Integrate NAP WAF v5 #5698

Merged 41 commits on Jun 12, 2024

Commits
55e7f16
Add build stages for WAF v5
shaun-nx Jun 5, 2024
207d4d8
Add Helm value to enable WAF v5
shaun-nx Jun 5, 2024
b4785b2
Use repo files from main branch
shaun-nx Jun 6, 2024
7f9f222
Add emptyDir for bundles volumes
shaun-nx Jun 6, 2024
a889556
Fix template helper to add volumes required for WAF v5
shaun-nx Jun 6, 2024
cb99011
Update `help` make command to allow digits
shaun-nx Jun 6, 2024
da4d982
Add waf-enforcer and waf-config-mgr containers to daemonset template
shaun-nx Jun 6, 2024
78f3e8a
Move waf enforcer and config mgr to template helper
shaun-nx Jun 6, 2024
7ea2f6d
Used `debian-plus` build stage as base for `debian-plus-nap-v5`
shaun-nx Jun 7, 2024
1b8ffe5
Set v5 to false by default
shaun-nx Jun 7, 2024
8240d69
Add v5 build stages to ci and update sed in dockerfile
shaun-nx Jun 7, 2024
f1e2738
Update unit tests to use /etc/app_protect/bundles/
shaun-nx Jun 7, 2024
24213bc
Tag & Release WAF V5 images
pdabelf5 Jun 10, 2024
52e0290
initial pass of helm values for waf v5
oseoin Jun 10, 2024
dfaecf4
remove wafv5-dos publish steps
pdabelf5 Jun 10, 2024
b354c69
add debian & ubi8 waf v5 targets
pdabelf5 Jun 10, 2024
b19454d
add WAF_VERSION variable to dockerfile
pdabelf5 Jun 10, 2024
cc0377d
add enforcer addr config and remove test mount
oseoin Jun 10, 2024
69eae5e
helm docs for waf v5
oseoin Jun 10, 2024
6fc6422
mount agent.sh on ubi-8-plus-nap
pdabelf5 Jun 10, 2024
06c627b
adding missing script mounts for ubi8 waf v5
oseoin Jun 10, 2024
cc3b35a
Merge branch 'main' into feat/waf-v5
oseoin Jun 10, 2024
5d5619d
conditional compiler reference for v4
oseoin Jun 11, 2024
dea1c7c
Merge branch 'main' into feat/waf-v5
oseoin Jun 11, 2024
e1fb507
reorder debian waf v5
oseoin Jun 11, 2024
06c4a71
fix debian waf v5 build
oseoin Jun 11, 2024
7b729df
Merge branch 'main' into feat/waf-v5
oseoin Jun 11, 2024
637dc8c
update agent install logic
pdabelf5 Jun 11, 2024
dbfcb6e
fix enforcer address flag
oseoin Jun 11, 2024
9b5b02e
fix agent arg
oseoin Jun 11, 2024
6b5a36d
re-add bundle mount to NIC
oseoin Jun 11, 2024
87fdab8
Merge branch 'main' into feat/waf-v5
oseoin Jun 11, 2024
fe17f41
Update charts/nginx-ingress/values.schema.json
oseoin Jun 11, 2024
e22453b
fix enforcer address
oseoin Jun 12, 2024
e172216
Merge branch 'feat/waf-v5' of github.com:nginxinc/kubernetes-ingress …
oseoin Jun 12, 2024
1e24f0b
switch waf bundle path depending on v5 or earlier
oseoin Jun 12, 2024
52b6c9e
helm lint fixes
oseoin Jun 12, 2024
20ebbbd
ubi build fix
oseoin Jun 12, 2024
75b78ae
explicit v4 dir for waf bundles
oseoin Jun 12, 2024
2d9361e
Merge branch 'main' into feat/waf-v5
oseoin Jun 12, 2024
eafc7ff
Merge branch 'main' into feat/waf-v5
oseoin Jun 12, 2024
1 change: 1 addition & 0 deletions .github/config/config-plus-gcr-release
@@ -1,6 +1,7 @@
export TARGET_REGISTRY=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release
declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips" "-mktpl" "-alpine-mktpl" "-alpine-mktpl-fips")
declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl" "-ubi-mktpl" "-alpine-fips")
declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-alpine-fips")
declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl" "-ubi-mktpl")
declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl" "-ubi-mktpl")
declare -a ADDITIONAL_TAGS=("latest" "${ADDITIONAL_TAG}")
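Review bot: NAP_WAFV5_TAG_POSTFIX_LIST omits the "-mktpl" and "-ubi-mktpl" postfixes that NAP_WAF_TAG_POSTFIX_LIST carries on the line above it, so no marketplace-tagged WAF v5 images will be released from this config. If that is deliberate for the first v5 release, a short comment beside the declaration would stop the next reader from treating it as an omission.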
1 change: 1 addition & 0 deletions .github/config/config-plus-nginx
Expand Up @@ -2,6 +2,7 @@ export TARGET_REGISTRY=docker-mgmt.nginx.com
export TARGET_NAP_WAF_DOS_IMAGE_PREFIX="nginx-ic-nap-dos/nginx-plus-ingress"
declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips")
declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-alpine-fips")
declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-alpine-fips")
declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi")
declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi")
declare -a ADDITIONAL_TAGS=("latest" "${ADDITIONAL_TAG}")
29 changes: 29 additions & 0 deletions .github/scripts/copy-images.sh
Expand Up @@ -28,19 +28,25 @@ TARGET_OSS_IMAGE_PREFIX=${TARGET_OSS_IMAGE_PREFIX:-"nginx-ic/nginx-ingress"}

SOURCE_PLUS_IMAGE_PREFIX=${SOURCE_PLUS_IMAGE_PREFIX:-"nginx-ic/nginx-plus-ingress"}
SOURCE_NAP_WAF_IMAGE_PREFIX=${SOURCE_NAP_WAF_IMAGE_PREFIX:-"nginx-ic-nap/nginx-plus-ingress"}
SOURCE_NAP_WAFV5_IMAGE_PREFIX=${SOURCE_NAP_WAFV5_IMAGE_PREFIX:-"nginx-ic-nap-v5/nginx-plus-ingress"}
SOURCE_NAP_DOS_IMAGE_PREFIX=${SOURCE_NAP_DOS_IMAGE_PREFIX:-"nginx-ic-dos/nginx-plus-ingress"}
SOURCE_NAP_WAF_DOS_IMAGE_PREFIX=${SOURCE_NAP_WAF_DOS_IMAGE_PREFIX:-"nginx-ic-dos-nap/nginx-plus-ingress"}
SOURCE_NAP_WAFV5_DOS_IMAGE_PREFIX=${SOURCE_NAP_WAFV5_DOS_IMAGE_PREFIX:-"nginx-ic-dos-nap-v5/nginx-plus-ingress"}

TARGET_PLUS_IMAGE_PREFIX=${TARGET_PLUS_IMAGE_PREFIX:-"nginx-ic/nginx-plus-ingress"}
TARGET_NAP_WAF_IMAGE_PREFIX=${TARGET_NAP_WAF_IMAGE_PREFIX:-"nginx-ic-nap/nginx-plus-ingress"}
TARGET_NAP_WAFV5_IMAGE_PREFIX=${TARGET_NAP_WAFV5_IMAGE_PREFIX:-"nginx-ic-nap/nginx-plus-ingress"}
TARGET_NAP_DOS_IMAGE_PREFIX=${TARGET_NAP_DOS_IMAGE_PREFIX:-"nginx-ic-dos/nginx-plus-ingress"}
TARGET_NAP_WAF_DOS_IMAGE_PREFIX=${TARGET_NAP_WAF_DOS_IMAGE_PREFIX:-"nginx-ic-dos-nap/nginx-plus-ingress"}
TARGET_NAP_WAFV5_DOS_IMAGE_PREFIX=${TARGET_NAP_WAFV5_DOS_IMAGE_PREFIX:-"nginx-ic-dos-nap-v5/nginx-plus-ingress"}

declare -a OSS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine")
declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips")
declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-alpine-fips")
declare -a NAP_WAFV5_TAG_POSTFIX_LIST=()
declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi")
declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi")
declare -a NAP_WAFV5_DOS_TAG_POSTFIX_LIST=()
declare -a ADDITIONAL_TAGS=("latest" "${ADDITIONAL_TAG}")

CONFIG_PATH=${CONFIG_PATH:-~/.nic-release/config}
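Review bot: TARGET_NAP_WAFV5_IMAGE_PREFIX defaults to "nginx-ic-nap/nginx-plus-ingress", the same repository as TARGET_NAP_WAF_IMAGE_PREFIX, while the source side uses "nginx-ic-nap-v5/nginx-plus-ingress" and the DoS variant uses "nginx-ic-dos-nap-v5/nginx-plus-ingress". With identical tag postfixes, the v5 copy would overwrite the v4 WAF tag of the same version in the target registry unless every config file overrides it; "nginx-ic-nap-v5/nginx-plus-ingress" looks like the intended default. Separately, SOURCE_NAP_WAFV5_DOS_IMAGE_PREFIX, TARGET_NAP_WAFV5_DOS_IMAGE_PREFIX and NAP_WAFV5_DOS_TAG_POSTFIX_LIST are declared but no copy loop in this diff consumes them (the commit list says the wafv5-dos publish steps were removed); either drop them or leave a comment that they are placeholders for a later change.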
Expand Down Expand Up @@ -152,6 +158,29 @@ if $PUBLISH_WAF; then
done
fi
done
for postfix in "${NAP_WAFV5_TAG_POSTFIX_LIST[@]}"; do
image=${SOURCE_REGISTRY}/${SOURCE_NAP_WAFV5_IMAGE_PREFIX}:${SOURCE_TAG}${postfix}
echo "Processing image ${image}"
new_tag=${TARGET_REGISTRY}/${TARGET_NAP_WAFV5_IMAGE_PREFIX}:${TARGET_TAG}${postfix}
if $IS_IMMUTABLE && skopeo --override-os linux --override-arch amd64 inspect docker://${new_tag} > /dev/null 2>&1; then
echo " ECR is immutable & tag ${new_tag} already exists, skipping."
else
echo " Pushing image NAP WAFV5 ${new_tag}..."
if ! $DRY_RUN; then
skopeo copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${new_tag}
fi
for tag in "${ADDITIONAL_TAGS[@]}"; do
if [ -z "${tag}" ]; then
continue
fi
additional_tag=${TARGET_REGISTRY}/${TARGET_NAP_WAFV5_IMAGE_PREFIX}:${tag}${postfix}
echo " Pushing image NAP WAFV5 ${additional_tag}..."
if ! $DRY_RUN; then
skopeo copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${additional_tag}
fi
done
fi
done
else
echo "Skipping Publish Plus WAF flow"
fi
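Review bot: the new WAF v5 loop sits under the existing `if $PUBLISH_WAF` guard, so v4 and v5 images can only be published together; a separate flag (for example PUBLISH_WAFV5) would let a release copy one set without the other. The loop body is also a verbatim copy of the v4 block above it (the immutable-tag skopeo inspect, the skopeo copy, and the ADDITIONAL_TAGS loop); factoring that into a function taking the source prefix, target prefix and log label would keep the two paths from drifting the next time the retry count or skopeo options change.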
5 changes: 3 additions & 2 deletions .github/workflows/build-plus.yml
Expand Up @@ -123,8 +123,8 @@ jobs:
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with:
images: |
name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }}/nginx-plus-ingress
name=docker-mgmt.nginx.com/nginx-ic${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }}${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}/nginx-plus-ingress,enable=${{ inputs.publish-nginx-reqistry && ! contains(inputs.target, 'aws') }}
name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }}${{ contains(inputs.image, 'v5') && '-v5' || '' }}/nginx-plus-ingress
name=docker-mgmt.nginx.com/nginx-ic${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }}${{ contains(inputs.image, 'v5') && '-v5' || '' }}${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}/nginx-plus-ingress,enable=${{ inputs.publish-nginx-reqistry && ! contains(inputs.target, 'aws') }}
name=709825985650.dkr.ecr.us-east-1.amazonaws.com/nginx/nginx-plus-ingress${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }},enable=${{ inputs.publish-aws-market-place && contains(inputs.target, 'aws') }}
flavor: |
suffix=${{ contains(inputs.image, 'ubi') && '-ubi' || '' }}${{ contains(inputs.image, 'alpine') && '-alpine' || '' }}${{ contains(inputs.target, 'aws') && '-mktpl' || '' }}${{ contains(inputs.image, 'fips') && '-fips' || ''}},onlatest=true
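Review bot: the '-v5' suffix is added to the gcr.io and docker-mgmt.nginx.com image names but not to the ECR marketplace `name=` line that follows them, so a v5 image built with an 'aws' target would be tagged into the same repository as the v4 WAF image. If v5 marketplace images are out of scope, adding `&& ! contains(inputs.image, 'v5')` to that line's `enable=` expression makes the intent explicit. The two registries also order the suffixes differently ('-dos-nap-v5' on gcr.io versus '-nap-v5-dos' on docker-mgmt); that follows the existing v4 ordering, so just confirm the release configs use the matching form.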
Expand Down Expand Up @@ -205,6 +205,7 @@ jobs:
PREBUILT_BASE_IMG=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/plus:${{ inputs.base-image-md5 }}-${{ inputs.image }}${{ steps.nap_modules.outputs.name != '' && format('-{0}', steps.nap_modules.outputs.name) || '' }}
IC_VERSION=${{ github.ref_type == 'tag' && steps.meta.outputs.version || 'CI' }}
${{ inputs.nap_modules != '' && format('NAP_MODULES={0}', steps.nap_modules.outputs.modules) || '' }}
${{ contains(inputs.image, 'v5') && 'WAF_VERSION=v5' || '' }}
${{ (contains(inputs.target, 'aws') && inputs.nap_modules != '') && format('NAP_MODULES_AWS={0}', steps.nap_modules.outputs.modules) || '' }}
secrets: |
"nginx-repo.crt=${{ inputs.nap_modules != '' && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }}"
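Review bot: WAF_VERSION=v5 is derived from `contains(inputs.image, 'v5')`, a substring match on the image name, so any future image whose name happens to contain 'v5' would silently switch the WAF version. An explicit workflow input (for example a waf_version input passed through from the ci.yml matrix) would be less fragile and could also replace the other `contains(inputs.image, 'v5')` checks in this file.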
16 changes: 16 additions & 0 deletions .github/workflows/ci.yml
Expand Up @@ -739,6 +739,22 @@ jobs:
target: goreleaser
platforms: "linux/amd64"
nap_modules: waf
- image: alpine-plus-nap-v5-fips
target: goreleaser
platforms: "linux/amd64"
nap_modules: waf
- image: debian-plus-nap-v5
target: goreleaser
platforms: "linux/amd64"
nap_modules: waf
- image: ubi-9-plus-nap-v5
target: goreleaser
platforms: "linux/amd64"
nap_modules: waf
- image: ubi-8-plus-nap-v5
target: goreleaser
platforms: "linux/amd64"
nap_modules: waf
uses: ./.github/workflows/build-plus.yml
with:
platforms: ${{ matrix.platforms }}
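Review bot: the ubi-8-plus-nap-v5 matrix entry passes `nap_modules: waf`, whereas the Makefile target that builds the same BUILD_OS (ubi-image-nap-dos-v5-plus) passes NAP_MODULES=waf,dos; one of the two should change so CI and local builds produce the same image. All four v5 entries are also pinned to "linux/amd64", which matches the v4 entries above but is worth stating in the PR description so nobody expects arm64 v5 images.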
35 changes: 33 additions & 2 deletions Makefile
Expand Up @@ -31,8 +31,8 @@ export DOCKER_BUILDKIT = 1

.PHONY: help
help: Makefile ## Display this help
@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "; printf "Usage:\n\n make \033[36m<target>\033[0m [VARIABLE=value...]\n\nTargets:\n\n"}; {printf " \033[36m%-30s\033[0m %s\n", $$1, $$2}'
@grep -E '^(override )?[a-zA-Z_-]+ \??\+?= .*? ## .*$$' $< | sort | awk 'BEGIN {FS = " \\??\\+?= .*? ## "; printf "\nVariables:\n\n"}; {gsub(/override /, "", $$1); printf " \033[36m%-30s\033[0m %s\n", $$1, $$2}'
@grep -E '^[a-zA-Z0-9_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "; printf "Usage:\n\n make \033[36m<target>\033[0m [VARIABLE=value...]\n\nTargets:\n\n"}; {printf " \033[36m%-30s\033[0m %s\n", $$1, $$2}'
@grep -E '^(override )?[a-zA-Z0-9_-]+ \??\+?= .*? ## .*$$' $< | sort | awk 'BEGIN {FS = " \\??\\+?= .*? ## "; printf "\nVariables:\n\n"}; {gsub(/override /, "", $$1); printf " \033[36m%-30s\033[0m %s\n", $$1, $$2}'

.PHONY: all
all: test lint verify-codegen update-crds debian-image
Expand Down Expand Up @@ -141,6 +141,13 @@ alpine-image-plus-fips: build ## Create Docker image for Ingress Controller (Alp
alpine-image-nap-plus-fips: build ## Create Docker image for Ingress Controller (Alpine with NGINX Plus, NGINX App Protect WAF and FIPS)
$(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=alpine-plus-nap-fips --build-arg NGINX_AGENT=$(NGINX_AGENT)

.PHONY: alpine-image-nap-v5-plus-fips
alpine-image-nap-v5-plus-fips: build ## Create Docker image for Ingress Controller (Alpine with NGINX Plus, NGINX App Protect WAFv5 and FIPS)
$(DOCKER_CMD) $(PLUS_ARGS) \
--build-arg BUILD_OS=alpine-plus-nap-v5-fips \
--build-arg NGINX_AGENT=$(NGINX_AGENT) \
--build-arg WAF_VERSION=v5

.PHONY: debian-image-plus
debian-image-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus)
$(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus
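Review bot: alpine-image-nap-v5-plus-fips does not pass `--build-arg NAP_MODULES=waf`, unlike the debian and ubi v5 targets added in this PR. That mirrors the existing alpine-image-nap-plus-fips target, so the alpine-plus-nap-v5-fips Dockerfile stage presumably selects the WAF module itself, but it is worth confirming rather than relying on the v4 behaviour carrying over.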
Expand All @@ -149,6 +156,14 @@ debian-image-plus: build ## Create Docker image for Ingress Controller (Debian w
debian-image-nap-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus and NGINX App Protect WAF)
$(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus-nap --build-arg NAP_MODULES=waf --build-arg NGINX_AGENT=$(NGINX_AGENT)

.PHONY: debian-image-nap-v5-plus
debian-image-nap-v5-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus and NGINX App Protect WAFv5)
$(DOCKER_CMD) $(PLUS_ARGS) \
--build-arg BUILD_OS=debian-plus-nap-v5 \
--build-arg NAP_MODULES=waf \
--build-arg NGINX_AGENT=$(NGINX_AGENT) \
--build-arg WAF_VERSION=v5

.PHONY: debian-image-dos-plus
debian-image-dos-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus and NGINX App Protect DoS)
$(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus-nap --build-arg NAP_MODULES=dos
Expand All @@ -169,6 +184,14 @@ ubi-image-plus: build ## Create Docker image for Ingress Controller (UBI with NG
ubi-image-nap-plus: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus and NGINX App Protect WAF)
$(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license --build-arg BUILD_OS=ubi-9-plus-nap --build-arg NAP_MODULES=waf --build-arg NGINX_AGENT=$(NGINX_AGENT)

.PHONY: ubi-image-nap-v5-plus
ubi-image-nap-v5-plus: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus and NGINX App Protect WAFv5)
$(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license \
--build-arg BUILD_OS=ubi-9-plus-nap-v5 \
--build-arg NAP_MODULES=waf \
--build-arg NGINX_AGENT=$(NGINX_AGENT) \
--build-arg WAF_VERSION=v5

.PHONY: ubi-image-dos-plus
ubi-image-dos-plus: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus and NGINX App Protect DoS)
$(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license --build-arg BUILD_OS=ubi-8-plus-nap --build-arg NAP_MODULES=dos
Expand All @@ -177,6 +200,14 @@ ubi-image-dos-plus: build ## Create Docker image for Ingress Controller (UBI wit
ubi-image-nap-dos-plus: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus, NGINX App Protect WAF and DoS)
$(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license --build-arg BUILD_OS=ubi-8-plus-nap --build-arg NAP_MODULES=waf,dos --build-arg NGINX_AGENT=$(NGINX_AGENT)

.PHONY: ubi-image-nap-dos-v5-plus
ubi-image-nap-dos-v5-plus: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus, NGINX App Protect WAFv5 and DoS)
$(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license \
--build-arg BUILD_OS=ubi-8-plus-nap-v5 \
--build-arg NAP_MODULES=waf,dos \
--build-arg NGINX_AGENT=$(NGINX_AGENT) \
--build-arg WAF_VERSION=v5

.PHONY: all-images ## Create all the Docker images for Ingress Controller
all-images: alpine-image alpine-image-plus alpine-image-plus-fips alpine-image-nap-plus-fips debian-image debian-image-plus debian-image-nap-plus debian-image-dos-plus debian-image-nap-dos-plus ubi-image ubi-image-plus ubi-image-nap-plus ubi-image-dos-plus ubi-image-nap-dos-plus

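Review bot: the `all-images` target on the last line is unchanged and lists none of the new v5 targets (alpine-image-nap-v5-plus-fips, debian-image-nap-v5-plus, ubi-image-nap-v5-plus, ubi-image-nap-dos-v5-plus), so `make all-images` will not build them; either add them or document that v5 images are built separately. The new recipes also use backslash continuations while the neighbouring v4 recipes stay on one line; either style works, but one convention per file keeps future diffs smaller.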