Description
When two allowed routes in a gateway use the same TLS certificate, with one being a wildcard (e.g., *.google.com) and the other a specific domain (google.com), I encounter 404 errors when my UI runs on google.com and the backend is on api.google.com. I suspect this happens because the browser, using HTTP/2, tries to reuse the same connection for both google.com and api.google.com since they share the same certificate and host. Is there a workaround or a way to configure multiple hosts within the same section?
This is the gateway example I am using:
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: istio-ingressgateway
  namespace: istio-system
spec:
  gatewayClassName: istio
  listeners:
  - hostname: "*.example.com"
    name: https-wildcard
    port: 443
    protocol: HTTPS
    tls:
      certificateRefs:
      - kind: Secret
        name: example-wildcard-tls
      mode: Terminate
  - hostname: "example.com"
    name: https-apex
    port: 443
    protocol: HTTPS
    tls:
      certificateRefs:
      - kind: Secret
        name: example-wildcard-tls
      mode: Terminate
```
Expected Behavior
Each request should be routed correctly based on the Host header, even when HTTP/2 connection reuse occurs.
Observed Behavior
example.com loads first as it hosts the UI.
The UI makes a fetch request to api.example.com, but due to HTTP/2 connection reuse, the request gets routed incorrectly.
Results in intermittent "404 Route Not Found" errors.
Issue does not occur with curl (which does not reuse HTTP/2 connections by default).
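An added example, not part of the original issue or of Istio's code: a small Python check that flags Gateway listeners sharing a certificate on one port, and models the connection reuse the issue suspects. The listener data is constructed from the manifest above, the function names are hypothetical, and the "connection stays bound to the listener picked by the first host" rule is an assumption taken from the issue's hypothesis.

```python
from itertools import combinations

# Constructed from the Gateway manifest in the issue (listener fields only).
LISTENERS = [
    {"name": "https-wildcard", "hostname": "*.example.com", "port": 443,
     "certs": ["example-wildcard-tls"]},
    {"name": "https-apex", "hostname": "example.com", "port": 443,
     "certs": ["example-wildcard-tls"]},
]


def matches(pattern, host):
    """Listener hostname match: '*.x' covers subdomains of x, not x itself."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def listener_for(host, listeners):
    """Most specific listener whose hostname matches (exact beats wildcard)."""
    hits = [l for l in listeners if matches(l["hostname"], host)]
    hits.sort(key=lambda l: l["hostname"].startswith("*."))
    return hits[0]["name"] if hits else None


def shared_cert_pairs(listeners):
    """Listener pairs on one port with different hostnames but a common cert."""
    out = []
    for a, b in combinations(listeners, 2):
        common = set(a["certs"]) & set(b["certs"])
        if a["port"] == b["port"] and a["hostname"] != b["hostname"] and common:
            out.append((a["name"], b["name"], sorted(common)))
    return out


def reuse_mismatch(first_host, later_host, listeners):
    """Assumed model: the connection is bound to the listener chosen for the
    first host; a later request on it is misrouted if its host maps elsewhere."""
    bound = listener_for(first_host, listeners)
    wanted = listener_for(later_host, listeners)
    return bound != wanted, bound, wanted


if __name__ == "__main__":
    for pair in shared_cert_pairs(LISTENERS):
        print("shared certificate:", pair)
    print(reuse_mismatch("example.com", "api.example.com", LISTENERS))
```

Run against the listeners from a real manifest, a non-empty `shared_cert_pairs` result marks the hostname pairs worth testing from a browser rather than with curl.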