Description:
When applying a ClientTrafficPolicy with an invalid TLS cipher, Envoy Gateway marks the policy as Accepted, even though Envoy later fails to apply the configuration due to the invalid cipher.
Expected behavior:
The ClientTrafficPolicy should not be marked as Accepted if it contains invalid TLS cipher suites. The controller should validate the cipher list and report a validation or reconciliation error, preventing invalid configurations from reaching Envoy.
Actual behavior:
The policy is accepted by the controller:
status:
ancestors:
- ancestorRef:
group: gateway.networking.k8s.io
kind: Gateway
name: eg
namespace: gateway-envoy
conditions:
- lastTransitionTime: "2025-10-31T16:14:11Z"
message: Policy has been accepted.
observedGeneration: 20
reason: Accepted
status: "True"
type: Accepted
However, Envoy rejects the listener configuration with an error indicating the cipher is invalid.
Repro steps:
-
Create a ClientTrafficPolicy with an invalid cipher name:
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
name: eg
namespace: gateway-envoy
spec:
targetRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: eg
tls:
minVersion: "1.0"
ciphers:
- "ECDHE-ECDSA-AES128-GCM-SHA256"
- "WRONG"
-
Apply the manifest:
kubectl apply -f client-traffic-policy.yaml
-
Check the policy status:
kubectl -n gateway-envoy get ClientTrafficPolicy eg -o yaml
→ The policy shows as Accepted.
-
Check the Envoy Gateway controller logs, you will see an Envoy xDS error:
ERROR Envoy rejected the last update with code 13 and message:
Error adding/updating listener(s) gateway-envoy/eg/https:
Failed to initialize cipher suites ECDHE-ECDSA-AES128-GCM-SHA256:WRONG.
The following ciphers were rejected when tried individually: WRONG
Environment:
gateway-helm-v1.5.4
image: envoyproxy/envoy:v1.35.6
Logs:
2025-10-31T16:25:42.094Z ERROR xds cache/snapshotcache.go:352 Envoy rejected the last update with code 13 and message Error adding/updating listener(s) gateway-envoy/eg/https: Failed to initialize cipher suites ECDHE-ECDSA-AES128-GCM-SHA256:WRONG. The following ciphers were rejected when tried individually: WRONG
Description:
When applying a
ClientTrafficPolicywith an invalid TLS cipher, Envoy Gateway marks the policy as Accepted, even though Envoy later fails to apply the configuration due to the invalid cipher.Expected behavior:
The
ClientTrafficPolicyshould not be marked asAcceptedif it contains invalid TLS cipher suites. The controller should validate the cipher list and report a validation or reconciliation error, preventing invalid configurations from reaching Envoy.Actual behavior:
The policy is accepted by the controller:
However, Envoy rejects the listener configuration with an error indicating the cipher is invalid.
Repro steps:
Create a
ClientTrafficPolicywith an invalid cipher name:Apply the manifest:
Check the policy status:
→ The policy shows as
Accepted.Check the Envoy Gateway controller logs, you will see an Envoy xDS error:
Environment:
gateway-helm-v1.5.4image: envoyproxy/envoy:v1.35.6Logs: