You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The E2E gating test chainsaw/trafficprotectionpolicy-enforce-serves-traffic (added in #245) went red on main — failing on every open PR, so the whole E2E Tests workflow was red across the board. This ticket tracks turning it green.
Update 2026-07-13 (post-#252). The E2E Tests run on the #252 merge commit (411d117c, run 29267425732) shows the gating test is still red, and #252 is not the unblock. The e2e runs in-cluster from the merged code with a pinned coraza image, so that run already contained #252 — yet:
trafficprotectionpolicy-enforce-serves-traffic → FAIL — Gateway waf-gw never programs the Enforce WAF listener (status: {}, Programmed=Unknown), 30s assert timeout.
The remaining blocker is #242 (core Enforce filter defect), now marked as a blocked_by dependency. #252 still matters for prod (stops tenant inverted-paranoia policies 500ing), but it is orthogonal to greening this e2e.
Failure signature
The downstream Gateway never reaches Programmed=True; Envoy rejects the Coraza WAF Enforce listener:
datum-cloud/infra#3329 — nil-pointer panic in EncodeData (shadowed err) on response-phase block — CLOSED
e2e config:
coraza-waf pin in config/dev/downstream_resources/downstream-gateway.yaml:66 bumped v1.1.1-dev2 → v1.3.0-alpha10.
Remaining to turn green
Blocked by #242. Even with all of the above landed, run 411d117c proves the Enforce WAF listener still fails to program (status: {}). The coraza v1.3.0-alpha10 runtime fixes (#3324/#3329) addressed response-phase 500s but not this listener-programming failure.
Summary
The E2E gating test
chainsaw/trafficprotectionpolicy-enforce-serves-traffic(added in #245) went red onmain— failing on every open PR, so the wholeE2E Testsworkflow was red across the board. This ticket tracks turning it green.Failure signature
The downstream Gateway never reaches
Programmed=True; Envoy rejects the Coraza WAF Enforce listener:Two independent TPP-Enforce paths produced the same "500 / broken listener" family that reddens this test:
What's landed
NSO:
%-escape the branded error page (operator allowlist + startup validation) — fixes extension-server: branded error page injected as Envoy SubstitutionFormatString → unescaped%rejects the listener (breaks TPP Enforce) #243 (merged 2026-07-10)RouteBaseDirectivesbefore per-policy append — fixes Latent: getCorazaDirectivesForTrafficProtectionPolicy aliases the shared RouteBaseDirectives slice (corrupts directives across policies if EPP emission is enabled) #246 (merged 2026-07-10)Accepted=False/Invalid, skip attachment) — merged 2026-07-13 16:41. Verified green by the newtrafficprotectionpolicy-paranoia-validatione2e.Edge coraza-waf (infra repo):
coraza-waftov1.3.0-alpha8— MERGED (e2e + staging now onv1.3.0-alpha10)SendLocalReply(empty body)dropped by Envoy 1.37.x — CLOSEDEncodeData(shadowed err) on response-phase block — CLOSEDe2e config:
config/dev/downstream_resources/downstream-gateway.yaml:66bumpedv1.1.1-dev2→v1.3.0-alpha10.Remaining to turn green
Blocked by #242. Even with all of the above landed, run
411d117cproves the Enforce WAF listener still fails to program (status: {}). The corazav1.3.0-alpha10runtime fixes (#3324/#3329) addressed response-phase 500s but not this listener-programming failure.Programmed=Truewith a WAF policy inEnforce.E2E Testsonmainand confirmtrafficprotectionpolicy-enforce-serves-trafficpasses.Acceptance criteria
E2E Testsworkflow green onmainchainsaw/trafficprotectionpolicy-enforce-serves-trafficpasses with the WAF inEnforcemode (Programmed=Trueon the downstream Gateway)v1.1.1-dev2(nowv1.3.0-alpha10)trafficprotectionpolicy-paranoia-validationPASS)Related
%rejects the listener (breaks TPP Enforce) #243, fix: make error-page body Envoy-safe via operator allowlist + startup validation (#243) #244, Latent: getCorazaDirectivesForTrafficProtectionPolicy aliases the shared RouteBaseDirectives slice (corrupts directives across policies if EPP emission is enabled) #246, fix: clone RouteBaseDirectives before per-policy append (#246) #249, fix: reject inverted TrafficProtectionPolicy paranoia levels at admission #251, fix: flag inverted TrafficProtectionPolicy paranoia levels via status condition #252