Closed
Description:
ClientTrafficPolicy reports "failed to get crl from ref" even though the secret and permissions exist.
At the same time CTP happily picks up caCertificateRef from the same ns.
```
$ kubectl describe ctp envoy-gateway-mtls
...
Status:
  Ancestors:
    Ancestor Ref:
      Group:  gateway.networking.k8s.io
      Kind:   Gateway
      Name:   envoy-gateway-envoy-gateway
    Conditions:
      Last Transition Time:  2025-12-23T19:29:09Z
      Message:               TLS: failed to get crl from ref: secret myns/envoy-gateway-crl-mtls does not exist.
      Observed Generation:   7
      Reason:                Invalid
      Status:                False
      Type:                  Accepted
    Controller Name:         gateway.envoyproxy.io/gatewayclass-controller
...
```
Environment:
Gateway controller runs in namespaced mode (envoy-gateway-system, myns). Both namespaces are listed as watched.

```
$ kubectl get pods -n envoy-gateway-system envoy-gateway-f598b7788-nfkdx -o jsonpath='{.spec.containers[0].image}'
docker.io/envoyproxy/gateway:v1.6.0
```
Repro steps:

```
$ kubectl get ctp envoy-gateway-mtls -o yaml
...
  tls:
    clientValidation:
      caCertificateRefs:
      - group: ""
        kind: Secret
        name: envoy-gateway-mtls
      crl:
        refs:
        - group: ""
          kind: Secret
          name: envoy-gateway-crl-mtls
...
```

```
$ kubectl get secret envoy-gateway-crl-mtls -o yaml
apiVersion: v1
data:
  ca.crl: LS0tLS1CRUdJTiBYNTA5IENSTC0tLS0tCk1...
metadata:
  name: envoy-gateway-crl-mtls
  namespace: myns
type: Opaque
```

```
$ kubectl get role envoy-gateway-helm-envoy-gateway-role -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: envoy-gateway-helm-envoy-gateway-role
  namespace: myns
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - secrets
  - services
  verbs:
  - get
  - list
  - watch
```

```
$ kubectl get rolebinding envoy-gateway-helm-envoy-gateway-rolebinding -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: envoy-gateway-helm-envoy-gateway-rolebinding
  namespace: myns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: envoy-gateway-helm-envoy-gateway-role
subjects:
- kind: ServiceAccount
  name: envoy-gateway
  namespace: envoy-gateway-system
```
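A preflight check for the setup in this report, as an added example that is not part of the issue or of Envoy Gateway's own code: it verifies that a Secret like envoy-gateway-crl-mtls carries a PEM CRL under the ca.crl key, that its namespace is in the watched list, and that the Role/RoleBinding pair grants the controller's service account `get` on secrets in that namespace. The Secret and RBAC objects are constructed inline from the values above; the CRL body is a placeholder and the RBAC evaluator is deliberately minimal (no wildcards, no ClusterRoles).

```python
import base64

# Constructed sample mirroring the report: a Secret with a PEM CRL under "ca.crl".
# The CRL body is a placeholder, not a real CRL.
CRL_SECRET = {
    "metadata": {"name": "envoy-gateway-crl-mtls", "namespace": "myns"},
    "type": "Opaque",
    "data": {"ca.crl": base64.b64encode(
        b"-----BEGIN X509 CRL-----\nMIIB\n-----END X509 CRL-----\n").decode()},
}
ROLE = {"metadata": {"name": "envoy-gateway-helm-envoy-gateway-role", "namespace": "myns"},
        "rules": [{"apiGroups": [""], "resources": ["configmaps", "secrets", "services"],
                   "verbs": ["get", "list", "watch"]}]}
ROLEBINDING = {"metadata": {"namespace": "myns"},
               "roleRef": {"kind": "Role", "name": "envoy-gateway-helm-envoy-gateway-role"},
               "subjects": [{"kind": "ServiceAccount", "name": "envoy-gateway",
                             "namespace": "envoy-gateway-system"}]}


def crl_secret_problems(secret, key="ca.crl"):
    """Return findings about the CRL payload; an empty list means it looks usable."""
    data = secret.get("data", {})
    if key not in data:
        return [f"secret has no '{key}' key (keys: {sorted(data)})"]
    try:
        pem = base64.b64decode(data[key], validate=True)
    except Exception:
        return [f"'{key}' is not valid base64"]
    problems = []
    if not pem.startswith(b"-----BEGIN X509 CRL-----"):
        problems.append(f"'{key}' does not start with a PEM X509 CRL header")
    if b"-----END X509 CRL-----" not in pem:
        problems.append("PEM CRL footer missing")
    return problems


def namespace_watched(secret, watched):
    """In namespaced mode the controller only sees Secrets in watched namespaces."""
    return secret["metadata"]["namespace"] in watched


def sa_can(role, binding, sa_ns, sa_name, ns, resource, verb):
    """Minimal check: does this Role/RoleBinding pair grant the SA <verb> on <resource> in <ns>?"""
    if binding["metadata"]["namespace"] != ns or role["metadata"]["namespace"] != ns:
        return False
    ref = binding["roleRef"]
    if ref["kind"] != "Role" or ref["name"] != role["metadata"]["name"]:
        return False
    if not any(s["kind"] == "ServiceAccount" and s["name"] == sa_name
               and s.get("namespace") == sa_ns for s in binding["subjects"]):
        return False
    return any("" in r["apiGroups"] and resource in r["resources"] and verb in r["verbs"]
               for r in role["rules"])
```

When all three checks pass, as they do for the manifests in this report, the manifests themselves are ruled out as the cause of the "does not exist" message.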
Labels: kind/bug (Something isn't working)