To evaluate the current behavior of various gateway implementations, I performed a test using envoy-gateway, kgateway, nginx-gateway-fabric and the airlock-microgateway. The goal was to observe how each reacts when a BackendTLSPolicy is configured with a CertificateRefs that points to a resource which does not exist, e.g.:

    caCertificateRefs:
      - kind: ConfigMap
        group: ""
        name: does-not-exist

Result:

    - ancestorRef:
        group: gateway.networking.k8s.io
        kind: Gateway
        name: envoy-gateway
        namespace: envoy
      conditions:
      - lastTransitionTime: "2025-07-22T06:07:05Z"
        message: No ca found in referred configmaps.
        observedGeneration: 1
        reason: Invalid
        status: "False"
        type: Accepted
      controllerName: gateway.envoyproxy.io/gatewayclass-controller
    - ancestorRef:
        group: ""
        kind: Service
        name: backend
      conditions:
      - lastTransitionTime: "2025-07-22T06:09:33Z"
        message: 'Policy error: "configmap default/does-not-exist not found"'
        reason: Invalid
        status: "False"
        type: Accepted
      controllerName: kgateway.dev/kgateway
    - ancestorRef:
        group: gateway.networking.k8s.io
        kind: Gateway
        name: airlock-microgateway
        namespace: airlock
      conditions:
      - lastTransitionTime: "2025-07-22T06:10:31Z"
        message: |-
          Resolving BackendTLSPolicy failed
          Missing referenced ConfigMap 'does-not-exist'
        observedGeneration: 1
        reason: Invalid
        status: "False"
        type: Accepted
      controllerName: microgateway.airlock.com/gatewayclass-controller

Observations:

• kgateway sets ancestorRef to the target Service, others set it to the Gateway.
• All implementations (except nginx-gateway-fabric) set Accepted condition to False with reason Invalid for missing resources.
• envoy-gateway accepts the policy if at least one CertificateRefs is valid.
• envoy-gateway and kgateway overwrite each other’s status updates.
• nginx-gateway-fabric sets an implementation-specific reason on the ResolvedRefs condition on the HTTPRoute's status:

        - lastTransitionTime: "2025-07-22T06:07:05Z"
          message: 'Failed to process route rule 0 backendRef 0: no ca found in referred
            configmaps.'
          observedGeneration: 1
          reason: InvalidBackendTLS
          status: "False"
          type: ResolvedRefs
        controllerName: gateway.envoyproxy.io/gatewayclass-controller
  

• In cases where the BackendTLSPolicy is invalid envoy-gateway, nginx-gateway-fabric and airlock-microgateway respond to incoming traffic with an HTTP 500 error. In contrast, kgateway proceeds to connect to the backend over plaintext, despite the invalid policy.

Conclusion:
IMO the behavior of BackendTLSPolicy in cases where CertificateRefs point to non-existent resources should not be left to implementation-specific handling. Allowing each implementation to behave differently leads to confusion for the user. To ensure consistency, it is important that we define an opinionated design for this scenario, providing a predictable and well-defined API behavior.

Thanks @snorwin, this is a great reference point!

• kgateway sets ancestorRef to the target Service, others set it to the Gateway.

It seems like we should settle on Gateway as the ancestor as that's the thing that's truly unique. With that said, if all Gateways for a given controllerName are guaranteed to have the same behavior, I'd recommend

• All implementations (except nginx-gateway-fabric) set Accepted condition to False with reason Invalid for missing resources.

To clarify, is this only true when all refs are invalid, or is it also true when there's a mix of valid and invalid refs?

• envoy-gateway accepts the policy if at least one CertificateRefs is valid.

This seems correct to me and lines up with my related comment.

• envoy-gateway and kgateway overwrite each other’s status updates.

This feels like it could benefit from some conformance test coverage as I doubt they're the only ones doing this.

• nginx-gateway-fabric sets an implementation-specific reason on the ResolvedRefs condition on the HTTPRoute's status

Interesting, maybe our docs aren't sufficiently clear on recommended status?

• In cases where the BackendTLSPolicy is invalid envoy-gateway, nginx-gateway-fabric and airlock-microgateway respond to incoming traffic with an HTTP 500 error. In contrast, kgateway proceeds to connect to the backend over plaintext, despite the invalid policy.

I believe spec requires HTTP 500, definitely worth some conformance test coverage to ensure consistency here.

/cc @arkodg @danehans

@robscott I created a follow-up issue (#3953) to cover PolicyAncestorStatus handling in the conformance tests.

It seems like we should settle on Gateway as the ancestor as that's the thing that's truly unique. With that said, if all Gateways for a given controllerName are guaranteed to have the same behavior, I'd recommend

I think you missed the rest of this sentence @robscott...

I agree with @snorwin and @robscott about a few things:

• If you support BackendTLSPolicy, then there absolutely should be no fallback for BackendTLSPolicy-covered Services.
• ResolvedRefs Condition should be included and will be set to false if at least one CACertificateRef contains an error.
• The entire Route should only not be Accepted if no CA certificates are readable (all CACertificateRefs are invalid)
• No status should require decoding the certificates, whether they are in CACertificateRefs or the System ones.
• Implementations MUST NOT change any other status than their own. (We need conformance tests about this for many other things as well)
• We must specify what happens when a BackendTLSPolicy is configured and references a Service, but there is no valid CA config referenced; This should be either the exact status code 500 or at least a 500-class response. I prefer the former.

@youngnick, regarding

• The entire Route should only not be Accepted if no CA certificates are readable (all CACertificateRefs are invalid)

You do mean, the BackendTLSPolicy, not the Route, right?

Yes, sorry. I was also thinking about partial Route invalidity.

As much as I'd like to see this get into v1.4.0, at this stage in the release cycle, I'd like to take the pulse of the community. For any implementations that pass current conformance tests, this change would require new conformance tests that they may not pass for v1.4.0.

/hold

Okay, I guess I wasn't clear before, so I'll try to be more clear now.

To me, adding the ResolvedRefs Condition is a requirement for Standard because:

• it makes troubleshooting for end users much easier
• it forces us to clarify what happens in various error cases (for example, one invalid CertificateRef vs all invalid)
• Adding this after this transition point is actually worse for implementations, because they may end up accepting things that turn out to be invalid later

We only get one shot at this transition, it's better to do the work here to make it happen, and implementations can catch up after the fact. It's better to front-load big changes all into one change than to do them piecemeal, in this case.

For the details of the ResolvedRefs Condition, for some of the feedback:

• I don't agree that 400-class errors are appropriate here - if a certificate is misconfigured, then that is exactly what a 500-class error is intended to describe. In the case that the Gateway implementation attempts to connect to a backend and fails because it does not have the correct TLS details (which is what will happen when a CertificateReference is invalid), then a 500-class error is appropriate. (tbh in that case, a 503 feels right to me, since this is an internal server error from the client's POV).
• Once we add the ResolvedRefs condition, we are locking in partial validity - which I think is good. But we should be clear about the rules: a data path MUST NOT use a certificate that is invalid at all, and MUST reject any connection that uses it.
• Implementations MAY decode certificates to further check validity, and if they do, they MUST mark certificates that fail their own validity checks by setting ResolvedRefs to false, and use a domain-prefixed implementation specific reason (like implementation.io/InvalidKeys, for example) in addition to specifying the invalid references in the message field. This functionality will be ImplementationSpecific support and will not be conformance tested.
• For message, the message is specifically not intended to be machine-parseable, so we can really only say that the message SHOULD contain the details of the invalid references, not MUST.
• The way to distinguish between any or all references being invalid is then: if any CertificateRef is not valid, but at least one CertificateRef is valid, then ResolvedRefs is present and the BackendTrafficPolicy is Accepted. If zero CertificateRefs are valid, then ResolvedRefs is present and the BackendTrafficPolicy is NOT Accepted. (This may actually be different behavior to what the conformance tests currently reflect for HTTPRoute partial validity, but I think it makes more sense.

I've added some specific comments to the file with some wording here.

I think this is very close, and then folks can get on to writing more conformance tests to check these behaviors.

/label tide/merge-method-squash

We talked about this on the community call today:

There was general agreement on the call that in terms of WHAT is implemented, there's a preference for the mixed-mode where some misconfigured certificates are tolerated, and statuses to reflect the misconfiguration are propagated.

Depending on whether we can get this done before code freeze for v1.4.0 (August 26th), we may soon need to make a decision whether we consider this critical to release BackendTLSPolicy to Standard, or whether it can be added in a later release.

@snorwin would you consider requiring a 502 rather than 500 error response?

@candita, from a Gateway API perspective, I would argue that the semantics of an invalid backend reference should be similar to those of a backend reference with an invalid BackendTLSPolicy. In that cases, an HTTP 500 error would be appropriate, which is also the behavior adopted by most current implementations.

From an Envoy perspective, however, an HTTP 503 might be more suitable, as it is equal to the case where TLS validation for an upstream connection fails.

In general, achieving a specific HTTP status code can be cumbersome, depending on the technology and implementation. Therefore, I would leave it to implementers to decide whether they prefer returning 500, 503, or even 502.

@shaneutt if we can get this PR merged by the end of the week, I’ll be able to prepare the spec changes and propose the necessary conformance tests in time (before the code freeze). IMO we should aim to include this in v1.4.0.

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kl52752, shaneutt, snorwin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Thanks @snorwin!

/lgtm

@shaneutt if we can get this PR merged by the end of the week, I’ll be able to prepare the spec changes and propose the necessary conformance tests in time (before the code freeze). IMO we should aim to include this in v1.4.0.

Sounds good, thank you very much. If you wouldn't mind creating an issue for this last part of the effort so I can sub-task it under #1897 for tracking, I would appreciate it. 🖖