Ability to turn off API Firewall functionality

charts/ingress-nginx/templates/_helpers.tpl

@@ -343,17 +343,32 @@ Create the name of the controller service account to use
 {{- end }}
   imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}"
   args: ["api-firewall"]
+  env:
+    - name: APIFW_SPECIFICATION_UPDATE_PERIOD
+      value: "{{ .Values.controller.wallarm.apifirewall.config.specificationUpdatePeriod }}"
+    - name: API_MODE_UNKNOWN_PARAMETERS_DETECTION
+      value: "{{ .Values.controller.wallarm.apifirewall.config.unknownParametersDetection }}"
+    - name: APIFW_URL
+      value: "http://0.0.0.0:{{ .Values.controller.wallarm.apifirewall.config.mainPort }}"
+    - name: APIFW_HEALTH_HOST
+      value: "0.0.0.0:{{ .Values.controller.wallarm.apifirewall.config.healthPort }}"
+    - name: APIFW_LOG_LEVEL
+      value: "{{ .Values.controller.wallarm.apifirewall.config.logLevel }}"
+    - name: APIFW_LOG_FORMAT
+      value: "{{ .Values.controller.wallarm.apifirewall.config.logFormat }}"
+    - name: APIFW_MODE
+      value: api
+    - name: APIFW_READ_TIMEOUT
+      value: 5s
+    - name: APIFW_WRITE_TIMEOUT
+      value: 5s
+    - name: APIFW_API_MODE_DEBUG_PATH_DB
+      value: "/opt/wallarm/var/lib/wallarm-api/1/wallarm_api.db"
   volumeMounts:
     - name: wallarm-apifw
       mountPath: {{ include "wallarm-apifw.path" . }}
   securityContext: {{ include "controller.containerSecurityContext" . | nindent 4 }}
   resources: {{ toYaml .Values.controller.wallarm.apifirewall.resources | nindent 4 }}
-{{- if or .Values.controller.wallarm.apifirewall.livenessProbeEnabled .Values.controller.wallarm.apifirewall.readinessProbeEnabled }}
-  ports:
-    - name: health
-      containerPort: 9667
-      protocol: TCP
-{{- end }}
 {{- if .Values.controller.wallarm.apifirewall.livenessProbeEnabled }}
   livenessProbe: {{ toYaml .Values.controller.wallarm.apifirewall.livenessProbe | nindent 4 }}
 {{- end }}

charts/ingress-nginx/templates/controller-configmap-cron.yaml

@@ -36,7 +36,9 @@ data:
     {{ .schedule }} /opt/wallarm/usr/share/wallarm-common/syncnode -f -p -r 120 -l STDOUT -L DEBUG
     {{- end }}
 
+    {{- if .Values.controller.wallarm.apifirewall.enabled }}
     {{- with .Values.controller.wallarm.cron.jobs.syncApiSpecs }}
     # sync-api-specs
     {{ .schedule }} /opt/wallarm/usr/share/wallarm-common/sync-api-specs -l STDOUT
     {{- end }}
+    {{- end }}

charts/ingress-nginx/templates/controller-configmap.yaml

@@ -18,6 +18,8 @@ data:
   enable-wallarm: "{{ .Values.controller.wallarm.enabled }}"
   wallarm-upstream-service: "{{ include "ingress-nginx.controller.fullname" . }}-wallarm-tarantool"
   wallarm-metrics-port: "{{ .Values.controller.wallarm.metrics.port }}"
+  wallarm-apifw-enabled: "{{ .Values.controller.wallarm.apifirewall.enabled }}"
+  wallarm-apifw-port: "{{ .Values.controller.wallarm.apifirewall.config.mainPort }}"
 {{- if .Values.controller.wallarm.fallback }}
   wallarm-fallback: "{{ .Values.controller.wallarm.fallback }}"
 {{- end }}

charts/ingress-nginx/values.yaml

@@ -885,6 +885,17 @@ controller:
       resources: {}
     apifirewall:
       enabled: true
+      config:
+        # 18081
+        mainPort: 8088
+        # 18082
+        healthPort: 9667
+        specificationUpdatePeriod: 1m
+        unknownParametersDetection: true
+        #### TRACE|DEBUG|INFO|WARNING|ERROR
+        logLevel: INFO
+        ### TEXT|JSON
+        logFormat: TEXT
       resources: {}
       livenessProbeEnabled: true
       livenessProbe:

internal/ingress/controller/config/config.go

@@ -826,6 +826,8 @@ type Configuration struct {
 	// https://docs.wallarm.com/en/admin-en/configure-parameters-en.html#wallarmfallback
 	WallarmFallback string `json:"wallarm-fallback"`
 
+	WallarmApiFwEnabled                 bool   `json:"wallarm-apifw-enabled"`
+	WallarmApiFwPort                    int    `json:"wallarm-apifw-port"`
 	WallarmACLExportEnable              string `json:"wallarm-acl-export-enable"`
 	WallarmACLExportShmSize             string `json:"wallarm-acl-export-shm-size"`
 	WallarmACLExportSampleLimit         int    `json:"wallarm-acl-export-sample-limit"`

rootfs/etc/nginx/template/nginx.tmpl

@@ -1288,11 +1288,11 @@ stream {
         {{ end }}
         {{ end }}
 
-        {{ if $all.Cfg.EnableWallarm }}
+        {{ if and $all.Cfg.EnableWallarm $all.Cfg.WallarmApiFwEnabled }}
         # api firewall
         location ~ ^/wallarm-apifw(.*)$ {
             wallarm_mode off;
-            proxy_pass http://127.0.0.2:8088$1;
+            proxy_pass http://127.0.0.2:{{ $all.Cfg.WallarmApiFwPort }}$1;
             error_page 404 431         = @wallarm-apifw-fallback;
             error_page 500 502 503 504 = @wallarm-apifw-fallback;
         }

test/e2e/run-chart-test.sh

@@ -50,7 +50,7 @@ export ARCH=${ARCH:-amd64}
 # Uses a custom chart-testing image to avoid timeouts waiting for namespace deletion.
 CT_IMAGE="quay.io/dmitriev/chart-testing:3.7.1"
 
-HELM_EXTRA_ARGS="--timeout 180s"
+HELM_EXTRA_ARGS="--timeout 240s"
 HELM_EXTRA_SET_ARGS="\
  --set controller.wallarm.token=${WALLARM_API_TOKEN} \
  --set controller.wallarm.enabled=true \

test/e2e/run-kind-e2e.sh

@@ -130,10 +130,10 @@ if [ "${WALLARM_ENABLED}" == "true" ]; then
     echo "WALLARM_API_TOKEN must be set! Exiting ..."
     exit 1
   fi
-    if [ -z "${WALLARM_API_HOST}" ]; then
-      echo "WALLARM_API_HOST must be set! Exiting ..."
-      exit 1
-    fi
+  if [ -z "${WALLARM_API_HOST}" ]; then
+    echo "WALLARM_API_HOST must be set! Exiting ..."
+    exit 1
+  fi
 fi
 
 echo "[dev-env] running e2e tests..."