From 6ddda321848c5267f774c32d57af41a054ab52b5 Mon Sep 17 00:00:00 2001
From: Anatole Lucet
Date: Fri, 5 Jun 2026 12:16:08 +0200
Subject: [PATCH] Fix BackendTLSPolicy status update

Co-authored-by: Kevin Pollet
---
 pkg/provider/kubernetes/gateway/client.go | 13 ++++++++++---
 pkg/provider/kubernetes/gateway/httproute.go | 6 ++++++
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/pkg/provider/kubernetes/gateway/client.go b/pkg/provider/kubernetes/gateway/client.go
index 37c9a85da..7090516c9 100644
--- a/pkg/provider/kubernetes/gateway/client.go
+++ b/pkg/provider/kubernetes/gateway/client.go
@@ -720,20 +720,27 @@ func (c *clientWrapper) UpdateBackendTLSPolicyStatus(ctx context.Context, policy
 ancestorStatuses := make([]gatev1.PolicyAncestorStatus, len(status.Ancestors))
 copy(ancestorStatuses, status.Ancestors)

- // keep statuses added by other gateway controllers,
- // and statuses for Traefik gateway controller but not for the same Gateway as the one in parameter (AncestorRef).
 for _, ancestorStatus := range currentPolicy.Status.Ancestors {
+ // Keep statuses added by other gateway controllers.
 if ancestorStatus.ControllerName != controllerName {
 ancestorStatuses = append(ancestorStatuses, ancestorStatus)
 continue
 }
+
+ // Keep statuses added by Traefik for other ancestors.
+ // A BackendTLSPolicy can target services attached to different listeners.
+ if !slices.ContainsFunc(status.Ancestors, func(s gatev1.PolicyAncestorStatus) bool {
+ return reflect.DeepEqual(s.AncestorRef, ancestorStatus.AncestorRef)
+ }) {
+ ancestorStatuses = append(ancestorStatuses, ancestorStatus)
+ }
 }

 if len(ancestorStatuses) > 16 {
 return fmt.Errorf("failed to update BackendTLSPolicy %s/%s status: PolicyAncestor statuses count exceeds 16", policy.Namespace, policy.Name)
 }

- // do not update status when nothing has changed.
+ // Do not update status when nothing has changed.
 if policyAncestorStatusesEqual(currentPolicy.Status.Ancestors, ancestorStatuses) {
 return nil
 }
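Review bot: The merge loop now keeps every Traefik-owned ancestor status whose `AncestorRef` is absent from `status.Ancestors`, and nothing visible in this hunk ever drops one, so an entry for a Gateway or listener that has stopped referencing the policy appears to stay in the status indefinitely. Those stale entries count toward the `len(ancestorStatuses) > 16` guard just below, so a long-lived policy could reach a state where every status update returns an error. If pruning is handled elsewhere, a comment at the new branch would make that explicit, for example `// Stale Traefik statuses are pruned by <caller>; entries kept here still count toward the 16-ancestor limit.` Separately, `reflect.DeepEqual` on `AncestorRef` treats a nil optional field and an explicitly set default as different, so it is worth confirming both sides are built the same way; otherwise the same ancestor could be kept and appended twice. The function starts and ends outside the hunk.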
diff --git a/pkg/provider/kubernetes/gateway/httproute.go b/pkg/provider/kubernetes/gateway/httproute.go
index e9c9875e8..088c3dc8e 100644
--- a/pkg/provider/kubernetes/gateway/httproute.go
+++ b/pkg/provider/kubernetes/gateway/httproute.go
@@ -451,6 +451,12 @@ func (p *Provider) loadHTTPServers(ctx context.Context, namespace string, route
 var serversTransport *dynamic.ServersTransport
 for _, policy := range backendTLSPolicies {
 for _, targetRef := range policy.Spec.TargetRefs {
+ // Skip targetRefs that doesn't match the backendRef,
+ // since a BackendTLSPolicy can select multiple services.
+ if targetRef.Name != backendRef.Name {
+ continue
+ }
+ // Skip the targetRef if the sectionName doesn't match the backendRef port.
 if targetRef.SectionName != nil && svcPort.Name != string(*targetRef.SectionName) {
 continue
 }
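Review bot: The new guard matches a targetRef to the backend on `Name` alone, so a targetRef of a different group or kind that happens to share the Service's name would still select this policy's TLS settings for the backend connection. Unless `backendTLSPolicies` is already filtered by kind before this loop, which the hunk does not show, the condition should also compare the kind, e.g. `if targetRef.Name != backendRef.Name || targetRef.Kind != "Service" {`. The added comment also has a small grammar slip and would read better as `// Skip targetRefs that don't match the backendRef,`. The enclosing function starts and ends outside the hunk.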