Kong / kubernetes-ingress-controller

:gorilla: Kong for Kubernetes: The official Ingress Controller for Kubernetes.
https://docs.konghq.com/kubernetes-ingress-controller/
Apache License 2.0
2.16k stars 592 forks

Subdomain wildcard certificate domains not working with HTTPS #6216

Open pawandhiman10 opened 2 weeks ago

pawandhiman10 commented 2 weeks ago

Is there an existing issue for this?

Current Behavior

We have added multiple wildcard certificates to the same gateway as below:

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: test-gateway
  namespace: test-gateway
spec:
  gatewayClassName: test-gateway
  listeners:
  - name: proxy
    port: 80
    protocol: HTTP
    allowedRoutes:
      namespaces:
        from: All
  - name: gateway-ssl-certs-one-internal-tls
    port: 443
    protocol: HTTPS
    hostname: "*.one.internal.example.com"
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        group: ""
        name: gateway-ssl-certs-one-internal
        namespace: secrets
    allowedRoutes:
      namespaces:
        from: All
  - name: gateway-ssl-certs-one-tls
    port: 443
    protocol: HTTPS
    hostname: "*.one.example.com"
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        group: ""
        name: gateway-ssl-certs-one
        namespace: secrets
    allowedRoutes:
      namespaces:
        from: All
  - name: gateway-ssl-certs-tls
    port: 443
    protocol: HTTPS
    hostname: "*.example.com"
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        group: ""
        name: gateway-ssl-certs
        namespace: secrets
    allowedRoutes:
      namespaces:
        from: All

But HTTPS only runs successfully if we pass the *.example.com domain, and it fails for the others. It is not working for both wildcard subdomain certificates (one level and two level).

Expected Behavior

HTTPS to work successfully with *.one.example.com and *.one.internal.example.com domains.

Steps To Reproduce

I have shared the YAML above.

Kong Ingress Controller version

v3.2.x (from Helm Chart 2.39.0 https://artifacthub.io/packages/helm/kong/kong)

Kubernetes version

GKE cluster v1.29.4-gke.1043002
Gateway API v1.0.0

Anything else?

No response

pawandhiman10 commented 6 days ago

It displays this certificate.

Screenshot 2024-07-01 at 8 22 55 PM
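
A diagnostic aid for the listener configuration in this issue, added here and not part of the original report or of Kong's code: it lists which listeners' hostnames match a given SNI under the Gateway API suffix-match rule for wildcard hostnames, and whether a certificate carrying that same wildcard name would validate for the host under single-label wildcard matching (RFC 6125). It assumes each referenced Secret holds a certificate whose SAN equals its listener hostname; the function names and sample hosts are constructed.

```python
# Listener names and hostnames copied from the Gateway manifest in the issue.
LISTENERS = {
    "gateway-ssl-certs-one-internal-tls": "*.one.internal.example.com",
    "gateway-ssl-certs-one-tls": "*.one.example.com",
    "gateway-ssl-certs-tls": "*.example.com",
}


def _labels(name):
    return name.lower().rstrip(".").split(".")


def listener_matches(pattern, host):
    """Gateway API listener rule: a leading '*.' is a suffix match (one or more labels)."""
    p, h = _labels(pattern), _labels(host)
    if p[0] != "*":
        return p == h
    suffix = p[1:]
    return len(h) > len(suffix) and h[-len(suffix):] == suffix


def cert_covers(san, host):
    """X.509 wildcard rule (RFC 6125): '*' stands for exactly one leftmost label."""
    s, h = _labels(san), _labels(host)
    if s[0] != "*":
        return s == h
    return len(h) == len(s) and h[1:] == s[1:]


def diagnose(host, listeners=LISTENERS):
    """Return (listener, hostname, cert_valid) for every listener matching host."""
    # Assumption: each listener's Secret holds a cert whose SAN equals its hostname.
    hits = [(name, pat, cert_covers(pat, host))
            for name, pat in listeners.items() if listener_matches(pat, host)]
    # Longest hostname first, for readability only; this ordering does not
    # model how any proxy chooses among matching certificates.
    return sorted(hits, key=lambda t: len(_labels(t[1])), reverse=True)


if __name__ == "__main__":
    # Constructed sample hosts, one per wildcard level in the manifest.
    for host in ("api.example.com", "api.one.example.com",
                 "api.one.internal.example.com"):
        print(host)
        for name, pat, ok in diagnose(host):
            print(f"  {name:36} {pat:28} cert valid for host: {ok}")
```

Comparing this output with the certificate actually presented for each SNI (for example with `openssl s_client -servername <host>`) shows whether the served certificate is one that can validate for that host.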