If I have an Ingress with

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: frontend
spec:
  ingressClassName: nginx
  rules:
  - host: '*.example.com'
    http:
      paths:
      - backend:
          service:
            name: http-echo
            port:
              number: 5678
        path: /path
        pathType: Prefix

everything works as expected: I can access https://hello.example.com/path and https://bye.example.com/path and get an http-echo response. As soon as I add an exact host with

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: frontend
spec:
  ingressClassName: nginx
  rules:
  - host: '*.example.com'
    http:
      paths:
      - backend:
          service:
            name: http-echo
            port:
              number: 5678
        path: /path
        pathType: Prefix
  - host: hello.example.com
    http:
      paths:
      - backend:
          service:
            name: http-echo
            port:
              number: 5678
        path: /otherpath
        pathType: Prefix

I can no longer access paths which are covered by the wildcard host. I get a 404 from upstream-default-backend at https://hello.example.com/path. Obviously the exact hostname match prevents other hostnames from being evaluated even if they'd match.

This might be prevented by working against the tool and adding all paths from the wildcard host under the exact host as well; however, this solution breaks if there's any other ingress present with an exact host matching the wildcard host, which is often the case for ingresses created by cert-manager. Maybe this can also be fixed by sinking even more time into configuring cert-manager to create ingresses differently to prevent that.

This all seems undocumented, and it's not like Kubernetes tools to be so uncooperative in terms of use cases and to behave so unintuitively, so I'm wondering if I'm missing some docs. I'm also wondering if preventing exact-hostname ingresses from matching the wildcard hosts is worth taking a look at. And also how Gateway API would solve this issue, assuming it can.

I'm using ingress-nginx 1.10.1 from Helm chart 4.10.1 on Kubernetes 1.27 on GKE.

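The following is an added example written for this page; it is not code from the question, from ingress-nginx, or from the Gateway API project. It models the two routing strategies the question contrasts in a few lines of Python so the 404 can be reproduced offline. The Ingress rules are reconstructed from the second manifest in the question; the routing functions are deliberately simplified models, not the real implementations. The server-first model follows nginx's documented server_name selection order (an exact name is chosen before a wildcard, and only that one server block's locations are then consulted). The rule-level model follows the precedence Gateway API's HTTPRoute specifies (a non-wildcard hostname beats a wildcard one, then the longer path), with the difference that only rules whose host and path both match are candidates at all. The `DEFAULT_BACKEND` label and the `duplicate_wildcard_paths` helper (the workaround described in the question) are the editor's constructions.

```python
"""Model of host+path routing: nginx-style server-block selection versus
rule-level matching. Added example for this page; simplified, not the real
ingress-nginx or Gateway API code."""
from dataclasses import dataclass
from typing import Iterable, Tuple


@dataclass(frozen=True)
class Rule:
    host: str     # exact name or a "*.example.com" style wildcard
    path: str     # treated as pathType: Prefix
    backend: str  # "service:port"


# Reconstructed from the question's second Ingress: a wildcard host serving
# /path and an exact host serving /otherpath, both pointing at http-echo.
INGRESS_RULES: Tuple[Rule, ...] = (
    Rule("*.example.com", "/path", "http-echo:5678"),
    Rule("hello.example.com", "/otherpath", "http-echo:5678"),
)

# Constructed label for "no route matched"; ingress-nginx answers 404 here.
DEFAULT_BACKEND = "upstream-default-backend (404)"


def host_matches(pattern: str, host: str) -> bool:
    """Kubernetes Ingress host semantics: '*.example.com' covers exactly one
    DNS label, so it matches hello.example.com but not a.b.example.com."""
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        label = host[: -len(suffix)] if host.endswith(suffix) else ""
        return bool(label) and "." not in label
    return host == pattern


def path_matches(prefix: str, path: str) -> bool:
    """pathType: Prefix, compared on whole '/'-separated elements, so that
    '/path' matches '/path' and '/path/x' but not '/pathology'."""
    prefix = prefix.rstrip("/") or "/"
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")


def route_server_first(rules: Iterable[Rule], host: str, path: str) -> str:
    """nginx-style: choose the server block by name first (an exact
    server_name always beats a wildcard), then look for a matching location
    inside that single block. Locations of other blocks are never consulted."""
    rules = tuple(rules)
    exact = [r for r in rules if r.host == host]
    wildcard = [r for r in rules
                if r.host.startswith("*.") and host_matches(r.host, host)]
    server = exact or wildcard
    located = [r for r in server if path_matches(r.path, path)]
    if not located:
        return DEFAULT_BACKEND
    return max(located, key=lambda r: len(r.path)).backend


def route_rule_level(rules: Iterable[Rule], host: str, path: str) -> str:
    """Host and path are evaluated together per rule and the most specific
    rule that actually matches wins: non-wildcard host over wildcard, then
    longer host, then longer path. A rule whose path does not match cannot
    shadow a rule whose host and path both do (Gateway API HTTPRoute style)."""
    candidates = [r for r in rules
                  if host_matches(r.host, host) and path_matches(r.path, path)]
    if not candidates:
        return DEFAULT_BACKEND

    def specificity(r: Rule):
        exact_len = 0 if r.host.startswith("*.") else len(r.host)
        return (exact_len, len(r.host), len(r.path))

    return max(candidates, key=specificity).backend


def duplicate_wildcard_paths(rules: Iterable[Rule]) -> Tuple[Rule, ...]:
    """The workaround from the question: copy every wildcard-host path under
    each exact host that the wildcard covers, so the exact server block also
    gets those locations. Breaks as soon as another Ingress owns the exact host."""
    out = list(rules)
    exact_hosts = sorted({r.host for r in out if not r.host.startswith("*.")})
    for exact in exact_hosts:
        for w in list(out):
            if w.host.startswith("*.") and host_matches(w.host, exact):
                dup = Rule(exact, w.path, w.backend)
                if dup not in out:
                    out.append(dup)
    return tuple(out)


if __name__ == "__main__":
    for host, path in [("hello.example.com", "/path"),
                       ("bye.example.com", "/path"),
                       ("hello.example.com", "/otherpath")]:
        print(f"{host}{path:<12} server-first -> {route_server_first(INGRESS_RULES, host, path)}")
        print(f"{host}{path:<12} rule-level   -> {route_rule_level(INGRESS_RULES, host, path)}")
```

Running it shows the asymmetry from the question: hello.example.com/path falls into the exact server block, which has no /path location, and ends at the default backend, while bye.example.com/path still reaches http-echo through the wildcard block. Under rule-level matching the same request goes to http-echo because the /otherpath rule is simply not a candidate for /path. The `duplicate_wildcard_paths` helper makes the server-first model behave again, at the cost of every exact-host Ingress (including ones created by other controllers) having to carry the duplicated paths.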