diff --git a/internal/gatewayapi/route.go b/internal/gatewayapi/route.go
index 98489a573bc..b237bf82e4c 100644
--- a/internal/gatewayapi/route.go
+++ b/internal/gatewayapi/route.go
@@ -1064,9 +1064,13 @@ func (t *Translator) processTCPRouteParentRefs(tcpRoute *TCPRouteContext, resour
 			accepted = true
 			irKey := t.getIRKey(listener.gateway)
 
-			tls := ir.TLS{
-				Terminate: irTLSConfigs(listener.tlsSecrets),
+			var tls *ir.TLS
+			if len(listener.tlsSecrets) > 0 {
+				tls = &ir.TLS{
+					Terminate: irTLSConfigs(listener.tlsSecrets),
+				}
 			}
+
 			if listener.Hostname != nil {
 				tls.TLSInspectorConfig = &ir.TLSInspectorConfig{
 					SNIs: []string{string(*listener.Hostname)},
@@ -1081,7 +1085,7 @@ func (t *Translator) processTCPRouteParentRefs(tcpRoute *TCPRouteContext, resour
 						Name:     irRouteDestinationName(tcpRoute, -1 /*rule index*/),
 						Settings: destSettings,
 					},
-					TLS: &tls,
+					TLS: tls,
 				}
 				irListener.Routes = append(irListener.Routes, irRoute)
 
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-gateway.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-gateway.out.yaml
index e61c3b211a4..857ec1e89d1 100644
--- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-gateway.out.yaml
+++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-gateway.out.yaml
@@ -291,7 +291,6 @@ xdsIR:
             maxConnectionDuration: 17s
           tcp:
             connectTimeout: 15s
-        tls: {}
     udp:
     - address: 0.0.0.0
       destination:
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-route.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-route.out.yaml
index 811442554f4..5c0f2240bd6 100644
--- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-route.out.yaml
+++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-route.out.yaml
@@ -364,7 +364,6 @@ xdsIR:
             maxConnectionDuration: 17s
           tcp:
             connectTimeout: 15s
-        tls: {}
     udp:
     - address: 0.0.0.0
       destination:
diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-mismatch-port-protocol.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-mismatch-port-protocol.out.yaml
index c2210210ff8..736c23a35b7 100644
--- a/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-mismatch-port-protocol.out.yaml
+++ b/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-mismatch-port-protocol.out.yaml
@@ -100,4 +100,3 @@ xdsIR:
           settings:
           - weight: 1
         name: tcproute/default/tcproute-1
-        tls: {}
diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-multiple-backends.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-multiple-backends.out.yaml
index c4ce6bdbdfc..cbc01a3d11d 100644
--- a/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-multiple-backends.out.yaml
+++ b/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-multiple-backends.out.yaml
@@ -115,4 +115,3 @@ xdsIR:
             protocol: TCP
             weight: 50
         name: tcproute/default/tcproute-1
-        tls: {}
diff --git a/internal/gatewayapi/testdata/gateway-with-single-listener-with-multiple-tcproutes.out.yaml b/internal/gatewayapi/testdata/gateway-with-single-listener-with-multiple-tcproutes.out.yaml
index 6441a614d07..f7fd4e2752c 100644
--- a/internal/gatewayapi/testdata/gateway-with-single-listener-with-multiple-tcproutes.out.yaml
+++ b/internal/gatewayapi/testdata/gateway-with-single-listener-with-multiple-tcproutes.out.yaml
@@ -136,4 +136,3 @@ xdsIR:
             protocol: TCP
             weight: 1
         name: tcproute/default/tcproute-1
-        tls: {}
diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-tcp-or-tls-port.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-tcp-or-tls-port.out.yaml
index 923ff633afe..e3bc11e2cc5 100644
--- a/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-tcp-or-tls-port.out.yaml
+++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-tcp-or-tls-port.out.yaml
@@ -129,4 +129,3 @@ xdsIR:
             protocol: TCP
             weight: 1
         name: tcproute/default/tcproute-1
-        tls: {}
diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-tcp-protocol.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-tcp-protocol.out.yaml
index c6a8f9cb021..5a5d4d9dcb9 100644
--- a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-tcp-protocol.out.yaml
+++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-tcp-protocol.out.yaml
@@ -204,4 +204,3 @@ xdsIR:
             protocol: TCP
             weight: 1
         name: tcproute/default/tcproute-1
-        tls: {}
diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-with-sectionname.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-with-sectionname.out.yaml
index b667e4243a1..d2d74cd296e 100644
--- a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-with-sectionname.out.yaml
+++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-with-sectionname.out.yaml
@@ -174,7 +174,6 @@ xdsIR:
             protocol: TCP
             weight: 1
         name: tcproute/default/tcproute-1
-        tls: {}
     - address: 0.0.0.0
       name: envoy-gateway/gateway-1/tcp2
       port: 10163
@@ -189,4 +188,3 @@ xdsIR:
             protocol: TCP
             weight: 1
         name: tcproute/default/tcproute-2
-        tls: {}
diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-without-sectionname.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-without-sectionname.out.yaml
index f39d2f4bedb..20519f07857 100644
--- a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-without-sectionname.out.yaml
+++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-without-sectionname.out.yaml
@@ -170,7 +170,6 @@ xdsIR:
             protocol: TCP
             weight: 1
         name: tcproute/default/tcproute-1
-        tls: {}
     - address: 0.0.0.0
       name: envoy-gateway/gateway-1/tcp2
       port: 10162
@@ -185,4 +184,3 @@ xdsIR:
             protocol: TCP
             weight: 1
         name: tcproute/default/tcproute-1
-        tls: {}