Arko Dasgupta

is this for v1.4.0 @shawnh2 ?

can we also log the transient error

@patrostkowski still working on this ? we'd like to get this into the patch release scheduled to be out next week

seems like a valid use to support we probably need to add this line https://github.com/envoyproxy/gateway/blob/eeb62c88f8949f8da8a1278ec5515ffa1a004444/internal/gatewayapi/backendtrafficpolicy.go#L400 for TCP

hey @muzcategui1106, I think it's fine to set the hostname to `ir.TCPRoute.TLS.TLSInspectorConfig.SNIs[0]` if `ir.TCPRoute.TLS != nil && .......` if that assumption made is wrong, we can revisit the `HealthCheck` API...

@muzcategui1106 does the feature work if we delete the `ErrHCHTTPHostInvalid` check ?

@muzcategui1106 can you make the health check e/p http only ? the addition of `BackendTLSPolicy` for `passthrough-echoserver` is adding another tls socket to the cluster which is breaking tls passthrough...

youre right @muzcategui1106, for TLS Passthrough, the healh check is limited to tcp checks with the current API

> Seems like we can use `transport_socket_match_criteria` at the healthcheck level. I am going to try to use EnvoyPatchPolicy to see if I can patch the envoy proxy configuration with...

I'd vote for adding a `caCertificateRefs` field in here to solve this