BackendTLSPolicy hostname field ignored when validating certificates

[vondrt4]

Describe the bug
I'm testing a scenario where NGF should re-encrypt traffic to a backend. The backend has a different hostname than the listener at the Gateway. Traffic does not pass and I'm seeing validation errors is the gateway Pod logs showing that it's trying to validate using the backend certificate using the listener hostname.

To Reproduce
I'm attaching my demo setup's YAML.

Expected behavior
If I have this in my BackendTLSPolicy, I expect not only the Host header and SNI to be set to the hostname, but also the certificate validation to take it into account.
spec:
validation:
caCertificateRefs:
- kind: Secret
name: ca-root-secret
hostname: https-portal-2.app-ns2.svc.local

Your environment

• Version of the NGINX Gateway Fabric: 2.0.0 with experimental API enabled
• Version of Kubernetes: 1.32
• Kubernetes platform: Azure AKS
• Details on how you expose the NGINX Gateway Fabric Pod: Service of type LoadBalancer

[nginx-bot]

Hi @vondrt4! Welcome to the project! 🎉

Thanks for opening this issue!
Be sure to check out our Contributing Guidelines and the Issue Lifecycle while you wait for someone on the team to take a look at this.

[vondrt4]

reencryption-demo.tar.gz

[sjberman]

@vondrt4 Can you share the nginx configuration (specifically the server/location section for this route)?

kubectl exec -it <nginx-pod-name> -- nginx -T

What we want to see is the line proxy_ssl_name https-portal-2.app-ns2.svc.local.

[vondrt4]

As expected, it reads wrongly 'proxy_ssl_name https-service-2.example.com;'

nginx-t.txt

[vondrt4]

But it was my fault because the BackendTLS policy wasn't uprated properly on the cluster. I have re-created it, now it even updates when I 'kubectl apply' a new version.

[sjberman]

@vondrt4 Thanks for the update, glad it's all working now!