kubernetes-sigs / gateway-api

Repository for the next iteration of composite service (e.g. Ingress) and load balancing APIs.
https://gateway-api.sigs.k8s.io
Apache License 2.0

Subdomain wildcard certificate domains not working with HTTPS #3157

Open pawandhiman10 opened 3 months ago

pawandhiman10 commented 3 months ago

Setup: GKE cluster v1.29.4-gke.1043002 Gateway API v1.0.0 Running Kong using Helm. Secrets have been created with tls.cert and tls.key as the data parameters and ReferenceGrant has also been added to allow certificate secrets to be read from the different namespace as mentioned here.

What happened: We have added multiple wildcard certificates to the same gateway as below:

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: test-gateway
  namespace: test-gateway
spec:
  gatewayClassName: test-gateway
  listeners:
  - name: proxy
    port: 80
    protocol: HTTP
    allowedRoutes:
      namespaces:
        from: All
  - name: gateway-ssl-certs-one-internal-tls
    port: 443
    protocol: HTTPS
    hostname: "*.one.internal.example.com"
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        group: ""
        name: gateway-ssl-certs-one-internal
        namespace: secrets
    allowedRoutes:
      namespaces:
        from: All
  - name: gateway-ssl-certs-one-tls
    port: 443
    protocol: HTTPS
    hostname: "*.one.example.com"
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        group: ""
        name: gateway-ssl-certs-one
        namespace: secrets
    allowedRoutes:
      namespaces:
        from: All
  - name: gateway-ssl-certs-tls
    port: 443
    protocol: HTTPS
    hostname: "*.example.com"
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        group: ""
        name: gateway-ssl-certs
        namespace: secrets
    allowedRoutes:
      namespaces:
        from: All

But HTTPS is only running successfully if we pass a *.example.com domain and failing for the others. It is not working for either of the wildcard subdomain certificates (one level and two level).

What you expected to happen: HTTPS to work successfully with *.one.example.com and *.one.internal.example.com domains.

How to reproduce it (as minimally and precisely as possible): Have shared the YAML above.

Have tried removing all domains, keeping only *.one.example.com, but it is still not working; initially we thought order mattered, but we are not getting the expected results. Please help in resolving this; some guidance on how to proceed here would be really helpful.
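An added example (not from the issue thread or the gateway-api project) that models the two matching rules at play here: Gateway API Listener hostname matching, where a wildcard is a suffix match and the most specific listener should win for a given SNI name, and X.509 wildcard validation, where a wildcard covers exactly one label, so serving the *.example.com certificate for app.one.example.com fails browser validation. Listener and Secret names are taken from the Gateway above; the SNI values are constructed, and it assumes each Secret's certificate SAN equals its listener hostname.

```python
# Listener hostnames and certificateRefs copied from the issue's Gateway.
LISTENERS = [
    ("gateway-ssl-certs-one-internal-tls", "*.one.internal.example.com",
     "gateway-ssl-certs-one-internal"),
    ("gateway-ssl-certs-one-tls", "*.one.example.com", "gateway-ssl-certs-one"),
    ("gateway-ssl-certs-tls", "*.example.com", "gateway-ssl-certs"),
]

def listener_hostname_matches(pattern: str, host: str) -> bool:
    """Gateway API Listener hostname rule: '*.example.com' is a suffix match
    covering one or more leading labels (a.example.com, a.b.example.com) but
    not the apex example.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]  # ".example.com"
    return host.endswith(suffix) and len(host) > len(suffix)

def select_listener(sni: str):
    """Most specific matching listener (longest hostname wins), so
    '*.one.example.com' beats '*.example.com' for app.one.example.com."""
    matches = [l for l in LISTENERS if listener_hostname_matches(l[1], sni)]
    if not matches:
        return None
    name, _, secret = max(matches, key=lambda l: len(l[1]))
    return name, secret

def cert_wildcard_covers(san: str, host: str) -> bool:
    """X.509 rule (RFC 6125): a wildcard SAN matches exactly one label, so a
    cert for *.example.com does NOT cover app.one.example.com."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    sl, hl = san.split("."), host.split(".")
    return len(sl) == len(hl) and sl[1:] == hl[1:]

def diagnose(sni: str) -> dict:
    """Which listener/secret a conforming data plane should pick for this SNI,
    and whether falling back to the *.example.com cert would even validate."""
    sel = select_listener(sni)
    return {
        "sni": sni,
        "listener": sel[0] if sel else None,
        "secret": sel[1] if sel else None,
        "apex_cert_would_validate": cert_wildcard_covers("*.example.com", sni),
    }

if __name__ == "__main__":
    for sni in ("app.example.com", "app.one.example.com", "app.one.internal.example.com"):
        print(diagnose(sni))
```

If the proxy presents the gateway-ssl-certs certificate for a name whose diagnose() output names a different secret, the data plane is not honouring listener specificity, which is what to report to the implementation.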

benhur-araujo commented 2 weeks ago

I'm facing the same issue

robscott commented 2 weeks ago

This is unfortunately reflecting a gap in our conformance tests, so we should keep something open to track that specific part of this problem. I think this specific issue would be better resolved by opening an issue on Kong's repo (I think https://github.com/Kong/kubernetes-ingress-controller is the right one).

@mlavacca can likely help this find the right place.