Skip to content

ClientTrafficPolicy with invalid TLS cipher is marked as "Accepted" instead of being rejected #7400

Description

@guoard

Description:
When applying a ClientTrafficPolicy with an invalid TLS cipher, Envoy Gateway marks the policy as Accepted, even though Envoy later fails to apply the configuration due to the invalid cipher.

Expected behavior:
The ClientTrafficPolicy should not be marked as Accepted if it contains invalid TLS cipher suites. The controller should validate the cipher list and report a validation or reconciliation error, preventing invalid configurations from reaching Envoy.

Actual behavior:
The policy is accepted by the controller:

status:
  ancestors:
  - ancestorRef:
      group: gateway.networking.k8s.io
      kind: Gateway
      name: eg
      namespace: gateway-envoy
    conditions:
    - lastTransitionTime: "2025-10-31T16:14:11Z"
      message: Policy has been accepted.
      observedGeneration: 20
      reason: Accepted
      status: "True"
      type: Accepted

However, Envoy rejects the listener configuration with an error indicating the cipher is invalid.

Repro steps:

  1. Create a ClientTrafficPolicy with an invalid cipher name:

    apiVersion: gateway.envoyproxy.io/v1alpha1
    kind: ClientTrafficPolicy
    metadata:
      name: eg
      namespace: gateway-envoy
    spec:
      targetRefs:
        - group: gateway.networking.k8s.io
          kind: Gateway
          name: eg
      tls:
        minVersion: "1.0"
        ciphers:
          - "ECDHE-ECDSA-AES128-GCM-SHA256"
          - "WRONG"
  2. Apply the manifest:

    kubectl apply -f client-traffic-policy.yaml
  3. Check the policy status:

    kubectl -n gateway-envoy get ClientTrafficPolicy eg -o yaml

    → The policy shows as Accepted.

  4. Check the Envoy Gateway controller logs, you will see an Envoy xDS error:

    ERROR  Envoy rejected the last update with code 13 and message:
    Error adding/updating listener(s) gateway-envoy/eg/https:
    Failed to initialize cipher suites ECDHE-ECDSA-AES128-GCM-SHA256:WRONG.
    The following ciphers were rejected when tried individually: WRONG
    

Environment:
gateway-helm-v1.5.4
image: envoyproxy/envoy:v1.35.6

Logs:

2025-10-31T16:25:42.094Z ERROR xds cache/snapshotcache.go:352 Envoy rejected the last update with code 13 and message Error adding/updating listener(s) gateway-envoy/eg/https: Failed to initialize cipher suites ECDHE-ECDSA-AES128-GCM-SHA256:WRONG. The following ciphers were rejected when tried individually: WRONG

Metadata

Metadata

Assignees

No one assigned

    Labels

    kind/bugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions