okd-project / okd

The self-managing, auto-upgrading, Kubernetes distribution for everyone
https://okd.io
Apache License 2.0

Route tls reencrypt return host doesn't exist #1862

Open wuyexixi opened 5 months ago

wuyexixi commented 5 months ago

Describe the bug

Route reports a "host doesn't exist" error when using TLS re-encrypt.

Version

okd 4.14.0-0.okd-2024-01-06-084517

How reproducible

Route:

kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: keycloak
  namespace: devops-keycloak
  uid: e03da40c-1b79-4458-8ee4-0e02f2ce2915
  resourceVersion: '1925767'
  creationTimestamp: '2024-01-19T08:27:55Z'
  labels:
    app: keycloak
  annotations:
    openshift.io/host.generated: 'true'
  managedFields:
    - manager: Mozilla
      operation: Update
      apiVersion: route.openshift.io/v1
      time: '2024-01-19T08:27:55Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:metadata':
          'f:labels':
            .: {}
            'f:app': {}
        'f:spec':
          'f:port':
            .: {}
            'f:targetPort': {}
          'f:tls':
            .: {}
            'f:insecureEdgeTerminationPolicy': {}
            'f:termination': {}
          'f:to':
            'f:kind': {}
            'f:name': {}
            'f:weight': {}
          'f:wildcardPolicy': {}
    - manager: openshift-router
      operation: Update
      apiVersion: route.openshift.io/v1
      time: '2024-01-19T08:27:55Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:status':
          'f:ingress': {}
      subresource: status
spec:
  host: keycloak-devops-keycloak.apps.okd.devops.philips-healthsuitechina.com.cn
  to:
    kind: Service
    name: keycloak
    weight: 100
  port:
    targetPort: keycloak
  tls:
    termination: reencrypt
    insecureEdgeTerminationPolicy: Redirect
  wildcardPolicy: None
status:
  ingress:
    - host: keycloak-devops-keycloak.apps.okd.devops.philips-healthsuitechina.com.cn
      routerName: default
      conditions:
        - type: Admitted
          status: 'True'
          lastTransitionTime: '2024-01-19T08:27:55Z'
      wildcardPolicy: None
      routerCanonicalHostname: router-default.apps.okd.devops.philips-healthsuitechina.com.cn

Log bundle

haproxy configuration

backend be_secure:devops-keycloak:keycloak
  mode http
  option redispatch
  option forwardfor
  balance random

  timeout check 5000ms
  http-request add-header X-Forwarded-Host %[req.hdr(host)]
  http-request add-header X-Forwarded-Port %[dst_port]
  http-request add-header X-Forwarded-Proto http if !{ ssl_fc }
  http-request add-header X-Forwarded-Proto https if { ssl_fc }
  http-request add-header X-Forwarded-Proto-Version h2 if { ssl_fc_alpn -i h2 }
  http-request add-header Forwarded for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)]
  cookie 2cc6690bc18e4639e5c6158a6a1aa67f insert indirect nocache httponly secure attr SameSite=None
  server pod:keycloak-1:keycloak:keycloak:10.129.2.47:8443 10.129.2.47:8443 cookie 47733c2ffe35df2777b2038b04b2ce5f weight 1 ssl verifyhost keycloak.devops-keycloak.svc verify required ca-file /var/run/configmaps/service-ca/service-ca.crt check inter 5000ms
  server pod:keycloak-0:keycloak:keycloak:10.131.0.206:8443 10.131.0.206:8443 cookie 1106decc3c177028f6417ffbf2a2383c weight 1 ssl verifyhost keycloak.devops-keycloak.svc verify required ca-file /var/run/configmaps/service-ca/service-ca.crt check inter 5000ms
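An added check (example code, not from the issue or from the OKD router) that reads a router-generated haproxy backend like the one above and confirms each server line re-encrypts to the pod with verification against the service CA, deriving the expected verifyhost from the Route's namespace and service name. The pod IP and cookie value in the embedded sample are constructed.

```python
# Constructed sample: one haproxy backend in the shape the OpenShift router
# emits for a reencrypt Route (hypothetical pod IP and cookie, same layout
# as the snippet in the issue).
SAMPLE_BACKEND = """\
backend be_secure:devops-keycloak:keycloak
  mode http
  server pod:keycloak-0:keycloak:keycloak:10.131.0.206:8443 10.131.0.206:8443 cookie 1106dec weight 1 ssl verifyhost keycloak.devops-keycloak.svc verify required ca-file /var/run/configmaps/service-ca/service-ca.crt check inter 5000ms
"""


def parse_servers(backend_text):
    """Return one dict per `server` line with its TLS-relevant keywords."""
    servers = []
    for line in backend_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "server":
            continue
        opts = {"name": tokens[1], "address": tokens[2], "ssl": "ssl" in tokens}
        # haproxy server keywords that take one argument
        for key in ("verify", "verifyhost", "ca-file"):
            if key in tokens:
                opts[key] = tokens[tokens.index(key) + 1]
        servers.append(opts)
    return servers


def check_reencrypt_backend(backend_text, namespace, service):
    """Flag server lines that do not verify the pod the way a reencrypt Route
    without destinationCACertificate should: TLS on, verify required, a CA
    file pinned, and verifyhost equal to <service>.<namespace>.svc."""
    expected_host = f"{service}.{namespace}.svc"
    findings = []
    for s in parse_servers(backend_text):
        if not s["ssl"]:
            findings.append(f"{s['name']}: plaintext to backend (no 'ssl')")
        if s.get("verify") != "required":
            findings.append(f"{s['name']}: backend cert not verified (verify={s.get('verify')})")
        if "ca-file" not in s:
            findings.append(f"{s['name']}: no ca-file, service CA not pinned")
        if s.get("verifyhost") != expected_host:
            findings.append(f"{s['name']}: verifyhost {s.get('verifyhost')} != {expected_host}")
    return findings
```

An empty result means every server line re-encrypts and verifies the pod certificate against the service CA; the backend in the issue passes this check for namespace devops-keycloak and service keycloak.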

vrutkovs commented 5 months ago

I don't understand the steps to reproduce or the expected result. Could you attach the output of oc get route -o yaml for this route?

Also, this haproxy config snippet: is it the snippet generated by the openshift router, or a receiver for your route?