Keep ALPN configuration for listeners with overlapping certificates when ALPN is explicitly set via ClientTrafficPolicy (envoyproxy#6217)

zhaohuabing · web-flow · commit de816a6c639b · 2025-05-30T23:29:31.000-07:00
Keep ALPN configuration for listeners with overlapping certificates when ALPN is explicitly set in ClientTrafficPolicy

Signed-off-by: Huabing (Robin) Zhao &lt;zhaohuabing@gmail.com&gt;
diff --git a/internal/gatewayapi/listener.go b/internal/gatewayapi/listener.go
@@ -270,14 +270,14 @@ func checkOverlappingHostnames(httpsListeners []*ListenerContext) {
 			if gateway1.Name == gateway2.Name &&
 				gateway1.Namespace == gateway2.Namespace {
 				message = fmt.Sprintf(
-					"The hostname %s overlaps with the hostname %s in listener %s. ALPN is set to HTTP/1.1 to prevent HTTP/2 connection coalescing",
+					"The hostname %s overlaps with the hostname %s in listener %s. ALPN will default to HTTP/1.1 to prevent HTTP/2 connection coalescing, unless explicitly configured via ClientTrafficPolicy",
 					overlappingListeners[i].hostname1,
 					overlappingListeners[i].hostname2,
 					overlappingListeners[i].listener2,
 				)
 			} else {
 				message = fmt.Sprintf(
-					"The hostname %s overlaps with the hostname %s in listener %s of gateway %s. ALPN is set to HTTP/1.1 to prevent HTTP/2 connection coalescing",
+					"The hostname %s overlaps with the hostname %s in listener %s of gateway %s. ALPN will default to HTTP/1.1 to prevent HTTP/2 connection coalescing, unless explicitly configured via ClientTrafficPolicy",
 					overlappingListeners[i].hostname1,
 					overlappingListeners[i].hostname2,
 					overlappingListeners[i].listener2,
@@ -355,14 +355,14 @@ func checkOverlappingCertificates(httpsListeners []*ListenerContext) {
 			if gateway1.Name == gateway2.Name &&
 				gateway1.Namespace == gateway2.Namespace {
 				message = fmt.Sprintf(
-					"The certificate san %s overlaps with the certificate san %s in listener %s. ALPN is set to HTTP/1.1 to prevent HTTP/2 connection coalescing",
+					"The certificate SAN %s overlaps with the certificate SAN %s in listener %s. ALPN will default to HTTP/1.1 to prevent HTTP/2 connection coalescing, unless explicitly configured via ClientTrafficPolicy",
 					overlappingListeners[i].san1,
 					overlappingListeners[i].san2,
 					overlappingListeners[i].listener2,
 				)
 			} else {
 				message = fmt.Sprintf(
-					"The certificate san %s overlaps with the certificate san %s in listener %s of gateway %s. ALPN is set to HTTP/1.1 to prevent HTTP/2 connection coalescing",
+					"The certificate SAN %s overlaps with the certificate SAN %s in listener %s of gateway %s. ALPN will default to HTTP/1.1 to prevent HTTP/2 connection coalescing, unless explicitly configured via ClientTrafficPolicy",
 					overlappingListeners[i].san1,
 					overlappingListeners[i].san2,
 					overlappingListeners[i].listener2,
diff --git a/internal/gatewayapi/listener_test.go b/internal/gatewayapi/listener_test.go
@@ -453,14 +453,14 @@ func TestCheckOverlappingCertificates(t *testing.T) {
 					condition:    gwapiv1.ListenerConditionOverlappingTLSConfig,
 					status:       metav1.ConditionTrue,
 					reason:       gwapiv1.ListenerReasonOverlappingCertificates,
-					message:      "The certificate san foo.example.com overlaps with the certificate san foo.example.com in listener listener-2. ALPN is set to HTTP/1.1 to prevent HTTP/2 connection coalescing",
+					message:      "The certificate SAN foo.example.com overlaps with the certificate SAN foo.example.com in listener listener-2. ALPN will default to HTTP/1.1 to prevent HTTP/2 connection coalescing, unless explicitly configured via ClientTrafficPolicy",
 				},
 				{
 					listenerName: "listener-2",
 					condition:    gwapiv1.ListenerConditionOverlappingTLSConfig,
 					status:       metav1.ConditionTrue,
 					reason:       gwapiv1.ListenerReasonOverlappingCertificates,
-					message:      "The certificate san foo.example.com overlaps with the certificate san foo.example.com in listener listener-1. ALPN is set to HTTP/1.1 to prevent HTTP/2 connection coalescing",
+					message:      "The certificate SAN foo.example.com overlaps with the certificate SAN foo.example.com in listener listener-1. ALPN will default to HTTP/1.1 to prevent HTTP/2 connection coalescing, unless explicitly configured via ClientTrafficPolicy",
 				},
 			},
 		},
@@ -516,14 +516,14 @@ func TestCheckOverlappingCertificates(t *testing.T) {
 					condition:    gwapiv1.ListenerConditionOverlappingTLSConfig,
 					status:       metav1.ConditionTrue,
 					reason:       gwapiv1.ListenerReasonOverlappingCertificates,
-					message:      "The certificate san *.example.com overlaps with the certificate san foo.example.com in listener listener-2. ALPN is set to HTTP/1.1 to prevent HTTP/2 connection coalescing",
+					message:      "The certificate SAN *.example.com overlaps with the certificate SAN foo.example.com in listener listener-2. ALPN will default to HTTP/1.1 to prevent HTTP/2 connection coalescing, unless explicitly configured via ClientTrafficPolicy",
 				},
 				{
 					listenerName: "listener-2",
 					condition:    gwapiv1.ListenerConditionOverlappingTLSConfig,
 					status:       metav1.ConditionTrue,
 					reason:       gwapiv1.ListenerReasonOverlappingCertificates,
-					message:      "The certificate san foo.example.com overlaps with the certificate san *.example.com in listener listener-1. ALPN is set to HTTP/1.1 to prevent HTTP/2 connection coalescing",
+					message:      "The certificate SAN foo.example.com overlaps with the certificate SAN *.example.com in listener listener-1. ALPN will default to HTTP/1.1 to prevent HTTP/2 connection coalescing, unless explicitly configured via ClientTrafficPolicy",
 				},
 			},
 		},
@@ -555,14 +555,14 @@ func TestCheckOverlappingCertificates(t *testing.T) {
 					condition:    gwapiv1.ListenerConditionOverlappingTLSConfig,
 					status:       metav1.ConditionTrue,
 					reason:       gwapiv1.ListenerReasonOverlappingCertificates,
-					message:      "The certificate san bar.example.org overlaps with the certificate san *.example.org in listener listener-2. ALPN is set to HTTP/1.1 to prevent HTTP/2 connection coalescing",
+					message:      "The certificate SAN bar.example.org overlaps with the certificate SAN *.example.org in listener listener-2. ALPN will default to HTTP/1.1 to prevent HTTP/2 connection coalescing, unless explicitly configured via ClientTrafficPolicy",
 				},
 				{
 					listenerName: "listener-2",
 					condition:    gwapiv1.ListenerConditionOverlappingTLSConfig,
 					status:       metav1.ConditionTrue,
 					reason:       gwapiv1.ListenerReasonOverlappingCertificates,
-					message:      "The certificate san *.example.org overlaps with the certificate san bar.example.org in listener listener-1. ALPN is set to HTTP/1.1 to prevent HTTP/2 connection coalescing",
+					message:      "The certificate SAN *.example.org overlaps with the certificate SAN bar.example.org in listener listener-1. ALPN will default to HTTP/1.1 to prevent HTTP/2 connection coalescing, unless explicitly configured via ClientTrafficPolicy",
 				},
 			},
 		},
diff --git a/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-certs.out.yaml b/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-certs.out.yaml
@@ -67,9 +67,9 @@ gateways:
         status: "True"
         type: ResolvedRefs
       - lastTransitionTime: null
-        message: The certificate san *.example.com overlaps with the certificate san
-          bar.example.com in listener https-2. ALPN is set to HTTP/1.1 to prevent
-          HTTP/2 connection coalescing
+        message: The certificate SAN *.example.com overlaps with the certificate SAN
+          bar.example.com in listener https-2. ALPN will default to HTTP/1.1 to prevent
+          HTTP/2 connection coalescing, unless explicitly configured via ClientTrafficPolicy
         reason: OverlappingCertificates
         status: "True"
         type: OverlappingTLSConfig
@@ -97,9 +97,9 @@ gateways:
         status: "True"
         type: ResolvedRefs
       - lastTransitionTime: null
-        message: The certificate san bar.example.com overlaps with the certificate
-          san *.example.com in listener https-1. ALPN is set to HTTP/1.1 to prevent
-          HTTP/2 connection coalescing
+        message: The certificate SAN bar.example.com overlaps with the certificate
+          SAN *.example.com in listener https-1. ALPN will default to HTTP/1.1 to
+          prevent HTTP/2 connection coalescing, unless explicitly configured via ClientTrafficPolicy
         reason: OverlappingCertificates
         status: "True"
         type: OverlappingTLSConfig
diff --git a/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-and-certs-merged-gateways.out.yaml b/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-and-certs-merged-gateways.out.yaml
@@ -41,9 +41,10 @@ gateways:
         status: "True"
         type: ResolvedRefs
       - lastTransitionTime: null
-        message: The certificate san *.example.com overlaps with the certificate san
-          bar.example.com in listener https-1 of gateway gateway-2. ALPN is set to
-          HTTP/1.1 to prevent HTTP/2 connection coalescing
+        message: The certificate SAN *.example.com overlaps with the certificate SAN
+          bar.example.com in listener https-1 of gateway gateway-2. ALPN will default
+          to HTTP/1.1 to prevent HTTP/2 connection coalescing, unless explicitly configured
+          via ClientTrafficPolicy
         reason: OverlappingCertificates
         status: "True"
         type: OverlappingTLSConfig
@@ -95,9 +96,10 @@ gateways:
         status: "True"
         type: ResolvedRefs
       - lastTransitionTime: null
-        message: The certificate san bar.example.com overlaps with the certificate
-          san *.example.com in listener https-1 of gateway gateway-1. ALPN is set
-          to HTTP/1.1 to prevent HTTP/2 connection coalescing
+        message: The certificate SAN bar.example.com overlaps with the certificate
+          SAN *.example.com in listener https-1 of gateway gateway-1. ALPN will default
+          to HTTP/1.1 to prevent HTTP/2 connection coalescing, unless explicitly configured
+          via ClientTrafficPolicy
         reason: OverlappingCertificates
         status: "True"
         type: OverlappingTLSConfig
diff --git a/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-and-certs.out.yaml b/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-and-certs.out.yaml
@@ -54,9 +54,9 @@ gateways:
         status: "True"
         type: ResolvedRefs
       - lastTransitionTime: null
-        message: The certificate san *.example.com overlaps with the certificate san
-          bar.example.com in listener https-2. ALPN is set to HTTP/1.1 to prevent
-          HTTP/2 connection coalescing
+        message: The certificate SAN *.example.com overlaps with the certificate SAN
+          bar.example.com in listener https-2. ALPN will default to HTTP/1.1 to prevent
+          HTTP/2 connection coalescing, unless explicitly configured via ClientTrafficPolicy
         reason: OverlappingCertificates
         status: "True"
         type: OverlappingTLSConfig
@@ -84,9 +84,9 @@ gateways:
         status: "True"
         type: ResolvedRefs
       - lastTransitionTime: null
-        message: The certificate san bar.example.com overlaps with the certificate
-          san *.example.com in listener https-1. ALPN is set to HTTP/1.1 to prevent
-          HTTP/2 connection coalescing
+        message: The certificate SAN bar.example.com overlaps with the certificate
+          SAN *.example.com in listener https-1. ALPN will default to HTTP/1.1 to
+          prevent HTTP/2 connection coalescing, unless explicitly configured via ClientTrafficPolicy
         reason: OverlappingCertificates
         status: "True"
         type: OverlappingTLSConfig
diff --git a/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-merged-gateways.out.yaml b/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames-merged-gateways.out.yaml
@@ -42,8 +42,9 @@ gateways:
         type: ResolvedRefs
       - lastTransitionTime: null
         message: The hostname foo.example.com overlaps with the hostname *.example.com
-          in listener https-1 of gateway gateway-2. ALPN is set to HTTP/1.1 to prevent
-          HTTP/2 connection coalescing
+          in listener https-1 of gateway gateway-2. ALPN will default to HTTP/1.1
+          to prevent HTTP/2 connection coalescing, unless explicitly configured via
+          ClientTrafficPolicy
         reason: OverlappingHostnames
         status: "True"
         type: OverlappingTLSConfig
@@ -109,8 +110,9 @@ gateways:
         type: ResolvedRefs
       - lastTransitionTime: null
         message: The hostname *.example.com overlaps with the hostname foo.example.com
-          in listener https-1 of gateway gateway-1. ALPN is set to HTTP/1.1 to prevent
-          HTTP/2 connection coalescing
+          in listener https-1 of gateway gateway-1. ALPN will default to HTTP/1.1
+          to prevent HTTP/2 connection coalescing, unless explicitly configured via
+          ClientTrafficPolicy
         reason: OverlappingHostnames
         status: "True"
         type: OverlappingTLSConfig
diff --git a/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames.out.yaml b/internal/gatewayapi/testdata/gateway-with-multiple-https-listeners-with-overlapping-hostnames.out.yaml
@@ -68,8 +68,8 @@ gateways:
         type: ResolvedRefs
       - lastTransitionTime: null
         message: The hostname foo.example.com overlaps with the hostname *.example.com
-          in listener https-2. ALPN is set to HTTP/1.1 to prevent HTTP/2 connection
-          coalescing
+          in listener https-2. ALPN will default to HTTP/1.1 to prevent HTTP/2 connection
+          coalescing, unless explicitly configured via ClientTrafficPolicy
         reason: OverlappingHostnames
         status: "True"
         type: OverlappingTLSConfig
@@ -98,8 +98,8 @@ gateways:
         type: ResolvedRefs
       - lastTransitionTime: null
         message: The hostname *.example.com overlaps with the hostname foo.example.com
-          in listener https-1. ALPN is set to HTTP/1.1 to prevent HTTP/2 connection
-          coalescing
+          in listener https-1. ALPN will default to HTTP/1.1 to prevent HTTP/2 connection
+          coalescing, unless explicitly configured via ClientTrafficPolicy
         reason: OverlappingHostnames
         status: "True"
         type: OverlappingTLSConfig
diff --git a/internal/xds/translator/listener.go b/internal/xds/translator/listener.go
@@ -423,7 +423,8 @@ func (t *Translator) addHCMToXDSListener(xdsListener *listenerv3.Listener, irLis
 			config := irListener.TLS.DeepCopy()
 			// If the listener has overlapping TLS config with other listeners, we need to disable HTTP/2
 			// to avoid the HTTP/2 Connection Coalescing issue (see https://gateway-api.sigs.k8s.io/geps/gep-3567/)
-			if irListener.TLSOverlaps {
+			// Note: if ALPN is explicitly set by the user using ClientTrafficPolicy, we keep it as is
+			if irListener.TLSOverlaps && config.ALPNProtocols == nil {
 				config.ALPNProtocols = []string{"http/1.1"}
 			}
 			tSocket, err = buildXdsDownstreamTLSSocket(config)
diff --git a/internal/xds/translator/testdata/in/xds-ir/listener-overlapping-tls-config.yaml b/internal/xds/translator/testdata/in/xds-ir/listener-overlapping-tls-config.yaml
@@ -38,7 +38,7 @@ http:
   tls:
     alpnProtocols: null
     certificates:
-    - name: envoy-gateway/tls-secret-example-com
+    - name: envoy-gateway/tls-secret-foo-example-com
       privateKey: '[redacted]'
       certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMyRENDQWNBQ0FRQXdEUVlKS29aSWh2Y05BUUVMQlFBd0xURVZNQk1HQTFVRUNnd01aWGhoYlhCc1pTQkoKYm1NdU1SUXdFZ1lEVlFRRERBdGxlR0Z0Y0d4bExtTnZiVEFlRncweU5UQTBNakV3T1RFd05ETmFGdzB6TlRBMApNVGt3T1RFd05ETmFNRGN4RmpBVUJnTlZCQU1NRFNvdVpYaGhiWEJzWlM1amIyMHhIVEFiQmdOVkJBb01GR1Y0CllXMXdiR1VnYjNKbllXNXBlbUYwYVc5dU1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0MKQVFFQXY0anl4TUh1YzQzMHdvWkk4M1JSMXVxU2gvbm9MVWVPdDZnMkNKaFVFYXNaeUNOMzN3bFRRRDE0SEhkSwpOb1k4SThWd1pOZFZCNGpjRzlnb3dDVmVQY3lqRzZPaGl1aUZNWnU2NzV6dWZEWnRlRTNEY3lTbFgrY2lSbVZZCkNuSmk3QkV3NlJMUUJ0bVV6WGxtYmRpVXE5djJwalVBL2R3ZnRLRHRZTHFrVytvTSt5MWg3cjRJV0JVK2RVcU0KcGtTem5VSCtKN1JoRkFsdytmRWlVSFRLemlCMkVtdjc3Mi91bS96NHdMWnJIeWNGbmc4L1FCM0JIUktXVTV4eQp3bWNTQ2xrVlMvWWNpMFVXcnR2eGhwck9wTUhQUGR2QkZ2M2NaWGNpUUJjb0ZNcGxsQzV0UURvdWJ0dEV1d3JpCi8rVktKWkUrSVl4ei9YeUd3Y3dJRnIzWG13SURBUUFCTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFBU3VLaE8KcGtwL1VSclphbEU0OUlnc0xkN3hSTlBhREVkQ1RWZ3Qvc3praUhnSDB1NDBVaVV6KzVzaDRpdlJOazRqTm1zRwprb3FwQlBVS3pvVmtrSTcxUWQ4bHh1VzF2dkxZMXVvM0RIS2svdDFpUWVZWWpERlk3YzUxVG1BT015WUdKTlhxCi9EbW84UWgzaFB1RnI3a29kUjBLSkJyc0RsMEhoWVBjUnpWOW1sQ2lrU1B4THJGTUNwZGx0QUw2UEprSVpucUgKc1g5dEtVZk1uYW5jMkpHZTZVTDE1ODBEV2xQTUcrMU1qRElCVXdxWWYzaWNKb0NYclAwbzNmckRKcTE2VnpidApkalRtVGswakx1bGkvQ2JCZzh4dWp4emo4bmRPcVNkd05kd091OWoxSmZ2Q0I1RjZ4S0VTenowOVo5TzlOZUM5CjMrd1pLTlRSOXVEdDRKNksKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
   tlsOverlaps: true
@@ -85,3 +85,47 @@ http:
       privateKey: '[redacted]'
       certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMyRENDQWNBQ0FRQXdEUVlKS29aSWh2Y05BUUVMQlFBd0xURVZNQk1HQTFVRUNnd01aWGhoYlhCc1pTQkoKYm1NdU1SUXdFZ1lEVlFRRERBdGxlR0Z0Y0d4bExtTnZiVEFlRncweU5UQTBNakV3T1RFd05ETmFGdzB6TlRBMApNVGt3T1RFd05ETmFNRGN4RmpBVUJnTlZCQU1NRFNvdVpYaGhiWEJzWlM1amIyMHhIVEFiQmdOVkJBb01GR1Y0CllXMXdiR1VnYjNKbllXNXBlbUYwYVc5dU1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0MKQVFFQXY0anl4TUh1YzQzMHdvWkk4M1JSMXVxU2gvbm9MVWVPdDZnMkNKaFVFYXNaeUNOMzN3bFRRRDE0SEhkSwpOb1k4SThWd1pOZFZCNGpjRzlnb3dDVmVQY3lqRzZPaGl1aUZNWnU2NzV6dWZEWnRlRTNEY3lTbFgrY2lSbVZZCkNuSmk3QkV3NlJMUUJ0bVV6WGxtYmRpVXE5djJwalVBL2R3ZnRLRHRZTHFrVytvTSt5MWg3cjRJV0JVK2RVcU0KcGtTem5VSCtKN1JoRkFsdytmRWlVSFRLemlCMkVtdjc3Mi91bS96NHdMWnJIeWNGbmc4L1FCM0JIUktXVTV4eQp3bWNTQ2xrVlMvWWNpMFVXcnR2eGhwck9wTUhQUGR2QkZ2M2NaWGNpUUJjb0ZNcGxsQzV0UURvdWJ0dEV1d3JpCi8rVktKWkUrSVl4ei9YeUd3Y3dJRnIzWG13SURBUUFCTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFBU3VLaE8KcGtwL1VSclphbEU0OUlnc0xkN3hSTlBhREVkQ1RWZ3Qvc3praUhnSDB1NDBVaVV6KzVzaDRpdlJOazRqTm1zRwprb3FwQlBVS3pvVmtrSTcxUWQ4bHh1VzF2dkxZMXVvM0RIS2svdDFpUWVZWWpERlk3YzUxVG1BT015WUdKTlhxCi9EbW84UWgzaFB1RnI3a29kUjBLSkJyc0RsMEhoWVBjUnpWOW1sQ2lrU1B4THJGTUNwZGx0QUw2UEprSVpucUgKc1g5dEtVZk1uYW5jMkpHZTZVTDE1ODBEV2xQTUcrMU1qRElCVXdxWWYzaWNKb0NYclAwbzNmckRKcTE2VnpidApkalRtVGswakx1bGkvQ2JCZzh4dWp4emo4bmRPcVNkd05kd091OWoxSmZ2Q0I1RjZ4S0VTenowOVo5TzlOZUM5CjMrd1pLTlRSOXVEdDRKNksKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
   tlsOverlaps: true
+- address: 0.0.0.0   # this listener should keep the ALPN because it's explictily set
+  hostnames:
+  - bar.example.com
+  isHTTP2: false
+  metadata:
+    kind: Gateway
+    name: gateway-1
+    namespace: envoy-gateway
+    sectionName: https-1
+  name: envoy-gateway/gateway-1/https-1
+  path:
+    escapedSlashesAction: UnescapeAndRedirect
+    mergeSlashes: true
+  port: 8443
+  routes:
+  - destination:
+      name: httproute/envoy-gateway/httproute-1/rule/0
+      settings:
+      - addressType: IP
+        endpoints:
+        - host: 7.7.7.7
+          port: 8080
+        name: httproute/envoy-gateway/httproute-1/rule/0/backend/0
+        protocol: HTTP
+        weight: 1
+    hostname: foo.example.com
+    isHTTP2: false
+    metadata:
+      kind: HTTPRoute
+      name: httproute-1
+      namespace: envoy-gateway
+    name: httproute/envoy-gateway/httproute-1/rule/0/match/0/foo_example_com
+    pathMatch:
+      distinct: false
+      name: ""
+      prefix: /
+  tls:
+    alpnProtocols:
+    - h2
+    certificates:
+    - name: envoy-gateway/tls-secret-bar-example-com
+      privateKey: '[redacted]'
+      certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMyRENDQWNBQ0FRQXdEUVlKS29aSWh2Y05BUUVMQlFBd0xURVZNQk1HQTFVRUNnd01aWGhoYlhCc1pTQkoKYm1NdU1SUXdFZ1lEVlFRRERBdGxlR0Z0Y0d4bExtTnZiVEFlRncweU5UQTBNakV3T1RFd05ETmFGdzB6TlRBMApNVGt3T1RFd05ETmFNRGN4RmpBVUJnTlZCQU1NRFNvdVpYaGhiWEJzWlM1amIyMHhIVEFiQmdOVkJBb01GR1Y0CllXMXdiR1VnYjNKbllXNXBlbUYwYVc5dU1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0MKQVFFQXY0anl4TUh1YzQzMHdvWkk4M1JSMXVxU2gvbm9MVWVPdDZnMkNKaFVFYXNaeUNOMzN3bFRRRDE0SEhkSwpOb1k4SThWd1pOZFZCNGpjRzlnb3dDVmVQY3lqRzZPaGl1aUZNWnU2NzV6dWZEWnRlRTNEY3lTbFgrY2lSbVZZCkNuSmk3QkV3NlJMUUJ0bVV6WGxtYmRpVXE5djJwalVBL2R3ZnRLRHRZTHFrVytvTSt5MWg3cjRJV0JVK2RVcU0KcGtTem5VSCtKN1JoRkFsdytmRWlVSFRLemlCMkVtdjc3Mi91bS96NHdMWnJIeWNGbmc4L1FCM0JIUktXVTV4eQp3bWNTQ2xrVlMvWWNpMFVXcnR2eGhwck9wTUhQUGR2QkZ2M2NaWGNpUUJjb0ZNcGxsQzV0UURvdWJ0dEV1d3JpCi8rVktKWkUrSVl4ei9YeUd3Y3dJRnIzWG13SURBUUFCTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFBU3VLaE8KcGtwL1VSclphbEU0OUlnc0xkN3hSTlBhREVkQ1RWZ3Qvc3praUhnSDB1NDBVaVV6KzVzaDRpdlJOazRqTm1zRwprb3FwQlBVS3pvVmtrSTcxUWQ4bHh1VzF2dkxZMXVvM0RIS2svdDFpUWVZWWpERlk3YzUxVG1BT015WUdKTlhxCi9EbW84UWgzaFB1RnI3a29kUjBLSkJyc0RsMEhoWVBjUnpWOW1sQ2lrU1B4THJGTUNwZGx0QUw2UEprSVpucUgKc1g5dEtVZk1uYW5jMkpHZTZVTDE1ODBEV2xQTUcrMU1qRElCVXdxWWYzaWNKb0NYclAwbzNmckRKcTE2VnpidApkalRtVGswakx1bGkvQ2JCZzh4dWp4emo4bmRPcVNkd05kd091OWoxSmZ2Q0I1RjZ4S0VTenowOVo5TzlOZUM5CjMrd1pLTlRSOXVEdDRKNksKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+  tlsOverlaps: true
diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-overlapping-tls-config.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-overlapping-tls-config.listeners.yaml
diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-overlapping-tls-config.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-overlapping-tls-config.routes.yaml
diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-overlapping-tls-config.secrets.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-overlapping-tls-config.secrets.yaml
diff --git a/release-notes/current.yaml b/release-notes/current.yaml
