diff --git a/build/kic_crds/ap-logconf-definition.yaml b/build/kic_crds/ap-logconf-definition.yaml new file mode 100644 index 00000000..6ff7158a --- /dev/null +++ b/build/kic_crds/ap-logconf-definition.yaml 
@@ -0,0 +1,69 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null + name: aplogconfs.appprotect.f5.com +spec: + preserveUnknownFields: false + group: appprotect.f5.com + names: + kind: APLogConf + listKind: APLogConfList + plural: aplogconfs + singular: aplogconf + scope: Namespaced + validation: + openAPIV3Schema: + description: APLogConf is the Schema for the APLogConfs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APLogConfSpec defines the desired state of APLogConf + properties: + content: + properties: + format: + enum: + - splunk + - arcsight + - default + - user-defined + type: string + format_string: + type: string + max_message_size: + pattern: ^([1-9]|[1-5][0-9]|6[0-4])k$ + type: string + max_request_size: + pattern: ^([1-9]|[1-9][0-9]|[1-9][0-9]{2}|1[0-9]{3}|20[1-3][0-9]|204[1-8]|any)$ + type: string + type: object + filter: + properties: + request_type: + enum: + - all + - illegal + - blocked + type: string + type: object + type: object + type: object + version: v1beta1 + versions: + - name: v1beta1 + served: true + storage: true \ No newline at end of file 
diff --git a/build/kic_crds/ap-policy-definition.yaml b/build/kic_crds/ap-policy-definition.yaml new file mode 100644 index 00000000..3eaa1d50 --- /dev/null +++ b/build/kic_crds/ap-policy-definition.yaml 
@@ -0,0 +1,830 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null + name: appolicies.appprotect.f5.com +spec: + preserveUnknownFields: false + group: appprotect.f5.com + names: + kind: APPolicy + listKind: APPolicyList + plural: appolicies + singular: appolicy + scope: Namespaced + validation: + openAPIV3Schema: + description: APPolicyConfig is the Schema for the APPolicyconfigs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APPolicySpec defines the desired state of APPolicy + properties: + modifications: + items: + properties: {} + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + policy: + description: Defines the App Protect policy + properties: + applicationLanguage: + enum: + - iso-8859-10 + - iso-8859-6 + - windows-1255 + - auto-detect + - koi8-r + - gb18030 + - iso-8859-8 + - windows-1250 + - iso-8859-9 + - windows-1252 + - iso-8859-16 + - gb2312 + - iso-8859-2 + - iso-8859-5 + - windows-1257 + - windows-1256 + - iso-8859-13 + - windows-874 + - windows-1253 + - iso-8859-3 + - euc-jp + - utf-8 + - gbk + - windows-1251 + - big5 + - iso-8859-1 + - shift_jis + - euc-kr + - iso-8859-4 + - iso-8859-7 + - iso-8859-15 + type: string + blocking-settings: + properties: + evasions: + items: + properties: + description: + enum: + - '%u decoding' + - Apache whitespace + - Bad unescape + - Bare byte decoding + - Directory traversals + - IIS backslashes + - IIS Unicode codepoints + - Multiple decoding + type: string + enabled: + type: boolean + maxDecodingPasses: + type: integer + type: object + type: array + http-protocols: + items: + properties: + description: + enum: + - Unparsable request content + - Several Content-Length headers + - 'POST request with Content-Length: 0' + - Null in request + - No Host header in HTTP/1.1 request + - Multiple host headers + - Host header contains IP address + - High ASCII characters in headers + - Header name with no header value + - CRLF characters before request start + - Content length should be a positive number + - Chunked request with Content-Length header + - Check maximum number of parameters + - Check maximum number of headers + - Body in GET or HEAD requests + - Bad multipart/form-data request parsing + - Bad multipart parameters parsing + - Bad HTTP 
version + - Bad host header value + type: string + enabled: + type: boolean + maxHeaders: + type: integer + maxParams: + type: integer + type: object + type: array + violations: + items: + properties: + alarm: + type: boolean + block: + type: boolean + description: + type: string + name: + enum: + - VIOL_XML_SOAP_ATTACHMENT + - VIOL_DATA_GUARD + - VIOL_LOGIN_URL_EXPIRED + - VIOL_LOGIN_URL_BYPASSED + - VIOL_REQUEST_MAX_LENGTH + - VIOL_VIRUS + - VIOL_EVASION + - VIOL_XML_WEB_SERVICES_SECURITY + - VIOL_XML_FORMAT + - VIOL_XML_SCHEMA + - VIOL_XML_MALFORMED + - VIOL_CSRF + - VIOL_ENCODING + - VIOL_HTTP_PROTOCOL + - VIOL_GEOLOCATION + - VIOL_QUERY_STRING_LENGTH + - VIOL_REQUEST_LENGTH + - VIOL_COOKIE_LENGTH + - VIOL_URL_LENGTH + - VIOL_CSRF_EXPIRED + - VIOL_BRUTE_FORCE + - VIOL_XML_SOAP_METHOD + - VIOL_PARAMETER_VALUE_METACHAR + - VIOL_PARAMETER_NAME_METACHAR + - VIOL_URL_METACHAR + - VIOL_PARAMETER_REPEATED + - VIOL_JSON_FORMAT + - VIOL_HEADER_LENGTH + - VIOL_PARAMETER_MULTIPART_NULL_VALUE + - VIOL_POST_DATA_LENGTH + - VIOL_PARAMETER_EMPTY_VALUE + - VIOL_PARAMETER + - VIOL_FLOW_DISALLOWED_INPUT + - VIOL_DYNAMIC_SESSION + - VIOL_METHOD + - VIOL_FLOW + - VIOL_URL + - VIOL_FILETYPE + - VIOL_PARAMETER_VALUE_REGEXP + - VIOL_FLOW_MANDATORY_PARAMS + - VIOL_ATTACK_SIGNATURE + - VIOL_PARAMETER_NUMERIC_VALUE + - VIOL_PARAMETER_DATA_TYPE + - VIOL_PARAMETER_VALUE_LENGTH + - VIOL_PARAMETER_DYNAMIC_VALUE + - VIOL_PARAMETER_STATIC_VALUE + - VIOL_COOKIE_EXPIRED + - VIOL_ASM_COOKIE_HIJACKING + - VIOL_SESSION_AWARENESS + - VIOL_FLOW_ENTRY_POINT + - VIOL_JSON_MALFORMED + - VIOL_COOKIE_MALFORMED + - VIOL_COOKIE_MODIFIED + - VIOL_ASM_COOKIE_MODIFIED + - VIOL_HTTP_RESPONSE_STATUS + - VIOL_URL_CONTENT_TYPE + - VIOL_HEADER_METACHAR + - VIOL_GWT_MALFORMED + - VIOL_FILE_UPLOAD + - VIOL_MALICIOUS_IP + - VIOL_PARAMETER_VALUE_BASE64 + - VIOL_GWT_FORMAT + - VIOL_MANDATORY_HEADER + - VIOL_REDIRECT + - VIOL_WEBSOCKET_BAD_REQUEST + - VIOL_WEBSOCKET_FRAMING_PROTOCOL + - VIOL_WEBSOCKET_FRAME_MASKING + - 
VIOL_WEBSOCKET_FRAME_LENGTH + - VIOL_WEBSOCKET_TEXT_NULL_VALUE + - VIOL_CROSS_ORIGIN_REQUEST + - VIOL_WEBSOCKET_TEXT_MESSAGE_NOT_ALLOWED + - VIOL_WEBSOCKET_BINARY_MESSAGE_NOT_ALLOWED + - VIOL_WEBSOCKET_EXTENSION + - VIOL_WEBSOCKET_FRAMES_PER_MESSAGE_COUNT + - VIOL_WEBSOCKET_BINARY_MESSAGE_LENGTH + - VIOL_PLAINTEXT_FORMAT + - VIOL_BLACKLISTED_IP + - VIOL_THREAT_CAMPAIGN + - VIOL_PARAMETER_ARRAY_VALUE + - VIOL_JSON_SCHEMA + - VIOL_MANDATORY_PARAMETER + - VIOL_PARAMETER_LOCATION + - VIOL_MALICIOUS_DEVICE + - VIOL_BLOCKING_CONDITION + - VIOL_THREAT_ANALYSIS + - VIOL_LEAKED_CREDENTIALS + - VIOL_HOSTNAME + - VIOL_HOSTNAME_MISMATCH + - VIOL_CONVICTION + - VIOL_MANDATORY_REQUEST_BODY + - VIOL_RATING_THREAT + - VIOL_RATING_NEED_EXAMINATION + type: string + type: object + type: array + type: object + caseInsensitive: + type: boolean + character-sets: + items: + properties: + characterSet: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + characterSetType: + enum: + - gwt-content + - header + - json-content + - parameter-name + - parameter-value + - plain-text-content + - url + - xml-content + type: string + type: object + type: array + cookie-settings: + properties: + maximumCookieHeaderLength: + pattern: any|\d+ + type: string + type: object + cookies: + items: + properties: + accessibleOnlyThroughTheHttpProtocol: + type: boolean + attackSignaturesCheck: + type: boolean + enforcementType: + type: string + insertSameSiteAttribute: + enum: + - lax + - none + - none-value + - strict + type: string + name: + type: string + securedOverHttpsConnection: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + signatureId: + type: integer + type: object + type: array + type: + enum: + - explicit + - wildcard + type: string + type: object + type: array + data-guard: + properties: + creditCardNumbers: + type: boolean + enabled: + type: boolean + enforcementMode: + enum: + - 
ignore-urls-in-list + - enforce-urls-in-list + type: string + enforcementUrls: + items: + type: string + type: array + lastCcnDigitsToExpose: + type: integer + lastSsnDigitsToExpose: + type: integer + maskData: + type: boolean + usSocialSecurityNumbers: + type: boolean + type: object + description: + type: string + enablePassiveMode: + type: boolean + enforcementMode: + enum: + - transparent + - blocking + type: string + filetypes: + items: + properties: + allowed: + type: boolean + checkPostDataLength: + type: boolean + checkQueryStringLength: + type: boolean + checkRequestLength: + type: boolean + checkUrlLength: + type: boolean + name: + type: string + postDataLength: + type: integer + queryStringLength: + type: integer + requestLength: + type: integer + responseCheck: + type: boolean + type: + enum: + - explicit + - wildcard + type: string + urlLength: + type: integer + type: object + type: array + fullPath: + type: string + general: + properties: + allowedResponseCodes: + items: + format: int32 + maximum: 999 + minimum: 100 + type: integer + type: array + customXffHeaders: + items: + type: string + type: array + maskCreditCardNumbersInRequest: + type: boolean + trustXff: + type: boolean + type: object + header-settings: + properties: + maximumHttpHeaderLength: + pattern: any|\d+ + type: string + type: object + headers: + items: + properties: + base64Decoding: + type: boolean + checkSignatures: + type: boolean + htmlNormalization: + type: boolean + mandatory: + type: boolean + maskValueInLogs: + type: boolean + name: + type: string + normalizationViolations: + type: boolean + percentDecoding: + type: boolean + type: + enum: + - explicit + - wildcard + type: string + urlNormalization: + type: boolean + type: object + type: array + json-profiles: + items: + properties: + defenseAttributes: + properties: + maximumArrayLength: + pattern: any|\d+ + type: string + maximumStructureDepth: + pattern: any|\d+ + type: string + maximumTotalLengthOfJSONData: + pattern: 
any|\d+ + type: string + maximumValueLength: + pattern: any|\d+ + type: string + tolerateJSONParsingWarnings: + type: boolean + type: object + description: + type: string + hasValidationFiles: + type: boolean + name: + enum: + - Default + type: string + type: object + type: array + json-validation-files: + items: + properties: + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: array + methods: + items: + properties: + name: + type: string + type: object + type: array + name: + type: string + parameters: + items: + properties: + allowEmptyValue: + type: boolean + allowRepeatedParameterName: + type: boolean + attackSignaturesCheck: + type: boolean + checkMaxValueLength: + type: boolean + checkMetachars: + type: boolean + level: + enum: + - global + type: string + metacharsOnParameterValueCheck: + type: boolean + name: + enum: + - '*' + type: string + nameMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + parameterLocation: + type: string + sensitiveParameter: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + signatureId: + type: integer + type: object + type: array + type: + enum: + - explicit + - wildcard + type: string + valueMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + valueType: + type: string + type: object + type: array + response-pages: + items: + properties: + ajaxActionType: + enum: + - alert-popup + - custom + - redirect + type: string + ajaxCustomContent: + type: boolean + ajaxEnabled: + type: boolean + ajaxPopupMessage: + type: string + ajaxRedirectUrl: + type: string + responseActionType: + enum: + - custom + - default + - erase-cookies + - redirect + - soap-fault + type: string + responseContent: + type: string + responseHeader: + type: string + responsePageType: + enum: + - ajax + - ajax-login + - 
captcha + - captcha-fail + - default + - failed-login-honeypot + - failed-login-honeypot-ajax + - hijack + - leaked-credentials + - leaked-credentials-ajax + - mobile + - persistent-flow + - xml + type: string + responseRedirectUrl: + type: string + type: object + type: array + sensitive-parameters: + items: + properties: + name: + type: string + type: object + type: array + server-technologies: + items: + properties: + serverTechnologyName: + enum: + - Jenkins + - SharePoint + - Oracle Application Server + - Python + - Oracle Identity Manager + - Spring Boot + - CouchDB + - SQLite + - Handlebars + - Mustache + - Prototype + - Zend + - Redis + - Underscore.js + - Ember.js + - ZURB Foundation + - ef.js + - Vue.js + - UIKit + - TYPO3 CMS + - RequireJS + - React + - MooTools + - Laravel + - GraphQL + - Google Web Toolkit + - Express.js + - CodeIgniter + - Backbone.js + - AngularJS + - JavaScript + - Nginx + - Jetty + - Joomla + - JavaServer Faces (JSF) + - Ruby + - MongoDB + - Django + - Node.js + - Citrix + - JBoss + - Elasticsearch + - Apache Struts + - XML + - PostgreSQL + - IBM DB2 + - Sybase/ASE + - CGI + - Proxy Servers + - SSI (Server Side Includes) + - Cisco + - Novell + - Macromedia JRun + - BEA Systems WebLogic Server + - Lotus Domino + - MySQL + - Oracle + - Microsoft SQL Server + - PHP + - Outlook Web Access + - Apache/NCSA HTTP Server + - Apache Tomcat + - WordPress + - Macromedia ColdFusion + - Unix/Linux + - Microsoft Windows + - ASP.NET + - Front Page Server Extensions (FPSE) + - IIS + - WebDAV + - ASP + - Java Servlets/JSP + - jQuery + type: string + type: object + type: array + signature-sets: + items: + properties: {} + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + signature-settings: + properties: + attackSignatureFalsePositiveMode: + enum: + - detect + - detect-and-allow + - disabled + type: string + minimumAccuracyForAutoAddedSignatures: + enum: + - high + - low + - medium + type: string + type: object + signatures: + 
items: + properties: + enabled: + type: boolean + signatureId: + type: integer + type: object + type: array + softwareVersion: + type: string + template: + properties: + name: + type: string + type: object + urls: + items: + properties: + description: + type: string + method: + enum: + - '*' + type: string + name: + enum: + - '*' + type: string + protocol: + enum: + - http + - https + type: string + type: object + type: array + whitelist-ips: + items: + properties: + blockRequests: + enum: + - always + - never + - policy-default + type: string + ipAddress: + pattern: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' + type: string + ipMask: + pattern: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' + type: string + type: object + type: array + xml-profiles: + items: + properties: + attackSignaturesCheck: + type: boolean + defenseAttributes: + properties: + allowCDATA: + type: boolean + allowDTDs: + type: boolean + allowExternalReferences: + type: boolean + allowProcessingInstructions: + type: boolean + maximumAttributeValueLength: + pattern: any|\d+ + type: string + maximumAttributesPerElement: + pattern: any|\d+ + type: string + maximumChildrenPerElement: + pattern: any|\d+ + type: string + maximumDocumentDepth: + pattern: any|\d+ + type: string + maximumDocumentSize: + pattern: any|\d+ + type: string + maximumElements: + pattern: any|\d+ + type: string + maximumNSDeclarations: + pattern: any|\d+ + type: string + maximumNameLength: + pattern: any|\d+ + type: string + maximumNamespaceLength: + pattern: any|\d+ + type: string + tolerateCloseTagShorthand: + type: boolean + tolerateLeadingWhiteSpace: + type: boolean + tolerateNumericNames: + type: boolean + type: object + description: + type: string + enableWss: + type: boolean + followSchemaLinks: + type: boolean + name: + type: string + type: object + type: array + xml-validation-files: + items: + properties: + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: 
array + type: object + type: object + type: object + version: v1beta1 + versions: + - name: v1beta1 + served: true + storage: true \ No newline at end of file diff --git a/deploy/crds/k8s.nginx.org_nginxingresscontrollers_crd.yaml b/deploy/crds/k8s.nginx.org_nginxingresscontrollers_crd.yaml index 2ea5a12c..acfa29de 100644 --- a/deploy/crds/k8s.nginx.org_nginxingresscontrollers_crd.yaml +++ b/deploy/crds/k8s.nginx.org_nginxingresscontrollers_crd.yaml @@ -32,6 +32,17 @@ spec: spec: description: NginxIngressControllerSpec defines the desired state of NginxIngressController properties: + appProtect: + description: App Protect support configuration. Requires enableCRDs + set to true. + nullable: true + properties: + enable: + description: Enable App Protect. + type: boolean + required: + - enable + type: object configMapData: additionalProperties: type: string @@ -126,6 +137,11 @@ spec: is false meaning the Ingress Controller will be deployed for NGINX OSS. type: boolean + nginxReloadTimeout: + description: Timeout in milliseconds which the Ingress Controller + will wait for a successful NGINX reload after a change or at the + initial start. + type: integer nginxStatus: description: NGINX stub_status, or the NGINX Plus API. nullable: true diff --git a/deploy/role.yaml b/deploy/role.yaml index 71da0321..a6a644f0 100644 --- a/deploy/role.yaml +++ b/deploy/role.yaml @@ -70,6 +70,7 @@ rules: - get - apiGroups: - k8s.nginx.org + - appprotect.f5.com resources: - '*' verbs: diff --git a/docs/nginx-ingress-controller.md b/docs/nginx-ingress-controller.md index 3fa319d5..46092fdd 100644 --- a/docs/nginx-ingress-controller.md +++ b/docs/nginx-ingress-controller.md @@ -68,6 +68,9 @@ spec: error-log-level: debug enableTLSPassthrough: true globalConfiguration: my-nginx-ingress/nginx-configuration + nginxReloadTimeout: 5000 + appProtect: + enable: true ``` | Field | Type | Description | Required | 
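Review bot: `nginxReloadTimeout` is admitted as a bare `type: integer` with no lower bound, so a negative value passes CRD validation and is forwarded to the controller as-is. Since this file is generated from the Go type, the fix belongs on `NginxReloadTimeout` in `pkg/apis/k8s/v1alpha1/nginxingresscontroller_types.go` as `// +kubebuilder:validation:Minimum=0`, followed by regenerating this CRD; the same gap is visible in `pkg/controller/nginxingresscontroller/utils.go`, where only `!= 0` is checked before the flag is appended. The `description` here could also carry the default that only `docs/nginx-ingress-controller.md` states (4000 ms, or 20000 ms when App Protect is enabled), so that `kubectl explain` shows it.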
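Review bot: Adding `appprotect.f5.com` to a rule whose `resources` is `'*'` gives the operator every resource in that API group, while the only need this change shows is to hand `get`/`list`/`watch` on `aplogconfs` and `appolicies` to the Ingress Controller ClusterRole built in `pkg/controller/nginxingresscontroller/rbac.go` (the API server's RBAC escalation check requires the operator to hold what it grants). The `verbs` of this rule lie outside the hunk, so how far the grant reaches is not visible here. A dedicated rule, `- apiGroups: ["appprotect.f5.com"]` / `  resources: ["aplogconfs", "appolicies"]` / `  verbs: ["get", "list", "watch"]`, would keep the operator at the minimum it needs for this feature.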
@@ -94,6 +97,8 @@ spec: | `configMapData` | `map[string]string` | Initial values of the Ingress Controller ConfigMap. Check the [ConfigMap docs](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/configmap-resource/) for more information about possible values. | No | | `globalConfiguration` | `string` | The GlobalConfiguration resource for global configuration of the Ingress Controller. Format is namespace/name. Requires enableCRDs set to true. | No | | `enableTLSPassthrough` | `boolean` | Enable TLS Passthrough on port 443. Requires enableCRDs set to true. | No | +| `appprotect` | [appprotect](#nginxingresscontrollerappprotect) | App Protect support configuration. Requires nginxPlus set to true. | No | +| `nginxReloadTimeout` | `int`| Timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload after a change or at the initial start. (default is 4000. Default is 20000 instead if `enable-app-protect` is true) | No | ## NginxIngressController.Image @@ -131,3 +136,9 @@ spec: | --- | --- | --- | --- | | `enable` | `boolean` | Enable Prometheus metrics. | Yes | | `port` | `int` | Sets the port where the Prometheus metrics are exposed. Default is 9113. Format is `1023 - 65535`. | No | + +## NginxIngressController.AppProtect + +| Field | Type | Description | Required | +| --- | --- | --- | --- | +| `enable` | `boolean` | Enable App Protect. | Yes | diff --git a/pkg/apis/k8s/v1alpha1/nginxingresscontroller_types.go b/pkg/apis/k8s/v1alpha1/nginxingresscontroller_types.go index 0ce7522b..391a7e52 100644 --- a/pkg/apis/k8s/v1alpha1/nginxingresscontroller_types.go +++ b/pkg/apis/k8s/v1alpha1/nginxingresscontroller_types.go 
@@ -35,6 +35,7 @@ type NginxIngressControllerSpec struct {
 // +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors=true
 EnableCRDs bool `json:"enableCRDs"`
 // Enable custom NGINX configuration snippets in VirtualServer and VirtualServerRoute resources.
+ // Requires enableCRDs set to true.
 // +kubebuilder:validation:Optional
 // +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors=true
 EnableSnippets bool `json:"enableSnippets"`
@@ -115,6 +116,16 @@ type NginxIngressControllerSpec struct {
 // +kubebuilder:validation:Optional
 // +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors=true
 EnableTLSPassthrough bool `json:"enableTLSPassthrough"`
+ // App Protect support configuration.
+ // Requires enableCRDs set to true.
+ // +kubebuilder:validation:Optional
+ // +nullable
+ // +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors=true
+ AppProtect *AppProtect `json:"appProtect"`
+ // Timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload after a change or at the initial start.
+ // +kubebuilder:validation:Optional
+ // +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors=true
+ NginxReloadTimeout int `json:"nginxReloadTimeout"`
 }
 
 // Image defines the Repository, Tag and ImagePullPolicy of the Ingress Controller Image.
@@ -178,6 +189,12 @@ type Prometheus struct {
 Port *uint16 `json:"port"`
 }
 
+// App Protect support configuration.
+type AppProtect struct {
+ // Enable App Protect.
+ Enable bool `json:"enable"`
+}
+
 // NginxIngressControllerStatus defines the observed state of NginxIngressController
 type NginxIngressControllerStatus struct {
 // Deployed is true if the Operator has finished the deployment of the NginxIngressController.
diff --git a/pkg/apis/k8s/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/k8s/v1alpha1/zz_generated.deepcopy.go
index 653e0364..3926a495 100644
--- a/pkg/apis/k8s/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/apis/k8s/v1alpha1/zz_generated.deepcopy.go
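Review bot: The comment on the new `AppProtect` field says `Requires enableCRDs set to true`, but the flag is only emitted under `instance.Spec.NginxPlus` in `pkg/controller/nginxingresscontroller/utils.go`, and `docs/nginx-ingress-controller.md` in this same change says `Requires nginxPlus set to true`; the three should agree, e.g. `// Requires nginxPlus and enableCRDs set to true.` Because these comments are copied into the CRD and CSV by the generators, the mismatch ends up in `kubectl explain` output as well. The `NginxReloadTimeout` comment would also benefit from the default that only the docs state, `// Zero means the Ingress Controller default (4000 ms, or 20000 ms when App Protect is enabled).` NginxIngressControllerSpec continues outside the hunk.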
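Review bot: The doc comment on the new exported type does not begin with its name, which Go doc conventions expect and which the operator-sdk CSV generator copies verbatim; `// AppProtect defines the App Protect configuration of the Ingress Controller.` keeps it in line with `// Image defines ...` in this file. The generated CRD in this change lists `enable` under `required`, so it is worth stating on the field that `enable: false` behaves the same as omitting `appProtect` entirely, since that is what the nil-or-false check in utils.go implements and readers should not have to go there to learn it.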
@@ -8,6 +8,22 @@ import ( runtime "k8s.io/apimachinery/pkg/runtime" ) +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AppProtect) DeepCopyInto(out *AppProtect) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AppProtect. +func (in *AppProtect) DeepCopy() *AppProtect { + if in == nil { + return nil + } + out := new(AppProtect) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *HealthStatus) DeepCopyInto(out *HealthStatus) { *out = *in @@ -137,6 +153,11 @@ func (in *NginxIngressControllerSpec) DeepCopyInto(out *NginxIngressControllerSp (*out)[key] = val } } + if in.AppProtect != nil { + in, out := &in.AppProtect, &out.AppProtect + *out = new(AppProtect) + **out = **in + } return }
diff --git a/pkg/controller/nginxingresscontroller/rbac.go b/pkg/controller/nginxingresscontroller/rbac.go
index c9bbed9f..93b86309 100644
--- a/pkg/controller/nginxingresscontroller/rbac.go
+++ b/pkg/controller/nginxingresscontroller/rbac.go
@@ -45,10 +45,14 @@ func clusterRoleForNginxIngressController(name string) *rbacv1.ClusterRole {
 {
 Verbs: []string{"get", "list", "watch"},
 APIGroups: []string{"k8s.nginx.org"},
- Resources: []string{"virtualservers", "virtualserverroutes", "globalconfigurations", "transportservers"},
+ Resources: []string{"virtualservers", "virtualserverroutes", "globalconfigurations", "transportservers", "policies"},
+ },
+ {
+ Verbs: []string{"get", "list", "watch"},
+ APIGroups: []string{"appprotect.f5.com"},
+ Resources: []string{"aplogconfs", "appolicies"},
 },
 }
-
 return &rbacv1.ClusterRole{
 ObjectMeta: v1.ObjectMeta{
 Name: name,
diff --git a/pkg/controller/nginxingresscontroller/rbac_test.go b/pkg/controller/nginxingresscontroller/rbac_test.go
index 2c3442e1..67a88b52 100644
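Review bot: The new `appprotect.f5.com` rule is granted to every Ingress Controller ClusterRole this function builds, whether or not `appProtect.enable` is set, and the signature (`name string` only) gives it no way to tell; if least privilege for deployments without App Protect matters here, the rule could be appended only when the spec enables it, which presumably means widening the signature to take the spec or a boolean. Read-only verbs on two resource types are a small grant, so this is a judgement call rather than a defect. The removed blank line before `return` is a harmless style change; clusterRoleForNginxIngressController continues outside the hunk.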
--- a/pkg/controller/nginxingresscontroller/rbac_test.go
+++ b/pkg/controller/nginxingresscontroller/rbac_test.go
@@ -53,7 +53,12 @@ func TestClusterRoleForNginxIngressController(t *testing.T) {
 {
 Verbs: []string{"get", "list", "watch"},
 APIGroups: []string{"k8s.nginx.org"},
- Resources: []string{"virtualservers", "virtualserverroutes", "globalconfigurations", "transportservers"},
+ Resources: []string{"virtualservers", "virtualserverroutes", "globalconfigurations", "transportservers", "policies"},
+ },
+ {
+ Verbs: []string{"get", "list", "watch"},
+ APIGroups: []string{"appprotect.f5.com"},
+ Resources: []string{"aplogconfs", "appolicies"},
 },
 },
 }
diff --git a/pkg/controller/nginxingresscontroller/utils.go b/pkg/controller/nginxingresscontroller/utils.go
index 4d2d4e85..1d542a6c 100644
--- a/pkg/controller/nginxingresscontroller/utils.go
+++ b/pkg/controller/nginxingresscontroller/utils.go
@@ -30,6 +30,10 @@ func generatePodArgs(instance *k8sv1alpha1.NginxIngressController) []string {
 
 if instance.Spec.NginxPlus {
 args = append(args, "-nginx-plus")
+
+ if instance.Spec.AppProtect != nil && instance.Spec.AppProtect.Enable {
+ args = append(args, "-enable-app-protect")
+ }
 }
 
 if !instance.Spec.EnableCRDs {
@@ -115,6 +119,10 @@ func generatePodArgs(instance *k8sv1alpha1.NginxIngressController) []string {
 }
 }
 
+ if instance.Spec.NginxReloadTimeout != 0 {
+ args = append(args, fmt.Sprintf("-nginx-reload-timeout=%v", instance.Spec.NginxReloadTimeout))
+ }
+
 return args
 }
 
diff --git a/pkg/controller/nginxingresscontroller/utils_test.go b/pkg/controller/nginxingresscontroller/utils_test.go
index 02751d64..a4c2b5ba 100644
--- a/pkg/controller/nginxingresscontroller/utils_test.go
+++ b/pkg/controller/nginxingresscontroller/utils_test.go
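Review bot: When `appProtect.enable` is true but `nginxPlus` is false the new block is never reached, so the setting is dropped with no log line, event or status condition and the user only finds out by inspecting the pod args. At minimum the mismatch should be recorded through the package's logger (its name is outside this hunk) with a message such as `"appProtect.enable is set but nginxPlus is false; App Protect is only available with NGINX Plus"`, or the reconciler should surface it as a status condition on the resource. The nested `if` also hides the dependency from the CRD documentation, which currently only mentions enableCRDs; a short comment `// App Protect is an NGINX Plus module, so the flag is only meaningful with -nginx-plus.` above the inner `if` would make the gating intentional rather than incidental. generatePodArgs continues outside the hunk.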
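Review bot: `fmt.Sprintf("-nginx-reload-timeout=%v", ...)` formats a plain `int`, so `%d` states the intent and rules out surprises if the field's type is ever changed. Because the guard is `!= 0`, any negative value the CRD lets through is passed on to the controller; `if instance.Spec.NginxReloadTimeout > 0 {` together with `fmt.Sprintf("-nginx-reload-timeout=%d", instance.Spec.NginxReloadTimeout)` keeps the local check consistent with a `Minimum=0` validation on the type and documents that zero means "use the controller default".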
@@ -181,12 +181,17 @@ func TestGeneratePodArgs(t *testing.T) {
 GlobalConfiguration: "my-nginx-ingress/globalconfiguration",
 EnableSnippets: true,
 EnableTLSPassthrough: true,
+ AppProtect: &k8sv1alpha1.AppProtect{
+ Enable: true,
+ },
+ NginxReloadTimeout: 5000,
 },
 },
 expected: []string{
 "-nginx-configmaps=my-nginx-ingress/my-nginx-ingress",
 "-default-server-tls-secret=my-nginx-ingress/my-secret",
 "-nginx-plus",
+ "-enable-app-protect",
 "-enable-custom-resources=false",
 "-ingress-class=ingressClass",
 "-use-ingress-class-only",
@@ -204,6 +209,7 @@ func TestGeneratePodArgs(t *testing.T) {
 "-wildcard-tls-secret=my-nginx-ingress/wildcard-secret",
 "-enable-prometheus-metrics",
 "-prometheus-metrics-listen-port=9114",
+ "-nginx-reload-timeout=5000",
 },
 },
 }
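Review bot: The new expectations only cover the case where `nginxPlus` and `appProtect.enable` are both true; nothing asserts that `-enable-app-protect` is absent when `AppProtect` is nil, when `Enable` is false, or when `NginxPlus` is false, and nothing asserts that a zero `NginxReloadTimeout` yields no `-nginx-reload-timeout` flag, yet those are exactly the branches generatePodArgs gained in this change. A second table entry with `NginxPlus: false` and `AppProtect: &k8sv1alpha1.AppProtect{Enable: true}` whose expected args omit `-enable-app-protect` would pin the gating, and the existing all-defaults case (if one exists above this hunk) already covers the zero-timeout path once its expected list is checked for the flag. TestGeneratePodArgs continues outside the hunk.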