Fix duplicate ACME challenge paths across ingress rules (#16259)

* Fix duplicate ACME challenge paths across ingress rules

When a Service has traffic tags, the Route controller was adding ALL
ACME challenge paths to EVERY external ingress rule. This caused each
challenge path to appear multiple times, leading to routing conflicts.

For example, with tags "blue" and "green", the challenge for
blue-app.example.com would incorrectly appear in both the blue and green
ingress rules.

Solution: Create a dedicated ingress rule for each ACME challenge domain.
Each rule contains only that challenge's path, preventing duplicates while
allowing the same domain to appear in both traffic and ACME rules.

* Remove outdated linting exclusions

Author: linkvt

pkg/http/trace.go

@@ -24,15 +24,13 @@ import (
 // ExtractTraceID extracts the trace ID from the request headers.
 // It supports both W3C Trace Context (traceparent) and B3 (X-B3-TraceId) formats.
 func ExtractTraceID(h http.Header) string {
-	//nolint:canonicalheader
 	if traceparent := h.Get("traceparent"); traceparent != "" {
 		parts := strings.SplitN(traceparent, "-", 3)
 		if len(parts) >= 2 {
 			return parts[1]
 		}
 	}
 
-	//nolint:canonicalheader
 	if b3TraceID := h.Get("X-B3-TraceId"); b3TraceID != "" {
 		return b3TraceID
 	}

pkg/http/trace_integration_test.go

@@ -146,7 +146,7 @@ func TestRequestLogTemplateWithTraceID(t *testing.T) {
 
 	// Test with W3C Trace Context
 	req := httptest.NewRequest(http.MethodPost, "http://example.com/api", nil)
-	//nolint:canonicalheader
+
 	req.Header.Set("traceparent", "00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01")
 
 	resp := httptest.NewRecorder()

pkg/reconciler/domainmapping/resources/ingress.go

@@ -19,7 +19,6 @@ package resources
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
-	"k8s.io/apimachinery/pkg/util/sets"
 
 	netapi "knative.dev/networking/pkg/apis/networking"
 	netv1alpha1 "knative.dev/networking/pkg/apis/networking/v1alpha1"
@@ -36,7 +35,34 @@ import (
 // KIngress).  The created ingress will contain a RewriteHost rule to cause the
 // given hostName to be used as the host.
 func MakeIngress(dm *servingv1beta1.DomainMapping, backendServiceName, hostName, ingressClass string, httpOption netv1alpha1.HTTPOption, tls []netv1alpha1.IngressTLS, acmeChallenges ...netv1alpha1.HTTP01Challenge) *netv1alpha1.Ingress {
-	paths, hosts := routeresources.MakeACMEIngressPaths(acmeChallenges, sets.New(dm.GetName()))
+	// Traffic rule
+	rules := []netv1alpha1.IngressRule{{
+		Hosts:      []string{dm.Name},
+		Visibility: netv1alpha1.IngressVisibilityExternalIP,
+		HTTP: &netv1alpha1.HTTPIngressRuleValue{
+			Paths: []netv1alpha1.HTTPIngressPath{{
+				RewriteHost: hostName,
+				Splits: []netv1alpha1.IngressBackendSplit{{
+					Percent: 100,
+					AppendHeaders: map[string]string{
+						netheader.OriginalHostKey: dm.Name,
+					},
+					IngressBackend: netv1alpha1.IngressBackend{
+						ServiceNamespace: dm.Namespace,
+						ServiceName:      backendServiceName,
+						ServicePort:      intstr.FromInt(80),
+					},
+				}},
+			}},
+		},
+	}}
+
+	// Add dedicated ACME challenge rules
+	if len(acmeChallenges) > 0 {
+		acmeRules := routeresources.MakeACMEChallengeRules(acmeChallenges)
+		rules = append(rules, acmeRules...)
+	}
+
 	return &netv1alpha1.Ingress{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      kmeta.ChildName(dm.GetName(), ""),
@@ -53,28 +79,7 @@ func MakeIngress(dm *servingv1beta1.DomainMapping, backendServiceName, hostName,
 		Spec: netv1alpha1.IngressSpec{
 			HTTPOption: httpOption,
 			TLS:        tls,
-			Rules: []netv1alpha1.IngressRule{{
-				Hosts:      append(hosts, dm.Name),
-				Visibility: netv1alpha1.IngressVisibilityExternalIP,
-				HTTP: &netv1alpha1.HTTPIngressRuleValue{
-					// The order of the paths is sensitive, always put tls challenge first
-					Paths: append(paths,
-						[]netv1alpha1.HTTPIngressPath{{
-							RewriteHost: hostName,
-							Splits: []netv1alpha1.IngressBackendSplit{{
-								Percent: 100,
-								AppendHeaders: map[string]string{
-									netheader.OriginalHostKey: dm.Name,
-								},
-								IngressBackend: netv1alpha1.IngressBackend{
-									ServiceNamespace: dm.Namespace,
-									ServiceName:      backendServiceName,
-									ServicePort:      intstr.FromInt(80),
-								},
-							}},
-						}}...),
-				},
-			}},
+			Rules:      rules,
 		},
 	}
 }

pkg/reconciler/domainmapping/resources/ingress_test.go

@@ -194,6 +194,25 @@ func TestMakeIngress(t *testing.T) {
 			Spec: netv1alpha1.IngressSpec{
 				HTTPOption: netv1alpha1.HTTPOptionEnabled,
 				Rules: []netv1alpha1.IngressRule{{
+					Hosts:      []string{"mapping.com"},
+					Visibility: netv1alpha1.IngressVisibilityExternalIP,
+					HTTP: &netv1alpha1.HTTPIngressRuleValue{
+						Paths: []netv1alpha1.HTTPIngressPath{{
+							RewriteHost: "the-rewrite-host",
+							Splits: []netv1alpha1.IngressBackendSplit{{
+								Percent: 100,
+								AppendHeaders: map[string]string{
+									netheader.OriginalHostKey: "mapping.com",
+								},
+								IngressBackend: netv1alpha1.IngressBackend{
+									ServiceName:      "the-target-svc",
+									ServiceNamespace: "the-namespace",
+									ServicePort:      intstr.FromInt(80),
+								},
+							}},
+						}},
+					},
+				}, {
 					Hosts:      []string{"mapping.com"},
 					Visibility: netv1alpha1.IngressVisibilityExternalIP,
 					HTTP: &netv1alpha1.HTTPIngressRuleValue{
@@ -207,7 +226,51 @@ func TestMakeIngress(t *testing.T) {
 								},
 								Percent: 100,
 							}},
-						}, {
+						}},
+					},
+				}},
+			},
+		},
+	}, {
+		name: "challenge with non-matching host",
+		dm: v1beta1.DomainMapping{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "mapping.com",
+				Namespace: "the-namespace",
+				UID:       types.UID("the-uid"),
+			},
+			Spec: v1beta1.DomainMappingSpec{
+				Ref: duckv1.KReference{
+					Namespace: "the-namespace",
+					Name:      "the-name",
+				},
+			},
+		},
+		acmeChallenges: []netv1alpha1.HTTP01Challenge{{
+			ServiceNamespace: "test-ns",
+			ServiceName:      "cm-solver",
+			ServicePort:      intstr.FromInt(8090),
+			URL: &apis.URL{
+				Scheme: "http",
+				Path:   "/.well-known/acme-challenge/token",
+				Host:   "truncated.example.com", // Different from mapping.com
+			},
+		}},
+		want: netv1alpha1.Ingress{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "mapping.com",
+				Namespace: "the-namespace",
+				Annotations: map[string]string{
+					netapi.IngressClassAnnotationKey: "the-ingress-class",
+				},
+			},
+			Spec: netv1alpha1.IngressSpec{
+				HTTPOption: netv1alpha1.HTTPOptionEnabled,
+				Rules: []netv1alpha1.IngressRule{{
+					Hosts:      []string{"mapping.com"},
+					Visibility: netv1alpha1.IngressVisibilityExternalIP,
+					HTTP: &netv1alpha1.HTTPIngressRuleValue{
+						Paths: []netv1alpha1.HTTPIngressPath{{
 							RewriteHost: "the-rewrite-host",
 							Splits: []netv1alpha1.IngressBackendSplit{{
 								Percent: 100,
@@ -222,6 +285,22 @@ func TestMakeIngress(t *testing.T) {
 							}},
 						}},
 					},
+				}, {
+					Hosts:      []string{"truncated.example.com"},
+					Visibility: netv1alpha1.IngressVisibilityExternalIP,
+					HTTP: &netv1alpha1.HTTPIngressRuleValue{
+						Paths: []netv1alpha1.HTTPIngressPath{{
+							Path: "/.well-known/acme-challenge/token",
+							Splits: []netv1alpha1.IngressBackendSplit{{
+								IngressBackend: netv1alpha1.IngressBackend{
+									ServiceNamespace: "test-ns",
+									ServiceName:      "cm-solver",
+									ServicePort:      intstr.FromInt(8090),
+								},
+								Percent: 100,
+							}},
+						}},
+					},
 				}},
 			},
 		},

pkg/reconciler/route/resources/ingress.go

@@ -181,16 +181,16 @@ func makeIngressSpec(
 					rule.HTTP.Paths[0].AppendHeaders[netheader.RouteTagKey] = name
 				}
 			}
-			// If this is a public rule, we need to configure ACME challenge paths.
-			if visibility == netv1alpha1.IngressVisibilityExternalIP {
-				paths, hosts := MakeACMEIngressPaths(acmeChallenges, domains)
-				rule.Hosts = append(hosts, rule.Hosts...)
-				rule.HTTP.Paths = append(paths, rule.HTTP.Paths...)
-			}
 			rules = append(rules, rule)
 		}
 	}
 
+	// Create dedicated rules for ACME challenges
+	if len(acmeChallenges) > 0 {
+		acmeRules := MakeACMEChallengeRules(acmeChallenges)
+		rules = append(rules, acmeRules...)
+	}
+
 	httpOption, err := servingnetworking.GetHTTPOption(ctx, config.FromContext(ctx).Network, r.GetAnnotations())
 	if err != nil {
 		return netv1alpha1.IngressSpec{}, err
@@ -203,30 +203,31 @@ func makeIngressSpec(
 	}, nil
 }
 
-// MakeACMEIngressPaths returns a set of netv1alpha1.HTTPIngressPath
-// that can be used to perform ACME challenges.
-func MakeACMEIngressPaths(acmeChallenges []netv1alpha1.HTTP01Challenge, domains sets.Set[string]) ([]netv1alpha1.HTTPIngressPath, []string) {
-	paths := make([]netv1alpha1.HTTPIngressPath, 0, len(acmeChallenges))
-	var extraHosts []string
+// MakeACMEChallengeRules creates one dedicated rule per ACME challenge domain.
+func MakeACMEChallengeRules(acmeChallenges []netv1alpha1.HTTP01Challenge) []netv1alpha1.IngressRule {
+	rules := make([]netv1alpha1.IngressRule, 0, len(acmeChallenges))
 
 	for _, challenge := range acmeChallenges {
-		if !domains.Has(challenge.URL.Host) {
-			extraHosts = append(extraHosts, challenge.URL.Host)
-		}
-
-		paths = append(paths, netv1alpha1.HTTPIngressPath{
-			Splits: []netv1alpha1.IngressBackendSplit{{
-				IngressBackend: netv1alpha1.IngressBackend{
-					ServiceNamespace: challenge.ServiceNamespace,
-					ServiceName:      challenge.ServiceName,
-					ServicePort:      challenge.ServicePort,
-				},
-				Percent: 100,
-			}},
-			Path: challenge.URL.Path,
+		rules = append(rules, netv1alpha1.IngressRule{
+			Hosts:      []string{challenge.URL.Host},
+			Visibility: netv1alpha1.IngressVisibilityExternalIP,
+			HTTP: &netv1alpha1.HTTPIngressRuleValue{
+				Paths: []netv1alpha1.HTTPIngressPath{{
+					Splits: []netv1alpha1.IngressBackendSplit{{
+						IngressBackend: netv1alpha1.IngressBackend{
+							ServiceNamespace: challenge.ServiceNamespace,
+							ServiceName:      challenge.ServiceName,
+							ServicePort:      challenge.ServicePort,
+						},
+						Percent: 100,
+					}},
+					Path: challenge.URL.Path,
+				}},
+			},
 		})
 	}
-	return paths, extraHosts
+
+	return rules
 }
 
 func makeIngressRule(domains sets.Set[string], ns string,