You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The edge applies real protections on customers' behalf — firewall rules, connector routing, branded error pages, per-listener certificate isolation. But our confidence that those protections are actually in force has rested almost entirely on "the request worked." A request can succeed while the protection behind it never applied, applied only partly, or landed in the wrong place. That whole class of silent failure has been invisible to us, and our edge tests couldn't catch it because they ran against a simplified setup that didn't resemble how the edge really runs.
Two gaps, reinforcing each other:
No way to ask the edge what it believes it should be running. We could observe traffic, but not the intended configuration behind it — so we couldn't tell "healthy response" apart from "healthy response with the protection silently missing."
No faithful place to prove edge behavior. Tests ran on a single-stack stand-in, not the real two-cluster topology, real gateway version, real firewall data plane, or real config-delivery path. Every gap between test and production was a place a bug could hide.
The work
A stack of five PRs that closes both gaps and then proves the edge's core guarantees with real traffic:
Confirm the edge is actually running the configuration it was given #225 — Confirm the edge is running what it was given. Compares intended vs. actually-serving config and names any gap in plain terms (missing, wrong count, wrong place, rejected, dropped) instead of leaving a surprising result a guess.
Prove the edge's core guarantees with real traffic #228 — Prove the edge's core guarantees with real traffic. Four end-to-end tests: the firewall enforces, an offline origin fails cleanly, the branded error page shows, and one bad certificate can't break its neighbors — each judged from a real request, backed by proof the edge was configured the way the test assumed.
Outcome
Silent edge misconfiguration gets a name and a place to surface — in testing, before it reaches customers — instead of hiding behind a green response in production.
Known follow-up
The new prod-fidelity environment and its real-traffic scenarios are not yet wired into CI. CI still runs the older single-stack make test-e2e; the two-cluster env and test/e2e-edge/ chainsaw scenarios run locally via task test-infra:e2e. Wiring this stack into CI so every PR exercises the real edge path is the natural next step once the stack lands.
The problem
The edge applies real protections on customers' behalf — firewall rules, connector routing, branded error pages, per-listener certificate isolation. But our confidence that those protections are actually in force has rested almost entirely on "the request worked." A request can succeed while the protection behind it never applied, applied only partly, or landed in the wrong place. That whole class of silent failure has been invisible to us, and our edge tests couldn't catch it because they ran against a simplified setup that didn't resemble how the edge really runs.
Two gaps, reinforcing each other:
The work
A stack of five PRs that closes both gaps and then proves the edge's core guarantees with real traffic:
Outcome
Silent edge misconfiguration gets a name and a place to surface — in testing, before it reaches customers — instead of hiding behind a green response in production.
Known follow-up
The new prod-fidelity environment and its real-traffic scenarios are not yet wired into CI. CI still runs the older single-stack
make test-e2e; the two-cluster env andtest/e2e-edge/chainsaw scenarios run locally viatask test-infra:e2e. Wiring this stack into CI so every PR exercises the real edge path is the natural next step once the stack lands.