Bug Description
HTTPRoute Attachment/Acceptance Fails for ALL parentRefs when 1 or more is Reason: NoMatchingListenerHostname
Steps to Reproduce
- Step-by-step guide to reproduce the bug:
  - Create a Gateway with both exact and wildcard hostname listeners. I.e. `foo.bar` and `*.foo.bar`
  - Attach an HTTPRoute via parentRefs for both listeners above with `spec.hostnames` that matches the wildcard but not exact listener section: `dev.foo.bar`
- Manifests applied while reproducing the issue:
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
  finalizers:
  - gateway.k8s.aws/alb
  generation: 1
  name: ingress-alb
  namespace: gateway-system
spec:
  gatewayClassName: aws-alb
  infrastructure:
    parametersRef:
      group: gateway.k8s.aws
      kind: LoadBalancerConfiguration
      name: internet-facing
  listeners:
  - allowedRoutes:
      namespaces:
        from: Same
    name: http
    port: 80
    protocol: HTTP
  - allowedRoutes:
      namespaces:
        from: All
    hostname: dev.foo.bar
    name: https
    port: 443
    protocol: HTTPS
    tls:
      certificateRefs:
      - group: ""
        kind: Secret
        name: ingress-cert
      mode: Terminate
  - allowedRoutes:
      namespaces:
        from: All
    hostname: '*.dev.foo.bar'
    name: https-wildcard
    port: 443
    protocol: HTTPS
    tls:
      certificateRefs:
      - group: ""
        kind: Secret
        name: ingress-cert
      mode: Terminate
  - allowedRoutes:
      namespaces:
        from: All
    hostname: dev.foo.bar
    name: otel-grpc
    port: 4317
    protocol: HTTPS
    tls:
      certificateRefs:
      - group: ""
        kind: Secret
        name: ingress-cert
      mode: Terminate
  - allowedRoutes:
      namespaces:
        from: All
    hostname: dev.foo.bar
    name: otel-https
    port: 4318
    protocol: HTTPS
    tls:
      certificateRefs:
      - group: ""
        kind: Secret
        name: ingress-cert
      mode: Terminate
  - allowedRoutes:
      namespaces:
        from: All
    hostname: '*.dev.foo.bar'
    name: otel-grpc-wildcard
    port: 4317
    protocol: HTTPS
    tls:
      certificateRefs:
      - group: ""
        kind: Secret
        name: ingress-cert
      mode: Terminate
  - allowedRoutes:
      namespaces:
        from: All
    hostname: '*.dev.foo.bar'
    name: otel-https-wildcard
    port: 4318
    protocol: HTTPS
    tls:
      certificateRefs:
      - group: ""
        kind: Secret
        name: ingress-cert
      mode: Terminate
status:
  addresses:
  - type: Hostname
    value: k8s-gateways-ingressa-xxx-1248315603.us-west-2.elb.amazonaws.com
  conditions:
  - lastTransitionTime: "2025-12-11T22:17:38Z"
    message: ""
    observedGeneration: 1
    reason: Accepted
    status: "True"
    type: Accepted
  - lastTransitionTime: "2025-12-11T22:21:41Z"
    message: arn:aws:elasticloadbalancing:us-west-2:xxx:loadbalancer/app/k8s-gateways-ingressa-xxx/4493152b42a716f3
    observedGeneration: 1
    reason: Programmed
    status: "True"
    type: Programmed
  listeners:
  - attachedRoutes: 1
    conditions:
    - lastTransitionTime: "2025-12-11T22:21:41Z"
      message: Listener has no conflict.
      observedGeneration: 1
      reason: NoConflicts
      status: "True"
      type: Conflicted
    - lastTransitionTime: "2025-12-11T22:21:41Z"
      message: Listener is accepted.
      observedGeneration: 1
      reason: Accepted
      status: "True"
      type: Accepted
    - lastTransitionTime: "2025-12-11T22:21:41Z"
      message: Listener has all refs resolved.
      observedGeneration: 1
      reason: ResolvedRefs
      status: "True"
      type: ResolvedRefs
    - lastTransitionTime: "2025-12-11T22:21:41Z"
      message: Listener is programmed.
      observedGeneration: 1
      reason: Programmed
      status: "True"
      type: Programmed
    name: http
    supportedKinds:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
  - attachedRoutes: 3
    conditions:
    - lastTransitionTime: "2025-12-11T22:21:41Z"
      message: Listener has no conflict.
      observedGeneration: 1
      reason: NoConflicts
      status: "True"
      type: Conflicted
    - lastTransitionTime: "2025-12-11T22:21:41Z"
      message: Listener is accepted.
      observedGeneration: 1
      reason: Accepted
      status: "True"
      type: Accepted
    - lastTransitionTime: "2025-12-11T22:21:41Z"
      message: Listener has all refs resolved.
      observedGeneration: 1
      reason: ResolvedRefs
      status: "True"
      type: ResolvedRefs
    - lastTransitionTime: "2025-12-11T22:21:41Z"
      message: Listener is programmed.
      observedGeneration: 1
      reason: Programmed
      status: "True"
      type: Programmed
    name: https
    supportedKinds:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
    - group: gateway.networking.k8s.io
      kind: GRPCRoute
  - attachedRoutes: 0
    conditions:
    - lastTransitionTime: "2025-12-11T22:21:41Z"
      message: Listener has no conflict.
      observedGeneration: 1
      reason: NoConflicts
      status: "True"
      type: Conflicted
    - lastTransitionTime: "2025-12-11T22:21:41Z"
      message: Listener is accepted.
      observedGeneration: 1
      reason: Accepted
      status: "True"
      type: Accepted
    - lastTransitionTime: "2025-12-11T22:21:41Z"
      message: Listener has all refs resolved.
      observedGeneration: 1
      reason: ResolvedRefs
      status: "True"
      type: ResolvedRefs
    - lastTransitionTime: "2025-12-11T22:21:41Z"
      message: Listener is programmed.
      observedGeneration: 1
      reason: Programmed
      status: "True"
      type: Programmed
    name: https-wildcard
    supportedKinds:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
    - group: gateway.networking.k8s.io
      kind: GRPCRoute
  - attachedRoutes: 1
    conditions:
    - lastTransitionTime: "2025-12-11T22:21:41Z"
      message: Listener has no conflict.
      observedGeneration: 1
      reason: NoConflicts
      status: "True"
      type: Conflicted
    - lastTransitionTime: "2025-12-11T22:21:41Z"
      message: Listener is accepted.
      observedGeneration: 1
      reason: Accepted
      status: "True"
      type: Accepted
    - lastTransitionTime: "2025-12-11T22:21:41Z"
      message: Listener has all refs resolved.
      observedGeneration: 1
      reason: ResolvedRefs
      status: "True"
      type: ResolvedRefs
    - lastTransitionTime: "2025-12-11T22:21:41Z"
      message: Listener is programmed.
      observedGeneration: 1
      reason: Programmed
      status: "True"
      type: Programmed
    name: otel-grpc
    supportedKinds:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
    - group: gateway.networking.k8s.io
      kind: GRPCRoute
  - attachedRoutes: 0
    conditions:
    - lastTransitionTime: "2025-12-11T22:21:41Z"
      message: Listener has no conflict.
      observedGeneration: 1
      reason: NoConflicts
      status: "True"
      type: Conflicted
    - lastTransitionTime: "2025-12-11T22:21:41Z"
      message: Listener is accepted.
      observedGeneration: 1
      reason: Accepted
      status: "True"
      type: Accepted
    - lastTransitionTime: "2025-12-11T22:21:41Z"
      message: Listener has all refs resolved.
      observedGeneration: 1
      reason: ResolvedRefs
      status: "True"
      type: ResolvedRefs
    - lastTransitionTime: "2025-12-11T22:21:41Z"
      message: Listener is programmed.
      observedGeneration: 1
      reason: Programmed
      status: "True"
      type: Programmed
    name: otel-grpc-wildcard
    supportedKinds:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
    - group: gateway.networking.k8s.io
      kind: GRPCRoute
  - attachedRoutes: 1
    conditions:
    - lastTransitionTime: "2025-12-11T22:21:41Z"
      message: Listener has no conflict.
      observedGeneration: 1
      reason: NoConflicts
      status: "True"
      type: Conflicted
    - lastTransitionTime: "2025-12-11T22:21:41Z"
      message: Listener is accepted.
      observedGeneration: 1
      reason: Accepted
      status: "True"
      type: Accepted
    - lastTransitionTime: "2025-12-11T22:21:41Z"
      message: Listener has all refs resolved.
      observedGeneration: 1
      reason: ResolvedRefs
      status: "True"
      type: ResolvedRefs
    - lastTransitionTime: "2025-12-11T22:21:41Z"
      message: Listener is programmed.
      observedGeneration: 1
      reason: Programmed
      status: "True"
      type: Programmed
    name: otel-https
    supportedKinds:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
    - group: gateway.networking.k8s.io
      kind: GRPCRoute
  - attachedRoutes: 0
    conditions:
    - lastTransitionTime: "2025-12-11T22:21:41Z"
      message: Listener has no conflict.
      observedGeneration: 1
      reason: NoConflicts
      status: "True"
      type: Conflicted
    - lastTransitionTime: "2025-12-11T22:21:41Z"
      message: Listener is accepted.
      observedGeneration: 1
      reason: Accepted
      status: "True"
      type: Accepted
    - lastTransitionTime: "2025-12-11T22:21:41Z"
      message: Listener has all refs resolved.
      observedGeneration: 1
      reason: ResolvedRefs
      status: "True"
      type: ResolvedRefs
    - lastTransitionTime: "2025-12-11T22:21:41Z"
      message: Listener is programmed.
      observedGeneration: 1
      reason: Programmed
      status: "True"
      type: Programmed
    name: otel-https-wildcard
    supportedKinds:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
    - group: gateway.networking.k8s.io
      kind: GRPCRoute
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: http-input-otel
  namespace: app-system
spec:
  hostnames:
  - app.dev.foo.bar
  parentRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: ingress-alb
    namespace: gateway-system
    sectionName: otel-grpc
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: ingress-alb
    namespace: gateway-system
    sectionName: otel-https
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: ingress-alb
    namespace: gateway-system
    sectionName: otel-grpc-wildcard
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: ingress-alb
    namespace: gateway-system
    sectionName: otel-https-wildcard
  rules:
  - backendRefs:
    - group: ""
      kind: Service
      name: http-input
      port: 4317
      weight: 1
    matches:
    - path:
        type: PathPrefix
        value: /
status:
  parents:
  - conditions:
    - lastTransitionTime: "2025-12-12T19:49:05Z"
      message: Listener does not allow route attachment, no matching hostname
      observedGeneration: 5
      reason: NoMatchingListenerHostname
      status: "False"
      type: Accepted
    - lastTransitionTime: "2025-12-12T19:49:05Z"
      message: ""
      observedGeneration: 5
      reason: Accepted
      status: "True"
      type: ResolvedRefs
    controllerName: gateway.k8s.aws/alb
    parentRef:
      group: gateway.networking.k8s.io
      kind: Gateway
      name: ingress-alb
      namespace: gateway-system
      sectionName: otel-grpc
  - conditions:
    - lastTransitionTime: "2025-12-12T19:49:05Z"
      message: Listener does not allow route attachment, no matching hostname
      observedGeneration: 5
      reason: NoMatchingListenerHostname
      status: "False"
      type: Accepted
    - lastTransitionTime: "2025-12-12T19:49:05Z"
      message: ""
      observedGeneration: 5
      reason: Accepted
      status: "True"
      type: ResolvedRefs
    controllerName: gateway.k8s.aws/alb
    parentRef:
      group: gateway.networking.k8s.io
      kind: Gateway
      name: ingress-alb
      namespace: gateway-system
      sectionName: otel-https
  - conditions:
    - lastTransitionTime: "2025-12-12T19:49:05Z"
      message: Listener does not allow route attachment, no matching hostname
      observedGeneration: 5
      reason: NoMatchingListenerHostname
      status: "False"
      type: Accepted
    - lastTransitionTime: "2025-12-12T19:49:05Z"
      message: ""
      observedGeneration: 5
      reason: Accepted
      status: "True"
      type: ResolvedRefs
    controllerName: gateway.k8s.aws/alb
    parentRef:
      group: gateway.networking.k8s.io
      kind: Gateway
      name: ingress-alb
      namespace: gateway-system
      sectionName: otel-grpc-wildcard
  - conditions:
    - lastTransitionTime: "2025-12-12T19:49:05Z"
      message: Listener does not allow route attachment, no matching hostname
      observedGeneration: 5
      reason: NoMatchingListenerHostname
      status: "False"
      type: Accepted
    - lastTransitionTime: "2025-12-12T19:49:05Z"
      message: ""
      observedGeneration: 5
      reason: Accepted
      status: "True"
      type: ResolvedRefs
    controllerName: gateway.k8s.aws/alb
    parentRef:
      group: gateway.networking.k8s.io
      kind: Gateway
      name: ingress-alb
      namespace: gateway-system
      sectionName: otel-https-wildcard
```
- Controller logs/error messages while reproducing the issue:
Expected Behavior
- ONLY parentRefs that do not match listener hostnames should fail with Reason: NoMatchingListenerHostname, others should be accepted successfully
Actual Behavior
- All parentRefs fail with Reason: NoMatchingListenerHostname when 1 or more parentRefs do not match any listener hostnames
- Removing the non-matching parentRefs allows all remaining parentRefs to be accepted successfully
Regression
Was the functionality working correctly in a previous version ? [Yes / No]
If yes, specify the last version where it worked as expected
Current Workarounds
- Removing the non-matching parentRefs allows all remaining parentRefs to be accepted successfully
Environment
- AWS Load Balancer controller version: v2.16.0
- Kubernetes version: v1.34.1
- Using EKS (yes/no), if so version?: Platform version eks.9
- Using Service or Ingress: Service
- AWS region: us-west-2
Possible Solution (Optional)
Contribution Intention (Optional)
- Yes, I'm willing to submit a PR to fix this issue
- No, I cannot work on a PR at this time
Additional Context
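The per-parentRef evaluation described under Expected Behavior, as an added example that is not part of the original report and is not the controller's code. `ParentStatus`, `hostnameMatches` and `evaluateParentRefs` are hypothetical names, and the matching is a simplified model of Gateway API hostname intersection; the listener names and hostnames are the ones in the manifests above.

```go
package main

import (
	"fmt"
	"strings"
)

// ParentStatus is a simplified stand-in for one HTTPRoute status.parents entry.
type ParentStatus struct {
	SectionName, Reason string
	Accepted            bool
}
// hostnameMatches: empty matches anything; "*." is a suffix match on either side.
func hostnameMatches(listener, route string) bool {
	wild := func(pat, host string) bool {
		return strings.HasPrefix(pat, "*.") && strings.HasSuffix(host, pat[1:])
	}
	return listener == "" || route == "" || listener == route ||
		wild(listener, route) || wild(route, listener)
}

// evaluateParentRefs decides each parentRef independently of the others.
// listeners maps listener name to hostname (hypothetical shape for this example).
func evaluateParentRefs(listeners map[string]string, sections, hostnames []string) []ParentStatus {
	if len(hostnames) == 0 {
		hostnames = []string{""} // a route without hostnames matches any listener
	}
	var out []ParentStatus
	for _, s := range sections {
		st := ParentStatus{SectionName: s, Reason: "NoMatchingParent"}
		if lh, ok := listeners[s]; ok {
			st.Reason = "NoMatchingListenerHostname"
			for _, h := range hostnames {
				if hostnameMatches(lh, h) {
					st.Accepted, st.Reason = true, "Accepted"
				}
			}
		}
		out = append(out, st)
	}
	return out
}

func main() {
	listeners := map[string]string{ // hostnames from the issue's Gateway manifest
		"otel-grpc": "dev.foo.bar", "otel-grpc-wildcard": "*.dev.foo.bar",
		"otel-https": "dev.foo.bar", "otel-https-wildcard": "*.dev.foo.bar",
	}
	sections := []string{"otel-grpc", "otel-https", "otel-grpc-wildcard", "otel-https-wildcard"}
	for _, st := range evaluateParentRefs(listeners, sections, []string{"app.dev.foo.bar"}) {
		fmt.Printf("%-20s accepted=%-5t reason=%s\n", st.SectionName, st.Accepted, st.Reason)
	}
}
```

With the route hostname `app.dev.foo.bar`, the two exact-hostname sections report `NoMatchingListenerHostname` while the two wildcard sections report `Accepted`.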