Duplicate ACME challenge paths across ingress #16258

@linkvt

Problem

When a Service has traffic tags, the Route controller adds ALL ACME challenges to EVERY external ingress rule, creating duplicate domain entries. Kourier rejects this with an error in the kourier-controller logs.

This likely causes kourier-stable test failures: https://testgrid.k8s.io/r/knative-own-testgrid/serving#kourier-stable

Root Cause

pkg/reconciler/route/resources/ingress.go lines ~185-188 add all challenges to every external rule in a loop, causing duplicates when multiple certificates exist.

Expected Behavior

Each ACME challenge path should appear only in one rule.

Constraint

Must preserve PR #13637 - allowing challenges for domains that don't match the route (e.g., truncated long domains).

Example KIngress Spec

spec:
  httpOption: Enabled
  rules:
  - hosts:
    - tls-test.tls-repro
    - tls-test.tls-repro.svc
    - tls-test.tls-repro.svc.cluster.local
    http:
      paths:
      - splits:
        - appendHeaders:
            Knative-Serving-Namespace: tls-repro
            Knative-Serving-Revision: tls-test-00001
          percent: 100
          serviceName: tls-test-00001
          serviceNamespace: tls-repro
          servicePort: 80
    visibility: ClusterLocal
  - hosts:
    - blue-tls-test.tls-repro.127.0.0.1.sslip.io
    - green-tls-test.tls-repro.127.0.0.1.sslip.io
    - tls-test.tls-repro.127.0.0.1.sslip.io
    http:
      paths:
      - path: /.well-known/acme-challenge/ylYCkxEjlDTt6VdzN42T9U6qVhlts9qX3DJEEJn8KWc
        splits:
        - percent: 100
          serviceName: cm-acme-http-solver-fh87z
          serviceNamespace: tls-repro
          servicePort: 8089
      - path: /.well-known/acme-challenge/Y_L7A1a_RLos4WL8Dc_MYQ1bovfmQKYNLmv6POZLacU
        splits:
        - percent: 100
          serviceName: cm-acme-http-solver-wpqqm
          serviceNamespace: tls-repro
          servicePort: 8089
      - path: /.well-known/acme-challenge/IZTj12TkOzUPMUduwlGgbeiN-kVXBqRpzY3OsGedfRg
        splits:
        - percent: 100
          serviceName: cm-acme-http-solver-l9g2v
          serviceNamespace: tls-repro
          servicePort: 8089
      - splits:
        - appendHeaders:
            Knative-Serving-Namespace: tls-repro
            Knative-Serving-Revision: tls-test-00001
          percent: 100
          serviceName: tls-test-00001
          serviceNamespace: tls-repro
          servicePort: 80
    visibility: ExternalIP
  - hosts:
    - blue-tls-test.tls-repro
    - blue-tls-test.tls-repro.svc
    - blue-tls-test.tls-repro.svc.cluster.local
    http:
      paths:
      - splits:
        - appendHeaders:
            Knative-Serving-Namespace: tls-repro
            Knative-Serving-Revision: tls-test-00001
          percent: 100
          serviceName: tls-test-00001
          serviceNamespace: tls-repro
          servicePort: 80
    visibility: ClusterLocal
  - hosts:
    - green-tls-test.tls-repro.127.0.0.1.sslip.io
    - tls-test.tls-repro.127.0.0.1.sslip.io
    - blue-tls-test.tls-repro.127.0.0.1.sslip.io
    http:
      paths:
      - path: /.well-known/acme-challenge/ylYCkxEjlDTt6VdzN42T9U6qVhlts9qX3DJEEJn8KWc
        splits:
        - percent: 100
          serviceName: cm-acme-http-solver-fh87z
          serviceNamespace: tls-repro
          servicePort: 8089
      - path: /.well-known/acme-challenge/Y_L7A1a_RLos4WL8Dc_MYQ1bovfmQKYNLmv6POZLacU
        splits:
        - percent: 100
          serviceName: cm-acme-http-solver-wpqqm
          serviceNamespace: tls-repro
          servicePort: 8089
      - path: /.well-known/acme-challenge/IZTj12TkOzUPMUduwlGgbeiN-kVXBqRpzY3OsGedfRg
        splits:
        - percent: 100
          serviceName: cm-acme-http-solver-l9g2v
          serviceNamespace: tls-repro
          servicePort: 8089
      - splits:
        - appendHeaders:
            Knative-Serving-Namespace: tls-repro
            Knative-Serving-Revision: tls-test-00001
          percent: 100
          serviceName: tls-test-00001
          serviceNamespace: tls-repro
          servicePort: 80
    visibility: ExternalIP
  - hosts:
    - green-tls-test.tls-repro
    - green-tls-test.tls-repro.svc
    - green-tls-test.tls-repro.svc.cluster.local
    http:
      paths:
      - splits:
        - appendHeaders:
            Knative-Serving-Namespace: tls-repro
            Knative-Serving-Revision: tls-test-00001
          percent: 100
          serviceName: tls-test-00001
          serviceNamespace: tls-repro
          servicePort: 80
    visibility: ClusterLocal
  - hosts:
    - blue-tls-test.tls-repro.127.0.0.1.sslip.io
    - tls-test.tls-repro.127.0.0.1.sslip.io
    - green-tls-test.tls-repro.127.0.0.1.sslip.io
    http:
      paths:
      - path: /.well-known/acme-challenge/ylYCkxEjlDTt6VdzN42T9U6qVhlts9qX3DJEEJn8KWc
        splits:
        - percent: 100
          serviceName: cm-acme-http-solver-fh87z
          serviceNamespace: tls-repro
          servicePort: 8089
      - path: /.well-known/acme-challenge/Y_L7A1a_RLos4WL8Dc_MYQ1bovfmQKYNLmv6POZLacU
        splits:
        - percent: 100
          serviceName: cm-acme-http-solver-wpqqm
          serviceNamespace: tls-repro
          servicePort: 8089
      - path: /.well-known/acme-challenge/IZTj12TkOzUPMUduwlGgbeiN-kVXBqRpzY3OsGedfRg
        splits:
        - percent: 100
          serviceName: cm-acme-http-solver-l9g2v
          serviceNamespace: tls-repro
          servicePort: 8089
      - splits:
        - appendHeaders:
            Knative-Serving-Namespace: tls-repro
            Knative-Serving-Revision: tls-test-00001
          percent: 100
          serviceName: tls-test-00001
          serviceNamespace: tls-repro
          servicePort: 80
    visibility: ExternalIP

/kind bug
/assign
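To make the two behaviours in the report concrete, here is an added Go example that is not Knative's code: `HTTPPath`, `Rule` and `Challenge` are simplified stand-ins for the networking types, `AddChallengesDuplicating` mirrors the per-rule loop described under Root Cause, and `AddChallengesOnce` is one way to meet the Expected Behavior while keeping the PR #13637 constraint. The placement rule it uses (first external rule whose hosts already carry the challenge domain, otherwise the first external rule, which also gains the domain as a host) is an assumption, not the project's implementation. `DuplicateHosts` is the check a reviewer can run over a rendered spec to spot the duplicate domain entries; the sample rules and challenge tokens are constructed, modelled on the spec above.

```go
package main

// Simplified stand-ins for the Knative networking types (hypothetical names;
// the real IngressRule/HTTPIngressPath types carry many more fields).
type HTTPPath struct{ Path, ServiceName string } // Path "" is the default catch-all
type Rule struct {
	Hosts    []string
	External bool // true for visibility: ExternalIP
	Paths    []HTTPPath
}
type Challenge struct{ Domain, Path, ServiceName string } // one ACME HTTP-01 challenge

func containsHost(hosts []string, h string) bool {
	for _, x := range hosts {
		if x == h {
			return true
		}
	}
	return false
}

// attach adds the domain (if missing) and puts the solver path ahead of the
// default path, on fresh slices so the caller's spec is never mutated.
func attach(r *Rule, c Challenge) {
	if !containsHost(r.Hosts, c.Domain) {
		r.Hosts = append(append([]string(nil), r.Hosts...), c.Domain)
	}
	r.Paths = append([]HTTPPath{{c.Path, c.ServiceName}}, r.Paths...)
}

// AddChallengesDuplicating reproduces the issue: every external rule gets every challenge.
func AddChallengesDuplicating(rules []Rule, challenges []Challenge) []Rule {
	out := append([]Rule(nil), rules...)
	for i := range out {
		if out[i].External {
			for _, c := range challenges {
				attach(&out[i], c)
			}
		}
	}
	return out
}

// AddChallengesOnce places each challenge in exactly one external rule: the
// first whose hosts include its domain, or, when none matches (e.g. a truncated
// long domain), the first external rule, which also gains the domain as a host.
// This placement rule is an assumption, not Knative's implementation.
func AddChallengesOnce(rules []Rule, challenges []Challenge) []Rule {
	out := append([]Rule(nil), rules...)
	for _, c := range challenges {
		target := -1
		for i := range out {
			if out[i].External && containsHost(out[i].Hosts, c.Domain) {
				target = i
				break
			}
			if target < 0 && out[i].External {
				target = i // first external rule is the fallback
			}
		}
		if target >= 0 {
			attach(&out[target], c)
		}
	}
	return out
}

// DuplicateHosts maps every host listed in more than one rule to its count,
// i.e. the duplicate domain entries the issue reports; empty means clean.
func DuplicateHosts(rules []Rule) map[string]int {
	seen, dup := map[string]int{}, map[string]int{}
	for _, r := range rules {
		for _, h := range r.Hosts {
			if seen[h]++; seen[h] > 1 {
				dup[h] = seen[h]
			}
		}
	}
	return dup
}

// Constructed input modelled on the issue's spec: one external rule per tagged
// host, plus a fourth challenge whose domain no rule carries.
func SampleRules() []Rule {
	def := []HTTPPath{{"", "tls-test-00001"}}
	return []Rule{
		{Hosts: []string{"tls-test.tls-repro.svc.cluster.local"}, Paths: def},
		{Hosts: []string{"tls-test.tls-repro.127.0.0.1.sslip.io"}, External: true, Paths: def},
		{Hosts: []string{"blue-tls-test.tls-repro.127.0.0.1.sslip.io"}, External: true, Paths: def},
		{Hosts: []string{"green-tls-test.tls-repro.127.0.0.1.sslip.io"}, External: true, Paths: def},
	}
}

func SampleChallenges() []Challenge {
	return []Challenge{
		{"tls-test.tls-repro.127.0.0.1.sslip.io", "/.well-known/acme-challenge/TOKEN-A", "solver-a"},
		{"blue-tls-test.tls-repro.127.0.0.1.sslip.io", "/.well-known/acme-challenge/TOKEN-B", "solver-b"},
		{"green-tls-test.tls-repro.127.0.0.1.sslip.io", "/.well-known/acme-challenge/TOKEN-C", "solver-c"},
		{"truncated.example.invalid", "/.well-known/acme-challenge/TOKEN-D", "solver-d"}, // matches no rule
	}
}
```

Running `DuplicateHosts` over the output of `AddChallengesDuplicating(SampleRules(), SampleChallenges())` reports all three sslip.io hosts and the unmatched domain three times each, which is the shape of the spec in the report (every external rule carries every host and every solver path); over `AddChallengesOnce` it reports nothing, each solver path appears once, and the unmatched challenge is still served from the first external rule. The same check can be applied to a rendered KIngress spec to confirm a fix before relying on the kourier-stable job.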
