Cluster issuer for HTTP-01 gatewayHTTPRoute should not require a gateway parentRef

[brandonp42]

Is your feature request related to a problem? Please describe.
I want to be able to create multiple gateways (with different host names) for separate applications & application environments but use a common cluster issuer. The problem is that cluster issuers require the spec.acme.solvers.http01.gatewayHTTPRoute.parentRefs[0].name field to be filled in. As far as I can tell this means I have to create a unique issuer per gateway anyway which seems like the cluster issuer isn't as useful versus the old style ingress cluster issuers.

Describe the solution you'd like
When I ask cert-manager to create certificates for a gateway I have to put annotations on the gateway anyway, so I'd like cert-manager to just harvest the gateway name from that CRD and use it instead of also having to specify it on a cluster issuer.

Describe alternatives you've considered
As described above - create a unique issuer for every gateway. Also I have not tested it but perhaps create gateways in different namespaces but the same name? It might also work to just create a single gateway across the whole system with many host names.

Additional context
The current implementation seems like an unnecessary limitation that may hamper adoption of Gateway API.

Environment details (remove if not applicable):

• Kubernetes version: 1.33.3
• Cloud-provider/provisioner: Proxmox / Talos / Cilium
• cert-manager version: 1.18.2
• Install method: helm chart

/kind feature

[hjoshi123]

@brandonp42 would love to know more about your issue. Why can't we reference multiple parentRefs within the same issuer?

[xorinzor]

@hjoshi123 I think the actual request here is that if no parentRefs are defined it will automatically work for all Gateways; just like it does with Ingresses.

Please also note the difference here with Issuer vs. ClusterIssuer.

[danil2308]

@brandonp42 would love to know more about your issue. Why can't we reference multiple parentRefs within the same issuer?

I'm facing the same situation, even though using multiple parentRefs solves the issue; it means we will end up with tons of entries depending on how much applications we have in the k8s cluster.

i.e.
This is how it'd look like if we have ten applications (which is a fair amount)

I'd rather not have to do it as the point of using a ClusterIssuer is that it is not bounded to a specific namespace; you can leave it there and share it across multiple applications.

[carneiroDotDev]

Looking for a solution for the exact same issue.

[hjoshi123]

@xorinzor @carneiroDotDev we discussed this issue in our weekly meeting and this seems something that needs to be investigated.. it seems reasonable that being a cluster issuer we should be able to gather all the gateways.

[maelvls]

OK, I see the annoying repetition:

1. Gateway points to one ClusterIssuer (cert-manager.io/cluster-issuer)
2. ClusterIssuer points to one or multiple Gateways (acme.http01.gatewayHTTPRoute.parentRefs[])

It feels to me like we could allow cert-manager to create the HTTPRoute with a parentRefs set to the value of the cert-manager.io/cluster-issuer annotation. This would only work if the annotation is present (i.e., the ACME issuer is used through the gateway shim mechanism).

The user would still need to set parentRefs in case they aren't using the gateway shim annotation... which makes me think it might be preferable to use a separate dedicated annotation to cover the use-case of standalone Certificate resources (i.e. without using the gateway shim).

I can't think of a scenario in which an attacker could do something bad by creating a Gateway resource (but can't edit/create ClusterIssuer, as it would be outside of the threat model of this feature IMO). As long as ClusterIssuer only allows to skip parentRefs when the given Gateway has the annotation, it seems safe.

Would someone be interested working on this feature?

[hjoshi123]

/assign

Assigning this to myself as the approach to fix ListenerSet parentRef bug would also fix this.

[maelvls]

@brandonp42 Hey. We have released v1.20.0-beta.0 with a fix for this issue (#8518). Would you be able to test it out? Thanks!

[lixin9311]

@hjoshi123 @maelvls Hey! It looks like #8518 introduced a regression affecting the standard Issuer.

With a standard Issuer, we used to explicitly specify parentRefs along with annotating the Gateway with cert-manager.io/issuer. However, after that PR, with a parentRef provided, parentRefs gets duplicated and triggers the following error:

E0312 04:14:15.376819       1 controller.go:155] "re-queuing item due to error processing" err="HTTPRoute.gateway.networking.k8s.io \"cm-acme-http-solver-p92h8\" is invalid: spec.parentRefs: Invalid value: \"array\": sectionName or port must be unique when parentRefs includes 2 or more references to the same parent" logger="cert-manager.controller"

It would be better if we could deduplicate the parentRefs or remove the API definition if it is no longer needed.