Unbind app-protect from -preview-policies
galitskiy authored and ciarams87 committed Dec 10, 2021
1 parent cb8a7f1 commit d954961
Showing 5 changed files with 13 additions and 22 deletions.
2 changes: 0 additions & 2 deletions docs/content/configuration/policy-resource.md
@@ -357,8 +357,6 @@ For `kubectl get` and similar commands, you can also use the short name `pol` in

### WAF

> **Feature Status**: WAF is available as a preview feature[^1]: We might introduce some backward-incompatible changes to the resource definition. The feature is disabled by default. To enable it, set the [enable-preview-policies](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-preview-policies) command-line argument of the Ingress Controller.

> Note: This feature is only available in NGINX Plus with AppProtect.

The WAF policy configures NGINX Plus to secure client requests using App Protect policies.
4 changes: 0 additions & 4 deletions pkg/apis/configuration/validation/policy.go
@@ -84,10 +84,6 @@ func validatePolicySpec(spec *v1.PolicySpec, fieldPath *field.Path, isPlus, enab
}

if spec.WAF != nil {
if !enablePreviewPolicies {
allErrs = append(allErrs, field.Forbidden(fieldPath.Child("waf"),
"waf is a preview policy. Preview policies must be enabled to use via cli argument -enable-preview-policies"))
}
if !isPlus {
allErrs = append(allErrs, field.Forbidden(fieldPath.Child("waf"), "WAF is only supported in NGINX Plus"))
}
26 changes: 13 additions & 13 deletions pkg/apis/configuration/validation/policy_test.go
@@ -71,6 +71,19 @@ func TestValidatePolicy(t *testing.T) {
enableAppProtect: true,
msg: "use WAF(plus only) policy",
},
{
policy: &v1.Policy{
Spec: v1.PolicySpec{
WAF: &v1.WAF{
Enable: true,
},
},
},
isPlus: true,
enablePreviewPolicies: false,
enableAppProtect: true,
msg: "WAF policy with preview policies disabled",
},
}
for _, test := range tests {
err := ValidatePolicy(test.policy, test.isPlus, test.enablePreviewPolicies, test.enableAppProtect)
@@ -231,19 +244,6 @@ func TestValidatePolicyFails(t *testing.T) {
enablePreviewPolicies: true,
msg: "OIDC policy in OSS",
},
{
policy: &v1.Policy{
Spec: v1.PolicySpec{
WAF: &v1.WAF{
Enable: true,
},
},
},
isPlus: true,
enablePreviewPolicies: false,
enableAppProtect: true,
msg: "WAF policy with preview policies disabled",
},
{
policy: &v1.Policy{
Spec: v1.PolicySpec{
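Review bot: With the WAF entry moved out of TestValidatePolicyFails into the passing table, neither hunk shows a case that still expects a WAF policy to be rejected, so the gates that remain on it are not visibly covered. policy.go still rejects WAF when `isPlus` is false, and ValidatePolicy also takes `enableAppProtect`, which presumably gates it as well; a failing case with `isPlus: false` (and one with `enableAppProtect: false`, if validation checks that flag) should stay in TestValidatePolicyFails unless one already exists outside these hunks. On the added case itself, a short comment such as `// WAF is no longer a preview policy; it must validate without -enable-preview-policies` would record why `enablePreviewPolicies: false` is expected to pass. Both tables continue outside the hunks.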
2 changes: 0 additions & 2 deletions tests/suite/test_app_protect_waf_policies.py
@@ -137,7 +137,6 @@ def assert_valid_responses(response) -> None:
f"-enable-custom-resources",
f"-enable-leader-election=false",
f"-enable-app-protect",
f"-enable-preview-policies",
],
},
{"example": "ap-waf", "app_type": "simple",},
@@ -390,7 +389,6 @@ def test_ap_waf_policy_logs(
f"-enable-custom-resources",
f"-enable-leader-election=false",
f"-enable-app-protect",
f"-enable-preview-policies",
],
},
{"example": "virtual-server-route"},
1 change: 0 additions & 1 deletion tests/suite/test_batch_startup_times.py
@@ -412,7 +412,6 @@ def fin():
f"-enable-custom-resources",
f"-enable-leader-election=false",
f"-enable-app-protect",
f"-enable-preview-policies",
f"-enable-prometheus-metrics",
],
},
