Description:
Some logic was added in #5777 to detect overlapping certificate SANs in listeners. I've noticed the following in the gateway logs:
The certificate SAN testing-api.foo.dev overlaps with the certificate SAN api.foo.dev in listener api.foo.dev. ALPN will default to HTTP/1.1 to prevent HTTP/2 connection coalescing, unless explicitly configured via ClientTrafficPolicy
This looks like a bug, since the hostname testing-api.foo.dev does not actually overlap api.foo.dev.
Repro steps:
- Add a listener for testing-api.foo.dev and api.foo.dev.
- Use cert-manager to issue certs for them (note that a wildcard certificate should not be used)
- Look in the logs to see a warning about overlapping SANs
Environment:
Envoy Gateway version 1.4.1
Logs:
{"type":"OverlappingTLSConfig","status":"True","observedGeneration":1,"lastTransitionTime":"2025-06-06T14:33:26Z","reason":"OverlappingCertificates","message":"The certificate SAN test-api.foo.dev overlaps with the certificate SAN api.foo.dev in listener api.foo.dev. ALPN will default to HTTP/1.1 to prevent HTTP/2 connection coalescing, unless explicitly configured via ClientTrafficPolicy"}
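Added example (not part of the issue and not Envoy Gateway's code): a label-aware check for whether two certificate SANs can cover the same hostname, which is the condition that matters for HTTP/2 connection coalescing. All function names are hypothetical, and naiveSuffixOverlap is an assumed buggy comparison included only for contrast; the issue does not say how the real check is implemented.

```go
package main

import (
	"fmt"
	"strings"
)

// norm lowercases a DNS name and drops a trailing root dot.
func norm(s string) string { return strings.ToLower(strings.TrimSuffix(s, ".")) }

// sanCovers reports whether SAN pattern matches host label by label:
// a leading "*." stands for exactly one leftmost label, anything else
// must be an exact match.
func sanCovers(pattern, host string) bool {
	pattern, host = norm(pattern), norm(host)
	if !strings.HasPrefix(pattern, "*.") {
		return pattern == host
	}
	first, rest, ok := strings.Cut(host, ".")
	return ok && first != "" && rest == pattern[2:]
}

// sansOverlap is true when one SAN covers the other, i.e. a client could
// reuse a connection made for one name to reach the other.
func sansOverlap(a, b string) bool { return sanCovers(a, b) || sanCovers(b, a) }

// naiveSuffixOverlap is an ASSUMED buggy comparison, for contrast only:
// it ignores label boundaries, so "testing-api.foo.dev" matches "api.foo.dev".
func naiveSuffixOverlap(a, b string) bool {
	a, b = norm(a), norm(b)
	return strings.HasSuffix(a, b) || strings.HasSuffix(b, a)
}

func main() {
	// Constructed SAN pairs; the first is the pair from the report.
	pairs := [][2]string{
		{"testing-api.foo.dev", "api.foo.dev"},
		{"*.foo.dev", "api.foo.dev"},
		{"*.foo.dev", "a.b.foo.dev"},
		{"API.foo.dev", "api.foo.dev."},
	}
	for _, p := range pairs {
		fmt.Printf("%-20s %-14s label-aware=%-5t naive=%t\n",
			p[0], p[1], sansOverlap(p[0], p[1]), naiveSuffixOverlap(p[0], p[1]))
	}
}
```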