cert-manager / cert-manager

Automatically provision and manage TLS certificates in Kubernetes
https://cert-manager.io
Apache License 2.0

Securing Gateway in GKE is failing #6948

Open ramilmsh opened 4 months ago

ramilmsh commented 4 months ago

Re-opening #6196 as it is still relevant.

All details are identical. Not using ManagedCertificate

ryan-b-gibson commented 1 month ago

I just ran into this issue and was able to address it by removing group: core from the certificateRefs block. For example,

    tls:
      mode: Terminate
      certificateRefs:
      - name: example-com-tls
        # group: core   # either don't provide the group or leave it empty (empty string)

Per the error in the original issue #6196:

... Listener "https" is invalid, err: You specified {Group: core, Kind: Secret} in the certificate reference, {Group: , Kind: Secret} are the supported values.

you can see that the Gateway implementation doesn't know what the "core" Group is, but does recognize the "" Group.

Also, per the gateway-api spec:

    type SecretObjectReference struct {
        // Group is the group of the referent. For example, "gateway.networking.k8s.io".
        // When unspecified or empty string, core API group is inferred.
        //
        // +optional
        // +kubebuilder:default=""
        Group *Group `json:"group"`
    ...
    }

the "core" API group is inferred by effectively leaving the group undefined. I assume this is because the core API group name is "" under the hood.

Perhaps Gateway implementations are inconsistent, but it might be worth updating the Annotated Gateway resource docs to indicate that the group should be empty for certain Gateways (e.g., Kong).

Environment:
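A small lint for the misconfiguration discussed in this thread, added here as an example and not code from cert-manager or the Gateway API project. It walks a Gateway manifest (constructed below as Python dicts standing in for the parsed YAML) and flags any Secret `certificateRefs` entry whose `group` is not the empty core group, then rewrites the `group: core` spelling to the form the spec and the quoted error message accept. The function and constant names are this example's own.

```python
import copy

# Values the Gateway API SecretObjectReference accepts for a core Secret:
# the field unset (None once parsed) or the empty string. The core API
# group's real name is "", which is why "core" is rejected by the Gateway.
CORE_GROUP_VALUES = {None, ""}

# Spellings of the core group that implementations reject (from this issue).
KNOWN_MISSPELLINGS = {"core"}

# Constructed Gateway manifest reproducing the failing configuration.
BAD_GATEWAY = {
    "apiVersion": "gateway.networking.k8s.io/v1",
    "kind": "Gateway",
    "metadata": {"name": "example-gateway"},
    "spec": {
        "gatewayClassName": "example-class",  # placeholder class name
        "listeners": [
            {"name": "http", "port": 80, "protocol": "HTTP"},
            {
                "name": "https",
                "port": 443,
                "protocol": "HTTPS",
                "tls": {
                    "mode": "Terminate",
                    "certificateRefs": [
                        {"name": "example-com-tls", "kind": "Secret", "group": "core"}
                    ],
                },
            },
        ],
    },
}

# Constructed manifest in the accepted form: one ref with no group at all,
# one with the explicit empty string.
GOOD_GATEWAY = copy.deepcopy(BAD_GATEWAY)
GOOD_GATEWAY["spec"]["listeners"][1]["tls"]["certificateRefs"] = [
    {"name": "example-com-tls"},
    {"name": "example-com-tls", "kind": "Secret", "group": ""},
]


def find_bad_certificate_refs(gateway):
    """Return (listener_name, ref_name, group) for each Secret certificateRef
    whose group is neither unset nor the empty string."""
    findings = []
    for listener in gateway.get("spec", {}).get("listeners", []):
        tls = listener.get("tls") or {}
        for ref in tls.get("certificateRefs", []):
            kind = ref.get("kind", "Secret")  # Secret is the spec default
            group = ref.get("group")
            if kind == "Secret" and group not in CORE_GROUP_VALUES:
                findings.append((listener.get("name"), ref.get("name"), group))
    return findings


def fix_certificate_refs(gateway):
    """Return a copy of the Gateway with the known-bad group spelling removed
    from Secret certificateRefs. Other unexpected groups are left alone so a
    human can decide whether a non-core referent was really intended."""
    fixed = copy.deepcopy(gateway)
    for listener in fixed.get("spec", {}).get("listeners", []):
        tls = listener.get("tls") or {}
        for ref in tls.get("certificateRefs", []):
            if ref.get("kind", "Secret") == "Secret" and ref.get("group") in KNOWN_MISSPELLINGS:
                del ref["group"]  # unset group => core group is inferred
    return fixed


if __name__ == "__main__":
    for listener_name, ref_name, group in find_bad_certificate_refs(BAD_GATEWAY):
        print(f'listener "{listener_name}": certificateRef {ref_name} has group {group!r}; '
              "use no group or an empty string for a core Secret")
    print("after fix:", find_bad_certificate_refs(fix_certificate_refs(BAD_GATEWAY)))
```

Run against a manifest parsed from YAML (for example with PyYAML's `safe_load`) the same functions apply unchanged, since the lint only looks at `spec.listeners[].tls.certificateRefs[]`. Flagging rather than silently rewriting groups other than `core` is deliberate: the error quoted above only tells us the empty group is accepted for Secrets, not what any other value was meant to reference.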