fix(status): align BackendTLSPolicy ResolvedRefs reason with Gateway API

[Aditya7880900936]

What type of PR is this?

fix: correct BackendTLSPolicy ResolvedRefs reason

---

What this PR does / why we need it:

Envoy Gateway was setting the ResolvedRefs=False condition reason to
InvalidKind for BackendTLSPolicy when a referenced CA certificate could
not be resolved.

According to Gateway API conformance and the BackendTLSPolicy specification,
this scenario must use the InvalidCACertificateRef reason. This PR updates
the status reason and adjusts golden test outputs to align with the expected
behavior.

---

Which issue(s) this PR fixes:

Fixes #7790

---

Release Notes: No

[codecov]

Codecov Report

❌ Patch coverage is 94.11765% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 73.74%. Comparing base (a97d57a) to head (dd29001).
⚠️ Report is 85 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/gatewayapi/backendtlspolicy.go	94.11%	1 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #7793   +/-   ##
=======================================
  Coverage   73.73%   73.74%           
=======================================
  Files         237      237           
  Lines       35653    35712   +59     
=======================================
+ Hits        26290    26336   +46     
- Misses       7507     7520   +13     
  Partials     1856     1856           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Aditya7880900936]

The conformance test failures appear to be related to GatewayClass acceptance timing (proxy-config not found / context deadline exceeded) and not BackendTLSPolicy behavior.

My change only affects BackendTLSPolicy status reason mapping and does not touch GatewayClass, EnvoyProxy, or control-plane startup logic.

Happy to re-run or adjust if maintainers think this is related.

[arkodg]

instead of deleting the logic, is there an issue with the current logic of

	if errors.Is(err, ErrBackendTLSPolicyInvalidKind) {
			reason = gwapiv1.BackendTLSPolicyReasonInvalidKind
		}

is the right err being returned ?

[Aditya7880900936]

Hi @arkodg ,
Good question — the error is being returned, but it’s semantically overloaded.

ErrBackendTLSPolicyInvalidKind is currently returned from getCaCertsFromCARefs when no CA bundle could be resolved (e.g. missing key, missing object, empty result), not when the reference kind itself is invalid.

Because of that, the error does not reliably indicate an invalid reference kind per the Gateway API semantics. In practice it represents a CA resolution failure, which the spec and conformance tests map to InvalidCACertificateRef.

That’s why I removed the conditional mapping — keying ResolvedRefs on this error was causing valid CA-resolution failures to be reported as InvalidKind.

If you think we should distinguish these cases more explicitly, I’m happy to follow up with a separate change that introduces a dedicated error for truly invalid reference kinds.

[arkodg]

gateway/internal/gatewayapi/backendtlspolicy.go

Line 517 in 721e62d

if ca == "" {

needs to be improved to better decipher between invalid kind and other failure cases

[Aditya7880900936]

That makes sense 👍

I’ll update getCaCertsFromCARefs to explicitly return an error for truly invalid
reference kinds and use a separate error for CA resolution failures. That should
allow ResolvedRefs to correctly distinguish InvalidKind vs
InvalidCACertificateRef.

I’ll push an updated revision shortly.

[Aditya7880900936]

Hi @arkodg
Thanks for the review and the clarification.

I’ve updated the error classification for CA resolution failures so that missing or unusable CA bundles use a more accurate error, allowing the status to consistently report InvalidCACertificateRef without altering validation logic.

All tests pass locally (go test ./..., make test).

[jukie]

This looks good, thanks! Could you confirm that the new conformance test in kubernetes-sigs/gateway-api#4360 passes here?

[Aditya7880900936]

Hi @jukie @arkodg
Thanks for the heads-up.

It looks like the current CI failures are occurring during Helm chart linting, before the Gateway API conformance assertions run. I’ve updated the branch to pick up the latest changes from main and will confirm the result once the conformance tests complete.

[Aditya7880900936]

Hi @arkodg ,
Thanks for the review!
I’ve updated the implementation to distinguish invalid CA kinds vs missing/empty CA bundles, updated the expected test output, and ensured DCO compliance.
All gatewayapi tests are passing locally. Please let me know if you’d like this handled differently.

[arkodg]

can you add a test case

[Aditya7880900936]

Hi @arkodg, thanks for the note.

I’ve added coverage through the existing Gateway API golden tests. The file
internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml now covers both cases:

supported CA ref kinds where the CA data is missing, and

unsupported / invalid CA ref kinds.

This validates the updated status reasons end-to-end with the expected output.
Happy to add or adjust anything further if you had something else in mind.

Thanks!

[netlify]

✅ Deploy Preview for cerulean-figolla-1f9435 canceled.

Name	Link
🔨 Latest commit	dd29001
🔍 Latest deploy log	https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/697708d4e0d6d80008206dd4

[Aditya7880900936]

Friendly Ping @arkodg ,
i just wanna know is there any thing need to be updated .

[arkodg]

does a YAML test case exist that verifies the code path you added

[Aditya7880900936]

Yes — the existing golden test
internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml
already covers the code path added in this PR.

It includes:

• an invalid CA ref kind, which triggers ErrBackendTLSPolicyInvalidKind, and

• a valid ref kind with no CA data, which triggers ErrBackendTLSPolicyNoValidCACertificate.

The expected status output in the golden file was updated as part of this change to reflect the new branching logic.

If you’d prefer this to be split into a more explicit test case or renamed for clarity, I’m happy to do that.

[arkodg]

CI is failing

[Aditya7880900936]

Hi @arkodg ,
I ran make lint and make generate locally.
Since this change only affects BackendTLSPolicy logic and testdata, no generated artifacts were included.
All relevant gatewayapi tests are passing.

[arkodg]

here is the error from the CI, it is expecting a specific order, you can use make testdata to generate this

===========> ERROR: Some files need to be updated
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml
index 2b0a7f3..fb88e9b 100644
--- a/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml
+++ b/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml
@@ -59,12 +59,14 @@ backendTLSPolicies:
         sectionName: http
       conditions:
       - lastTransitionTime: null
-        message: Unsupported reference kind, supported kinds are ConfigMap, Secret, and ClusterTrustBundle.
+        message: Unsupported reference kind, supported kinds are ConfigMap, Secret,
+          and ClusterTrustBundle.
         reason: InvalidKind
         status: "False"
         type: Accepted
       - lastTransitionTime: null
-        message: Unsupported reference kind, supported kinds are ConfigMap, Secret, and ClusterTrustBundle.
+        message: Unsupported reference kind, supported kinds are ConfigMap, Secret,
+          and ClusterTrustBundle.
         reason: InvalidKind
         status: "False"
         type: ResolvedRefs
         ```

[Aditya7880900936]

Thanks @arkodg! I regenerated the testdata using make testdata to match the expected order and pushed the updated output.

[arkodg]

TestGatewayAPIConformance/BackendTLSPolicyInvalidKind/BackendTLSPolicy_with_a_single_invalid_CACertificateRef_has_a_Accepted_Condition_with_status_False_and_Reason_NoValidCACertificate

is failing

[Aditya7880900936]

Thanks @arkodg , found the issue. For invalid CA ref kind, Accepted must still use NoValidCACertificate while ResolvedRefs uses InvalidKind. Fixed the logic and regenerated testdata.

[zirain]

Remove this from v1.5, this's need Gateway API v1.4.