App Policy Bundle #3560

Merged
merged 8 commits into from
Feb 23, 2023

@jjngx jjngx (Contributor) commented Feb 16, 2023

Proposed changes

This PR introduces new functionality for NIC with App Protect. Users can provide app protect policy bundles on a mounted volume.

Introduced updates:

  • update the Policy CRD - added new field apBundle of type string
  • volume with app protect policy bundle must be mounted at /etc/nginx/waf/bundles/
  • NIC (with App Protect) deployment.yaml must include mounted volume, for example:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-ingress
  namespace: nginx-ingress
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-ingress
  template:
    metadata:
      labels:
        app: nginx-ingress
     #annotations:
       #prometheus.io/scrape: "true"
       #prometheus.io/port: "9113"
       #prometheus.io/scheme: http
    spec:
      volumes:
      - name: app-pv
        persistentVolumeClaim:
          claimName: pvc-bundle
      serviceAccountName: nginx-ingress
      automountServiceAccountToken: true
      containers:
      - image: <nginx-plus-nap img>:<tag>
        volumeMounts:
        - name: app-pv
          mountPath: /etc/nginx/waf/bundles
        imagePullPolicy: IfNotPresent
        name: nginx-plus-ingress
...

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have updated necessary documentation
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch from my own fork
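
Assuming the apBundle string names a bundle file under the mount path above, whatever consumes it has to keep that name inside /etc/nginx/waf/bundles. One way to check this, added here as an example (not code from this PR or from NIC); the function name `ResolveBundlePath` and the `.tgz` suffix rule are assumptions:

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// bundleDir is the mount point named in the PR description.
const bundleDir = "/etc/nginx/waf/bundles"

// ResolveBundlePath is a hypothetical helper (not NIC code). It accepts an
// apBundle value only if it is a bare file name and returns the path that
// name maps to under bundleDir.
func ResolveBundlePath(apBundle string) (string, error) {
	if apBundle == "" {
		return "", errors.New("apBundle is empty")
	}
	// Reject separators and NUL outright instead of trying to normalise them.
	if strings.ContainsAny(apBundle, "/\\\x00") {
		return "", fmt.Errorf("apBundle %q must be a file name, not a path", apBundle)
	}
	if apBundle == "." || apBundle == ".." {
		return "", fmt.Errorf("apBundle %q is not a file name", apBundle)
	}
	// Assumption: bundles are gzip-compressed tarballs named *.tgz.
	if filepath.Ext(apBundle) != ".tgz" {
		return "", fmt.Errorf("apBundle %q must end in .tgz", apBundle)
	}
	full := filepath.Join(bundleDir, apBundle)
	// Defence in depth: the joined path must sit directly in bundleDir.
	if filepath.Dir(full) != bundleDir {
		return "", fmt.Errorf("apBundle %q escapes %s", apBundle, bundleDir)
	}
	return full, nil
}

func main() {
	// Constructed sample values for the apBundle field.
	for _, v := range []string{"policy.tgz", "../nginx.conf", "/etc/passwd", "a/b.tgz", ".."} {
		p, err := ResolveBundlePath(v)
		fmt.Printf("%-16q -> %q err=%v\n", v, p, err)
	}
}
```

This checks the string only; a symlink placed on the volume can still point outside the directory, so the resolved path (for example via `filepath.EvalSymlinks`) should be re-checked when the file is opened.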

@jjngx jjngx requested a review from a team as a code owner February 16, 2023 18:38
@jjngx jjngx requested a review from ciarams87 February 16, 2023 18:38
@github-actions github-actions bot added the helm_chart Pull requests that update the Helm Chart label Feb 16, 2023
@haywoodsh (Contributor)

Looks good! Will the docs and automated tests be included in this PR?

@jjngx jjngx (Contributor, Author) commented Feb 21, 2023

> Looks good! Will the docs and automated tests be included in this PR?

Not at the moment. Docs and examples will be added when we can generate a correct bundle. Generating policy bundles that are compatible with a NIC version is outside of the scope of this story.

@codecov-commenter codecov-commenter commented Feb 21, 2023

Codecov Report

Merging #3560 (3773e99) into main (796fba4) will increase coverage by 0.03%.
The diff coverage is 100.00%.

❗ Current head 3773e99 differs from pull request most recent head 6d2b589. Consider uploading reports for the commit 6d2b589 to get more accurate results

@@            Coverage Diff             @@
##             main    #3560      +/-   ##
==========================================
+ Coverage   52.26%   52.29%   +0.03%     
==========================================
  Files          59       59              
  Lines       16834    16849      +15     
==========================================
+ Hits         8799     8812      +13     
- Misses       7738     7740       +2     
  Partials      297      297              
Impacted Files                                          Coverage Δ
internal/configs/configurator.go                        38.67% <ø> (ø)
internal/configs/version2/http.go                       0.00% <ø> (ø)
internal/configs/virtualserver.go                       95.07% <100.00%> (+<0.01%) ⬆️
pkg/apis/configuration/validation/policy.go             91.41% <100.00%> (+0.24%) ⬆️
...ternal/k8s/appprotect/app_protect_configuration.go   86.16% <0.00%> (-0.58%) ⬇️

@vepatel vepatel (Contributor) left a comment

LGTM

@jjngx jjngx requested a review from a team February 22, 2023 14:47
@jjngx jjngx merged commit 14ebdc4 into main Feb 23, 2023
@jjngx jjngx deleted the poc/appolicyblob branch February 23, 2023 15:38
@shaun-nx shaun-nx added the enhancement Pull requests for new features/feature enhancements label Mar 22, 2023