Merged Gateway HTTPRoute path matching doesn't respect priority as defined in API docs

[mark-webster-catalyst]

I'm using a merged gateway with cert-manager http01 solver. My main HTTPRoute has a PathPrefix match on /. When cert-manager create a HTTPRoute it creates an Exact match for /.well-known[...]. According the the API docs, when two HTTPRoutes provide a match the following should happen:

Across all rules specified on applicable Routes, precedence must be
given to the match having:
"Exact" path match.
"Prefix" path match with largest number of characters.
Method match.

Unless I'm reading that wrong, the Exact match should take priority. However, the gateway is matching on the PathPrefix and sending the requests to my service pods rather than the cert-manager pod.

[arkodg]

which version is this on ?

can you also share a config thats reproducible so someone in the community can triage this further

[mark-webster-catalyst]

Still present in v1.7.0

I've done some more experimenting, and it seems the issue is only present when using a ClusterIssuer that has a different Gateway name defined than the main site. I've just tried it using an Issuer in the same namespace as my site and using the same Gateway and it works as expected.

From this I gather the issue is as follows:

• Have a GatewayClass with an associated EnvoyProxy with mergeGateways: true
• Define a cert-manager Gateway that uses this class
• Define a ClusterIssuer with a HTTP-01 challenge that references the cert-manager Gateway
• Define another Gateway in another namespace that uses the merged GatewayClass
• Define a HTTPRoute with PathPrefix of / for the second Gateway

I'm guessing that because the Gateway the cert-manager HTTPRoute uses is different to the Gateway the site HTTPRoute uses, that there isn't technically a conflict as defined in the API docs, therefore the first route to be defined wins?

Still, it would be good if merged gateways took all routes for a URL into account, regardless of the Gateway resource.

[arkodg]

do you see this issue if you enable https://gateway.envoyproxy.io/docs/tasks/extensibility/envoy-patch-policy/#xds-name-scheme-v2