Is there an existing issue for this?
Current Behavior
When using Kong Ingress Controller with router_flavor: traditional_compatible, routes with pathType: Exact are not correctly prioritized over routes with pathType: Prefix on the same host.
This causes cert-manager ACME HTTP-01 challenges to fail because the temporary solver ingress (pathType: Exact on /.well-known/acme-challenge/<token>) is shadowed by the application ingress (pathType: Prefix on /).
Requests to /.well-known/acme-challenge/TOKEN are sporadically routed to the application service instead of the cert-manager solver pod. The behavior is inconsistent:
- Some requests correctly reach the ACME solver
- Some requests incorrectly hit the application service
- Most often, the application receives several requests first, then requests eventually start routing to the ACME solver
This violates the Kubernetes Ingress specification which states:
> If multiple paths match a request, precedence will be given first to the longest matching path and then to Exact path type over Prefix path type.
Expected Behavior
The request to /.well-known/acme-challenge/TOKEN should be routed to the cert-manager solver service because:
- `pathType: Exact` should take precedence over `pathType: Prefix` per the Kubernetes Ingress spec
- The exact path `/.well-known/acme-challenge/TOKEN` is more specific than the prefix `/`
Steps To Reproduce
1. Deploy Kong Ingress Controller with `router_flavor: traditional_compatible`
2. Create an application ingress with `pathType: Prefix` on path `/`:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-ingress
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    konghq.com/strip-path: "true"
spec:
  ingressClassName: kong
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app-service
            port:
              number: 80
  tls:
  - hosts:
    - example.com
    secretName: example-tls
```
3. Wait for cert-manager to create a temporary ACME solver ingress with `pathType: Exact`:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cm-acme-http-solver-xxxxx
spec:
  ingressClassName: kong
  rules:
  - host: example.com
    http:
      paths:
      - path: /.well-known/acme-challenge/TOKEN
        pathType: Exact
        backend:
          service:
            name: cm-acme-http-solver-xxxxx
            port:
              number: 8089
```
4. Observe that requests to `http://example.com/.well-known/acme-challenge/TOKEN` are sporadically routed to `app-service` instead of `cm-acme-http-solver-xxxxx` (typically the first several requests hit the application, then routing eventually switches to the solver)
Kong Ingress Controller version
Kubernetes version
Server Version: v1.33.5-gke.1956000 (GKE)
Anything else?
Root Cause Analysis:
Based on investigation, KIC appears to convert pathType: Exact routes into regex routes (e.g., /.well-known/acme-challenge/TOKEN$). In Kong's traditional_compatible router, regex routes are evaluated by regex_priority rather than being automatically prioritized over prefix routes based on specificity.
This means the prefix route / can match before the exact route is evaluated, despite the Kubernetes Ingress spec requiring Exact to take precedence.
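To make the expected behaviour concrete, the following is an added reference resolver (not KIC or Kong code) that applies the Ingress spec rule quoted above, longest matching path first and Exact over Prefix on equal length, to the two constructed paths from this report, so the backend the spec requires for a challenge URL can be compared with what the gateway actually returns.

```python
"""Reference resolver for Kubernetes Ingress path precedence (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IngressPath:
    path: str
    path_type: str   # "Exact" or "Prefix"
    backend: str     # service name the request should reach


def _prefix_matches(rule_path: str, request_path: str) -> bool:
    # Prefix matching is element-wise on "/"-separated segments:
    # /foo matches /foo and /foo/bar but not /foobar; "/" matches everything.
    rule = rule_path.rstrip("/")
    if rule == "":
        return True
    return request_path == rule or request_path.startswith(rule + "/")


def matches(p: IngressPath, request_path: str) -> bool:
    if p.path_type == "Exact":
        return request_path == p.path
    if p.path_type == "Prefix":
        return _prefix_matches(p.path, request_path)
    raise ValueError(f"unsupported pathType {p.path_type!r}")


def resolve(paths, request_path: str) -> Optional[str]:
    """Return the backend the Ingress spec requires for request_path, or None."""
    candidates = [p for p in paths if matches(p, request_path)]
    if not candidates:
        return None
    # Longest path wins; on equal length Exact ranks above Prefix.
    best = max(candidates,
               key=lambda p: (len(p.path.rstrip("/")), p.path_type == "Exact"))
    return best.backend


# Constructed from the two Ingress objects in the report (same host).
PATHS = [
    IngressPath("/", "Prefix", "app-service"),
    IngressPath("/.well-known/acme-challenge/TOKEN", "Exact", "cm-acme-http-solver-xxxxx"),
]

if __name__ == "__main__":
    for req in ("/.well-known/acme-challenge/TOKEN",
                "/.well-known/acme-challenge/OTHER", "/"):
        print(f"{req:40} -> {resolve(PATHS, req)}")
```

Only the exact challenge token path resolves to the solver; every other path, including a different token, correctly falls through to the application.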
Environment Details:
- Kong Helm Chart version: 2.47.0 (deployed via Flux HelmRelease)
- Kong Gateway version: 3.9
- cert-manager version: v1.19.0
- Platform: GKE (Google Kubernetes Engine)
- Router flavor: `traditional_compatible`
Workarounds Attempted:
- `router_flavor: expressions` - This router handles priority correctly but caused other routing issues in our setup
Related Issues:
- cert-manager #2980 - "Ingress Priority - CM Ingress being ignored"
- cert-manager #4371 - "Ingress routes for challenges created with pathType: Exact"