Initial commit for 4.10

wallarm · Dec 18, 2023 · 2f4732f · 2f4732f
1 parent 3e1f589
commit 2f4732f
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 0 deletions.
diff --git a/charts/ingress-nginx/templates/_helpers.tpl b/charts/ingress-nginx/templates/_helpers.tpl
@@ -320,6 +320,25 @@ Create the name of the controller service account to use
 {{ toYaml .Values.controller.wallarm.collectd.resources | indent 4 }}
 {{- end -}}
 
+{{- define "ingress-nginx.wallarmApifirewallContainer" -}}
+- name: api-firewall
+{{- if .Values.controller.wallarm.wallarm-apifirewall.image }}
+  {{- with .Values.controller.wallarm.wallarm-apifirewall.image }}
+  image: "{{ .repository }}:{{ .tag }}"
+  {{- end }}
+{{- else }}
+  image: "{{ .Values.controller.wallarm.helpers.image }}:{{ .Values.controller.wallarm.helpers.tag }}"
+{{- end }}
+  imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}"
+  args: ["api-firewall"]
+  volumeMounts:
+    - name: wallarm
+      mountPath: {{ include "wallarm.path" . }}
+  securityContext: {{ include "controller.containerSecurityContext" . | nindent 4 }}
+  resources:
+{{ toYaml .Values.controller.wallarm.wallarm-apifirewall.resources | indent 4 }}
+{{- end -}}
+
 {{/*
 Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled
 */}}

diff --git a/charts/ingress-nginx/templates/controller-daemonset.yaml b/charts/ingress-nginx/templates/controller-daemonset.yaml
@@ -198,6 +198,7 @@ spec:
       {{- if .Values.controller.wallarm.enabled }}
         {{ include "ingress-nginx.wallarmCronContainer" . | nindent 8 }}
         {{ include "ingress-nginx.wallarmCollectdContainer" . | nindent 8 }}
+        {{ include "ingress-nginx.wallarmApifirewallContainer" . | nindent 8 }}
       {{- end }}
     {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled .Values.controller.wallarm.enabled) }}
       initContainers:

diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml
@@ -201,6 +201,7 @@ spec:
       {{- if .Values.controller.wallarm.enabled }}
         {{ include "ingress-nginx.wallarmCronContainer" . | nindent 8 }}
         {{ include "ingress-nginx.wallarmCollectdContainer" . | nindent 8 }}
+        {{ include "ingress-nginx.wallarmApifirewallContainer" . | nindent 8 }}
       {{- end }}
     {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled .Values.controller.wallarm.enabled) }}
       initContainers:

diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
@@ -815,6 +815,9 @@ controller:
       resources: {}
     wallarm-antibot:
       resources: {}
+    wallarm-apifirewall:
+      resources: {}
+      livenessProbe: {} # TODO
     metrics:
       port: 18080
       enabled: false

diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
@@ -1288,6 +1288,21 @@ stream {
         {{ end }}
         {{ end }}
 
+        {{ if $all.Cfg.EnableWallarm }}
+        # api firewall
+        location ~ ^/wallarm-apifw(.*)$ {
+            wallarm_mode off;
+            proxy_pass http://api-firewall:8088$1;
+            error_page 404 431         = @wallarm-apifw-fallback;
+            error_page 500 502 503 504 = @wallarm-apifw-fallback;
+        }
+
+        location @wallarm-apifw-fallback {
+            wallarm_mode off;
+            return 500 "API FW fallback";
+        }
+        {{ end }}
+
         location {{ $path }} {
             {{ $ing := (getIngressInformation $location.Ingress $server.Hostname $location.IngressPath) }}
             set $namespace      {{ $ing.Namespace | quote}};