[release/v1.7] cherry-pick for v1.7.2 (#8768)

* fix: handle network errors in rate limit e2e tests (#8446)

Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>
(cherry picked from commit b0638d5)
Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com>

* refactor/perf: use LuaPerRoute instead of FilterConfig (#8355)

perf: use LuaPerRoute instead of FilterConfig

Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>
(cherry picked from commit f31ac4e)
Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com>

* fix: per-endpoint hostname override blocked by auto-generated wildcad host (#8565)

* fix: per-endpoint hostname override blocked by auto-generated wildcard host

Signed-off-by: zirain <zirain2009@gmail.com>

* add UT

Signed-off-by: zirain <zirain2009@gmail.com>

---------

Signed-off-by: zirain <zirain2009@gmail.com>
(cherry picked from commit 595010a)
Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com>

* fix bug with grpcroute mirror filter (#8541)

* fix bug with grpcroute mirror filter

Signed-off-by: Adam Buran <aburan@roblox.com>

* add indexers test

Signed-off-by: Adam Buran <aburan@roblox.com>

* add release note

Signed-off-by: Adam Buran <aburan@roblox.com>

---------

Signed-off-by: Adam Buran <aburan@roblox.com>
Signed-off-by: Arko Dasgupta <arkodg@users.noreply.github.com>
Co-authored-by: Arko Dasgupta <arkodg@users.noreply.github.com>
(cherry picked from commit e633c08)
Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com>

* fix: normalize CRLF line endings in htpasswd basic auth secrets (#8557)

Fixes #8554

Signed-off-by: stekole <stefan@sandnetworks.com>
Signed-off-by: stekole <30674956+stekole@users.noreply.github.com>
(cherry picked from commit 9cac348)
Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com>

* fix: avoid metric increments on no-op delete reconcile paths (#8480)

* fix: avoid metric increments on no-op delete reconcile paths

Signed-off-by: Felipe Sabadini Facina <fsabadini@hotmail.com>

* Update internal/infrastructure/kubernetes/infra_resource_test.go

Signed-off-by: Isaac Wilson <isaac.wilson514@gmail.com>

* Update internal/infrastructure/kubernetes/infra_resource_test.go

Signed-off-by: Isaac Wilson <isaac.wilson514@gmail.com>

---------

Signed-off-by: Felipe Sabadini Facina <fsabadini@hotmail.com>
Signed-off-by: Isaac Wilson <isaac.wilson514@gmail.com>
Co-authored-by: Isaac Wilson <isaac.wilson514@gmail.com>
(cherry picked from commit 7a2a4ec)
Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com>

* fix(telemetry): support BackendTLSPolicy for telemetry backends (#8545)

* fix(telemetry): support BackendTLSPolicy for telemetry backends

processBackendRefs does not look up BackendTLSPolicy for telemetry
backends (access logs, tracing, metrics), so TLS can only be configured
via Backend.spec.tls. Replace inline processServerValidationTLSSettings
with applyBackendTLSSetting so telemetry backends get the full Backend +
BackendTLSPolicy + EnvoyProxy TLS merge.

Workaround: envoyproxy/ai-gateway#1964

Signed-off-by: Adrian Cole <adrian@tetrate.io>
(cherry picked from commit ac18feb)
Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com>

* fix: restore failure-path metric recording for delete and HPA reconcile (#8656)

Fixes #8651

Signed-off-by: Felipe Sabadini Facina <fsabadini@hotmail.com>
(cherry picked from commit 2a5bfd0)
Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com>

* fix: status for mirror backend (#8675)

Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com>
(cherry picked from commit fa81778)
Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com>

* fix: client certificate secret never delivered when it is exclusively referenced by a SecurityPolicy extAuth Backend (#8654)

* fix: client certificate secret never delivered when it is exclusively referenced by a SecurityPolicy extAuth Backend

Signed-off-by: zirain <zirain2009@gmail.com>

* fix lint

Signed-off-by: zirain <zirain2009@gmail.com>

---------

Signed-off-by: zirain <zirain2009@gmail.com>
(cherry picked from commit c7e21fa)
Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com>

* fix: client certificate secret never delivered when it is exclusively referenced by a SecurityPolicy jwt/oidc Backend (#8711)

Signed-off-by: zirain <zirain2009@gmail.com>
(cherry picked from commit 95c3a79)
Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com>

* fix: helm secrets rbac for gateway namespace with watch list of namespaces (#8706)

* fix: helm secrets rbac for gateway namespace with watch list of namespaces

Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com>

* add release notes

Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com>

* review update

Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com>

---------

Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com>
Co-authored-by: Rudrakh Panigrahi <rudrakh97@gmail.com>
(cherry picked from commit c48a346)
Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com>

* add release notes

Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com>

* fix lint

Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com>

* fix lint

Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com>

---------

Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>
Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com>
Signed-off-by: zirain <zirain2009@gmail.com>
Signed-off-by: Adam Buran <aburan@roblox.com>
Signed-off-by: Arko Dasgupta <arkodg@users.noreply.github.com>
Signed-off-by: stekole <stefan@sandnetworks.com>
Signed-off-by: stekole <30674956+stekole@users.noreply.github.com>
Signed-off-by: Felipe Sabadini Facina <fsabadini@hotmail.com>
Signed-off-by: Isaac Wilson <isaac.wilson514@gmail.com>
Signed-off-by: Adrian Cole <adrian@tetrate.io>
Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com>
Co-authored-by: Rudrakh Panigrahi <rudrakh97@gmail.com>
Co-authored-by: zirain <zirain2009@gmail.com>
Co-authored-by: aburanrbx <aburan@roblox.com>
Co-authored-by: Arko Dasgupta <arkodg@users.noreply.github.com>
Co-authored-by: stekole <30674956+stekole@users.noreply.github.com>
Co-authored-by: Felipe Sabadini <fsabadini@hotmail.com>
Co-authored-by: Isaac Wilson <isaac.wilson514@gmail.com>
Co-authored-by: Adrian Cole <64215+codefromthecrypt@users.noreply.github.com>
Co-authored-by: Kota Kimura <86363983+kkk777-7@users.noreply.github.com>

Author: 10 people

charts/gateway-helm/templates/_rbac.tpl

@@ -263,6 +263,17 @@ verbs:
   - watch
 {{- end }}
 
+{{- define "eg.rbac.controllernamespace.secrets.read" -}}
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+{{- end }}
+
 {{- define "eg.rbac.infra.tokenreview" -}}
 - apiGroups:
   - authentication.k8s.io

charts/gateway-helm/templates/infra-manager-rbac.yaml

@@ -42,6 +42,9 @@ metadata:
   {{- include "eg.labels" . | nindent 4 }}
 rules:
 {{ include "eg.rbac.infra.basic" . }}
+{{ if and (.Values.config.envoyGateway.provider.kubernetes) (.Values.config.envoyGateway.provider.kubernetes.watch) (.Values.config.envoyGateway.provider.kubernetes.deploy) (eq .Values.config.envoyGateway.provider.kubernetes.deploy.type "GatewayNamespace") (.Values.config.envoyGateway.provider.kubernetes.watch.namespaces) (gt (len .Values.config.envoyGateway.provider.kubernetes.watch.namespaces) 0) }}
+{{ include "eg.rbac.controllernamespace.secrets.read" . }}
+{{ end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

internal/gatewayapi/filters.go

@@ -209,6 +209,16 @@ func (t *Translator) ProcessGRPCFilters(
 		}
 	}
 
+	if httpFiltersContext.DirectResponse != nil && len(httpFiltersContext.Mirrors) > 0 {
+		httpFiltersContext.DirectResponse = nil
+		httpFiltersContext.Mirrors = nil
+
+		errs.Add(status.NewRouteStatusError(
+			errors.New(requestMirrorDirectResponseConflictMsg),
+			gwapiv1.RouteReasonIncompatibleFilters,
+		).WithType(gwapiv1.RouteConditionAccepted))
+	}
+
 	return httpFiltersContext, errs.GetAllErrors()
 }
 
@@ -1042,6 +1052,13 @@ func (t *Translator) processRequestMirrorFilter(
 	settingName := irDestinationSettingName(destName, -1 /*unused*/)
 	ds, _, err := t.processDestination(settingName, mirrorBackendRef, filterContext.ParentRef, filterContext.Route, resources)
 	if err != nil {
+		// Gateway API conformance: When backendRef Service exists but has no endpoints,
+		// the ResolvedRefs condition should NOT be set to False.
+		// so we return the custom condition error to handle this case and set the status in the caller function.
+		if err.Reason() == status.RouteReasonEndpointsNotFound {
+			return status.NewRouteStatusError(
+				fmt.Errorf("failed to validate the RequestMirror filter: %w", err), err.Reason()).WithType(status.RouteConditionBackendsAvailable)
+		}
 		return err
 	}
 

internal/gatewayapi/listener.go

@@ -634,7 +634,7 @@ func (t *Translator) processAccessLog(envoyproxy *egv1a1.EnvoyProxy, resources *
 				destName := fmt.Sprintf("accesslog_als_%d_%d", i, j)
 				settingName := irDestinationSettingName(destName, -1)
 				// TODO: how to get authority from the backendRefs?
-				ds, traffic, err := t.processBackendRefs(settingName, sink.ALS.BackendCluster, envoyproxy.Namespace, resources, envoyproxy)
+				ds, traffic, err := t.processBackendRefsForTelemetry(settingName, sink.ALS.BackendCluster, envoyproxy.Namespace, resources, envoyproxy)
 				if err != nil {
 					return nil, err
 				}
@@ -680,7 +680,7 @@ func (t *Translator) processAccessLog(envoyproxy *egv1a1.EnvoyProxy, resources *
 				// TODO: rename this, so that we can share backend with tracing?
 				destName := fmt.Sprintf("accesslog_otel_%d_%d", i, j)
 				settingName := irDestinationSettingName(destName, -1)
-				ds, traffic, err := t.processBackendRefs(settingName, sink.OpenTelemetry.BackendCluster, envoyproxy.Namespace, resources, envoyproxy)
+				ds, traffic, err := t.processBackendRefsForTelemetry(settingName, sink.OpenTelemetry.BackendCluster, envoyproxy.Namespace, resources, envoyproxy)
 				if err != nil {
 					return nil, err
 				}
@@ -743,7 +743,7 @@ func (t *Translator) processTracing(gw *gwapiv1.Gateway, envoyproxy *egv1a1.Envo
 	// TODO: rename this, so that we can share backend with accesslog?
 	destName := "tracing"
 	settingName := irDestinationSettingName(destName, -1)
-	ds, traffic, err := t.processBackendRefs(settingName, tracing.Provider.BackendCluster, envoyproxy.Namespace, resources, envoyproxy)
+	ds, traffic, err := t.processBackendRefsForTelemetry(settingName, tracing.Provider.BackendCluster, envoyproxy.Namespace, resources, envoyproxy)
 	if err != nil {
 		return nil, err
 	}
@@ -883,7 +883,7 @@ func (t *Translator) processMetrics(envoyproxy *egv1a1.EnvoyProxy, resources *re
 
 		destName := fmt.Sprintf("metrics_otel_%d", i)
 		settingName := irDestinationSettingName(destName, -1)
-		ds, _, err := t.processBackendRefs(settingName, sink.OpenTelemetry.BackendCluster, envoyproxy.Namespace, resources, envoyproxy)
+		ds, _, err := t.processBackendRefsForTelemetry(settingName, sink.OpenTelemetry.BackendCluster, envoyproxy.Namespace, resources, envoyproxy)
 		if err != nil {
 			return nil, nil, err
 		}
@@ -931,54 +931,66 @@ func (t *Translator) processMetrics(envoyproxy *egv1a1.EnvoyProxy, resources *re
 	}, resolvedSinks, nil
 }
 
-func (t *Translator) processBackendRefs(name string, backendCluster egv1a1.BackendCluster, namespace string,
+func (t *Translator) processBackendRefsForTelemetry(name string, backendCluster egv1a1.BackendCluster, namespace string,
 	resources *resource.Resources, envoyProxy *egv1a1.EnvoyProxy,
 ) ([]*ir.DestinationSetting, *ir.TrafficFeatures, error) {
 	traffic, err := translateTrafficFeatures(backendCluster.BackendSettings)
 	if err != nil {
 		return nil, nil, err
 	}
+
+	parent := gwapiv1.ParentReference{
+		Group:     ptr.To(gwapiv1.Group(egv1a1.GroupName)),
+		Kind:      ptr.To(gwapiv1.Kind(egv1a1.KindEnvoyProxy)),
+		Namespace: ptr.To(gwapiv1.Namespace(envoyProxy.Namespace)),
+		Name:      gwapiv1.ObjectName(envoyProxy.Name),
+	}
+
 	result := make([]*ir.DestinationSetting, 0, len(backendCluster.BackendRefs))
 	for i := range backendCluster.BackendRefs {
 		ref := &backendCluster.BackendRefs[i]
 		ns := NamespaceDerefOr(ref.Namespace, namespace)
 		kind := KindDerefOr(ref.Kind, resource.KindService)
+
+		var ds *ir.DestinationSetting
 		switch kind {
 		case resource.KindService:
 			if err := t.validateBackendRefService(ref.BackendObjectReference, ns, corev1.ProtocolTCP); err != nil {
 				return nil, nil, err
 			}
-			ds, err := t.processServiceDestinationSetting(name, ref.BackendObjectReference, ns, ir.TCP, envoyProxy)
+			ds, err = t.processServiceDestinationSetting(name, ref.BackendObjectReference, ns, ir.TCP, envoyProxy)
 			if err != nil {
 				return nil, nil, err
 			}
-			result = append(result, ds)
 		case resource.KindBackend:
 			if err := t.validateBackendRefBackend(ref.BackendObjectReference, resources, ns, true); err != nil {
 				return nil, nil, err
 			}
-			ds := t.processBackendDestinationSetting(name, ref.BackendObjectReference, ns, ir.TCP)
+			ds = t.processBackendDestinationSetting(name, ref.BackendObjectReference, ns, ir.TCP)
 			// Dynamic resolver destinations are not supported for none-route destinations
 			if ds.IsDynamicResolver {
 				return nil, nil, errors.New("dynamic resolver destinations are not supported")
 			}
-			// Apply TLS config for backend (telemetry) clusters
-			backend := t.GetBackend(ns, string(ref.Name))
-			if backend.Spec.TLS != nil {
-				tlsConfig, err := t.processServerValidationTLSSettings(backend)
-				if err != nil {
-					return nil, nil, err
-				}
-				ds.TLS = tlsConfig
-				// Infer SNI from FQDN for telemetry backends (no Host header available)
-				if ds.TLS.SNI == nil && len(backend.Spec.Endpoints) == 1 && backend.Spec.Endpoints[0].FQDN != nil {
-					ds.TLS.SNI = &backend.Spec.Endpoints[0].FQDN.Hostname
-				}
-			}
-			result = append(result, ds)
 		default:
 			return nil, nil, fmt.Errorf("unsupported kind for backendRefs: %s", kind)
 		}
+
+		// Apply TLS from Backend resource, BackendTLSPolicy, and EnvoyProxy.
+		backendTLS, err := t.applyBackendTLSSetting(ref.BackendObjectReference, ns, parent, resources, envoyProxy)
+		if err != nil {
+			return nil, nil, err
+		}
+		ds.TLS = backendTLS
+
+		// Infer SNI from FQDN for telemetry backends (no Host header available).
+		if ds.TLS != nil && ds.TLS.SNI == nil && kind == resource.KindBackend {
+			backend := t.GetBackend(ns, string(ref.Name))
+			if len(backend.Spec.Endpoints) == 1 && backend.Spec.Endpoints[0].FQDN != nil {
+				ds.TLS.SNI = &backend.Spec.Endpoints[0].FQDN.Hostname
+			}
+		}
+
+		result = append(result, ds)
 	}
 	if len(result) == 0 {
 		return nil, traffic, nil

internal/gatewayapi/listener_test.go

@@ -1288,7 +1288,7 @@ func TestProcessBackendRefsSNIInference(t *testing.T) {
 				}},
 			}
 
-			ds, _, err := translator.processBackendRefs("test", backendCluster, ns, resources, nil)
+			ds, _, err := translator.processBackendRefsForTelemetry("test", backendCluster, ns, resources, &egv1a1.EnvoyProxy{ObjectMeta: metav1.ObjectMeta{Namespace: "envoy-gateway-system", Name: "test-proxy"}})
 			require.NoError(t, err)
 			require.Len(t, ds, 1)
 
@@ -1303,3 +1303,176 @@ func TestProcessBackendRefsSNIInference(t *testing.T) {
 		})
 	}
 }
+
+func TestProcessBackendRefsBackendTLSPolicy(t *testing.T) {
+	ns := "test-ns"
+	backendName := "otel-collector"
+	serviceName := "otel-svc"
+	envoyProxy := &egv1a1.EnvoyProxy{ObjectMeta: metav1.ObjectMeta{Namespace: "envoy-gateway-system", Name: "test-proxy"}}
+
+	backendBackendCluster := egv1a1.BackendCluster{BackendRefs: []egv1a1.BackendRef{{
+		BackendObjectReference: gwapiv1.BackendObjectReference{
+			Group: ptr.To(gwapiv1.Group("gateway.envoyproxy.io")), Kind: ptr.To(gwapiv1.Kind("Backend")),
+			Name: gwapiv1.ObjectName(backendName), Namespace: ptr.To(gwapiv1.Namespace(ns)),
+		},
+	}}}
+	otelBackend := &egv1a1.Backend{
+		ObjectMeta: metav1.ObjectMeta{Namespace: ns, Name: backendName},
+		Spec:       egv1a1.BackendSpec{Endpoints: []egv1a1.BackendEndpoint{{FQDN: &egv1a1.FQDNEndpoint{Hostname: "otel.example.com", Port: 443}}}},
+	}
+	otelBackendWithTLS := &egv1a1.Backend{
+		ObjectMeta: metav1.ObjectMeta{Namespace: ns, Name: backendName},
+		Spec: egv1a1.BackendSpec{
+			Endpoints: []egv1a1.BackendEndpoint{{FQDN: &egv1a1.FQDNEndpoint{Hostname: "otel.example.com", Port: 443}}},
+			TLS: &egv1a1.BackendTLSSettings{
+				WellKnownCACertificates: ptr.To(gwapiv1.WellKnownCACertificatesSystem),
+				SNI:                     ptr.To(gwapiv1.PreciseHostname("backend-sni.example.com")),
+			},
+		},
+	}
+	otelBackendPolicy := &gwapiv1.BackendTLSPolicy{
+		ObjectMeta: metav1.ObjectMeta{Namespace: ns, Name: "otel-tls"},
+		Spec: gwapiv1.BackendTLSPolicySpec{
+			TargetRefs: []gwapiv1.LocalPolicyTargetReferenceWithSectionName{{
+				LocalPolicyTargetReference: gwapiv1.LocalPolicyTargetReference{
+					Group: "gateway.envoyproxy.io", Kind: "Backend", Name: gwapiv1.ObjectName(backendName),
+				},
+			}},
+			Validation: gwapiv1.BackendTLSPolicyValidation{
+				WellKnownCACertificates: ptr.To(gwapiv1.WellKnownCACertificatesSystem),
+				Hostname:                "otel.example.com",
+			},
+		},
+	}
+	backendEndpoints := []*ir.DestinationEndpoint{{Host: "otel.example.com", Port: 443}}
+	backendMetadata := &ir.ResourceMetadata{Name: backendName, Namespace: ns}
+	backendPolicyTLS := &ir.TLSUpstreamConfig{
+		SNI: ptr.To("otel.example.com"), UseSystemTrustStore: true,
+		CACertificate: &ir.TLSCACertificate{Name: "otel-tls/test-ns-ca"}, SubjectAltNames: []ir.SubjectAltName{},
+	}
+
+	serviceBackendCluster := egv1a1.BackendCluster{BackendRefs: []egv1a1.BackendRef{{
+		BackendObjectReference: gwapiv1.BackendObjectReference{
+			Name: gwapiv1.ObjectName(serviceName), Namespace: ptr.To(gwapiv1.Namespace(ns)),
+			Port: ptr.To(gwapiv1.PortNumber(4317)),
+		},
+	}}}
+	otelService := &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{Namespace: ns, Name: serviceName},
+		Spec: corev1.ServiceSpec{ClusterIP: "7.7.7.7", Ports: []corev1.ServicePort{{
+			Name: "grpc", Port: 4317, TargetPort: intstr.IntOrString{IntVal: 4317}, Protocol: corev1.ProtocolTCP,
+		}}},
+	}
+	otelEndpointSlice := &discoveryv1.EndpointSlice{
+		ObjectMeta:  metav1.ObjectMeta{Namespace: ns, Name: serviceName, Labels: map[string]string{"kubernetes.io/service-name": serviceName}},
+		AddressType: discoveryv1.AddressTypeIPv4,
+		Endpoints:   []discoveryv1.Endpoint{{Addresses: []string{"7.7.7.7"}, Conditions: discoveryv1.EndpointConditions{Ready: ptr.To(true)}}},
+		Ports:       []discoveryv1.EndpointPort{{Name: ptr.To("grpc"), Port: ptr.To(int32(4317)), Protocol: ptr.To(corev1.ProtocolTCP)}},
+	}
+	otelServicePolicy := &gwapiv1.BackendTLSPolicy{
+		ObjectMeta: metav1.ObjectMeta{Namespace: ns, Name: "otel-svc-tls"},
+		Spec: gwapiv1.BackendTLSPolicySpec{
+			TargetRefs: []gwapiv1.LocalPolicyTargetReferenceWithSectionName{{
+				LocalPolicyTargetReference: gwapiv1.LocalPolicyTargetReference{Kind: "Service", Name: gwapiv1.ObjectName(serviceName)},
+				SectionName:                ptr.To(gwapiv1.SectionName("grpc")),
+			}},
+			Validation: gwapiv1.BackendTLSPolicyValidation{
+				WellKnownCACertificates: ptr.To(gwapiv1.WellKnownCACertificatesSystem),
+				Hostname:                "otel-svc.example.com",
+			},
+		},
+	}
+	serviceEndpoints := []*ir.DestinationEndpoint{{Host: "7.7.7.7", Port: 4317}}
+	serviceMetadata := &ir.ResourceMetadata{Name: serviceName, Namespace: ns, SectionName: "4317"}
+	servicePolicyTLS := &ir.TLSUpstreamConfig{
+		SNI: ptr.To("otel-svc.example.com"), UseSystemTrustStore: true,
+		CACertificate: &ir.TLSCACertificate{Name: "otel-svc-tls/test-ns-ca"}, SubjectAltNames: []ir.SubjectAltName{},
+	}
+
+	tests := []struct {
+		name           string
+		backendCluster egv1a1.BackendCluster
+		context        *TranslatorContext
+		resources      *resource.Resources
+		expected       []*ir.DestinationSetting
+		expectedErr    string
+	}{
+		{
+			name:           "BackendTLSPolicy without Backend TLS",
+			backendCluster: backendBackendCluster,
+			context:        &TranslatorContext{BackendMap: map[types.NamespacedName]*egv1a1.Backend{{Namespace: ns, Name: backendName}: otelBackend}},
+			resources:      &resource.Resources{Backends: []*egv1a1.Backend{otelBackend}, BackendTLSPolicies: []*gwapiv1.BackendTLSPolicy{otelBackendPolicy}},
+			expected: []*ir.DestinationSetting{{
+				Name: "test", Protocol: ir.TCP, Endpoints: backendEndpoints,
+				AddressType: ptr.To(ir.FQDN), Metadata: backendMetadata, TLS: backendPolicyTLS,
+			}},
+		},
+		{
+			name:           "no BackendTLSPolicy and no Backend TLS",
+			backendCluster: backendBackendCluster,
+			context:        &TranslatorContext{BackendMap: map[types.NamespacedName]*egv1a1.Backend{{Namespace: ns, Name: backendName}: otelBackend}},
+			resources:      &resource.Resources{Backends: []*egv1a1.Backend{otelBackend}},
+			expected: []*ir.DestinationSetting{{
+				Name: "test", Protocol: ir.TCP, Endpoints: backendEndpoints,
+				AddressType: ptr.To(ir.FQDN), Metadata: backendMetadata,
+			}},
+		},
+		{
+			name: "Backend ref without namespace, no TLS, no BackendTLSPolicy",
+			backendCluster: egv1a1.BackendCluster{BackendRefs: []egv1a1.BackendRef{{
+				BackendObjectReference: gwapiv1.BackendObjectReference{
+					Group: ptr.To(gwapiv1.Group("gateway.envoyproxy.io")), Kind: ptr.To(gwapiv1.Kind("Backend")),
+					Name: gwapiv1.ObjectName(backendName),
+				},
+			}}},
+			context:   &TranslatorContext{BackendMap: map[types.NamespacedName]*egv1a1.Backend{{Namespace: ns, Name: backendName}: otelBackend}},
+			resources: &resource.Resources{Backends: []*egv1a1.Backend{otelBackend}},
+			expected: []*ir.DestinationSetting{{
+				Name: "test", Protocol: ir.TCP, Endpoints: backendEndpoints,
+				AddressType: ptr.To(ir.FQDN), Metadata: backendMetadata,
+			}},
+		},
+		{
+			name:           "BackendTLSPolicy overrides Backend TLS SNI",
+			backendCluster: backendBackendCluster,
+			context:        &TranslatorContext{BackendMap: map[types.NamespacedName]*egv1a1.Backend{{Namespace: ns, Name: backendName}: otelBackendWithTLS}},
+			resources:      &resource.Resources{Backends: []*egv1a1.Backend{otelBackendWithTLS}, BackendTLSPolicies: []*gwapiv1.BackendTLSPolicy{otelBackendPolicy}},
+			expected: []*ir.DestinationSetting{{
+				Name: "test", Protocol: ir.TCP, Endpoints: backendEndpoints,
+				AddressType: ptr.To(ir.FQDN), Metadata: backendMetadata, TLS: backendPolicyTLS,
+			}},
+		},
+		{
+			name:           "BackendTLSPolicy for Service",
+			backendCluster: serviceBackendCluster,
+			context: &TranslatorContext{
+				ServiceMap: map[types.NamespacedName]*corev1.Service{{Namespace: ns, Name: serviceName}: otelService},
+				EndpointSliceMap: map[backendServiceKey][]*discoveryv1.EndpointSlice{
+					{kind: resource.KindService, namespace: ns, name: serviceName}: {otelEndpointSlice},
+				},
+			},
+			resources: &resource.Resources{BackendTLSPolicies: []*gwapiv1.BackendTLSPolicy{otelServicePolicy}},
+			expected: []*ir.DestinationSetting{{
+				Name: "test", Protocol: ir.TCP, Endpoints: serviceEndpoints,
+				AddressType: ptr.To(ir.IP), Metadata: serviceMetadata, TLS: servicePolicyTLS,
+			}},
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			translator := &Translator{
+				TranslatorContext:     tc.context,
+				BackendEnabled:        true,
+				GatewayControllerName: egv1a1.GatewayControllerName,
+			}
+			ds, _, err := translator.processBackendRefsForTelemetry("test", tc.backendCluster, ns, tc.resources, envoyProxy)
+			if tc.expectedErr != "" {
+				require.EqualError(t, err, tc.expectedErr)
+			} else {
+				require.NoError(t, err)
+				require.Equal(t, tc.expected, ds)
+			}
+		})
+	}
+}

internal/gatewayapi/route.go

@@ -235,7 +235,12 @@ func (t *Translator) processHTTPRouteRules(httpRoute *HTTPRouteContext, parentRe
 		if len(errs) > 0 {
 			for _, err := range errs {
 				errorCollector.Add(err)
-				processFilterError = errors.Join(processFilterError, err)
+				// Gateway API conformance: When a filter's backend Service exists but has no
+				// endpoints (e.g. RequestMirror), do not treat it as a fatal filter error.
+				// The route should continue to work; only BackendsAvailable is set to False.
+				if err.Type() != status.RouteConditionBackendsAvailable {
+					processFilterError = errors.Join(processFilterError, err)
+				}
 				if err.Type() == gwapiv1.RouteConditionAccepted {
 					unacceptedRules.Insert(ruleIdx)
 				}
@@ -958,7 +963,12 @@ func (t *Translator) processGRPCRouteRules(grpcRoute *GRPCRouteContext, parentRe
 		if len(errs) > 0 {
 			for _, err := range errs {
 				errorCollector.Add(err)
-				processFilterError = errors.Join(processFilterError, err)
+				// Gateway API conformance: When a filter's backend Service exists but has no
+				// endpoints (e.g. RequestMirror), do not treat it as a fatal filter error.
+				// The route should continue to work; only BackendsAvailable is set to False.
+				if err.Type() != status.RouteConditionBackendsAvailable {
+					processFilterError = errors.Join(processFilterError, err)
+				}
 				if err.Type() == gwapiv1.RouteConditionAccepted {
 					unacceptedRules.Insert(ruleIdx)
 				}