
Commit 1387861

authored
Add VS/VSR status update for WAF policy User Defined Signature update
* Remove dead code * Add updating VS/VSR status for UDS modification * Delete trailing AP res from VS/VSR refs
1 parent a24f837 commit 1387861


3 files changed

+43
-33
lines changed


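--- a/internal/configs/configurator.go
+++ b/internal/configs/configurator.go
@@ -1292,7 +1292,7 @@ func generateApResourceFileContent(apResource *unstructured.Unstructured) []byte
 return data
 }
 
-// AddOrUpdateAppProtectResource updates Ingresses that use App Protect Resources
+// AddOrUpdateAppProtectResource updates Ingresses and VirtualServers that use App Protect Resources
 func (cnf *Configurator) AddOrUpdateAppProtectResource(resource *unstructured.Unstructured, ingExes []*IngressEx, mergeableIngresses []*MergeableIngresses, vsExes []*VirtualServerEx) (Warnings, error) {
 allWarnings := newWarnings()
 
@@ -1327,9 +1327,9 @@ func (cnf *Configurator) AddOrUpdateAppProtectResource(resource *unstructured.Un
 return allWarnings, nil
 }
 
-// DeleteAppProtectPolicy updates Ingresses that use AP Policy after that policy is deleted
+// DeleteAppProtectPolicy updates Ingresses and VirtualServers that use AP Policy after that policy is deleted
 func (cnf *Configurator) DeleteAppProtectPolicy(polNamespaceName string, ingExes []*IngressEx, mergeableIngresses []*MergeableIngresses, vsExes []*VirtualServerEx) (Warnings, error) {
-if len(ingExes) > 0 || len(mergeableIngresses) > 0 {
+if len(ingExes)+len(mergeableIngresses)+len(vsExes) > 0 {
 fName := strings.Replace(polNamespaceName, "/", "_", 1)
 polFileName := appProtectPolicyFolder + fName
 cnf.nginxManager.DeleteAppProtectResourceFile(polFileName)
@@ -1368,9 +1368,9 @@
 return allWarnings, nil
 }
 
-// DeleteAppProtectLogConf updates Ingresses that use AP Log Configuration after that policy is deleted
+// DeleteAppProtectLogConf updates Ingresses and VirtualServers that use AP Log Configuration after that policy is deleted
 func (cnf *Configurator) DeleteAppProtectLogConf(logConfNamespaceName string, ingExes []*IngressEx, mergeableIngresses []*MergeableIngresses, vsExes []*VirtualServerEx) (Warnings, error) {
-if len(ingExes) > 0 || len(mergeableIngresses) > 0 {
+if len(ingExes)+len(mergeableIngresses)+len(vsExes) > 0 {
 fName := strings.Replace(logConfNamespaceName, "/", "_", 1)
 logConfFileName := appProtectLogConfFolder + fName
 cnf.nginxManager.DeleteAppProtectResourceFile(logConfFileName)
@@ -1408,8 +1408,10 @@ func (cnf *Configurator) DeleteAppProtectLogConf(logConfNamespaceName string, in
 return allWarnings, nil
 }
 
-// RefreshAppProtectUserSigs writes all valid uds files to fs and reloads
-func (cnf *Configurator) RefreshAppProtectUserSigs(userSigs []*unstructured.Unstructured, delPols []string, ingExes []*IngressEx, mergeableIngresses []*MergeableIngresses) (Warnings, error) {
+// RefreshAppProtectUserSigs writes all valid UDS files to fs and reloads NGINX
+func (cnf *Configurator) RefreshAppProtectUserSigs(
+userSigs []*unstructured.Unstructured, delPols []string, ingExes []*IngressEx, mergeableIngresses []*MergeableIngresses, vsExes []*VirtualServerEx,
+) (Warnings, error) {
 allWarnings := newWarnings()
 for _, ingEx := range ingExes {
 warnings, err := cnf.addOrUpdateIngress(ingEx)
@@ -1427,6 +1429,14 @@ func (cnf *Configurator) RefreshAppProtectUserSigs(userSigs []*unstructured.Unst
 allWarnings.Add(warnings)
 }
 
+for _, v := range vsExes {
+warnings, err := cnf.addOrUpdateVirtualServer(v)
+if err != nil {
+return allWarnings, fmt.Errorf("Error adding or updating VirtualServer %v/%v: %v", v.VirtualServer.Namespace, v.VirtualServer.Name, err)
+}
+allWarnings.Add(warnings)
+}
+
 for _, file := range delPols {
 cnf.nginxManager.DeleteAppProtectResourceFile(file)
 }
@@ -1443,8 +1453,7 @@ func (cnf *Configurator) RefreshAppProtectUserSigs(userSigs []*unstructured.Unst
 return allWarnings, cnf.nginxManager.Reload(nginx.ReloadForOtherUpdate)
 }
 
-// AddInternalRouteConfig adds internal route server to NGINX Configuration and
-// reloads NGINX
+// AddInternalRouteConfig adds internal route server to NGINX Configuration and reloads NGINX
 func (cnf *Configurator) AddInternalRouteConfig() error {
 cnf.staticCfgParams.EnableInternalRoutes = true
 cnf.staticCfgParams.PodName = os.Getenv("POD_NAME")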
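Review bot: The added VirtualServer loop in RefreshAppProtectUserSigs returns on the first `addOrUpdateVirtualServer` error, and that return comes before the `delPols` cleanup and the `Reload` shown in the later hunks, so one VirtualServer that fails to render appears to keep a user-defined-signature update from being applied to every other Ingress and VirtualServer. Part of the function body lies between the hunks, so confirm nothing there already handles this. If stopping is intended, state it in the doc comment, for example `// It returns at the first resource that fails to update; in that case NGINX is not reloaded and the signature change is not applied.`. The new error would also be easier to inspect upstream if the cause were wrapped with `%w` instead of `%v`.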

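--- a/internal/k8s/configuration.go
+++ b/internal/k8s/configuration.go
@@ -34,14 +34,6 @@ const (
 AddOrUpdate
 )
 
-// Change represents a change in an App Protect resource
-type Change struct {
-// Op is an operation that needs be performed on the resource.
-Op Operation
-// Resource is the target resource.
-Resource interface{}
-}
-
 // Resource represents a configuration resource.
 // A Resource can be a top level configuration object:
 // - Regular or Master Ingress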

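--- a/internal/k8s/controller.go
+++ b/internal/k8s/controller.go
@@ -1077,7 +1077,7 @@ func (lbc *LoadBalancerController) processChanges(changes []ResourceChange) {
 }
 }
 
-// processChangesFromGlobalConfiguraton processes changes that come from updates to the GlobalConfiguration resource.
+// processChangesFromGlobalConfiguration processes changes that come from updates to the GlobalConfiguration resource.
 // Such changes need to be processed at once to prevent any inconsistencies in the generated NGINX config.
 func (lbc *LoadBalancerController) processChangesFromGlobalConfiguration(changes []ResourceChange) error {
 var updatedTSExes []*configs.TransportServerEx
@@ -1118,9 +1118,8 @@ func (lbc *LoadBalancerController) processAppProtectChanges(changes []appprotect
 name := impl.Obj.GetName()
 resources := lbc.configuration.FindResourcesForAppProtectPolicyAnnotation(namespace, name)
 
-wafPols := getWAFPoliciesForAppProtectPolicy(lbc.getAllPolicies(), namespace+"/"+name)
-for _, pol := range wafPols {
-resources = append(resources, lbc.configuration.FindResourcesForPolicy(pol.Namespace, pol.Name)...)
+for _, wafPol := range getWAFPoliciesForAppProtectPolicy(lbc.getAllPolicies(), namespace+"/"+name) {
+resources = append(resources, lbc.configuration.FindResourcesForPolicy(wafPol.Namespace, wafPol.Name)...)
 }
 
 resourceExes := lbc.createExtendedResources(resources)
@@ -1133,9 +1132,8 @@ func (lbc *LoadBalancerController) processAppProtectChanges(changes []appprotect
 name := impl.Obj.GetName()
 resources := lbc.configuration.FindResourcesForAppProtectLogConfAnnotation(namespace, name)
 
-wafPols := getWAFPoliciesForAppProtectLogConf(lbc.getAllPolicies(), namespace+"/"+name)
-for _, pol := range wafPols {
-resources = append(resources, lbc.configuration.FindResourcesForPolicy(pol.Namespace, pol.Name)...)
+for _, wafPol := range getWAFPoliciesForAppProtectLogConf(lbc.getAllPolicies(), namespace+"/"+name) {
+resources = append(resources, lbc.configuration.FindResourcesForPolicy(wafPol.Namespace, wafPol.Name)...)
 }
 
 resourceExes := lbc.createExtendedResources(resources)
@@ -1151,9 +1149,8 @@ func (lbc *LoadBalancerController) processAppProtectChanges(changes []appprotect
 name := impl.Obj.GetName()
 resources := lbc.configuration.FindResourcesForAppProtectPolicyAnnotation(namespace, name)
 
-wafPols := getWAFPoliciesForAppProtectPolicy(lbc.getAllPolicies(), namespace+"/"+name)
-for _, pol := range wafPols {
-resources = append(resources, lbc.configuration.FindResourcesForPolicy(pol.Namespace, pol.Name)...)
+for _, wafPol := range getWAFPoliciesForAppProtectPolicy(lbc.getAllPolicies(), namespace+"/"+name) {
+resources = append(resources, lbc.configuration.FindResourcesForPolicy(wafPol.Namespace, wafPol.Name)...)
 }
 
 resourceExes := lbc.createExtendedResources(resources)
@@ -1167,9 +1164,8 @@ func (lbc *LoadBalancerController) processAppProtectChanges(changes []appprotect
 name := impl.Obj.GetName()
 resources := lbc.configuration.FindResourcesForAppProtectLogConfAnnotation(namespace, name)
 
-wafPols := getWAFPoliciesForAppProtectLogConf(lbc.getAllPolicies(), namespace+"/"+name)
-for _, pol := range wafPols {
-resources = append(resources, lbc.configuration.FindResourcesForPolicy(pol.Namespace, pol.Name)...)
+for _, wafPol := range getWAFPoliciesForAppProtectLogConf(lbc.getAllPolicies(), namespace+"/"+name) {
+resources = append(resources, lbc.configuration.FindResourcesForPolicy(wafPol.Namespace, wafPol.Name)...)
 }
 
 resourceExes := lbc.createExtendedResources(resources)
@@ -1186,28 +1182,41 @@ func (lbc *LoadBalancerController) processAppProtectUserSigChange(change appprot
 var delPols []string
 var allIngExes []*configs.IngressEx
 var allMergeableIngresses []*configs.MergeableIngresses
+var allVsExes []*configs.VirtualServerEx
 var allResources []Resource
 
 for _, poladd := range change.PolicyAddsOrUpdates {
 resources := lbc.configuration.FindResourcesForAppProtectPolicyAnnotation(poladd.GetNamespace(), poladd.GetName())
+
+for _, wafPol := range getWAFPoliciesForAppProtectPolicy(lbc.getAllPolicies(), appprotect.GetNsName(poladd)) {
+resources = append(resources, lbc.configuration.FindResourcesForPolicy(wafPol.Namespace, wafPol.Name)...)
+}
+
 resourceExes := lbc.createExtendedResources(resources)
 allIngExes = append(allIngExes, resourceExes.IngressExes...)
 allMergeableIngresses = append(allMergeableIngresses, resourceExes.MergeableIngresses...)
+allVsExes = append(allVsExes, resourceExes.VirtualServerExes...)
 allResources = append(allResources, resources...)
 }
 for _, poldel := range change.PolicyDeletions {
-polNsName := appprotect.GetNsName(poldel)
 resources := lbc.configuration.FindResourcesForAppProtectPolicyAnnotation(poldel.GetNamespace(), poldel.GetName())
+
+polNsName := appprotect.GetNsName(poldel)
+for _, wafPol := range getWAFPoliciesForAppProtectPolicy(lbc.getAllPolicies(), polNsName) {
+resources = append(resources, lbc.configuration.FindResourcesForPolicy(wafPol.Namespace, wafPol.Name)...)
+}
+
 resourceExes := lbc.createExtendedResources(resources)
 allIngExes = append(allIngExes, resourceExes.IngressExes...)
 allMergeableIngresses = append(allMergeableIngresses, resourceExes.MergeableIngresses...)
+allVsExes = append(allVsExes, resourceExes.VirtualServerExes...)
 allResources = append(allResources, resources...)
-if len(resourceExes.IngressExes) > 0 || len(resourceExes.MergeableIngresses) > 0 {
+if len(resourceExes.IngressExes)+len(resourceExes.MergeableIngresses)+len(resourceExes.VirtualServerExes) > 0 {
 delPols = append(delPols, polNsName)
 }
 }
 
-warnings, err := lbc.configurator.RefreshAppProtectUserSigs(change.UserSigs, delPols, allIngExes, allMergeableIngresses)
+warnings, err := lbc.configurator.RefreshAppProtectUserSigs(change.UserSigs, delPols, allIngExes, allMergeableIngresses, allVsExes)
 if err != nil {
 glog.Errorf("Error when refreshing App Protect Policy User defined signatures: %v", err)
 }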
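Review bot: In the `PolicyDeletions` loop the widened condition now also appends `polNsName` to `delPols` for policies used only by VirtualServers, but that value looks like a `namespace/name` key rather than a file path: `RefreshAppProtectUserSigs` passes each `delPols` entry straight to `DeleteAppProtectResourceFile`, whereas `DeleteAppProtectPolicy` first maps the same key to `appProtectPolicyFolder + fName` with `/` replaced by `_`. If `GetNsName` returns the plain key (it is not visible here), the deleted policy's file is never removed and a stale WAF policy stays on disk. The conversion could be done where the files are deleted, e.g. `cnf.nginxManager.DeleteAppProtectResourceFile(appProtectPolicyFolder + strings.Replace(file, "/", "_", 1))`. Separately, `lbc.getAllPolicies()` is called once per policy in both loops and could be read once before them. processAppProtectUserSigChange starts and ends outside the hunk.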
