envoyproxy · arkodg · Jul 31, 2025 · Jul 31, 2025 · Jul 31, 2025 · Jul 31, 2025
@@ -19,7 +19,3 @@ http:
               name: "first-route-dest/backend/0"
               tls:
                 insecureSkipVerify: true
-                useSystemTrustStore: true
-                CACertificate:
-                  name: policy-btls/default-ca
-                sni: example.com
@@ -30,5 +30,4 @@
       typedConfig:
         '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
         commonTlsContext: {}
-        sni: example.com
   type: EDS
@@ -1060,7 +1060,8 @@ func addXdsCluster(tCtx *types.ResourceVersionTable, args *xdsClusterArgs) error
 	preferLocal := ptr.Deref(args.loadBalancer, ir.LoadBalancer{}).PreferLocal
 	xdsEndpoints := buildXdsClusterLoadAssignment(args.name, args.settings, preferLocal)
 	for _, ds := range args.settings {
-		if ds.TLS != nil {
+		shouldValidateTLS := ds.TLS != nil && !ds.TLS.InsecureSkipVerify
+		if shouldValidateTLS {
 			// Create an SDS secret for the CA certificate - either with inline bytes or with a filesystem ref
 			secret := buildXdsUpstreamTLSCASecret(ds.TLS)
 			if err := tCtx.AddXdsResource(resourcev3.SecretType, secret); err != nil {

@@ -153,7 +153,7 @@ spec:
 apiVersion: gateway.envoyproxy.io/v1alpha1
 kind: Backend
 metadata:
-  name: backend-insecure-tls-verify
+  name: backend-insecure-tls-verify-and-mismatch-ca
   namespace: gateway-conformance-infra
 spec:
   endpoints:
@@ -166,7 +166,7 @@ spec:
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
-  name: http-with-backend-insecure-skip-verify
+  name: http-with-backend-insecure-skip-verify-and-mismatch-ca
   namespace: gateway-conformance-infra
 spec:
   parentRefs:
@@ -175,9 +175,40 @@ spec:
     - matches:
         - path:
             type: PathPrefix
-            value: /backend-tls-skip-verify
+            value: /backend-tls-skip-verify-and-mismatch-ca
       backendRefs:
-        - name: backend-insecure-tls-verify
+        - name: backend-insecure-tls-verify-and-mismatch-ca
+          group: gateway.envoyproxy.io
+          kind: Backend
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: Backend
+metadata:
+  name: backend-insecure-tls-verify-without-backend-tls-policy
+  namespace: gateway-conformance-infra
+spec:
+  endpoints:
+    - fqdn:
+        hostname: tls-backend-2.gateway-conformance-infra.svc.cluster.local
+        port: 443
+  tls:
+    insecureSkipVerify: true
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-with-backend-insecure-skip-verify-without-backend-tls-policy
+  namespace: gateway-conformance-infra
+spec:
+  parentRefs:
+    - name: same-namespace
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /backend-tls-skip-verify-without-backend-tls-policy
+      backendRefs:
+        - name: backend-insecure-tls-verify-without-backend-tls-policy
           group: gateway.envoyproxy.io
           kind: Backend
 ---
@@ -88,12 +88,29 @@ var BackendTLSTest = suite.ConformanceTest{
 		})
 
 		t.Run("with CA mismatch and skip tls verify", func(t *testing.T) {
-			routeNN := types.NamespacedName{Name: "http-with-backend-insecure-skip-verify", Namespace: ConformanceInfraNamespace}
+			routeNN := types.NamespacedName{Name: "http-with-backend-insecure-skip-verify-and-mismatch-ca", Namespace: ConformanceInfraNamespace}
 			gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN)
 
 			expectedResponse := http.ExpectedResponse{
 				Request: http.Request{
-					Path: "/backend-tls-skip-verify",
+					Path: "/backend-tls-skip-verify-and-mismatch-ca",
+				},
+				Response: http.Response{
+					StatusCode: 200, // Bad Request: Client sent an HTTP request to an HTTPS server
+				},
+				Namespace: ConformanceInfraNamespace,
+			}
+
+			http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse)
+		})
+
+		t.Run("without BackendTLSPolicy and skip tls verify", func(t *testing.T) {
+			routeNN := types.NamespacedName{Name: "http-with-backend-insecure-skip-verify-without-backend-tls-policy", Namespace: ConformanceInfraNamespace}
+			gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN)
+
+			expectedResponse := http.ExpectedResponse{
+				Request: http.Request{
+					Path: "/backend-tls-skip-verify-without-backend-tls-policy",
 				},
 				Response: http.Response{
 					StatusCode: 200, // Bad Request: Client sent an HTTP request to an HTTPS server