[RS-2546] Update operator to deploy waf-http-filter in Enterprise #4008
Conversation
gantony
force-pushed
the
antony-waf-http-filter
branch
from
6d4bc41 to
7414979
Compare
pkg/render/gateway_api.go
Outdated
| @@ -402,7 +409,7 @@ func (pr *gatewayAPIImplementationComponent) Objects() ([]client.Object, []clien | |||
| CreateNamespace( | |||
| resources.namespace.Name, | |||
| pr.cfg.Installation.KubernetesProvider, | |||
| PSSBaseline, | |||
| PSSPrivileged, | |||
There was a problem hiding this comment.
We should comment why we need Privileged here.
There was a problem hiding this comment.
Added a comment. Was discussed here: https://tigera.slack.com/archives/GS3MM6YR0/p1747350565419999?thread_ts=1747349921.824689&cid=GS3MM6YR0
pkg/render/gateway_api.go
Outdated
| } | ||
| } | ||
|
|
||
| if envoyProxy.Spec.Provider.Kubernetes.EnvoyDeployment.Container.VolumeMounts == nil { |
There was a problem hiding this comment.
What if the mounts are non-nil? How/when can that happen, and do we need to append this volume mount?
There was a problem hiding this comment.
It can be non-nil if we use a custom envoy proxy (functionality recently added by Nell). It's best to handle it so I've updated it with changes to do so (and tests).
pkg/render/gateway_api.go
Outdated
| } | ||
|
|
||
| // Add the init container to the deployment | ||
| if envoyProxy.Spec.Provider.Kubernetes.EnvoyDeployment.InitContainers == nil { |
There was a problem hiding this comment.
What scenarios can the InitContainers be non-nil? And if they are non-nil, do we not want to insert this init container into them?
pkg/render/gateway_api.go
Outdated
| // Update the envoy proxy deployment to include the WAF HTTP filter | ||
|
|
||
| // Update Pod volumes | ||
| if envoyProxy.Spec.Provider.Kubernetes.EnvoyDeployment.Pod.Volumes == nil { |
There was a problem hiding this comment.
Same question here regarding nill-ness
gantony
force-pushed
the
antony-waf-http-filter
branch
from
ab92591 to
2e87cc5
Compare
| hasSocketVolumeMount := false | ||
| for _, volumeMount := range envoyProxy.Spec.Provider.Kubernetes.EnvoyDeployment.Container.VolumeMounts { | ||
| if volumeMount.Name == socketVolumeMount.Name { | ||
| hasSocketVolumeMount = true |
There was a problem hiding this comment.
For the initContainer we ensured the init container wafHTTPFilter was set as we expect. Why don't we do the same here?
| hasSocketVolume := false | ||
| for _, volume := range envoyProxy.Spec.Provider.Kubernetes.EnvoyDeployment.Pod.Volumes { | ||
| if volume.Name == logsVolume.Name { | ||
| hasLogsVolume = true |
| hasLogsVolume = true | ||
| } | ||
| if volume.Name == socketVolume.Name { | ||
| hasSocketVolume = true |
Description
This PR updates the operator to deploy
waf-http-filterin Enterprise when enabling the Gateway API.This will setup the required
waf-http-filtersidecar container in the envoy-proxy deployment, but envoy won't be configured to use it by default. To do so, the user will need to create a separateEnvoyExtensionPolicyto enable the filter and protect the traffic with WAF.Release Note
For PR author
make gen-filesmake gen-versionsFor PR reviewers
A note for code reviewers - all pull requests must have the following:
kind/bugif this is a bugfix.kind/enhancementif this is a a new feature.enterpriseif this PR applies to Calico Enterprise only.