Bug
Resolution: Unresolved
4.19.z
Quality / Stability / Reliability
Moderate
Rejected
Description of problem:
When using the Gateway API on an on-premise IPI cluster, the in-cluster CoreDNS incorrectly resolves hostnames for Gateway API routes. Instead of resolving to the Gateway's LoadBalancer IP, CoreDNS falls back to the wildcard *.apps record, which points to the default OpenShift router's IP. This forces all in-cluster traffic (e.g., pod-to-route) to the wrong ingress controller, breaking functionality for any services exposed via the Gateway API. External resolution (from outside the cluster) works correctly, as it relies on the upstream DNS server.
Version-Release number of selected component (if applicable):
How reproducible:
Always
Steps to Reproduce:
1. Prepare Environment: Deploy an OpenShift 4.19 IPI cluster on-premise. Install and configure the MetalLB Operator.
2. Configure Gateway API: https://docs.redhat.com/en/documentation/openshift_container_platform/4.19/html/ingress_and_load_balancing/configuring-ingress-cluster-traffic#nw-ingress-gateway-api-enable_ingress-gateway-api
3. Configure Upstream DNS: In your external DNS provider (not in the cluster), create two wildcard A records:
   *.apps.{$BASEDOMAIN} -> 10.xx.xx.68
   *.gwapi.apps.{$BASEDOMAIN} -> 10.xx.xx.67
4. Check the resolution from bastion and same from node:
   dig test.gwapi.apps.{$BASEDOMAIN}
Actual results:
From within a cluster node, the dig command resolves test.gwapi.apps.{$BASEDOMAIN} to 10.xx.xx.68 (the default *.apps IP).
Expected results:
From within a cluster node, the dig command should resolve test.gwapi.apps.{$BASEDOMAIN} to 10.xx.xx.67 (the Gateway API IP), honoring the more specific DNS record.
Additional info:
Output from the worker node:

# dig +search test.gwapi.apps.vdcluster.hcpexample.com

; <<>> DiG 9.16.23-RH <<>> +search test.gwapi.apps.vdcluster.hcpexample.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46619
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; COOKIE: 9f5e593c6b9a786e (echoed)
;; QUESTION SECTION:
;test.gwapi.apps.vdcluster.hcpexample.com. IN A

;; ANSWER SECTION:
test.gwapi.apps.vdcluster.hcpexample.com. 30 IN A 10.xx.xx.68

;; Query time: 0 msec
;; SERVER: 10.xx.xx.80#53(10.xx.xx.80)
;; WHEN: Tue Oct 07 15:04:13 UTC 2025
;; MSG SIZE rcvd: 137

# dig test.gwapi.apps.vdcluster.hcpexample.com @10.74.232.203

; <<>> DiG 9.16.23-RH <<>> test.gwapi.apps.vdcluster.hcpexample.com @10.74.232.203
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36761
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 2b5e47e154f26fcb0100000068e52c684c5648b14626bd6d (good)
;; QUESTION SECTION:
;test.gwapi.apps.vdcluster.hcpexample.com. IN A

;; ANSWER SECTION:
test.gwapi.apps.vdcluster.hcpexample.com. 604800 IN A 10.xx.xx.67

;; Query time: 4 msec
;; SERVER: 10.74.232.203#53(10.74.232.203)
;; WHEN: Tue Oct 07 15:06:16 UTC 2025
;; MSG SIZE rcvd: 113

# cat /etc/resolv.conf
# Generated by KNI resolv prepender NM dispatcher script
search vdcluster.hcpexample.com gsslab.pnq2.redhat.com pnq2.redhat.com redhat.com
nameserver 10.xx.xx.80
nameserver 10.74.232.203
nameserver 10.xx.xx.25
#nameserver 10.xx.xx.26
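
The per-resolver comparison shown in the output above can be scripted so the mismatch is caught on any node. This is an added example, not part of the original report: the function names are hypothetical, and it assumes `dig` is installed and that the first nameserver in resolv.conf is the node-local resolver.

```bash
# Added example: compare the A records that each active resolver in
# resolv.conf returns for one hostname, and flag any disagreement.

# Print active nameserver addresses in file order.
# Commented-out entries such as "#nameserver ..." are skipped.
nameservers_from() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Ask one server for the A records of a name.
# Output: sorted IPv4 addresses joined by commas (empty if no answer).
answer_from() {
    dig +short +time=2 +tries=1 A "$1" "@$2" 2>/dev/null \
        | grep -E '^[0-9.]+$' | sort | paste -sd, -
}

# Print "server answer" for every resolver.
# Returns 1 when any resolver disagrees with the first one listed.
compare_resolvers() {
    local name="$1" conf="${2:-/etc/resolv.conf}"
    local first="" ans="" ns="" rc=0 seen=0
    for ns in $(nameservers_from "$conf"); do
        ans=$(answer_from "$name" "$ns")
        printf '%-16s %s\n' "$ns" "${ans:-<no answer>}"
        if [ "$seen" -eq 0 ]; then
            first="$ans"
            seen=1
        elif [ "$ans" != "$first" ]; then
            rc=1
        fi
    done
    return "$rc"
}

# Usage: script.sh HOSTNAME [RESOLV_CONF]
if [ "$#" -ge 1 ]; then
    compare_resolvers "$@" || {
        echo "MISMATCH: resolvers disagree for $1" >&2
        exit 1
    }
fi
```

Run on a node with the Gateway API hostname as the argument; a non-zero exit means in-cluster traffic is being sent to a different address than the upstream DNS record specifies.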