Gateway-API HTTP-01: HTTPRoute rejected when hostname is an IP address

[alviss7]

Describe the bug:
When using the ACME HTTP-01 solver with Gateway API and requesting a certificate for an IP address, cert-manager sets HTTPRoute.spec.hostnames[0] to that IP. For IPv6 this is immediately rejected by the API server, for example:

The HTTPRoute "httproute-test" is invalid: spec.hostnames[0]: Invalid value: "2001:db8::1": spec.hostnames[0] in body should match ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

Even if IPv4 (e.g. 192.0.2.1) can sometimes appear to work, the Gateway API spec explicitly says that hostname does not support IP literals: https://gateway-api.sigs.k8s.io/reference/spec/#hostname

The hostname field on HTTPRoute is optional, so for IP challenges it should be left unset.

Expected behaviour:
For HTTP-01 challenges where the target is an IP address (IPv4 or IPv6), cert-manager should not set HTTPRoute.spec.hostnames at all. The solver should still be able to complete HTTP-01 validation using a hostname-less HTTPRoute. For normal DNS names, the current behaviour (setting spec.hostnames to the DNS name) should remain unchanged.

Steps to reproduce the bug:

1. Install cert-manager with Gateway HTTP-01 enabled.
2. Create a Certificate that targets an IP address, for example:

   apiVersion: cert-manager.io/v1
   kind: Certificate
   metadata:
     name: ip-cert
   spec:
     ipAddresses:
       - 2001:db8::1
     issuerRef:
       name: letsencrypt-http01
       kind: ClusterIssuer
       group: cert-manager.io
     secretName: ip-cert

[maelvls]

Hey. Seems like a reasonable problem to fix. I'll review your PR asap.

[maelvls]

from what I understand, the use-case you detailed in kubernetes-sigs/gateway-api#4444 is DNS over HTTPS (although it doesn't really matter for the HTTP-01 use-case, but it does matter to understand the overall story).

@youngnick suggests in kubernetes-sigs/gateway-api#4444 (comment) to leave the HTTPRoute's hostname field empty for that purpose, with the caveat that leaving the HTTPRoute's hostname empty means it becomes possible to have two colliding paths if two rules have that same path in the same or different HTTPRoutes. And since the ACME URL path is random, it is pretty much impossible that two HTTPRoutes rules would collide for the ACME HTTP-01 use-case.

In that case, I agree with you: cert-manager needs to create HTTPRoutes with empty hostnames. Seems like a bug on the cert-manager side since it was never meant to be possible to create httproutes with hostnames set to IPs!!

[alviss7]

That's right.

For IP-based HTTP-01 challenges, leaving hostnames empty is the correct behavior and aligns with the Gateway API specification, which clearly states that IP literals are not supported in hostname. The risk of path collision only applies to HTTPRoutes created for IP certificates and is negligible given the randomness of ACME challenge paths. The behavior for hostname-based certificates remains unchanged.

If Gateway API ever adds support for IP literals in hostnames, it will likely come with a new API version, and cert-manager can be updated accordingly. Until then, following the current spec is the right approach.

[wallrj-cyberark]

📢 The fix or feature is now available for testing in an alpha release

• https://github.com/cert-manager/cert-manager/releases/tag/v1.20.0-alpha.1

Please test and report back.

[maelvls]

📢 This feature is now available in v1.20.0!