ClientTrafficPolicy: Single expired client certificate CA in caCertificateRefs breaks gateway #7608

@quality-leftovers

Description:

Expired CAs in the client trust bundle cause the gateway to stop working. All incoming requests are rejected with a bad status code ("direct response").

Background Info: We have a gateway with multiple "client CAs" configured. When a CA is renewed, both the old and new CA are configured for the gateway, and at some point the old one will expire and later on be removed. We observed that after a CA expired the gateway stopped working.

Repro steps:

Configure gateway with currently valid and expired CA.

```yaml
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
  name: enable-mtls
  namespace: mygwns
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: mygw
  headers:
    xForwardedClientCert:
      mode: SanitizeSet
      certDetailsToAdd: ["Cert"] # can be Subject, Cert, Chain, DNS, URI
    requestID: PreserveOrGenerate
  tls:
    clientValidation:
      optional: true # the client can provide no certificate
      caCertificateRefs:
        - kind: "Secret"
          group: ""
          name: "gateway-mtls-trustbundle" # contains multiple CA certificates
```

After removing the expired CA the gateway started working again. I can try to provide a minimal repro sample. But wanted to post the problem now, in case someone else runs into it.

Environment:

  • Hosted on Azure Kubernetes Service.
  • Envoy gateway helm release 1.5.3

Logs:

In the logs we saw incoming requests being answered with a response_code_details: direct_response, and response_code: 500 without error flags or any information pointing to the underlying problem.

```json
{
    /* snippy */
    ":authority": "example.com",
    "bytes_received": 0,
    "bytes_sent": 0,
    "connection_termination_details": null,
    "downstream_local_address": "1.2.3.4:10443",
    "downstream_remote_address": "2.3.4.5:50384",
    "duration": 0,
    "method": "POST",
    "protocol": "HTTP/1.1",
    "requested_server_name": "example.com",
    "response_code": 500,
    "response_code_details": "direct_response",
    "response_flags": "-",
    "route_name": "httproute/myapp/myroute/rule/0/match/0/myrule",
    "start_time": "2025-11-26T09:33:13.915Z",
    "upstream_cluster": null,
    "upstream_host": null,
    "upstream_local_address": null
}
```
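Because the access log above gives no hint that a CA in the bundle has expired, the practical defensive check is to inspect the trust bundle itself before (or on a schedule after) it is loaded into the Secret. The following is an added example, not code from the issue or from the Envoy Gateway project: it parses every CERTIFICATE block of a PEM bundle with Go's standard library and reports which CAs are past their NotAfter date. The two CAs it inspects are constructed in the program (self-signed, with one deliberately expired) so it runs offline; the subject names, the `InspectBundle`/`ExpiredSubjects` function names and the `DemoBundle` helper are all assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CAStatus describes one certificate found in a trust bundle.
type CAStatus struct {
	Subject  string
	NotAfter time.Time
	Expired  bool
}

// InspectBundle parses every CERTIFICATE block in a PEM trust bundle and
// reports each CA's subject, expiry and whether it is expired at `now`.
// Non-certificate PEM blocks are skipped; an unparsable certificate is an error.
func InspectBundle(bundle []byte, now time.Time) ([]CAStatus, error) {
	var out []CAStatus
	rest := bundle
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parsing certificate: %w", err)
		}
		out = append(out, CAStatus{
			Subject:  cert.Subject.String(),
			NotAfter: cert.NotAfter,
			Expired:  now.After(cert.NotAfter),
		})
	}
	return out, nil
}

// ExpiredSubjects returns the subjects of all expired CAs in the bundle,
// i.e. the entries that should be pruned from the Secret before they break mTLS.
func ExpiredSubjects(bundle []byte, now time.Time) ([]string, error) {
	statuses, err := InspectBundle(bundle, now)
	if err != nil {
		return nil, err
	}
	var expired []string
	for _, s := range statuses {
		if s.Expired {
			expired = append(expired, s.Subject)
		}
	}
	return expired, nil
}

// selfSignedCA builds a constructed self-signed CA certificate for the demo (assumption: not a real CA).
func selfSignedCA(cn string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// DemoBundle returns a constructed trust bundle: one valid CA followed by one expired CA,
// mirroring the "old plus renewed CA" layout described in the issue.
func DemoBundle() ([]byte, error) {
	now := time.Now()
	valid, err := selfSignedCA("Example Client CA 2025", now.Add(-24*time.Hour), now.Add(365*24*time.Hour))
	if err != nil {
		return nil, err
	}
	expired, err := selfSignedCA("Example Client CA 2023", now.Add(-2*365*24*time.Hour), now.Add(-24*time.Hour))
	if err != nil {
		return nil, err
	}
	return append(valid, expired...), nil
}

func main() {
	bundle, err := DemoBundle()
	if err != nil {
		panic(err)
	}
	statuses, err := InspectBundle(bundle, time.Now())
	if err != nil {
		panic(err)
	}
	for _, s := range statuses {
		fmt.Printf("%-28s notAfter=%s expired=%v\n", s.Subject, s.NotAfter.UTC().Format(time.RFC3339), s.Expired)
	}
}
```

In a real deployment the bundle would be read from the referenced Secret (here `gateway-mtls-trustbundle`) rather than constructed, and a non-empty result from `ExpiredSubjects` is the signal to rotate the Secret before the gateway starts returning the opaque 500s shown in the log.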
