fix(ingress): deduplicate TLS hostnames to allow same hostname on multiple ports

When multiple ingress rules use the same hostname pattern (e.g., wildcard
`*.example.com`) on different ports, Caddy would fail with:

  "cannot apply more than one automation policy to host: *.example.com"

This happened because each TLS rule added the hostname to the automation
policy subjects, causing duplicates.

The fix deduplicates TLS hostnames before generating the Caddy config,
allowing use cases like:
- `{instance}.host.kernel.sh:443` → instance:80
- `{instance}.host.kernel.sh:3000` → instance:3000
- `{instance}.host.kernel.sh:8080` → instance:8080

All sharing the same wildcard TLS certificate.

Author: hiroTamada

lib/ingress/config.go

@@ -432,11 +432,14 @@ func (g *CaddyConfigGenerator) buildConfig(ctx context.Context, ingresses []Ingr
 	}
 
 	// Add TLS automation if we have TLS hostnames
+	// Deduplicate hostnames to avoid "cannot apply more than one automation policy to host" error
+	// This can happen when multiple ingress rules use the same hostname pattern on different ports
 	if len(tlsHostnames) > 0 && g.acme.IsTLSConfigured() {
+		uniqueTLSHostnames := deduplicateStrings(tlsHostnames)
 		if config["apps"] == nil {
 			config["apps"] = map[string]interface{}{}
 		}
-		config["apps"].(map[string]interface{})["tls"] = g.buildTLSConfig(tlsHostnames)
+		config["apps"].(map[string]interface{})["tls"] = g.buildTLSConfig(uniqueTLSHostnames)
 	}
 
 	// Configure Caddy storage paths
@@ -579,3 +582,17 @@ func HasTLSRules(ingresses []Ingress) bool {
 	}
 	return false
 }
+
+// deduplicateStrings returns a new slice with duplicate strings removed.
+// Order is preserved (first occurrence is kept).
+func deduplicateStrings(s []string) []string {
+	seen := make(map[string]bool)
+	result := make([]string, 0, len(s))
+	for _, v := range s {
+		if !seen[v] {
+			seen[v] = true
+			result = append(result, v)
+		}
+	}
+	return result
+}

lib/ingress/config_test.go

@@ -810,6 +810,135 @@ func TestGenerateConfig_PatternHostname(t *testing.T) {
 	assert.Contains(t, configStr, "http.request.host.labels")
 }
 
+func TestGenerateConfig_TLSHostnameDeduplication(t *testing.T) {
+	// Test that duplicate TLS hostnames (same hostname on different ports) don't cause
+	// Caddy to fail with "cannot apply more than one automation policy to host"
+	tmpDir, err := os.MkdirTemp("", "ingress-config-tls-dedup-test-*")
+	require.NoError(t, err)
+	defer os.RemoveAll(tmpDir)
+
+	p := paths.New(tmpDir)
+	require.NoError(t, os.MkdirAll(p.CaddyDir(), 0755))
+	require.NoError(t, os.MkdirAll(p.CaddyDataDir(), 0755))
+
+	// Create generator with ACME configured
+	acmeConfig := ACMEConfig{
+		Email:              "admin@example.com",
+		DNSProvider:        DNSProviderCloudflare,
+		CloudflareAPIToken: "test-token",
+		AllowedDomains:     "*.example.com",
+	}
+	generator := NewCaddyConfigGenerator(p, "0.0.0.0", "127.0.0.1", 2019, acmeConfig, APIIngressConfig{}, 5353)
+
+	ctx := context.Background()
+	// Create two ingresses with the same wildcard hostname pattern on different ports
+	ingresses := []Ingress{
+		{
+			ID:   "ing-port-443",
+			Name: "wildcard-443",
+			Rules: []IngressRule{
+				{
+					Match:  IngressMatch{Hostname: "{instance}.example.com", Port: 443},
+					Target: IngressTarget{Instance: "{instance}", Port: 80},
+					TLS:    true,
+				},
+			},
+		},
+		{
+			ID:   "ing-port-3000",
+			Name: "wildcard-3000",
+			Rules: []IngressRule{
+				{
+					Match:  IngressMatch{Hostname: "{instance}.example.com", Port: 3000},
+					Target: IngressTarget{Instance: "{instance}", Port: 3000},
+					TLS:    true,
+				},
+			},
+		},
+		{
+			ID:   "ing-port-8080",
+			Name: "wildcard-8080",
+			Rules: []IngressRule{
+				{
+					Match:  IngressMatch{Hostname: "{instance}.example.com", Port: 8080},
+					Target: IngressTarget{Instance: "{instance}", Port: 8080},
+					TLS:    true,
+				},
+			},
+		},
+	}
+
+	data, err := generator.GenerateConfig(ctx, ingresses)
+	require.NoError(t, err)
+
+	// Parse the config to verify TLS subjects are deduplicated
+	var config map[string]interface{}
+	err = json.Unmarshal(data, &config)
+	require.NoError(t, err)
+
+	// Navigate to TLS automation policies
+	apps := config["apps"].(map[string]interface{})
+	tlsApp := apps["tls"].(map[string]interface{})
+	automation := tlsApp["automation"].(map[string]interface{})
+	policies := automation["policies"].([]interface{})
+
+	require.Len(t, policies, 1, "should have exactly one policy")
+
+	policy := policies[0].(map[string]interface{})
+	subjects := policy["subjects"].([]interface{})
+
+	// Should have only ONE entry for *.example.com (deduplicated)
+	assert.Len(t, subjects, 1, "TLS subjects should be deduplicated")
+	assert.Equal(t, "*.example.com", subjects[0].(string))
+
+	// Verify all three ports are in listen addresses
+	configStr := string(data)
+	assert.Contains(t, configStr, ":443")
+	assert.Contains(t, configStr, ":3000")
+	assert.Contains(t, configStr, ":8080")
+}
+
+func TestDeduplicateStrings(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    []string
+		expected []string
+	}{
+		{
+			name:     "empty",
+			input:    []string{},
+			expected: []string{},
+		},
+		{
+			name:     "no duplicates",
+			input:    []string{"a", "b", "c"},
+			expected: []string{"a", "b", "c"},
+		},
+		{
+			name:     "with duplicates",
+			input:    []string{"a", "b", "a", "c", "b"},
+			expected: []string{"a", "b", "c"},
+		},
+		{
+			name:     "all same",
+			input:    []string{"x", "x", "x"},
+			expected: []string{"x"},
+		},
+		{
+			name:     "preserves order",
+			input:    []string{"c", "a", "b", "a", "c"},
+			expected: []string{"c", "a", "b"},
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			result := deduplicateStrings(tc.input)
+			assert.Equal(t, tc.expected, result)
+		})
+	}
+}
+
 func TestGenerateConfig_DynamicUpstreams(t *testing.T) {
 	// Create temp dir
 	tmpDir, err := os.MkdirTemp("", "ingress-config-dynamic-test-*")