nginx
diff --git a/‎internal/configs/configurator.go‎
Lines changed: 8 additions & 7 deletions b/‎internal/configs/configurator.go‎
Lines changed: 8 additions & 7 deletions
diff --git a/‎internal/configs/configurator_test.go‎
Lines changed: 13 additions & 12 deletions b/‎internal/configs/configurator_test.go‎
Lines changed: 13 additions & 12 deletions
diff --git a/‎internal/configs/ingress.go‎
Lines changed: 14 additions & 8 deletions b/‎internal/configs/ingress.go‎
Lines changed: 14 additions & 8 deletions
diff --git a/‎internal/configs/version1/config.go‎
Lines changed: 1 addition & 1 deletion b/‎internal/configs/version1/config.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎internal/configs/version1/nginx-plus.ingress.tmpl‎
Lines changed: 2 additions & 1 deletion b/‎internal/configs/version1/nginx-plus.ingress.tmpl‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎internal/k8s/appprotect/app_protect_resources.go‎
Lines changed: 9 additions & 0 deletions b/‎internal/k8s/appprotect/app_protect_resources.go‎
Lines changed: 9 additions & 0 deletions
@@ -1221,20 +1221,21 @@ func createSpiffeCert(certs []*x509.Certificate) []byte {
 	return pemData
 }
 
-func (cnf *Configurator) updateApResources(ingEx *IngressEx) map[string]string {
-	apRes := make(map[string]string)
+func (cnf *Configurator) updateApResources(ingEx *IngressEx) (apRes AppProtectResources) {
 	if ingEx.AppProtectPolicy != nil {
 		policyFileName := appProtectPolicyFileNameFromUnstruct(ingEx.AppProtectPolicy)
 		policyContent := generateApResourceFileContent(ingEx.AppProtectPolicy)
 		cnf.nginxManager.CreateAppProtectResourceFile(policyFileName, policyContent)
-		apRes[appProtectPolicyKey] = policyFileName
+		apRes.AppProtectPolicy = policyFileName
 	}
 
 	if ingEx.AppProtectLogConf != nil {
-		logConfFileName := appProtectLogConfFileNameFromUnstruct(ingEx.AppProtectLogConf)
-		logConfContent := generateApResourceFileContent(ingEx.AppProtectLogConf)
-		cnf.nginxManager.CreateAppProtectResourceFile(logConfFileName, logConfContent)
-		apRes[appProtectLogConfKey] = logConfFileName + " " + ingEx.AppProtectLogDst
+		for i, logConf := range ingEx.AppProtectLogConf {
+			logConfFileName := appProtectLogConfFileNameFromUnstruct(logConf)
+			logConfContent := generateApResourceFileContent(logConf)
+			cnf.nginxManager.CreateAppProtectResourceFile(logConfFileName, logConfContent)
+			apRes.AppProtectLogconfs = append(apRes.AppProtectLogconfs, logConfFileName+" "+ingEx.AppProtectLogDst[i])
+		}
 	}
 
 	return apRes
 
@@ -1079,19 +1079,20 @@ func TestUpdateApResources(t *testing.T) {
 			},
 		},
 	}
-	appProtectLogConf := &unstructured.Unstructured{
-		Object: map[string]interface{}{
+	appProtectLogConf := []*unstructured.Unstructured{
+		{Object: map[string]interface{}{
 			"metadata": map[string]interface{}{
 				"namespace": "test-ns",
 				"name":      "test-name",
 			},
 		},
+		},
 	}
-	appProtectLogDst := "test-dst"
+	appProtectLogDst := []string{"test-dst"}
 
 	tests := []struct {
 		ingEx    *IngressEx
-		expected map[string]string
+		expected AppProtectResources
 		msg      string
 	}{
 		{
@@ -1100,7 +1101,7 @@ func TestUpdateApResources(t *testing.T) {
 					ObjectMeta: meta_v1.ObjectMeta{},
 				},
 			},
-			expected: map[string]string{},
+			expected: AppProtectResources{},
 			msg:      "no app protect resources",
 		},
 		{
@@ -1110,8 +1111,8 @@ func TestUpdateApResources(t *testing.T) {
 				},
 				AppProtectPolicy: appProtectPolicy,
 			},
-			expected: map[string]string{
-				"policy": "/etc/nginx/waf/nac-policies/test-ns_test-name",
+			expected: AppProtectResources{
+				AppProtectPolicy: "/etc/nginx/waf/nac-policies/test-ns_test-name",
 			},
 			msg: "app protect policy",
 		},
@@ -1123,8 +1124,8 @@ func TestUpdateApResources(t *testing.T) {
 				AppProtectLogConf: appProtectLogConf,
 				AppProtectLogDst:  appProtectLogDst,
 			},
-			expected: map[string]string{
-				"logconf": "/etc/nginx/waf/nac-logconfs/test-ns_test-name test-dst",
+			expected: AppProtectResources{
+				AppProtectLogconfs: []string{"/etc/nginx/waf/nac-logconfs/test-ns_test-name test-dst"},
 			},
 			msg: "app protect log conf",
 		},
@@ -1137,9 +1138,9 @@ func TestUpdateApResources(t *testing.T) {
 				AppProtectLogConf: appProtectLogConf,
 				AppProtectLogDst:  appProtectLogDst,
 			},
-			expected: map[string]string{
-				"policy":  "/etc/nginx/waf/nac-policies/test-ns_test-name",
-				"logconf": "/etc/nginx/waf/nac-logconfs/test-ns_test-name test-dst",
+			expected: AppProtectResources{
+				AppProtectPolicy:   "/etc/nginx/waf/nac-policies/test-ns_test-name",
+				AppProtectLogconfs: []string{"/etc/nginx/waf/nac-logconfs/test-ns_test-name test-dst"},
 			},
 			msg: "app protect policy and log conf",
 		},
 
@@ -20,6 +20,12 @@ const emptyH
6D3F
ost = ""
 const appProtectPolicyKey = "policy"
 const appProtectLogConfKey = "logconf"
 
+// AppProtectResources holds namespace names of App Protect resources relavant to an Ingress
+type AppProtectResources struct {
+	AppProtectPolicy   string
+	AppProtectLogconfs []string
+}
+
 // IngressEx holds an Ingress along with the resources that are referenced in this Ingress.
 type IngressEx struct {
 	Ingress           *networking.Ingress
@@ -30,8 +36,8 @@ type IngressEx struct {
 	ValidHosts        map[string]bool
 	ValidMinionPaths  map[string]bool
 	AppProtectPolicy  *unstructured.Unstructured
-	AppProtectLogConf *unstructured.Unstructured
-	AppProtectLogDst  string
+	AppProtectLogConf []*unstructured.Unstructured
+	AppProtectLogDst  []string
 	SecretRefs        map[string]*secrets.SecretReference
 }
 
@@ -55,7 +61,7 @@ type MergeableIngresses struct {
 	Minions []*IngressEx
 }
 
-func generateNginxCfg(ingEx *IngressEx, apResources map[string]string, isMinion bool, baseCfgParams *ConfigParams, isPlus bool,
+func generateNginxCfg(ingEx *IngressEx, apResources AppProtectResources, isMinion bool, baseCfgParams *ConfigParams, isPlus bool,
 	isResolverConfigured bool, staticParams *StaticConfigParams, isWildcardEnabled bool) (version1.IngressNginxConfig, Warnings) {
 	hasAppProtect := staticParams.MainAppProtectLoadModule
 	cfgParams := parseAnnotations(ingEx, baseCfgParams, isPlus, hasAppProtect, staticParams.EnableInternalRoutes)
@@ -139,8 +145,8 @@ func generateNginxCfg(ingEx *IngressEx, apResources map[string]string, isMinion
 		allWarnings.Add(warnings)
 
 		if hasAppProtect {
-			server.AppProtectPolicy = apResources[appProtectPolicyKey]
-			server.AppProtectLogConf = apResources[appProtectLogConfKey]
+			server.AppProtectPolicy = apResources.AppProtectPolicy
+			server.AppProtectLogConfs = apResources.AppProtectLogconfs
 		}
 
 		if !isMinion && cfgParams.JWTKey != "" {
@@ -500,7 +506,7 @@ func upstreamMapToSlice(upstreams map[string]version1.Upstream) []version1.Upstr
 	return result
 }
 
-func generateNginxCfgForMergeableIngresses(mergeableIngs *MergeableIngresses, masterApResources map[string]string,
+func generateNginxCfgForMergeableIngresses(mergeableIngs *MergeableIngresses, masterApResources AppProtectResources,
 	baseCfgParams *ConfigParams, isPlus bool, isResolverConfigured bool, staticParams *StaticConfigParams,
 	isWildcardEnabled bool) (version1.IngressNginxConfig, Warnings) {
 
@@ -558,8 +564,8 @@ func generateNginxCfgForMergeableIngresses(mergeableIngs *MergeableIngresses, ma
 		}
 
 		isMinion := true
-		// App Protect Resources not allowed in minions - pass empty map
-		dummyApResources := make(map[string]string)
+		// App Protect Resources not allowed in minions - pass empty struct
+		dummyApResources := AppProtectResources{}
 		nginxCfg, minionWarnings := generateNginxCfg(minion, dummyApResources, isMinion, baseCfgParams, isPlus, isResolverConfigured, staticParams, isWildcardEnabled)
 		warnings.Add(minionWarnings)
 
 
@@ -24,8 +24,8 @@ func TestGenerateNginxCfg(t *testing.T) {
 	isPlus := false
 	expected := createExpectedConfigForCafeIngressEx(isPlus)
 
-	apRes := make(map[string]string)
-	result, warnings := generateNginxCfg(&cafeIngressEx, apRes, false, configParams, isPlus, false, &StaticConfigParams{}, false)
+	apRes := AppProtectResources{}
+	result, warnings := generateNginxCfg(&cafeIngressEx, apRes, false, configParams, false, false, &StaticConfigParams{}, false)
 
 	if diff := cmp.Diff(expected, result); diff != "" {
 		t.Errorf("generateNginxCfg() returned unexpected result (-want +got):\n%s", diff)
@@ -66,8 +66,8 @@ func TestGenerateNginxCfgForJWT(t *testing.T) {
 		},
 	}
 
-	apRes := make(map[string]string)
-	result, warnings := generateNginxCfg(&cafeIngressEx, apRes, false, configParams, isPlus, false, &StaticConfigParams{}, false)
+	apRes := AppProtectResources{}
+	result, warnings := generateNginxCfg(&cafeIngressEx, apRes, false, configParams, true, false, &StaticConfigParams{}, false)
 
 	if !reflect.DeepEqual(result.Servers[0].JWTAuth, expected.Servers[0].JWTAuth) {
 		t.Errorf("generateNginxCfg returned \n%v,  but expected \n%v", result.Servers[0].JWTAuth, expected.Servers[0].JWTAuth)
@@ -85,7 +85,7 @@ func TestGenerateNginxCfgWithMissingTLSSecret(t *testing.T) {
 	cafeIngressEx.SecretRefs["cafe-secret"].Error = errors.New("secret doesn't exist")
 	configParams := NewDefaultConfigParams()
 
-	apRes := make(map[string]string)
+	apRes := AppProtectResources{}
 	result, resultWarnings := generateNginxCfg(&cafeIngressEx, apRes, false, configParams, false, false, &StaticConfigParams{}, false)
 
 	expectedSSLRejectHandshake := true
@@ -109,7 +109,7 @@ func TestGenerateNginxCfgWithWildcardTLSSecret(t *testing.T) {
 	cafeIngressEx.Ingress.Spec.TLS[0].SecretName = ""
 	configParams := NewDefaultConfigParams()
 
-	apRes := make(map[string]string)
+	apRes := AppProtectResources{}
 	result, warnings := generateNginxCfg(&cafeIngressEx, apRes, false, configParams, false, false, &StaticConfigParams{}, true)
 
 	resultServer := result.Servers[0]
@@ -352,8 +352,8 @@ func TestGenerateNginxCfgForMergeableIngresses(t *testing.T) {
 
 	configParams := NewDefaultConfigParams()
 
-	masterApRes := make(map[string]string)
-	result, warnings := generateNginxCfgForMergeableIngresses(mergeableIngresses, masterApRes, configParams, isPlus, false, &StaticConfigParams{}, false)
+	masterApRes := AppProtectResources{}
+	result, warnings := generateNginxCfgForMergeableIngresses(mergeableIngresses, masterApRes, configParams, false, false, &StaticConfigParams{}, false)
 
 	if diff := cmp.Diff(expected, result); diff != "" {
 		t.Errorf("generateNginxCfgForMergeableIngresses() returned unexpected result (-want +got):\n%s", diff)
@@ -377,7 +377,7 @@ func TestGenerateNginxConfigForCrossNamespaceMergeableIngresses(t *testing.T) {
 	expected := createExpectedConfigForCrossNamespaceMergeableCafeIngress()
 	configParams := NewDefaultConfigParams()
 
-	emptyApResources := make(map[string]string)
+	emptyApResources := AppProtectResources{}
 	result, warnings := generateNginxCfgForMergeableIngresses(mergeableIngresses, emptyApResources, configParams, false, false, &StaticConfigParams{}, false)
 
 	if diff := cmp.Diff(expected, result); diff != "" {
@@ -442,7 +442,7 @@ func TestGenerateNginxCfgForMergeableIngressesForJWT(t *testing.T) {
 	minionJwtKeyFileNames[objectMetaToFileName(&mergeableIngresses.Minions[0].Ingress.ObjectMeta)] = "/etc/nginx/secrets/default-coffee-jwk"
 	configParams := NewDefaultConfigParams()
 
-	masterApRes := make(map[string]string)
 	result, warnings := generateNginxCfgForMergeableIngresses(mergeableIngresses, masterApRes, configParams, isPlus, false, &StaticConfigParams{}, false)
 
 	if !reflect.DeepEqual(result.Servers[0].JWTAuth, expected.Servers[0].JWTAuth) {
@@ -837,8 +837,8 @@ func TestGenerateNginxCfgForSpiffe(t *testing.T) {
 		expected.Servers[0].Locations[i].SSL = true
 	}
 
-	apResources := make(map[string]string)
-	result, warnings := generateNginxCfg(&cafeIngressEx, apResources, false, configParams, isPlus, false,
+	apResources := AppProtectResources{}
+	result, warnings := generateNginxCfg(&cafeIngressEx, apResources, false, configParams, false, false,
 		&StaticConfigParams{NginxServiceMesh: true}, false)
 
 	if diff := cmp.Diff(expected, result); diff != "" {
@@ -861,8 +861,8 @@ func TestGenerateNginxCfgForInternalRoute(t *testing.T) {
 	expected.Servers[0].SpiffeCerts = true
 	expected.Ingress.Annotations[internalRouteAnnotation] = "true"
 
-	apResources := make(map[string]string)
-	result, warnings := generateNginxCfg(&cafeIngressEx, apResources, false, configParams, isPlus, false,
+	apResources := AppProtectResources{}
+	result, warnings := generateNginxCfg(&cafeIngressEx, apResources, false, configParams, false, false,
 		&StaticConfigParams{NginxServiceMesh: true, EnableInternalRoutes: true}, false)
 
 	if diff := cmp.Diff(expected, result); diff != "" {
@@ -1311,19 +1311,20 @@ func TestGenerateNginxCfgForAppProtect(t *testing.T) {
 			},
 		},
 	}
-	cafeIngressEx.AppProtectLogConf = &unstructured.Unstructured{
-		Object: map[string]interface{}{
+	cafeIngressEx.AppProtectLogConf = []*unstructured.Unstructured{
+		{Object: map[string]interface{}{
 			"metadata": map[string]interface{}{
 				"namespace": "default",
 				"name":      "logconf",
 			},
 		},
+		},
 	}
 
 	configParams := NewDefaultConfigParams()
-	apRes := map[string]string{
-		appProtectPolicyKey:  "/etc/nginx/waf/nac-policies/default_dataguard-alarm",
-		appProtectLogConfKey: "/etc/nginx/waf/nac-logconfs/default_logconf syslog:server=127.0.0.1:514",
+	apRes := AppProtectResources{
+		AppProtectPolicy:   "/etc/nginx/waf/nac-policies/default_dataguard-alarm",
+		AppProtectLogconfs: []string{"/etc/nginx/waf/nac-logconfs/default_logconf syslog:server=127.0.0.1:514"},
 	}
 	staticCfgParams := &StaticConfigParams{
 		MainAppProtectLoadModule: true,
@@ -1334,7 +1335,7 @@ func TestGenerateNginxCfgForAppProtect(t *testing.T) {
 	expected := createExpectedConfigForCafeIngressEx(isPlus)
 	expected.Servers[0].AppProtectEnable = "on"
 	expected.Servers[0].AppProtectPolicy = "/etc/nginx/waf/nac-policies/default_dataguard-alarm"
-	expected.Servers[0].AppProtectLogConf = "/etc/nginx/waf/nac-logconfs/default_logconf syslog:server=127.0.0.1:514"
+	expected.Servers[0].AppProtectLogConfs = []string{"/etc/nginx/waf/nac-logconfs/default_logconf syslog:server=127.0.0.1:514"}
 	expected.Servers[0].AppProtectLogEnable = "on"
 	expected.Ingress.Annotations = cafeIngressEx.Ingress.Annotations
 
@@ -1359,19 +1360,20 @@ func TestGenerateNginxCfgForMergeableIngressesForAppProtect(t *testing.T) {
 			},
 		},
 	}
-	mergeableIngresses.Master.AppProtectLogConf = &unstructured.Unstructured{
-		Object: map[string]interface{}{
+	mergeableIngresses.Master.AppProtectLogConf = []*unstructured.Unstructured{
+		{Object: map[string]interface{}{
 			"metadata": map[string]interface{}{
 				"namespace": "default",
 				"name":      "logconf",
 			},
 		},
+		},
 	}
 
 	configParams := NewDefaultConfigParams()
-	apRes := map[string]string{
-		appProtectPolicyKey:  "/etc/nginx/waf/nac-policies/default_dataguard-alarm",
-		appProtectLogConfKey: "/etc/nginx/waf/nac-logconfs/default_logconf syslog:server=127.0.0.1:514",
+	apRes := AppProtectResources{
+		AppProtectPolicy:   "/etc/nginx/waf/nac-policies/default_dataguard-alarm",
+		AppProtectLogconfs: []string{"/etc/nginx/waf/nac-logconfs/default_logconf syslog:server=127.0.0.1:514"},
 	}
 	staticCfgParams := &StaticConfigParams{
 		MainAppProtectLoadModule: true,
@@ -1382,7 +1384,7 @@ func TestGenerateNginxCfgForMergeableIngressesForAppProtect(t *testing.T) {
 	expected := createExpectedConfigForMergeableCafeIngress(isPlus)
 	expected.Servers[0].AppProtectEnable = "on"
 	expected.Servers[0].AppProtectPolicy = "/etc/nginx/waf/nac-policies/default_dataguard-alarm"
-	expected.Servers[0].AppProtectLogConf = "/etc/nginx/waf/nac-logconfs/default_logconf syslog:server=127.0.0.1:514"
+	expected.Servers[0].AppProtectLogConfs = []string{"/etc/nginx/waf/nac-logconfs/default_logconf syslog:server=127.0.0.1:514"}
 	expected.Servers[0].AppProtectLogEnable = "on"
 	expected.Ingress.Annotations = mergeableIngresses.Master.Ingress.Annotations
 
 
@@ -97,7 +97,7 @@ type Server struct {
 	SSLPorts            []int
 	AppProtectEnable    string
 	AppProtectPolicy    string
-	AppProtectLogConf   string
+	AppProtectLogConfs  []string
 	AppProtectLogEnable string
 
 	SpiffeCerts bool
 
@@ -70,7 +70,8 @@ server {
 	{{- end}}
 	{{- if $server.AppProtectLogEnable}}
 	app_protect_security_log_enable {{$server.AppProtectLogEnable}};
-	{{if $server.AppProtectLogConf}}app_protect_security_log {{$server.AppProtectLogConf}};{{end}}
+	{{if $server.AppProtectLogConfs}}{{range $AppProtectLogConf := $server.AppProtectLogConfs}}app_protect_security_log {{$AppProtectLogConf}};
+	{{end}}{{end}}
 	{{- end}}
 
 	{{if not $server.GRPCOnly}}
 
@@ -118,6 +118,15 @@ func ParseResourceReferenceAnnotation(ns, antn string) string {
 	return antn
 }
 
+// ParseResourceReferenceAnnotationList returns a slice of ns/names strings
+func ParseResourceReferenceAnnotationList(ns, annotations string) []string {
+	out := []string{}
+	for _, antn := range strings.Split(annotations, ",") {
+		out = append(out, ParseResourceReferenceAnnotation(ns, antn))
+	}
+	return out
+}
+
 func validateAppProtectUserSig(userSig *unstructured.Unstructured) error {
 	sigName := userSig.GetName()
 	err := validateRequiredSlices(userSig, appProtectUserSigRequiredSlices)