Description
Is your enhancement request related to a problem? Please describe.
Currently an HTTPS listener in NGINX Gateway Fabric supports only a single `tls.certificateRef`. This is limiting when we need to serve multiple certificates (e.g., a wildcard certificate plus a specific SAN certificate, or during certificate rotations/Let’s Encrypt renewals) on the same listener/port. To work around this, we must create multiple listeners on the same port, one per hostname, which adds configuration duplication and complexity.
What would you like to be added:
Allow an HTTPS listener to use multiple TLS certificates. Ideally NGF would honor all entries in `tls.certificateRefs` (aligned with the Gateway API spec), loading each secret and selecting the correct certificate via SNI at runtime.
Why this is needed:
- Simplifies configuration: one listener can cover multiple hostnames/certs instead of duplicating listeners.
- Supports smooth certificate rotation (old + new cert simultaneously).
- Aligns with Gateway API semantics where `certificateRefs` is a list.
- Reduces risk of misconfiguration by consolidating related hostnames under a single listener block.
Additional context
Example desired configuration:
```yaml
listeners:
  - name: https
    port: 443
    protocol: HTTPS
    hostname: "*.example.com"
    tls:
      certificateRefs:
        - kind: Secret
          name: wildcard-example-com
        - kind: Secret
          name: special-app-cert
```
NGF would load both secrets and select the appropriate cert via SNI. If only partial support is feasible initially, even allowing two refs (for rotation) would be helpful.
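The runtime behaviour this request describes, as an added example that is not code from NGINX Gateway Fabric or the Gateway API project: a Go program builds two in-memory self-signed certificates standing in for the `wildcard-example-com` and `special-app-cert` Secrets, then selects between them per handshake from the SNI name using the `GetCertificate` hook of `crypto/tls`. The hostname behind `special-app-cert` (`special.example.com`), the `check`/`selfSigned`/`selectCertificate`/`tlsConfig`/`issueExampleCerts` helpers and the exact-before-wildcard rule are assumptions made for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// check panics on fixture-generation errors, which a demo cannot recover from.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSigned builds an in-memory self-signed certificate for dnsName as a
// stand-in for the kubernetes.io/tls Secret a real deployment would load.
// Leaf is parsed so the selector can read DNSNames without re-parsing.
func selfSigned(dnsName string) *tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// selectCertificate picks, from the certificates loaded for one listener, the
// one for the SNI name the client offered: an exact SAN match wins over a
// wildcard, and an unknown name is rejected rather than served any other cert.
func selectCertificate(certs []*tls.Certificate, serverName string) (*tls.Certificate, error) {
	host := strings.ToLower(serverName)
	var wildcard *tls.Certificate
	for _, c := range certs {
		for _, name := range c.Leaf.DNSNames {
			if strings.EqualFold(name, host) {
				return c, nil
			}
			// Single-label wildcard as in X.509 hostname checks: *.example.com
			// covers other.example.com but not example.com or a.b.example.com.
			if wildcard == nil && strings.HasPrefix(name, "*.") {
				if i := strings.IndexByte(host, '.'); i > 0 && host[i+1:] == strings.ToLower(name[2:]) {
					wildcard = c
				}
			}
		}
	}
	if wildcard != nil {
		return wildcard, nil
	}
	return nil, errors.New("no certificate matches SNI " + serverName)
}

// tlsConfig wires the selector into crypto/tls: GetCertificate runs once per
// handshake with the ClientHello, which carries the SNI server name.
func tlsConfig(certs []*tls.Certificate) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
			return selectCertificate(certs, h.ServerName)
		},
	}
}

// issueExampleCerts mirrors the issue's two certificateRefs; the hostname
// behind special-app-cert is an assumption made for this illustration.
func issueExampleCerts() []*tls.Certificate {
	return []*tls.Certificate{
		selfSigned("*.example.com"),       // Secret wildcard-example-com
		selfSigned("special.example.com"), // Secret special-app-cert
	}
}

func main() {
	cfg := tlsConfig(issueExampleCerts())
	for _, sni := range []string{"special.example.com", "other.example.com", "example.org"} {
		if cert, err := cfg.GetCertificate(&tls.ClientHelloInfo{ServerName: sni}); err != nil {
			fmt.Printf("%-20s -> %v\n", sni, err)
		} else {
			fmt.Printf("%-20s -> certificate for %s\n", sni, cert.Leaf.DNSNames[0])
		}
	}
}
```

Two points of the design carry over to the rotation case the issue mentions: when two loaded certificates carry the same SAN (old and new cert during a rollover), the first listed wins, so the order of `certificateRefs` decides which one clients see; and a name that no certificate covers produces a handshake failure instead of a mismatched certificate, which is the safer default because a silent mismatch would only surface as browser warnings on the client side.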