From 2f4732fdd0b5e5fcfccf7cff849cbe829026baa0 Mon Sep 17 00:00:00 2001
From: Nikita Nedvetskii
Date: Mon, 18 Dec 2023 14:32:22 +0100
Subject: [PATCH] Initial commit for 4.10
---
 charts/ingress-nginx/templates/_helpers.tpl | 19 +++++++++++++++++++
 .../templates/controller-daemonset.yaml | 1 +
 .../templates/controller-deployment.yaml | 1 +
 charts/ingress-nginx/values.yaml | 3 +++
 rootfs/etc/nginx/template/nginx.tmpl | 15 +++++++++++++++
 5 files changed, 39 insertions(+)
diff --git a/charts/ingress-nginx/templates/_helpers.tpl b/charts/ingress-nginx/templates/_helpers.tpl
index a314a59c1d..6b1c39ca14 100644
--- a/charts/ingress-nginx/templates/_helpers.tpl
+++ b/charts/ingress-nginx/templates/_helpers.tpl
@@ -320,6 +320,25 @@ Create the name of the controller service account to use
 {{ toYaml .Values.controller.wallarm.collectd.resources | indent 4 }}
 {{- end -}}
 
+{{- define "ingress-nginx.wallarmApifirewallContainer" -}}
+- name: api-firewall
+{{- if .Values.controller.wallarm.wallarm-apifirewall.image }}
+ {{- with .Values.controller.wallarm.wallarm-apifirewall.image }}
+ image: "{{ .repository }}:{{ .tag }}"
+ {{- end }}
+{{- else }}
+ image: "{{ .Values.controller.wallarm.helpers.image }}:{{ .Values.controller.wallarm.helpers.tag }}"
+{{- end }}
+ imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}"
+ args: ["api-firewall"]
+ volumeMounts:
+ - name: wallarm
+ mountPath: {{ include "wallarm.path" . }}
+ securityContext: {{ include "controller.containerSecurityContext" . | nindent 4 }}
+ resources:
+{{ toYaml .Values.controller.wallarm.wallarm-apifirewall.resources | indent 4 }}
+{{- end -}}
+
 {{/*
 Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled
 */}}
diff --git a/charts/ingress-nginx/templates/controller-daemonset.yaml b/charts/ingress-nginx/templates/controller-daemonset.yaml
index e1c1437b57..4a6e6d4efa 100644
--- a/charts/ingress-nginx/templates/controller-daemonset.yaml
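Review bot: The lookups `.Values.controller.wallarm.wallarm-apifirewall.image` and `.Values.controller.wallarm.wallarm-apifirewall.resources` use a hyphenated key in dot notation, which Go templates do not accept as a field name, so the chart is likely to fail when the template is parsed. Use `index` instead, for example `{{- with (index .Values.controller.wallarm "wallarm-apifirewall").image }}` and `{{ toYaml (index .Values.controller.wallarm "wallarm-apifirewall").resources | indent 4 }}`. The new container also reuses `controller.containerSecurityContext`, which is defined outside this hunk; if that context carries capabilities the controller needs, a sidecar that only listens on 8088 should get a narrower one. The image is selected by `repository:tag` only, so consider allowing a digest so the sidecar can be pinned.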
+++ b/charts/ingress-nginx/templates/controller-daemonset.yaml
@@ -198,6 +198,7 @@ spec:
 {{- if .Values.controller.wallarm.enabled }}
 {{ include "ingress-nginx.wallarmCronContainer" . | nindent 8 }}
 {{ include "ingress-nginx.wallarmCollectdContainer" . | nindent 8 }}
+ {{ include "ingress-nginx.wallarmApifirewallContainer" . | nindent 8 }}
 {{- end }}
 {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled .Values.controller.wallarm.enabled) }}
 initContainers:
diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml
index fe7d5711de..25d63cee52 100644
--- a/charts/ingress-nginx/templates/controller-deployment.yaml
+++ b/charts/ingress-nginx/templates/controller-deployment.yaml
@@ -201,6 +201,7 @@ spec:
 {{- if .Values.controller.wallarm.enabled }}
 {{ include "ingress-nginx.wallarmCronContainer" . | nindent 8 }}
 {{ include "ingress-nginx.wallarmCollectdContainer" . | nindent 8 }}
+ {{ include "ingress-nginx.wallarmApifirewallContainer" . | nindent 8 }}
 {{- end }}
 {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled .Values.controller.wallarm.enabled) }}
 initContainers:
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index 5de82a8df6..4014a4e6f7 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -815,6 +815,9 @@ controller:
 resources: {}
 wallarm-antibot:
 resources: {}
+ wallarm-apifirewall:
+ resources: {}
+ livenessProbe: {} # TODO
 metrics:
 port: 18080
 enabled: false
diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index 7d2a22610b..c30ebb1bee 100644
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
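Review bot: The added `include "ingress-nginx.wallarmApifirewallContainer"` line is gated only by `.Values.controller.wallarm.enabled`, so every existing Wallarm install gains an extra listening sidecar on upgrade with no way to opt out; the identical line in controller-deployment.yaml has the same effect. A dedicated values flag for the api-firewall container (name to be chosen) wrapped around the include would let operators keep the previous pod shape. The surrounding `containers:` list starts outside the hunk.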
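Review bot: `livenessProbe: {} # TODO` under `wallarm-apifirewall` is never read, because the api-firewall container template in _helpers.tpl renders no probe at all. A hung sidecar would therefore stay in the pod and show up only as 500 responses from the nginx fallback location. Either render the value in the container spec or drop the key until the probe exists. The helper also branches on `wallarm-apifirewall.image`, which has no entry here; a commented example such as `# image: {repository: <REPO>, tag: <TAG>}` would document how to pin it.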
@@ -1288,6 +1288,21 @@ stream {
 {{ end }}
 {{ end }}
 
+ {{ if $all.Cfg.EnableWallarm }}
+ # api firewall
+ location ~ ^/wallarm-apifw(.*)$ {
+ wallarm_mode off;
+ proxy_pass http://api-firewall:8088$1;
+ error_page 404 431 = @wallarm-apifw-fallback;
+ error_page 500 502 503 504 = @wallarm-apifw-fallback;
+ }
+
+ location @wallarm-apifw-fallback {
+ wallarm_mode off;
+ return 500 "API FW fallback";
+ }
+ {{ end }}
+
 location {{ $path }} {
 {{ $ing := (getIngressInformation $location.Ingress $server.Hostname $location.IngressPath) }}
 set $namespace {{ $ing.Namespace | quote}};
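Review bot: The `location ~ ^/wallarm-apifw(.*)$` block has no `internal;` directive, so any client request whose path starts with `/wallarm-apifw` is proxied to the api-firewall listener with `wallarm_mode off`, on every server that renders this block, and it also takes precedence over an application's own prefix locations under that path. If the path is only meant to be reached through subrequests or internal redirects, add `internal;` as the first line of the block; otherwise restrict it with `allow`/`deny`. `proxy_pass http://api-firewall:8088$1;` forwards only the captured path, so the query string is dropped unless `$is_args$args` is appended, and because the URL contains a variable nginx needs an `upstream api-firewall` or a `resolver` to resolve the name, neither of which is visible in this hunk. The block appears to sit inside the per-location loop, which starts outside the hunk, so confirm that the regex and named locations are not emitted more than once per server.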