fix: normalize CRLF line endings in htpasswd basic auth secrets

internal/gatewayapi/securitypolicy.go

@@ -6,6 +6,7 @@
 package gatewayapi
 
 import (
+	"bytes"
 	//nolint:gosec // SHA1 is required to validate htpasswd {SHA} format.
 	"crypto/sha1"
 	"crypto/tls"
@@ -2013,6 +2014,10 @@ func (t *Translator) buildBasicAuth(
 			usersSecret.Namespace, usersSecret.Name)
 	}
 
+	// Normalize CRLF to LF so the \r is not included in the hash,
+	// which would cause Envoy to reject it as an invalid SHA hash length.
+	usersSecretBytes = bytes.ReplaceAll(usersSecretBytes, []byte("\r\n"), []byte("\n"))
+
 	// Validate the htpasswd format
 	if err := validateHtpasswdFormat(usersSecretBytes); err != nil {
 		return nil, err

internal/gatewayapi/securitypolicy_test.go

@@ -719,6 +719,11 @@ func Test_validateHtpasswdFormat(t *testing.T) {
 			htpasswd:  "user1:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=\nuser2:$apr1$hashed_user2_password",
 			wantError: true,
 		},
+		{
+			name:      "valid htpasswd with CRLF line endings",
+			htpasswd:  "user1:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=\r\nuser2:{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=\r\n",
+			wantError: false,
+		},
 	}
 
 	for _, tt := range tests {

release-notes/current.yaml

@@ -50,6 +50,8 @@ bug fixes: |
   Fixed endpoint hostname is not respected when doing active health check.
   Fixed ratelimit deployment missing metrics container port (19001), which prevented PodMonitor/ServiceMonitor from targeting the metrics endpoint.
   Fixed per-endpoint hostname override not working because the auto-generated wildcard hostname.
+  Fixed Basic Authentication failing when htpasswd secrets use CRLF line endings by normalizing to LF before passing to Envoy.
+
 
 # Enhancements that improve performance.
 performance improvements: |