 					}), WithRouteUID("1-2"), WithRouteFinalizer,
-				WithURL, WithAddress, WithRouteConditionsAutoTLSDisabled,
+				WithURL, WithAddress, WithRouteConditionsExternalDomainTLSDisabled,
 				MarkTrafficAssigned, MarkIngressNotConfigured, WithStatusTraffic(
 					v1.TrafficTarget{
 						Tag:            "gray",
@ -1815,7 +1815,7 @@ func TestReconcile(t *testing.T) {
 		// Start from a steady state referencing "blue", and modify the route spec to point to "green" instead.
 		Objects: []runtime.Object{
 			Route("default", "switch-configs", WithConfigTarget("green"),
-				WithURL, WithAddress, WithRouteConditionsAutoTLSDisabled,
+				WithURL, WithAddress, WithRouteConditionsExternalDomainTLSDisabled,
 				MarkTrafficAssigned, MarkIngressReady, WithRouteGeneration(1984), WithRouteObservedGeneration,
 				WithStatusTraffic(
 					v1.TrafficTarget{
@ -1872,7 +1872,7 @@ func TestReconcile(t *testing.T) {
 		}},
 		WantStatusUpdates: []clientgotesting.UpdateActionImpl{{
 			Object: Route("default", "switch-configs", WithConfigTarget("green"),
-				WithURL, WithAddress, WithRouteConditionsAutoTLSDisabled,
+				WithURL, WithAddress, WithRouteConditionsExternalDomainTLSDisabled,
 				WithRouteGeneration(1984), MarkTrafficAssigned, MarkIngressReady,
 				WithRouteObservedGeneration, WithStatusTraffic(
 					v1.TrafficTarget{
@ -1939,7 +1939,7 @@ func TestReconcile(t *testing.T) {
 		Name: "deletes service when route no longer references service",
 		Objects: []runtime.Object{
 			Route("default", "my-route", WithConfigTarget("config"),
-				WithURL, WithAddress, WithRouteConditionsAutoTLSDisabled,
+				WithURL, WithAddress, WithRouteConditionsExternalDomainTLSDisabled,
 				MarkTrafficAssigned, MarkIngressReady,
 				WithRouteGeneration(1), WithRouteObservedGeneration,
 				WithRouteFinalizer,
@ -2057,7 +2057,7 @@ func TestReconcile(t *testing.T) {
 		Ctx:  context.WithValue(context.Background(), externalSchemeKey, "https"),
 		Objects: []runtime.Object{
 			Route("default", "steady-state", WithConfigTarget("config"),
-				WithHTTPSDomain, WithAddress, WithRouteConditionsAutoTLSDisabled,
+				WithHTTPSDomain, WithAddress, WithRouteConditionsExternalDomainTLSDisabled,
 				MarkTrafficAssigned, MarkIngressReady, WithRouteGeneration(1), WithRouteObservedGeneration,
 				WithRouteFinalizer, WithStatusTraffic(
 					v1.TrafficTarget{
@ -2097,7 +2097,7 @@ func TestReconcile(t *testing.T) {
 		Objects: []runtime.Object{
 			Route("default", "steady-state", WithConfigTarget("config"),
 				WithRouteLabel(map[string]string{netapi.VisibilityLabelKey: serving.VisibilityClusterLocal}),
-				WithLocalDomain, WithAddress, WithRouteConditionsAutoTLSDisabled,
+				WithLocalDomain, WithAddress, WithRouteConditionsExternalDomainTLSDisabled,
 				MarkTrafficAssigned, MarkIngressReady, WithRouteGeneration(1), WithRouteObservedGeneration,
 				WithRouteFinalizer, WithStatusTraffic(
 					v1.TrafficTarget{
@ -2150,7 +2150,7 @@ func TestReconcile_ServiceLifecycle(t *testing.T) {
 		WithRouteUID("12-34"),
 		WithAddress,
 		WithURL,
-		WithRouteConditionsAutoTLSDisabled,
+		WithRouteConditionsExternalDomainTLSDisabled,
 		MarkTrafficAssigned,
 		MarkIngressReady,
 		WithRouteObservedGeneration,
@ -2342,7 +2342,7 @@ func TestReconcile_ServiceLifecycle(t *testing.T) {
 	table.Test(t, MakeFactory(NewTestReconciler))
 }

-func TestReconcileEnableAutoTLS(t *testing.T) {
+func TestReconcileEnableExternalDomainTLS(t *testing.T) {
 	table := TableTest{{
 		Name: "check that existing wildcard cert is used when creating a Route",
 		Objects: []runtime.Object{
@ -3121,8 +3121,8 @@ func TestReconcileEnableAutoTLS(t *testing.T) {
 		}},
 		Key: "default/becomes-ready",
 	}, {
-		// This test is a same with "public becomes cluster local" above, but confirm it does not create certs with auto-tls for cluster-local.
-		Name: "public becomes cluster local w/ auto-tls",
+		// This test is a same with "public becomes cluster local" above, but confirm it does not create certs with external-domain-tls for cluster-local.
+		Name: "public becomes cluster local w/ external-domain-tls",
 		Objects: []runtime.Object{
 			Route("default", "becomes-local", WithConfigTarget("config"), WithRouteGeneration(1),
 				WithRouteLabel(map[string]string{netapi.VisibilityLabelKey: serving.VisibilityClusterLocal}),
@ -3192,7 +3192,7 @@ func TestReconcileEnableAutoTLS(t *testing.T) {
 		if row.Ctx == nil {
 			row.Ctx = context.Background()
 		}
-		table[i].Ctx = context.WithValue(row.Ctx, enableAutoTLSKey, true)
+		table[i].Ctx = context.WithValue(row.Ctx, enableExternalDomainTLSKey, true)
 	}
 	table.Test(t, MakeFactory(NewTestReconciler))
 }
@ -3214,8 +3214,8 @@ func NewTestReconciler(ctx context.Context, listers *Listers, cmw configmap.Watc
 	}

 	cfg := reconcilerTestConfig()
-	if v := ctx.Value(enableAutoTLSKey); v != nil {
-		cfg.Network.AutoTLS = v.(bool)
+	if v := ctx.Value(enableExternalDomainTLSKey); v != nil {
+		cfg.Network.ExternalDomainTLS = v.(bool)
 	}
 	if v := ctx.Value(rolloutDurationKey); v != nil {
 		cfg.Network.RolloutDurationSecs = v.(int)
--- a/pkg/testing/v1/route.go
+++ b/pkg/testing/v1/route.go
@ -173,11 +173,11 @@ func WithInitRouteConditions(rt *v1.Route) {
 	rt.Status.InitializeConditions()
 }

-// WithRouteConditionsAutoTLSDisabled calls MarkTLSNotEnabled with AutoTLSNotEnabledMessage
+// WithRouteConditionsExternalDomainTLSDisabled calls MarkTLSNotEnabled with ExternalDomainTLSNotEnabledMessage
 // after initialized the Service's conditions.
-func WithRouteConditionsAutoTLSDisabled(rt *v1.Route) {
+func WithRouteConditionsExternalDomainTLSDisabled(rt *v1.Route) {
 	rt.Status.InitializeConditions()
-	rt.Status.MarkTLSNotEnabled(v1.AutoTLSNotEnabledMessage)
+	rt.Status.MarkTLSNotEnabled(v1.ExternalDomainTLSNotEnabledMessage)
 }

 // WithRouteConditionsTLSNotEnabledForClusterLocalMessage calls
--- a/test/config/externaldomaintls/certmanager/caissuer/config-certmanager.yaml
+++ b/test/config/externaldomaintls/certmanager/caissuer/config-certmanager.yaml
--- a/test/config/externaldomaintls/certmanager/caissuer/generate.sh
+++ b/test/config/externaldomaintls/certmanager/caissuer/generate.sh
@ -14,7 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-# This script generates test/config/autotls/certmanager/caissuer/secret.yaml.
+# This script generates test/config/externaldomaintls/certmanager/caissuer/secret.yaml.

 openssl genrsa -out rootCAKey.pem 2048
 openssl req -x509 -sha256 -new -nodes -key rootCAKey.pem -days 36500 -out rootCACert.pem  -subj '/CN=example.com/O=Knative Community/C=US'
--- a/test/config/externaldomaintls/certmanager/caissuer/issuer.yaml
+++ b/test/config/externaldomaintls/certmanager/caissuer/issuer.yaml
--- a/test/config/externaldomaintls/certmanager/caissuer/secret.yaml
+++ b/test/config/externaldomaintls/certmanager/caissuer/secret.yaml
--- a/test/config/externaldomaintls/certmanager/http01/config-certmanager.yaml
+++ b/test/config/externaldomaintls/certmanager/http01/config-certmanager.yaml
--- a/test/config/externaldomaintls/certmanager/http01/issuer.yaml
+++ b/test/config/externaldomaintls/certmanager/http01/issuer.yaml
--- a/test/config/externaldomaintls/certmanager/http01/mesh-issuer.yaml
+++ b/test/config/externaldomaintls/certmanager/http01/mesh-issuer.yaml
--- a/test/config/externaldomaintls/certmanager/selfsigned/config-certmanager.yaml
+++ b/test/config/externaldomaintls/certmanager/selfsigned/config-certmanager.yaml
--- a/test/config/externaldomaintls/certmanager/selfsigned/issuer.yaml
+++ b/test/config/externaldomaintls/certmanager/selfsigned/issuer.yaml
--- a/test/e2e-auto-tls-tests.sh
+++ b/test/e2e-auto-tls-tests.sh
@ -1,214 +0,0 @@
-#!/usr/bin/env bash
-
-# Copyright 2020 The Knative Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-source $(dirname "$0")/e2e-common.sh
-
-function setup_auto_tls_env_variables() {
-  # DNS zone for the testing domain.
-  export AUTO_TLS_TEST_DNS_ZONE="knative-e2e"
-  # Google Cloud project that hosts the DNS server for the testing domain `kn-e2e.dev`
-  export AUTO_TLS_TEST_CLOUD_DNS_PROJECT="knative-e2e-dns"
-  # The service account credential file used to access the DNS server.
-  export AUTO_TLS_TEST_CLOUD_DNS_SERVICE_ACCOUNT_KEY_FILE="${GOOGLE_APPLICATION_CREDENTIALS}"
-
-  export AUTO_TLS_TEST_DOMAIN_NAME="kn-e2e.dev"
-
-  export CUSTOM_DOMAIN_SUFFIX="$(($RANDOM % 10000)).${E2E_PROJECT_ID}.${AUTO_TLS_TEST_DOMAIN_NAME}"
-
-  export TLS_TEST_NAMESPACE="tls"
-
-  local INGRESS_NAMESPACE=${GATEWAY_NAMESPACE_OVERRIDE}
-  if [[ -z "${GATEWAY_NAMESPACE_OVERRIDE}" ]]; then
-    INGRESS_NAMESPACE="istio-system"
-  fi
-  local INGRESS_SERVICE=${GATEWAY_OVERRIDE}
-  if [[ -z "${GATEWAY_OVERRIDE}" ]]; then
-    INGRESS_SERVICE="istio-ingressgateway"
-  fi
-  local IP=$(kubectl get svc -n ${INGRESS_NAMESPACE} ${INGRESS_SERVICE} -o jsonpath="{.status.loadBalancer.ingress[0].ip}")
-  export AUTO_TLS_TEST_INGRESS_IP=${IP}
-}
-
-function setup_custom_domain() {
-  echo ">> Configuring custom domain for Auto TLS tests: ${CUSTOM_DOMAIN_SUFFIX}"
-  cat <<EOF | kubectl apply -f -
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: config-domain
-  namespace: ${SYSTEM_NAMESPACE}
-  labels:
-    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: devel
-data:
-  ${CUSTOM_DOMAIN_SUFFIX}: ""
-EOF
-}
-
-function cleanup_custom_domain() {
-  kubectl delete ConfigMap config-domain -n ${SYSTEM_NAMESPACE}
-}
-
-function setup_auto_tls_common() {
-  setup_auto_tls_env_variables
-
-  setup_custom_domain
-
-  toggle_feature auto-tls Enabled config-network
-  toggle_feature autocreate-cluster-domain-claims true config-network
-}
-
-function cleanup_auto_tls_common() {
-  cleanup_custom_domain
-
-  toggle_feature auto-tls Disabled config-network
-  toggle_feature autocreate-cluster-domain-claims false config-network
-  toggle_feature namespace-wildcard-cert-selector "" config-network
-  kubectl delete kcert --all -n "${TLS_TEST_NAMESPACE}"
-}
-
-function setup_http01_auto_tls() {
-    # The name of the test, lowercase to avoid hyphenation of the test name.
-  export AUTO_TLS_TEST_NAME="http01"
-  # Rely on the built-in naming (for logstream)
-  unset TLS_SERVICE_NAME
-  # The full host name of the Knative Service. This is used to configure the DNS record.
-  export AUTO_TLS_TEST_FULL_HOST_NAME="*.${CUSTOM_DOMAIN_SUFFIX}"
-
-  kubectl delete kcert --all -n "${TLS_TEST_NAMESPACE}"
-
-  if [[ -z "${MESH}" ]]; then
-    echo "Install cert-manager no-mesh ClusterIssuer"
-    kubectl apply -f "${E2E_YAML_DIR}"/test/config/autotls/certmanager/http01/issuer.yaml
-  else
-    echo "Install cert-manager mesh ClusterIssuer"
-    kubectl apply -f "${E2E_YAML_DIR}"/test/config/autotls/certmanager/http01/mesh-issuer.yaml
-  fi
-  kubectl apply -f "${E2E_YAML_DIR}"/test/config/autotls/certmanager/http01/config-certmanager.yaml
-  setup_dns_record
-}
-
-function setup_selfsigned_per_ksvc_auto_tls() {
-  # The name of the test.
-  export AUTO_TLS_TEST_NAME="SelfSignedPerKsvc"
-  # The name of the Knative Service deployed in Auto TLS E2E test.
-  export TLS_SERVICE_NAME="self-per-ksvc"
-
-  kubectl delete kcert --all -n "${TLS_TEST_NAMESPACE}"
-  kubectl apply -f ${E2E_YAML_DIR}/test/config/autotls/certmanager/selfsigned/
-}
-
-function setup_selfsigned_per_namespace_auto_tls() {
-  # The name of the test.
-  export AUTO_TLS_TEST_NAME="SelfSignedPerNamespace"
-  # The name of the Knative Service deployed in Auto TLS E2E test.
-  export TLS_SERVICE_NAME="self-per-namespace"
-
-  kubectl delete kcert --all -n "${TLS_TEST_NAMESPACE}"
-
-  # Enable namespace certificate only for "${TLS_TEST_NAMESPACE}" namespaces
-  selector="matchExpressions:
-  - key: kubernetes.io/metadata.name
-    operator: In
-    values: [${TLS_TEST_NAMESPACE}]
-  "
-  toggle_feature namespace-wildcard-cert-selector "$selector" config-network
-
-  kubectl apply -f ${E2E_YAML_DIR}/test/config/autotls/certmanager/selfsigned/
-
-}
-
-function cleanup_per_selfsigned_namespace_auto_tls() {
-  # Disable namespace cert for all namespaces
-  toggle_feature namespace-wildcard-cert-selector "" config-network
-
-  kubectl delete -f ${E2E_YAML_DIR}/test/config/autotls/certmanager/selfsigned/ --ignore-not-found=true
-}
-
-function setup_dns_record() {
-  go run ./test/e2e/autotls/config/dnssetup/
-  if [ $? -eq 0 ]; then
-    echo "Successfully set up DNS record"
-  else
-    echo "Error setting up DNS record"
-    exit 1
-  fi
-}
-
-function delete_dns_record() {
-  go run ./test/e2e/autotls/config/dnscleanup/
-  if [ $? -eq 0 ]; then
-    echo "Successfully tore down DNS record"
-  else
-    echo "Error deleting up DNS record"
-    exit 1
-  fi
-}
-
-# Script entry point.
-initialize "$@" --num-nodes=4 --enable-ha --cluster-version=1.26
-
-# Run the tests
-header "Running tests"
-
-failed=0
-
-# Currently only Istio, Contour and Kourier implement the alpha features.
-alpha=""
-if [[ -z "${INGRESS_CLASS}" \
-  || "${INGRESS_CLASS}" == "istio.ingress.networking.knative.dev" \
-  || "${INGRESS_CLASS}" == "contour.ingress.networking.knative.dev" \
-  || "${INGRESS_CLASS}" == "kourier.ingress.networking.knative.dev" ]]; then
-  alpha="--enable-alpha"
-fi
-
-AUTO_TLS_TEST_OPTIONS="${AUTO_TLS_TEST_OPTIONS:-${alpha} --enable-beta}"
-
-# Auto TLS E2E tests mutate the cluster and must be ran separately
-# because they need auto-tls and cert-manager specific configurations
-subheader "Setup auto tls"
-setup_auto_tls_common
-add_trap "cleanup_auto_tls_common" EXIT SIGKILL SIGTERM SIGQUIT
-
-subheader "Auto TLS test for per-ksvc certificate provision using self-signed CA"
-setup_selfsigned_per_ksvc_auto_tls
-go_test_e2e -timeout=10m ./test/e2e/autotls/ ${AUTO_TLS_TEST_OPTIONS} || failed=1
-kubectl delete -f ${E2E_YAML_DIR}/test/config/autotls/certmanager/selfsigned/
-
-subheader "Auto TLS test for per-namespace certificate provision using self-signed CA"
-setup_selfsigned_per_namespace_auto_tls
-add_trap "cleanup_per_selfsigned_namespace_auto_tls" SIGKILL SIGTERM SIGQUIT
-go_test_e2e -timeout=10m ./test/e2e/autotls/ ${AUTO_TLS_TEST_OPTIONS} || failed=1
-cleanup_per_selfsigned_namespace_auto_tls
-
-if [[ ${RUN_HTTP01_AUTO_TLS_TESTS} -eq 1 ]]; then
-  subheader "Auto TLS test for per-ksvc certificate provision using HTTP01 challenge"
-  setup_http01_auto_tls
-  add_trap "delete_dns_record" SIGKILL SIGTERM SIGQUIT
-  go_test_e2e -timeout=10m ./test/e2e/autotls/ ${AUTO_TLS_TEST_OPTIONS} || failed=1
-  kubectl delete -f ${E2E_YAML_DIR}/test/config/autotls/certmanager/http01/
-  delete_dns_record
-fi
-
-(( failed )) && fail_test
-
-subheader "Cleanup auto tls"
-cleanup_auto_tls_common
-
-# Remove the kail log file if the test flow passes.
-# This is for preventing too many large log files to be uploaded to GCS in CI.
-rm "${ARTIFACTS}/k8s.log-$(basename "${E2E_SCRIPT}").txt"
-success
--- a/test/e2e-auto-tls-tests.sh
+++ b/test/e2e-auto-tls-tests.sh
@ -0,0 +1 @@
+e2e-external-domain-tls-tests.sh
--- a/test/e2e-common.sh
+++ b/test/e2e-common.sh
@ -30,7 +30,7 @@ export CERTIFICATE_CLASS=${CERTIFICATE_CLASS:-""}
 # Only build linux/amd64 bit images
 export KO_FLAGS="${KO_FLAGS:---platform=linux/amd64}"

-export RUN_HTTP01_AUTO_TLS_TESTS=${RUN_HTTP01_AUTO_TLS_TESTS:-0}
+export RUN_HTTP01_EXTERNAL_DOMAIN_TLS_TESTS=${RUN_HTTP01_EXTERNAL_DOMAIN_TLS_TESTS:-0}
 export HTTPS=${HTTPS:-0}
 export SHORT=${SHORT:-0}
 export ENABLE_HA=${ENABLE_HA:-0}
@ -118,8 +118,14 @@ function parse_flags() {
      readonly CERTIFICATE_CLASS="cert-manager.certificate.networking.knative.dev"
      return 2
      ;;
+# BEGIN: reverse compatibility - drop this after updating knative/infra
    --run-http01-auto-tls-tests)
-      readonly RUN_HTTP01_AUTO_TLS_TESTS=1
+      readonly RUN_HTTP01_EXTERNAL_DOMAIN_TLS_TESTS=1
+      return 1
+      ;;
+# END
+    --run-http01-external-domain-tls-tests)
+      readonly RUN_HTTP01_EXTERNAL_DOMAIN_TLS_TESTS=1
      return 1
      ;;
    --mesh)
--- a/test/e2e-external-domain-tls-tests.sh
+++ b/test/e2e-external-domain-tls-tests.sh
@ -0,0 +1,214 @@
+#!/usr/bin/env bash
+
+# Copyright 2020 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+source $(dirname "$0")/e2e-common.sh
+
+function setup_external_domain_tls_env_variables() {
+  # DNS zone for the testing domain.
+  export EXTERNAL_DOMAIN_TLS_TEST_DNS_ZONE="knative-e2e"
+  # Google Cloud project that hosts the DNS server for the testing domain `kn-e2e.dev`
+  export EXTERNAL_DOMAIN_TLS_TEST_CLOUD_DNS_PROJECT="knative-e2e-dns"
+  # The service account credential file used to access the DNS server.
+  export EXTERNAL_DOMAIN_TLS_TEST_CLOUD_DNS_SERVICE_ACCOUNT_KEY_FILE="${GOOGLE_APPLICATION_CREDENTIALS}"
+
+  export EXTERNAL_DOMAIN_TLS_TEST_DOMAIN_NAME="kn-e2e.dev"
+
+  export CUSTOM_DOMAIN_SUFFIX="$(($RANDOM % 10000)).${E2E_PROJECT_ID}.${EXTERNAL_DOMAIN_TLS_TEST_DOMAIN_NAME}"
+
+  export TLS_TEST_NAMESPACE="tls"
+
+  local INGRESS_NAMESPACE=${GATEWAY_NAMESPACE_OVERRIDE}
+  if [[ -z "${GATEWAY_NAMESPACE_OVERRIDE}" ]]; then
+    INGRESS_NAMESPACE="istio-system"
+  fi
+  local INGRESS_SERVICE=${GATEWAY_OVERRIDE}
+  if [[ -z "${GATEWAY_OVERRIDE}" ]]; then
+    INGRESS_SERVICE="istio-ingressgateway"
+  fi
+  local IP=$(kubectl get svc -n ${INGRESS_NAMESPACE} ${INGRESS_SERVICE} -o jsonpath="{.status.loadBalancer.ingress[0].ip}")
+  export EXTERNAL_DOMAIN_TLS_TEST_INGRESS_IP=${IP}
+}
+
+function setup_custom_domain() {
+  echo ">> Configuring custom domain for External Domain TLS tests: ${CUSTOM_DOMAIN_SUFFIX}"
+  cat <<EOF | kubectl apply -f -
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: config-domain
+  namespace: ${SYSTEM_NAMESPACE}
+  labels:
+    app.kubernetes.io/name: knative-serving
+    app.kubernetes.io/version: devel
+data:
+  ${CUSTOM_DOMAIN_SUFFIX}: ""
+EOF
+}
+
+function cleanup_custom_domain() {
+  kubectl delete ConfigMap config-domain -n ${SYSTEM_NAMESPACE}
+}
+
+function setup_external_domain_tls_common() {
+  setup_external_domain_tls_env_variables
+
+  setup_custom_domain
+
+  toggle_feature external-domain-tls Enabled config-network
+  toggle_feature autocreate-cluster-domain-claims true config-network
+}
+
+function cleanup_external_domain_tls_common() {
+  cleanup_custom_domain
+
+  toggle_feature external-domain-tls Disabled config-network
+  toggle_feature autocreate-cluster-domain-claims false config-network
+  toggle_feature namespace-wildcard-cert-selector "" config-network
+  kubectl delete kcert --all -n "${TLS_TEST_NAMESPACE}"
+}
+
+function setup_http01_external_domain_tls() {
+    # The name of the test, lowercase to avoid hyphenation of the test name.
+  export EXTERNAL_DOMAIN_TLS_TEST_NAME="http01"
+  # Rely on the built-in naming (for logstream)
+  unset TLS_SERVICE_NAME
+  # The full host name of the Knative Service. This is used to configure the DNS record.
+  export EXTERNAL_DOMAIN_TLS_TEST_FULL_HOST_NAME="*.${CUSTOM_DOMAIN_SUFFIX}"
+
+  kubectl delete kcert --all -n "${TLS_TEST_NAMESPACE}"
+
+  if [[ -z "${MESH}" ]]; then
+    echo "Install cert-manager no-mesh ClusterIssuer"
+    kubectl apply -f "${E2E_YAML_DIR}"/test/config/externaldomaintls/certmanager/http01/issuer.yaml
+  else
+    echo "Install cert-manager mesh ClusterIssuer"
+    kubectl apply -f "${E2E_YAML_DIR}"/test/config/externaldomaintls/certmanager/http01/mesh-issuer.yaml
+  fi
+  kubectl apply -f "${E2E_YAML_DIR}"/test/config/externaldomaintls/certmanager/http01/config-certmanager.yaml
+  setup_dns_record
+}
+
+function setup_selfsigned_per_ksvc_external_domain_tls() {
+  # The name of the test.
+  export EXTERNAL_DOMAIN_TLS_TEST_NAME="SelfSignedPerKsvc"
+  # The name of the Knative Service deployed in External Domain TLS E2E test.
+  export TLS_SERVICE_NAME="self-per-ksvc"
+
+  kubectl delete kcert --all -n "${TLS_TEST_NAMESPACE}"
+  kubectl apply -f ${E2E_YAML_DIR}/test/config/externaldomaintls/certmanager/selfsigned/
+}
+
+function setup_selfsigned_per_namespace_external_domain_tls() {
+  # The name of the test.
+  export EXTERNAL_DOMAIN_TLS_TEST_NAME="SelfSignedPerNamespace"
+  # The name of the Knative Service deployed in External Domain TLS E2E test.
+  export TLS_SERVICE_NAME="self-per-namespace"
+
+  kubectl delete kcert --all -n "${TLS_TEST_NAMESPACE}"
+
+  # Enable namespace certificate only for "${TLS_TEST_NAMESPACE}" namespaces
+  selector="matchExpressions:
+  - key: kubernetes.io/metadata.name
+    operator: In
+    values: [${TLS_TEST_NAMESPACE}]
+  "
+  toggle_feature namespace-wildcard-cert-selector "$selector" config-network
+
+  kubectl apply -f ${E2E_YAML_DIR}/test/config/externaldomaintls/certmanager/selfsigned/
+
+}
+
+function cleanup_per_selfsigned_namespace_external_domain_tls() {
+  # Disable namespace cert for all namespaces
+  toggle_feature namespace-wildcard-cert-selector "" config-network
+
+  kubectl delete -f ${E2E_YAML_DIR}/test/config/externaldomaintls/certmanager/selfsigned/ --ignore-not-found=true
+}
+
+function setup_dns_record() {
+  go run ./test/e2e/externaldomaintls/config/dnssetup/
+  if [ $? -eq 0 ]; then
+    echo "Successfully set up DNS record"
+  else
+    echo "Error setting up DNS record"
+    exit 1
+  fi
+}
+
+function delete_dns_record() {
+  go run ./test/e2e/externaldomaintls/config/dnscleanup/
+  if [ $? -eq 0 ]; then
+    echo "Successfully tore down DNS record"
+  else
+    echo "Error deleting up DNS record"
+    exit 1
+  fi
+}
+
+# Script entry point.
+initialize "$@" --num-nodes=4 --enable-ha --cluster-version=1.26
+
+# Run the tests
+header "Running tests"
+
+failed=0
+
+# Currently only Istio, Contour and Kourier implement the alpha features.
+alpha=""
+if [[ -z "${INGRESS_CLASS}" \
+  || "${INGRESS_CLASS}" == "istio.ingress.networking.knative.dev" \
+  || "${INGRESS_CLASS}" == "contour.ingress.networking.knative.dev" \
+  || "${INGRESS_CLASS}" == "kourier.ingress.networking.knative.dev" ]]; then
+  alpha="--enable-alpha"
+fi
+
+EXTERNAL_DOMAIN_TLS_TEST_OPTIONS="${EXTERNAL_DOMAIN_TLS_TEST_OPTIONS:-${alpha} --enable-beta}"
+
+# External Domain TLS E2E tests mutate the cluster and must be ran separately
+# because they need external-domain-tls and cert-manager specific configurations
+subheader "Setup external-domain tls"
+setup_external_domain_tls_common
+add_trap "cleanup_external_domain_tls_common" EXIT SIGKILL SIGTERM SIGQUIT
+
+subheader "External Domain TLS test for per-ksvc certificate provision using self-signed CA"
+setup_selfsigned_per_ksvc_external_domain_tls
+go_test_e2e -timeout=10m ./test/e2e/externaldomaintls/ ${EXTERNAL_DOMAIN_TLS_TEST_OPTIONS} || failed=1
+kubectl delete -f ${E2E_YAML_DIR}/test/config/externaldomaintls/certmanager/selfsigned/
+
+subheader "External Domain TLS test for per-namespace certificate provision using self-signed CA"
+setup_selfsigned_per_namespace_external_domain_tls
+add_trap "cleanup_per_selfsigned_namespace_external_domain_tls" SIGKILL SIGTERM SIGQUIT
+go_test_e2e -timeout=10m ./test/e2e/externaldomaintls/ ${EXTERNAL_DOMAIN_TLS_TEST_OPTIONS} || failed=1
+cleanup_per_selfsigned_namespace_external_domain_tls
+
+if [[ ${RUN_HTTP01_EXTERNAL_DOMAIN_TLS_TESTS} -eq 1 ]]; then
+  subheader "External Domain TLS test for per-ksvc certificate provision using HTTP01 challenge"
+  setup_http01_external_domain_tls
+  add_trap "delete_dns_record" SIGKILL SIGTERM SIGQUIT
+  go_test_e2e -timeout=10m ./test/e2e/externaldomaintls/ ${EXTERNAL_DOMAIN_TLS_TEST_OPTIONS} || failed=1
+  kubectl delete -f ${E2E_YAML_DIR}/test/config/externaldomaintls/certmanager/http01/
+  delete_dns_record
+fi
+
+(( failed )) && fail_test
+
+subheader "Cleanup external domain tls"
+cleanup_external_domain_tls_common
+
+# Remove the kail log file if the test flow passes.
+# This is for preventing too many large log files to be uploaded to GCS in CI.
+rm "${ARTIFACTS}/k8s.log-$(basename "${E2E_SCRIPT}").txt"
+success
--- a/test/e2e-tests.sh
+++ b/test/e2e-tests.sh
@ -50,9 +50,9 @@ fi

 if (( HTTPS )); then
  E2E_TEST_FLAGS+=" -https"
-  toggle_feature auto-tls Enabled config-network
-  kubectl apply -f "${E2E_YAML_DIR}"/test/config/autotls/certmanager/caissuer/
-  add_trap "kubectl delete -f ${E2E_YAML_DIR}/test/config/autotls/certmanager/caissuer/ --ignore-not-found" SIGKILL SIGTERM SIGQUIT
+  toggle_feature external-domain-tls Enabled config-network
+  kubectl apply -f "${E2E_YAML_DIR}"/test/config/externaldomaintls/certmanager/caissuer/
+  add_trap "kubectl delete -f ${E2E_YAML_DIR}/test/config/externaldomaintls/certmanager/caissuer/ --ignore-not-found" SIGKILL SIGTERM SIGQUIT
 fi

 if (( MESH )); then
@ -138,8 +138,8 @@ go_test_e2e -timeout=25m -failfast -parallel=1 ./test/ha \
  -spoofinterval="10ms" || failed=1

 if (( HTTPS )); then
-  kubectl delete -f ${E2E_YAML_DIR}/test/config/autotls/certmanager/caissuer/ --ignore-not-found
-  toggle_feature auto-tls Disabled config-network
+  kubectl delete -f ${E2E_YAML_DIR}/test/config/externaldomaintls/certmanager/caissuer/ --ignore-not-found
+  toggle_feature external-domain-tls Disabled config-network
 fi

 (( failed )) && fail_test
--- a/test/e2e/externaldomaintls/README.md
+++ b/test/e2e/externaldomaintls/README.md
@ -1,27 +1,32 @@
-This is the instruction about how to run Auto TLS E2E test under different
-configurations to test different use cases. For more details about Auto TLS
-feature, check out the
-[Auto TLS](https://knative.dev/docs/serving/using-auto-tls/) feature
-documentation.
+This is the instruction about how to run External Domain TLS E2E test under different
+configurations to test different use cases. For more details about External Domain TLS
+feature, check out the [External Domain TLS](https://knative.dev/docs/serving/using-external-domain-tls/)
+feature documentation.

-To run Auto TLS E2E test locally, run the following commands:
+# Prerequisites
+* Have `cert-manager` installed
+* Have `net-certmanager` installed
+* Upload test images with `./test/upload-test-images.sh`
+* Enable `external-domain-tls` with `kubectl patch cm config-network -n knative-serving -p '{"data":{"external-domain-tls": "enabled"}}'`
+
+To run External Domain TLS E2E test locally, run the following commands:

 1. test case 1: testing per ksvc certificate provision with self-signed CA
   1. Run `kubectl patch cm config-network -n knative-serving -p '{"data":{"namespace-wildcard-cert-selector": ""}}'` to disable wildcards for namespaces
   1. `kubectl delete kcert --all -n serving-tests`
-   1. `kubectl apply -f test/config/autotls/certmanager/selfsigned/`
-   1. `go test -v -tags=e2e -count=1 -timeout=600s ./test/e2e/autotls/... -run ^TestTLS`
+   1. `kubectl apply -f test/config/externaldomaintls/certmanager/selfsigned/`
+   1. `go test -v -tags=e2e -count=1 -timeout=600s ./test/e2e/externaldomaintls/... -run ^TestTLS`
 1. test case 2: testing per namespace certificate provision with self-signed CA
   1. `kubectl delete kcert --all -n serving-tests`
-   1. `kubectl apply -f test/config/autotls/certmanager/selfsigned/`
+   1. `kubectl apply -f test/config/externaldomaintls/certmanager/selfsigned/`
   1. Run `kubectl patch cm config-network -n knative-serving -p '{"data":{"namespace-wildcard-cert-selector": "{}"}}'` to enable wildcards for all namespaces
-   1. `go test -v -tags=e2e -count=1 -timeout=600s ./test/e2e/autotls/... -run ^TestTLS`
+   1. `go test -v -tags=e2e -count=1 -timeout=600s ./test/e2e/externaldomaintls/... -run ^TestTLS`
 1. test case 3: testing per ksvc certificate provision with HTTP challenge
   1. Run `kubectl patch cm config-network -n knative-serving -p '{"data":{"namespace-wildcard-cert-selector": ""}}'` to disable wildcards for namespaces
   1. `kubectl delete kcert --all -n serving-tests`
-   1. `kubectl apply -f test/config/autotls/certmanager/http01/`
+   1. `kubectl apply -f test/config/externaldomaintls/certmanager/http01/`
   1. `export SERVICE_NAME=http01`
   1. `kubectl patch cm config-domain -n knative-serving -p '{"data":{"<your-custom-domain>":""}}'`
   1. Add a DNS A record to map host `http01.serving-tests.<your-custom-domain>`
      to the Ingress IP.
-   1. `go test -v -tags=e2e -count=1 -timeout=600s ./test/e2e/autotls/... -run ^TestTLS`
+   1. `go test -v -tags=e2e -count=1 -timeout=600s ./test/e2e/externaldomaintls/... -run ^TestTLS`
--- a/test/e2e/externaldomaintls/auto_tls_test.go
+++ b/test/e2e/externaldomaintls/auto_tls_test.go
@ -17,7 +17,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

-package autotls
+package externaldomaintls

 import (
 	"context"
@ -45,8 +45,8 @@ type config struct {
 	// It is not required for self-signed CA or for the HTTP01 challenge when wildcard domain
 	// is mapped to the Ingress IP.
 	TLSServiceName string `envconfig:"tls_service_name" required:"false"`
-	// AutoTLSTestName is the name of the auto tls. It is not required for local test.
-	AutoTLSTestName string `envconfig:"auto_tls_test_name" required:"false" default:"TestAutoTLS"`
+	// ExternalDomainTLSTestName is the name of the external domain tls test. It is not required for local test.
+	ExternalDomainTLSTestName string `envconfig:"external_domain_tls_test_name" required:"false" default:"TestExternalDomainTLS"`
 }

 var env config
@ -55,7 +55,7 @@ func TestTLS(t *testing.T) {
 	if err := envconfig.Process("", &env); err != nil {
 		t.Fatalf("Failed to process environment variable: %v.", err)
 	}
-	t.Run(env.AutoTLSTestName, testAutoTLS)
+	t.Run(env.ExternalDomainTLSTestName, testExternalDomainTLS)
 }

 func TestTLSDisabledWithAnnotation(t *testing.T) {
@ -67,7 +67,7 @@ func TestTLSDisabledWithAnnotation(t *testing.T) {
 	}
 	test.EnsureTearDown(t, clients, &names)

-	objects, err := v1test.CreateServiceReady(t, clients, &names, rtesting.WithServiceAnnotations(map[string]string{networking.DisableAutoTLSAnnotationKey: "true"}))
+	objects, err := v1test.CreateServiceReady(t, clients, &names, rtesting.WithServiceAnnotations(map[string]string{networking.DisableExternalDomainTLSAnnotationKey: "true"}))
 	if err != nil {
 		t.Fatalf("Failed to create initial Service: %v: %v", names.Service, err)
 	}
@ -84,7 +84,7 @@ func TestTLSDisabledWithAnnotation(t *testing.T) {
 	RuntimeRequest(context.Background(), t, httpClient, objects.Route.Status.URL.String())
 }

-func testAutoTLS(t *testing.T) {
+func testExternalDomainTLS(t *testing.T) {
 	clients := test.Setup(t, test.Options{Namespace: test.ServingFlags.TLSTestNamespace})

 	names := test.ResourceNames{
--- a/test/e2e/externaldomaintls/config/dnscleanup/main.go
+++ b/test/e2e/externaldomaintls/config/dnscleanup/main.go
@ -21,13 +21,13 @@ import (

 	"github.com/kelseyhightower/envconfig"

-	"knative.dev/serving/test/e2e/autotls/config"
+	"knative.dev/serving/test/e2e/externaldomaintls/config"
 )

 var env config.EnvConfig

 func main() {
-	if err := envconfig.Process("auto_tls_test", &env); err != nil {
+	if err := envconfig.Process("external_domain_tls_test", &env); err != nil {
 		log.Fatalf("Failed to process environment variable: %v.", err)
 	}
 	record := &config.DNSRecord{
--- a/test/e2e/externaldomaintls/config/dnssetup/main.go
+++ b/test/e2e/externaldomaintls/config/dnssetup/main.go
@ -30,7 +30,7 @@ import (

 	"k8s.io/apimachinery/pkg/util/wait"

-	"knative.dev/serving/test/e2e/autotls/config"
+	"knative.dev/serving/test/e2e/externaldomaintls/config"
 )

 var env config.EnvConfig
--- a/test/e2e/externaldomaintls/config/util.go
+++ b/test/e2e/externaldomaintls/config/util.go
--- a/test/e2e/externaldomaintls/domain_mapping_test.go
+++ b/test/e2e/externaldomaintls/domain_mapping_test.go
@ -17,7 +17,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

-package autotls
+package externaldomaintls

 import (
 	"context"
@ -26,6 +26,7 @@ import (
 	"github.com/kelseyhightower/envconfig"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
+	"knative.dev/networking/pkg/apis/networking"
 	duckv1 "knative.dev/pkg/apis/duck/v1"
 	"knative.dev/pkg/reconciler"
 	v1 "knative.dev/serving/pkg/apis/serving/v1"
@ -45,7 +46,7 @@ type dmConfig struct {
 	CustomDomainSuffix string `envconfig:"custom_domain_suffix" required:"false"`
 }

-func TestDomainMappingAutoTLS(t *testing.T) {
+func TestDomainMappingExternalDomainTLS(t *testing.T) {
 	if !test.ServingFlags.EnableBetaFeatures {
 		t.Skip("Beta features not enabled")
 	}
@ -75,7 +76,7 @@ func TestDomainMappingAutoTLS(t *testing.T) {
 	// Set up initial Service.
 	svc, err := v1test.CreateServiceReady(t, clients, &names,
 		func(service *v1.Service) {
-			service.Annotations = map[string]string{"networking.knative.dev/disableAutoTLS": "True"}
+			service.Annotations = map[string]string{networking.DisableExternalDomainTLSAnnotationKey: "true"}
 		})
 	if err != nil {
 		t.Fatalf("Failed to create initial Service %q: %v", names.Service, err)
--- a/test/e2e/externaldomaintls/http_redirect_test.go
+++ b/test/e2e/externaldomaintls/http_redirect_test.go
@ -17,7 +17,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

-package autotls
+package externaldomaintls

 import (
 	"context"
--- a/test/e2e/externaldomaintls/util_test.go
+++ b/test/e2e/externaldomaintls/util_test.go
@ -17,7 +17,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

-package autotls
+package externaldomaintls

 import (
 	"context"