envoyproxy · zirain · Oct 24, 2025 · Oct 21, 2025 · Oct 21, 2025 · Oct 21, 2025
@@ -19,6 +19,11 @@ backendTLSPolicies:
         kind: Gateway
         name: eg
       conditions:
+      - lastTransitionTime: null
+        message: Resolved all the Object references.
+        reason: ResolvedRefs
+        status: "True"
+        type: ResolvedRefs
       - lastTransitionTime: null
         message: Policy has been accepted.
         reason: Accepted

@@ -6,9 +6,11 @@
 package gatewayapi
 
 import (
+	"errors"
 	"fmt"
 	"reflect"
 
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/utils/ptr"
 	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
@@ -19,6 +21,8 @@ import (
 	"github.com/envoyproxy/gateway/internal/ir"
 )
 
+var ErrBackendTLSPolicyInvalidKind = fmt.Errorf("no CA bundle found in referenced ConfigMap, Secret, or ClusterTrustBundle")
+
 // ProcessBackendTLSPolicyStatus is called to post-process Backend TLS Policy status
 // after they were applied in all relevant translations.
 func (t *Translator) ProcessBackendTLSPolicyStatus(btlsp []*gwapiv1.BackendTLSPolicy) {
@@ -158,14 +162,42 @@ func (t *Translator) processBackendTLSPolicy(
 	ancestorRefs = append(ancestorRefs, &parent)
 
 	if err != nil {
-		status.SetTranslationErrorForPolicyAncestors(&policy.Status,
+		status.SetConditionForPolicyAncestors(&policy.Status,
 			ancestorRefs,
 			t.GatewayControllerName,
+			gwapiv1.PolicyConditionAccepted,
+			metav1.ConditionFalse,
+			gwapiv1.BackendTLSPolicyReasonNoValidCACertificate,
+			status.Error2ConditionMsg(err),
 			policy.Generation,
+		)
+
+		reason := gwapiv1.BackendTLSPolicyReasonInvalidCACertificateRef
+		if errors.Is(err, ErrBackendTLSPolicyInvalidKind) {
+			reason = gwapiv1.BackendTLSPolicyReasonInvalidKind
+		}
+
+		status.SetConditionForPolicyAncestors(&policy.Status,
+			ancestorRefs,
+			t.GatewayControllerName,
+			gwapiv1.BackendTLSPolicyConditionResolvedRefs,
+			metav1.ConditionFalse,
+			reason,
 			status.Error2ConditionMsg(err),
+			policy.Generation,
 		)
+
 		return nil, err
 	}
+	status.SetConditionForPolicyAncestors(&policy.Status,
+		ancestorRefs,
+		t.GatewayControllerName,
+		gwapiv1.BackendTLSPolicyConditionResolvedRefs,
+		metav1.ConditionTrue,
+		gwapiv1.BackendTLSPolicyReasonResolvedRefs,
+		"Resolved all the Object references.",
+		policy.Generation,
+	)
 	status.SetAcceptedForPolicyAncestors(&policy.Status, ancestorRefs, t.GatewayControllerName, policy.Generation)
 	return tlsBundle, nil
 }
@@ -345,7 +377,7 @@ func getCaCertsFromCARefs(namespace string, caCertificates []gwapiv1.LocalObject
 	}
 
 	if ca == "" {
-		return nil, fmt.Errorf("no ca found in referred ConfigMap or Secret")
+		return nil, ErrBackendTLSPolicyInvalidKind
 	}
 	return []byte(ca), nil
 }

@@ -14,34 +14,20 @@ import (
 
 // SkipTests is a list of tests that are skipped in the conformance suite.
 func SkipTests(gatewayNamespaceMode bool) []suite.ConformanceTest {
-	if gatewayNamespaceMode {
-		return []suite.ConformanceTest{
-			tests.GatewayStaticAddresses,
-
-			tests.BackendTLSPolicyInvalidCACertificateRef,
-			tests.BackendTLSPolicyInvalidKind,
-			tests.BackendTLSPolicySANValidation,
-			tests.BackendTLSPolicyConflictResolution,
-			tests.BackendTLSPolicy,
-			tests.BackendTLSPolicyObservedGenerationBump,
-			tests.TLSRouteInvalidReferenceGrant,
-			tests.TLSRouteSimpleSameNamespace,
-		}
-	}
-
-	return []suite.ConformanceTest{
+	skipTests := []suite.ConformanceTest{
 		tests.GatewayStaticAddresses,
-		tests.GatewayInfrastructure,
 
-		tests.BackendTLSPolicyInvalidCACertificateRef,
-		tests.BackendTLSPolicyInvalidKind,
-		tests.BackendTLSPolicySANValidation,
+		// TODO: fix me
 		tests.BackendTLSPolicyConflictResolution,
-		tests.BackendTLSPolicy,
-		tests.BackendTLSPolicyObservedGenerationBump,
-		tests.TLSRouteInvalidReferenceGrant,
-		tests.TLSRouteSimpleSameNamespace,
 	}
+
+	if gatewayNamespaceMode {
+		return skipTests
+	}
+
+	skipTests = append(skipTests, tests.GatewayInfrastructure)
+
+	return skipTests
 }
 
 // SkipFeatures is a list of features that are skipped in the conformance report.

@@ -1598,6 +1598,25 @@ func (t *Translator) processDestination(name string, backendRefContext BackendRe
 
 	protocol := inspectAppProtocolByRouteKind(routeType)
 
+	// Process BackendTLSPolicy first to ensure status is set.
+	tls, tlsErr := t.applyBackendTLSSetting(
+		backendRef.BackendObjectReference,
+		backendNamespace,
+		gwapiv1.ParentReference{
+			Group:       parentRef.Group,
+			Kind:        parentRef.Kind,
+			Namespace:   parentRef.Namespace,
+			Name:        parentRef.Name,
+			SectionName: parentRef.SectionName,
+			Port:        parentRef.Port,
+		},
+		resources,
+		envoyProxy,
+	)
+	if tlsErr != nil {
+		return nil, nil, status.NewRouteStatusError(tlsErr, status.RouteReasonInvalidBackendTLS)
+	}
+
 	switch KindDerefOr(backendRef.Kind, resource.KindService) {
 	case resource.KindServiceImport:
 		ds, err = t.processServiceImportDestinationSetting(name, backendRef.BackendObjectReference, backendNamespace, protocol, resources, envoyProxy)
@@ -1612,7 +1631,6 @@ func (t *Translator) processDestination(name string, backendRefContext BackendRe
 		svc := resources.GetService(backendNamespace, string(backendRef.Name))
 		ds.IPFamily = getServiceIPFamily(svc)
 		ds.PreferLocal = processPreferLocalZone(svc)
-
 	case egv1a1.KindBackend:
 		ds = t.processBackendDestinationSetting(name, backendRef.BackendObjectReference, backendNamespace, protocol, resources)
 	default:
@@ -1640,24 +1658,7 @@ func (t *Translator) processDestination(name string, backendRefContext BackendRe
 		}
 	}
 
-	var tlsErr error
-	ds.TLS, tlsErr = t.applyBackendTLSSetting(
-		backendRef.BackendObjectReference,
-		backendNamespace,
-		gwapiv1.ParentReference{
-			Group:       parentRef.Group,
-			Kind:        parentRef.Kind,
-			Namespace:   parentRef.Namespace,
-			Name:        parentRef.Name,
-			SectionName: parentRef.SectionName,
-			Port:        parentRef.Port,
-		},
-		resources,
-		envoyProxy,
-	)
-	if tlsErr != nil {
-		return nil, nil, status.NewRouteStatusError(tlsErr, status.RouteReasonInvalidBackendTLS)
-	}
+	ds.TLS = tls
 
 	var filtersErr error
 	ds.Filters, filtersErr = t.processDestinationFilters(routeType, backendRefContext, parentRef, route, resources)

@@ -26,6 +26,11 @@ backendTLSPolicies:
         name: gateway-1
         namespace: envoy-gateway
       conditions:
+      - lastTransitionTime: null
+        message: Resolved all the Object references.
+        reason: ResolvedRefs
+        status: "True"
+        type: ResolvedRefs
       - lastTransitionTime: null
         message: Policy has been accepted.
         reason: Accepted

@@ -23,6 +23,11 @@ backendTLSPolicies:
         name: gateway-1
         namespace: envoy-gateway
       conditions:
+      - lastTransitionTime: null
+        message: Resolved all the Object references.
+        reason: ResolvedRefs
+        status: "True"
+        type: ResolvedRefs
       - lastTransitionTime: null
         message: Policy has been accepted.
         reason: Accepted
@@ -48,6 +53,11 @@ backendTLSPolicies:
         name: gateway-1
         namespace: envoy-gateway
       conditions:
+      - lastTransitionTime: null
+        message: Resolved all the Object references.
+        reason: ResolvedRefs
+        status: "True"
+        type: ResolvedRefs
       - lastTransitionTime: null
         message: Policy has been accepted.
         reason: Accepted
@@ -74,6 +84,11 @@ backendTLSPolicies:
         name: gateway-1
         namespace: envoy-gateway
       conditions:
+      - lastTransitionTime: null
+        message: Resolved all the Object references.
+        reason: ResolvedRefs
+        status: "True"
+        type: ResolvedRefs
       - lastTransitionTime: null
         message: Policy has been accepted.
         reason: Accepted

@@ -30,6 +30,11 @@ backendTLSPolicies:
         namespace: envoy-gateway
         sectionName: http
       conditions:
+      - lastTransitionTime: null
+        message: Resolved all the Object references.
+        reason: ResolvedRefs
+        status: "True"
+        type: ResolvedRefs
       - lastTransitionTime: null
         message: Policy has been accepted.
         reason: Accepted

@@ -22,6 +22,11 @@ backendTLSPolicies:
         namespace: envoy-gateway
         sectionName: http
       conditions:
+      - lastTransitionTime: null
+        message: Resolved all the Object references.
+        reason: ResolvedRefs
+        status: "True"
+        type: ResolvedRefs
       - lastTransitionTime: null
         message: Policy has been accepted.
         reason: Accepted

@@ -23,6 +23,11 @@ backendTLSPolicies:
         namespace: envoy-gateway
         sectionName: http
       conditions:
+      - lastTransitionTime: null
+        message: Resolved all the Object references.
+        reason: ResolvedRefs
+        status: "True"
+        type: ResolvedRefs
       - lastTransitionTime: null
         message: Policy has been accepted.
         reason: Accepted

@@ -23,6 +23,11 @@ backendTLSPolicies:
         namespace: envoy-gateway
         sectionName: http
       conditions:
+      - lastTransitionTime: null
+        message: Resolved all the Object references.
+        reason: ResolvedRefs
+        status: "True"
+        type: ResolvedRefs
       - lastTransitionTime: null
         message: Policy has been accepted.
         reason: Accepted

@@ -23,6 +23,11 @@ backendTLSPolicies:
         namespace: envoy-gateway
         sectionName: http
       conditions:
+      - lastTransitionTime: null
+        message: Resolved all the Object references.
+        reason: ResolvedRefs
+        status: "True"
+        type: ResolvedRefs
       - lastTransitionTime: null
         message: Policy has been accepted.
         reason: Accepted

@@ -26,6 +26,11 @@ backendTLSPolicies:
         namespace: envoy-gateway
         sectionName: http
       conditions:
+      - lastTransitionTime: null
+        message: Resolved all the Object references.
+        reason: ResolvedRefs
+        status: "True"
+        type: ResolvedRefs
       - lastTransitionTime: null
         message: Policy has been accepted.
         reason: Accepted
@@ -37,6 +42,11 @@ backendTLSPolicies:
         namespace: envoy-gateway
         sectionName: http
       conditions:
+      - lastTransitionTime: null
+        message: Resolved all the Object references.
+        reason: ResolvedRefs
+        status: "True"
+        type: ResolvedRefs
       - lastTransitionTime: null
         message: Policy has been accepted.
         reason: Accepted

@@ -23,6 +23,11 @@ backendTLSPolicies:
         namespace: envoy-gateway
         sectionName: http
       conditions:
+      - lastTransitionTime: null
+        message: Resolved all the Object references.
+        reason: ResolvedRefs
+        status: "True"
+        type: ResolvedRefs
       - lastTransitionTime: null
         message: Policy has been accepted.
         reason: Accepted
@@ -52,6 +57,11 @@ backendTLSPolicies:
         namespace: envoy-gateway
         sectionName: http
       conditions:
+      - lastTransitionTime: null
+        message: Resolved all the Object references.
+        reason: ResolvedRefs
+        status: "True"
+        type: ResolvedRefs
       - lastTransitionTime: null
         message: Policy has been accepted.
         reason: Accepted