Implement WAFPolicy controller

Author: ciarams87

apis/v1alpha1/wafpolicy_types.go

@@ -59,6 +59,10 @@ type WAFPolicySpec struct {
 }
 
 // WAFPolicySource defines the source location and configuration for fetching WAF policy bundles.
+//
+// +kubebuilder:validation:XValidation:message="policySource is required when securityLogs are specified",rule="!has(self.securityLogs) || has(self.policySource)"
+//
+//nolint:lll
 type WAFPolicySource struct {
 	// AuthSecret is the Secret containing authentication credentials for the WAF policy source.
 	//

charts/nginx-gateway-fabric/templates/clusterrole.yaml

@@ -109,6 +109,7 @@ rules:
   - clientsettingspolicies
   - observabilitypolicies
   - upstreamsettingspolicies
+  - wafpolicies
   {{- if .Values.nginxGateway.snippetsFilters.enable }}
   - snippetsfilters
   {{- end }}
@@ -122,6 +123,7 @@ rules:
   - clientsettingspolicies/status
   - observabilitypolicies/status
   - upstreamsettingspolicies/status
+  - wafpolicies/status
   {{- if .Values.nginxGateway.snippetsFilters.enable }}
   - snippetsfilters/status
   {{- end }}

config/crd/bases/gateway.nginx.org_wafpolicies.yaml

@@ -151,6 +151,9 @@ spec:
                 required:
                 - fileLocation
                 type: object
+                x-kubernetes-validations:
+                - message: policySource is required when securityLogs are specified
+                  rule: '!has(self.securityLogs) || has(self.policySource)'
               securityLogs:
                 description: |-
                   SecurityLogs defines the security logging configuration for app_protect_security_log directives.
@@ -331,6 +334,9 @@ spec:
                       required:
                       - fileLocation
                       type: object
+                      x-kubernetes-validations:
+                      - message: policySource is required when securityLogs are specified
+                        rule: '!has(self.securityLogs) || has(self.policySource)'
                     name:
                       description: Name is the name of the security log configuration.
                       maxLength: 63

deploy/azure/deploy.yaml

@@ -145,6 +145,7 @@ rules:
   - clientsettingspolicies
   - observabilitypolicies
   - upstreamsettingspolicies
+  - wafpolicies
   verbs:
   - list
   - watch
@@ -155,6 +156,7 @@ rules:
   - clientsettingspolicies/status
   - observabilitypolicies/status
   - upstreamsettingspolicies/status
+  - wafpolicies/status
   verbs:
   - update
 - apiGroups:

deploy/default/deploy.yaml

@@ -145,6 +145,7 @@ rules:
   - clientsettingspolicies
   - observabilitypolicies
   - upstreamsettingspolicies
+  - wafpolicies
   verbs:
   - list
   - watch
@@ -155,6 +156,7 @@ rules:
   - clientsettingspolicies/status
   - observabilitypolicies/status
   - upstreamsettingspolicies/status
+  - wafpolicies/status
   verbs:
   - update
 - apiGroups:

deploy/experimental-nginx-plus/deploy.yaml

@@ -149,6 +149,7 @@ rules:
   - clientsettingspolicies
   - observabilitypolicies
   - upstreamsettingspolicies
+  - wafpolicies
   verbs:
   - list
   - watch
@@ -159,6 +160,7 @@ rules:
   - clientsettingspolicies/status
   - observabilitypolicies/status
   - upstreamsettingspolicies/status
+  - wafpolicies/status
   verbs:
   - update
 - apiGroups:

deploy/experimental/deploy.yaml

@@ -149,6 +149,7 @@ rules:
   - clientsettingspolicies
   - observabilitypolicies
   - upstreamsettingspolicies
+  - wafpolicies
   verbs:
   - list
   - watch
@@ -159,6 +160,7 @@ rules:
   - clientsettingspolicies/status
   - observabilitypolicies/status
   - upstreamsettingspolicies/status
+  - wafpolicies/status
   verbs:
   - update
 - apiGroups:

deploy/nginx-plus/deploy.yaml

@@ -145,6 +145,7 @@ rules:
   - clientsettingspolicies
   - observabilitypolicies
   - upstreamsettingspolicies
+  - wafpolicies
   verbs:
   - list
   - watch
@@ -155,6 +156,7 @@ rules:
   - clientsettingspolicies/status
   - observabilitypolicies/status
   - upstreamsettingspolicies/status
+  - wafpolicies/status
   verbs:
   - update
 - apiGroups:

deploy/nodeport/deploy.yaml

@@ -145,6 +145,7 @@ rules:
   - clientsettingspolicies
   - observabilitypolicies
   - upstreamsettingspolicies
+  - wafpolicies
   verbs:
   - list
   - watch
@@ -155,6 +156,7 @@ rules:
   - clientsettingspolicies/status
   - observabilitypolicies/status
   - upstreamsettingspolicies/status
+  - wafpolicies/status
   verbs:
   - update
 - apiGroups:

deploy/openshift/deploy.yaml

@@ -145,6 +145,7 @@ rules:
   - clientsettingspolicies
   - observabilitypolicies
   - upstreamsettingspolicies
+  - wafpolicies
   verbs:
   - list
   - watch
@@ -155,6 +156,7 @@ rules:
   - clientsettingspolicies/status
   - observabilitypolicies/status
   - upstreamsettingspolicies/status
+  - wafpolicies/status
   verbs:
   - update
 - apiGroups:

deploy/snippets-filters-nginx-plus/deploy.yaml

@@ -145,6 +145,7 @@ rules:
   - clientsettingspolicies
   - observabilitypolicies
   - upstreamsettingspolicies
+  - wafpolicies
   - snippetsfilters
   verbs:
   - list
@@ -156,6 +157,7 @@ rules:
   - clientsettingspolicies/status
   - observabilitypolicies/status
   - upstreamsettingspolicies/status
+  - wafpolicies/status
   - snippetsfilters/status
   verbs:
   - update

deploy/snippets-filters/deploy.yaml

@@ -145,6 +145,7 @@ rules:
   - clientsettingspolicies
   - observabilitypolicies
   - upstreamsettingspolicies
+  - wafpolicies
   - snippetsfilters
   verbs:
   - list
@@ -156,6 +157,7 @@ rules:
   - clientsettingspolicies/status
   - observabilitypolicies/status
   - upstreamsettingspolicies/status
+  - wafpolicies/status
   - snippetsfilters/status
   verbs:
   - update

internal/controller/manager.go

@@ -48,6 +48,7 @@ import (
 	"github.com/nginx/nginx-gateway-fabric/internal/controller/nginx/config/policies/clientsettings"
 	"github.com/nginx/nginx-gateway-fabric/internal/controller/nginx/config/policies/observability"
 	"github.com/nginx/nginx-gateway-fabric/internal/controller/nginx/config/policies/upstreamsettings"
+	"github.com/nginx/nginx-gateway-fabric/internal/controller/nginx/config/policies/wafsettings"
 	ngxvalidation "github.com/nginx/nginx-gateway-fabric/internal/controller/nginx/config/validation"
 	"github.com/nginx/nginx-gateway-fabric/internal/controller/provisioner"
 	"github.com/nginx/nginx-gateway-fabric/internal/controller/state"
@@ -326,6 +327,10 @@ func createPolicyManager(
 			GVK:       mustExtractGVK(&ngfAPIv1alpha1.UpstreamSettingsPolicy{}),
 			Validator: upstreamsettings.NewValidator(validator),
 		},
+		{
+			GVK:       mustExtractGVK(&ngfAPIv1alpha1.WAFPolicy{}),
+			Validator: wafsettings.NewValidator(validator),
+		},
 	}
 
 	return policies.NewManager(mustExtractGVK, cfgs...)
@@ -507,6 +512,12 @@ func registerControllers(
 				controller.WithK8sPredicate(k8spredicate.GenerationChangedPredicate{}),
 			},
 		},
+		{
+			objectType: &ngfAPIv1alpha1.WAFPolicy{},
+			options: []controller.Option{
+				controller.WithK8sPredicate(k8spredicate.GenerationChangedPredicate{}),
+			},
+		},
 	}
 
 	if cfg.ExperimentalFeatures {
@@ -745,6 +756,7 @@ func prepareFirstEventBatchPreparerArgs(cfg config.Config) ([]client.Object, []c
 		&ngfAPIv1alpha1.ClientSettingsPolicyList{},
 		&ngfAPIv1alpha2.ObservabilityPolicyList{},
 		&ngfAPIv1alpha1.UpstreamSettingsPolicyList{},
+		&ngfAPIv1alpha1.WAFPolicyList{},
 		partialObjectMetadataList,
 	}
 

internal/controller/manager_test.go

@@ -68,6 +68,7 @@ func TestPrepareFirstEventBatchPreparerArgs(t *testing.T) {
 				&ngfAPIv1alpha1.ClientSettingsPolicyList{},
 				&ngfAPIv1alpha2.ObservabilityPolicyList{},
 				&ngfAPIv1alpha1.UpstreamSettingsPolicyList{},
+				&ngfAPIv1alpha1.WAFPolicyList{},
 			},
 		},
 		{
@@ -97,6 +98,7 @@ func TestPrepareFirstEventBatchPreparerArgs(t *testing.T) {
 				&ngfAPIv1alpha1.ClientSettingsPolicyList{},
 				&ngfAPIv1alpha2.ObservabilityPolicyList{},
 				&ngfAPIv1alpha1.UpstreamSettingsPolicyList{},
+				&ngfAPIv1alpha1.WAFPolicyList{},
 			},
 		},
 		{
@@ -124,6 +126,7 @@ func TestPrepareFirstEventBatchPreparerArgs(t *testing.T) {
 				&ngfAPIv1alpha2.ObservabilityPolicyList{},
 				&ngfAPIv1alpha1.SnippetsFilterList{},
 				&ngfAPIv1alpha1.UpstreamSettingsPolicyList{},
+				&ngfAPIv1alpha1.WAFPolicyList{},
 			},
 		},
 		{
@@ -154,6 +157,7 @@ func TestPrepareFirstEventBatchPreparerArgs(t *testing.T) {
 				&ngfAPIv1alpha2.ObservabilityPolicyList{},
 				&ngfAPIv1alpha1.SnippetsFilterList{},
 				&ngfAPIv1alpha1.UpstreamSettingsPolicyList{},
+				&ngfAPIv1alpha1.WAFPolicyList{},
 			},
 		},
 	}

internal/controller/nginx/config/generator.go

@@ -16,6 +16,7 @@ import (
 	"github.com/nginx/nginx-gateway-fabric/internal/controller/nginx/config/policies/clientsettings"
 	"github.com/nginx/nginx-gateway-fabric/internal/controller/nginx/config/policies/observability"
 	"github.com/nginx/nginx-gateway-fabric/internal/controller/nginx/config/policies/upstreamsettings"
+	"github.com/nginx/nginx-gateway-fabric/internal/controller/nginx/config/policies/wafsettings"
 	"github.com/nginx/nginx-gateway-fabric/internal/controller/state/dataplane"
 	"github.com/nginx/nginx-gateway-fabric/internal/framework/file"
 )
@@ -44,6 +45,9 @@ const (
 	// includesFolder is the folder where are all include files are stored.
 	includesFolder = configFolder + "/includes"
 
+	// appProtectBundleFolder is the folder where the NGINX App Protect WAF bundles are stored.
+	appProtectBundleFolder = "/etc/app_protect/bundles"
+
 	// httpConfigFile is the path to the configuration file with HTTP configuration.
 	httpConfigFile = httpFolder + "/http.conf"
 
@@ -119,10 +123,15 @@ func (g GeneratorImpl) Generate(conf dataplane.Configuration) []agent.File {
 	policyGenerator := policies.NewCompositeGenerator(
 		clientsettings.NewGenerator(),
 		observability.NewGenerator(conf.Telemetry),
+		wafsettings.NewGenerator(),
 	)
 
 	files = append(files, g.executeConfigTemplates(conf, policyGenerator)...)
 
+	for id, bundle := range conf.WAF.WAFBundles {
+		files = append(files, generateWAFBundle(id, bundle))
+	}
+
 	for id, bundle := range conf.CertBundles {
 		files = append(files, generateCertBundle(id, bundle))
 	}
@@ -245,3 +254,19 @@ func generateCertBundle(id dataplane.CertBundleID, cert []byte) agent.File {
 func generateCertBundleFileName(id dataplane.CertBundleID) string {
 	return filepath.Join(secretsFolder, string(id)+".crt")
 }
+
+func generateWAFBundle(id dataplane.WAFBundleID, bundle []byte) agent.File {
+	return agent.File{
+		Meta: &pb.FileMeta{
+			Name:        GenerateWAFBundleFileName(id),
+			Hash:        filesHelper.GenerateHash(bundle),
+			Permissions: file.RegularFileMode,
+			Size:        int64(len(bundle)),
+		},
+		Contents: bundle,
+	}
+}
+
+func GenerateWAFBundleFileName(id dataplane.WAFBundleID) string {
+	return filepath.Join(appProtectBundleFolder, string(id)+".tgz")
+}

internal/controller/nginx/config/policies/policy.go

@@ -26,6 +26,8 @@ type Policy interface {
 type GlobalSettings struct {
 	// TelemetryEnabled is whether telemetry is enabled in the NginxProxy resource.
 	TelemetryEnabled bool
+	// WAFEnabled is whether WAF is enabled in the NginxProxy resource.
+	WAFEnabled bool
 }
 
 // ValidateTargetRef validates a policy's targetRef for the proper group and kind.