ClientTrafficPolicy should handle http3 + client TLS gracefully instead of generating a rejected QUIC listener #8581

@zhaohuabing

Description:

Enabling both HTTP/3 and downstream client certificate validation via ClientTrafficPolicy currently produces a QUIC listener that Envoy rejects.

Example Envoy warning:

gRPC config for type.googleapis.com/envoy.config.listener.v3.Listener rejected:
Error adding/updating listener(s) ingress/envoy-private/https-mtls-quic:
TLS Client Authentication is not supported over QUIC

Envoy Gateway should detect this unsupported combination earlier and handle it gracefully by surfacing it to Gateway/CTP status.

Labels: kind/bug (Something isn't working)
