Ingress annotation for WAF policy behaviour for NAP v5 #6706

Open
Epic
0 of 2 issues completed
@shaun-nx

Description

Overview

As a user of NGINX Ingress Controller, I would like to enhance the security of my ingress resources by configuring WAF-style annotation settings.

Acceptance Criteria

  • Must work with Master/Minion pattern
  • Add additional annotations for WAF to enable compatibility with tar bundles
  • Mirror fields in WAF Policy
  • Ensure all AppProtect-related annotations are validated
  • Ensure Ingress resource is rejected correctly if an AppProtect-related annotation is misconfigured
  • Ensure bundle exists on disk on startup
  • Ensure Ingress resource is rejected if bundle does not exist when Ingress resource is applied
  • Support only WAF v5

Example configuration:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cafe
  namespace: cafe
  annotations:
    appprotect.f5.com/app-protect-policy-bundle: "policy-cafe.tgz"
    appprotect.f5.com/app-protect-enable: "true"
    appprotect.f5.com/app-protect-security-log-enable: "true"
    appprotect.f5.com/app-protect-security-log: "log_all"
    appprotect.f5.com/app-protect-security-log-destination: "syslog:server=127.0.0.1:514"
spec:
  ingressClassName: nginxplus
  tls:
  - hosts:
    - cafe.example.com
    secretName: cafe-secret
  rules:
  - host: cafe.example.com
    http:
      paths:
      - path: /coffee
        pathType: Prefix
        backend:
          service:
            name: coffee-svc
            port:
              number: 80
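
One way the validation and bundle-existence criteria above could be checked before an Ingress is admitted, as an added example that is not NGINX Ingress Controller's own code. `ValidateWAF`, `bundleDir` and the rules themselves (bare `.tgz` file names only, a bundle required when WAF is enabled, only the `syslog:server=<host>:<port>` destination form from the example) are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

const prefix = "appprotect.f5.com/app-protect-" // annotation prefix used on this page

// ValidateWAF lists every problem found (none means admit). bundleDir is hypothetical.
func ValidateWAF(ann map[string]string, bundleDir string) []error {
	var errs []error
	on := map[string]bool{}
	for _, k := range []string{"enable", "security-log-enable"} {
		v, ok := ann[prefix+k]
		b, err := strconv.ParseBool(v)
		if ok && err != nil {
			errs = append(errs, fmt.Errorf("%s%s: %q is not a boolean", prefix, k, v))
		}
		on[k] = ok && b
	}
	bundle, ok := ann[prefix+"policy-bundle"]
	switch {
	case !ok && on["enable"]:
		errs = append(errs, fmt.Errorf("app-protect-enable is true but no policy-bundle is set"))
	case ok && (bundle != filepath.Base(bundle) || !strings.HasSuffix(bundle, ".tgz")): // no "../", no "/abs"
		errs = append(errs, fmt.Errorf("policy-bundle %q must be a plain .tgz file name", bundle))
	case ok:
		if fi, err := os.Stat(filepath.Join(bundleDir, bundle)); err != nil || !fi.Mode().IsRegular() {
			errs = append(errs, fmt.Errorf("policy-bundle %q not found in %s", bundle, bundleDir))
		}
	}
	if on["security-log-enable"] { // assumed rule: only the syslog form shown in the example
		dest := ann[prefix+"security-log-destination"]
		host, port, err := net.SplitHostPort(strings.TrimPrefix(dest, "syslog:server="))
		if !strings.HasPrefix(dest, "syslog:server=") || err != nil || host == "" || port == "" {
			errs = append(errs, fmt.Errorf("security-log-destination %q: want syslog:server=<host>:<port>", dest))
		}
	}
	return errs
}

func main() { // demo with a constructed annotation: a path-traversal bundle name is rejected
	fmt.Println(ValidateWAF(map[string]string{prefix + "policy-bundle": "../policy-cafe.tgz"}, os.TempDir()))
}
```

Returning all errors at once lets the rejection event on the Ingress name every misconfigured annotation instead of only the first.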

Labels: proposal (An issue that proposes a feature request), refined (Issues that are ready to be prioritized)

Status: Prioritized backlog
