datum-cloud · zachsmith1 · Apr 23, 2026 · Apr 23, 2026 · Apr 28, 2026
diff --git a/api/v1alpha/trafficprotectionpolicy_types.go b/api/v1alpha/trafficprotectionpolicy_types.go
@@ -28,7 +28,7 @@ const (
 // TrafficProtectionPolicySpec defines the desired state of TrafficProtectionPolicy.
 //
 // +kubebuilder:validation:XValidation:rule="has(self.targetRefs) ? self.targetRefs.all(ref, ref.group == 'gateway.networking.k8s.io') : true ", message="this policy can only have a targetRefs[*].group of gateway.networking.k8s.io"
-// +kubebuilder:validation:XValidation:rule="has(self.targetRefs) ? self.targetRefs.all(ref, ref.kind in ['Gateway', 'HTTPRoute']) : true ", message="this policy can only have a targetRefs[*].kind of Gateway/HTTPRoute"
+// +kubebuilder:validation:XValidation:rule="has(self.targetRefs) ? self.targetRefs.all(ref, ref.kind == 'Gateway') : true", message="this policy can only have a targetRefs[*].kind of Gateway"
 type TrafficProtectionPolicySpec struct {
 
 	// TargetRefs are the names of the Gateway resources this policy

diff --git a/config/crd/bases/networking.datumapis.com_trafficprotectionpolicies.yaml b/config/crd/bases/networking.datumapis.com_trafficprotectionpolicies.yaml
@@ -237,9 +237,9 @@ spec:
             - message: this policy can only have a targetRefs[*].group of gateway.networking.k8s.io
               rule: 'has(self.targetRefs) ? self.targetRefs.all(ref, ref.group ==
                 ''gateway.networking.k8s.io'') : true '
-            - message: this policy can only have a targetRefs[*].kind of Gateway/HTTPRoute
-              rule: 'has(self.targetRefs) ? self.targetRefs.all(ref, ref.kind in [''Gateway'',
-                ''HTTPRoute'']) : true '
+            - message: this policy can only have a targetRefs[*].kind of Gateway
+              rule: 'has(self.targetRefs) ? self.targetRefs.all(ref, ref.kind == ''Gateway'')
+                : true'
           status:
             description: TrafficProtectionPolicyStatus defines the observed state
               of TrafficProtectionPolicy.

diff --git a/internal/config/config.go b/internal/config/config.go
@@ -645,6 +645,16 @@ func (c *GatewayConfig) ConnectorTunnelListenerName() string {
 	return c.ConnectorInternalListenerName
 }
 
+// WAFBackend identifies which downstream WAF resource the operator emits.
+type WAFBackend string
+
+const (
+	// WAFBackendCorazaEPP uses EnvoyPatchPolicy with the Coraza Go filter.
+	WAFBackendCorazaEPP WAFBackend = "coraza-epp"
+	// WAFBackendTEGESP uses ExtendedSecurityPolicy from Tetrate Enterprise Gateway.
+	WAFBackendTEGESP WAFBackend = "teg-esp"
+)
+
 // +k8s:deepcopy-gen=true
 
 type CorazaConfig struct {
@@ -685,6 +695,15 @@ type CorazaConfig struct {
 	// stored in Envoy routes to inject into trace span attributes. MUST return
 	// a map of string keys to values.
 	TraceRouteMetadataExtractor string `json:"traceRouteMetadataExtractor,omitempty"`
+
+	// WAFBackend selects which downstream resource the TrafficProtectionPolicy
+	// controller emits. "coraza-epp" (default) writes EnvoyPatchPolicy resources
+	// using the Coraza Go filter. "teg-esp" writes ExtendedSecurityPolicy resources
+	// for the Tetrate Enterprise Gateway WAF.
+	//
+	// +kubebuilder:validation:Enum=coraza-epp;teg-esp
+	// +default="coraza-epp"
+	Backend WAFBackend `json:"backend,omitempty"`
 }
 
 // +k8s:deepcopy-gen=true

diff --git a/internal/config/zz_generated.defaults.go b/internal/config/zz_generated.defaults.go