
Missing Secret in backendTLS causes EG to not create Envoy GW when defined in Gateway CR #6659

@shamusx

Description:
I have an EnvoyProxy config:

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
  name: custom-proxy-mtls
  namespace: httpbin-tls
spec:
  backendTLS:
    clientCertificateRef:
      kind: Secret
      name: envoygateway-client-cert
      namespace: httpbin-tls

If applied to a GatewayClass and the secret doesn't exist yet, the HTTPRoute resource indicates secret not found as expected and the Gateway gets deployed:

      - lastTransitionTime: "2025-07-31T14:50:22Z"
        message: 'Failed to process route rule 0 backendRef 0: secret envoygateway-client-cert
          not found in namespace httpbin-tls.'
        observedGeneration: 1
        reason: InvalidBackendTLS
        status: "False"
        type: ResolvedRefs

But if the EnvoyProxy is applied against a Gateway and the secret doesn't exist yet, the Gateway deployment doesn't get created and the EG controller presents this error:

2025-07-31T14:41:11.244Z    ERROR    provider    kubernetes/controller.go:2296    failed to process CACertificateRef for BackendTLSPolicy    {"runner": "provider", "policy": {"kind":"BackendTLSPolicy","apiVersion":"gateway.networking.k8s.io/v1alpha3","metadata":{"name":"backend-mtls-policy","namespace":"httpbin-tls","uid":"b6cdd463-0331-4c68-a4b1-571f83d741d6","resourceVersion":"39287","generation":1,"creationTimestamp":"2025-07-31T14:39:27Z","annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"gateway.networking.k8s.io/v1alpha3\",\"kind\":\"BackendTLSPolicy\",\"metadata\":{\"annotations\":{},\"name\":\"backend-mtls-policy\",\"namespace\":\"httpbin-tls\"},\"spec\":{\"targetRefs\":[{\"group\":\"\",\"kind\":\"Service\",\"name\":\"httpbin-tls\",\"sectionName\":\"https\"}],\"validation\":{\"caCertificateRefs\":[{\"group\":\"\",\"kind\":\"Secret\",\"name\":\"envoygateway-client-cert\"}],\"hostname\":\"httpbin-tls.httpbin-tls.svc.cluster.local\"}}}\n"},"managedFields":[{"manager":"kubectl-client-side-apply","operation":"Update","apiVersion":"gateway.networking.k8s.io/v1alpha3","time":"2025-07-31T14:39:27Z","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:kubectl.kubernetes.io/last-applied-configuration":{}}},"f:spec":{".":{},"f:targetRefs":{},"f:validation":{".":{},"f:caCertificateRefs":{},"f:hostname":{}}}}}]},"spec":{"targetRefs":[{"group":"","kind":"Service","name":"httpbin-tls","sectionName":"https"}],"validation":{"caCertificateRefs":[{"group":"","kind":"Secret","name":"envoygateway-client-cert"}],"hostname":"httpbin-tls.httpbin-tls.svc.cluster.local"}},"status":{"ancestors":null}}, "caCertificateRef": "envoygateway-client-cert", "error": "Secret \"envoygateway-client-cert\" not found"}

Repro steps:
Create EnvoyProxy and Gateway without creating the secret.

---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
  name: custom-proxy-mtls
  namespace: httpbin-tls
spec:
  backendTLS:
    clientCertificateRef:
      kind: Secret
      name: envoygateway-client-cert
      namespace: httpbin-tls
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: backend-mtls-gateway
  namespace: httpbin-tls
spec:
  infrastructure:
    parametersRef:
      group: gateway.envoyproxy.io
      kind: EnvoyProxy
      name: custom-proxy-mtls
  gatewayClassName: eg
  listeners:
  - name: http
    protocol: HTTP
    port: 18443
    hostname: "mtls-backend.demo.int"


Environment:
EG 1.4.2
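Because the failure above surfaces only in the controller log (the Gateway deployment simply never appears), it is worth alerting on. The following is an added example, not code from the issue or from Envoy Gateway: it parses EG's console log format and flags ERROR lines whose error is a missing Secret reference. The column layout regex and the trimmed sample lines are assumptions based on the line quoted above.

```python
import json
import re

# Envoy Gateway console line: timestamp, level, logger, caller, message and a trailing
# JSON object of structured fields, separated by whitespace runs (layout assumed).
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+(?P<logger>\S+)\s+(?P<caller>\S+)\s+"
    r"(?P<msg>.*?)\s+(?P<fields>\{.*\})\s*$"
)
MISSING_SECRET = re.compile(r'^Secret "(?P<name>[^"]+)" not found$')
# Constructed sample: the issue's error line with the managedFields dump trimmed,
# plus an unrelated INFO line that must not be flagged.
SAMPLE_LOG = r"""
2025-07-31T14:41:11.244Z    ERROR    provider    kubernetes/controller.go:2296    failed to process CACertificateRef for BackendTLSPolicy    {"runner": "provider", "policy": {"kind":"BackendTLSPolicy","metadata":{"name":"backend-mtls-policy","namespace":"httpbin-tls"}}, "caCertificateRef": "envoygateway-client-cert", "error": "Secret \"envoygateway-client-cert\" not found"}
2025-07-31T14:41:11.250Z    INFO    provider    kubernetes/controller.go:120    reconciling gateway    {"runner": "provider", "gateway": {"name":"backend-mtls-gateway","namespace":"httpbin-tls"}}
"""


def parse_line(line: str) -> dict:
    """Split one console line into its fixed columns and decoded JSON fields."""
    m = LOG_LINE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line[:60]!r}")
    rec = m.groupdict()
    rec["fields"] = json.loads(m.group("fields"))
    return rec


def missing_secret_refs(log_text: str) -> list:
    """One finding per ERROR line whose error is a missing Secret reference."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        fields = rec["fields"]
        err = MISSING_SECRET.match(str(fields.get("error", "")))
        if rec["level"] != "ERROR" or not err:
            continue
        meta = fields.get("policy", {}).get("metadata", {})
        findings.append({
            "time": rec["ts"],
            "policy": f"{meta.get('namespace')}/{meta.get('name')}",
            "secret": err.group("name"),
            "ref_field": "caCertificateRef" if "caCertificateRef" in fields else "unknown",
        })
    return findings


if __name__ == "__main__":
    for f in missing_secret_refs(SAMPLE_LOG):
        print(f"{f['time']} policy={f['policy']} {f['ref_field']}={f['secret']} missing")
```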

Labels: kind/bug (Something isn't working)
