nginx
diff --git a/‎docs-web/configuration/ingress-resources/advanced-configuration-with-annotations.md‎
Lines changed: 2 additions & 2 deletions b/‎docs-web/configuration/ingress-resources/advanced-configuration-with-annotations.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎internal/configs/configurator.go‎
Lines changed: 6 additions & 7 deletions b/‎internal/configs/configurator.go‎
Lines changed: 6 additions & 7 deletions
diff --git a/‎internal/configs/configurator_test.go‎
Lines changed: 22 additions & 14 deletions b/‎internal/configs/configurator_test.go‎
Lines changed: 22 additions & 14 deletions
diff --git a/‎internal/configs/ingress.go‎
Lines changed: 28 additions & 17 deletions b/‎internal/configs/ingress.go‎
Lines changed: 28 additions & 17 deletions
diff --git a/‎internal/configs/ingress_test.go‎
Lines changed: 40 additions & 32 deletions b/‎internal/configs/ingress_test.go‎
Lines changed: 40 additions & 32 deletions
diff --git a/‎internal/configs/version1/config.go‎
Lines changed: 1 addition & 1 deletion b/‎internal/configs/version1/config.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎internal/configs/version1/nginx-plus.ingress.tmpl‎
Lines changed: 2 additions & 1 deletion b/‎internal/configs/version1/nginx-plus.ingress.tmpl‎
Lines changed: 2 additions & 1 deletion
@@ -415,12 +415,12 @@ The table below summarizes the available annotations.
      - `Example for App Protect <https://github.com/nginxinc/kubernetes-ingress/tree/v1.11.3/examples/appprotect>`_.
    * - ``appprotect.f5.com/app-protect-security-log``
      - N/A
-     - The App Protect log configuration for the Ingress Resource. Format is ``namespace/name``. If no namespace is specified, the same namespace as the Ingress Resource is used. If not specified the  default is used which is:  filter: ``illegal``, format: ``default``
+     - The App Protect log configuration for the Ingress Resource. Format is ``namespace/name``. If no namespace is specified, the same namespace as the Ingress Resource is used. If not specified the  default is used which is:  filter: ``illegal``, format: ``default``. Multiple configurations can be specified in a comma seperated list. Both log configurations and destinations list (see below) must be of equal length. Configs and destinations are paired by the list indices.
      - N/A
      - `Example for App Protect <https://github.com/nginxinc/kubernetes-ingress/tree/v1.11.3/examples/appprotect>`_.
    * - ``appprotect.f5.com/app-protect-security-log-destination``
      - N/A
-     - The destination of the security log. For more information check the `DESTINATION argument </nginx-app-protect/troubleshooting/#app-protect-security-log>`_.
+     - The destination of the security log. For more information check the `DESTINATION argument </nginx-app-protect/troubleshooting/#app-protect-security-log>`_. Multiple destinations can be specified in a coma seperated list.  Both log configurations and destinations list (see above) must be of equal length. Configs and destinations are paired by the list indices.
      - ``syslog:server=localhost:514``
      - `Example for App Protect <https://github.com/nginxinc/kubernetes-ingress/tree/v1.11.3/examples/appprotect>`_.
 ```
@@ -1221,20 +1221,19 @@ func createSpiffeCert(certs []*x509.Certificate) []byte {
 	return pemData
 }
 
-func (cnf *Configurator) updateApResources(ingEx *IngressEx) map[string]string {
-	apRes := make(map[string]string)
+func (cnf *Configurator) updateApResources(ingEx *IngressEx) (apRes AppProtectResources) {
 	if ingEx.AppProtectPolicy != nil {
 		policyFileName := appProtectPolicyFileNameFromUnstruct(ingEx.AppProtectPolicy)
 		policyContent := generateApResourceFileContent(ingEx.AppProtectPolicy)
 		cnf.nginxManager.CreateAppProtectResourceFile(policyFileName, policyContent)
-		apRes[appProtectPolicyKey] = policyFileName
+		apRes.AppProtectPolicy = policyFileName
 	}
 
-	if ingEx.AppProtectLogConf != nil {
-		logConfFileName := appProtectLogConfFileNameFromUnstruct(ingEx.AppProtectLogConf)
-		logConfContent := generateApResourceFileContent(ingEx.AppProtectLogConf)
+	for _, logConf := range ingEx.AppProtectLogs {
+		logConfFileName := appProtectLogConfFileNameFromUnstruct(logConf.LogConf)
+		logConfContent := generateApResourceFileContent(logConf.LogConf)
 		cnf.nginxManager.CreateAppProtectResourceFile(logConfFileName, logConfContent)
-		apRes[appProtectLogConfKey] = logConfFileName + " " + ingEx.AppProtectLogDst
+		apRes.AppProtectLogconfs = append(apRes.AppProtectLogconfs, logConfFileName+" "+logConf.Dest)
 	}
 
 	return apRes
 
@@ -1091,7 +1091,7 @@ func TestUpdateApResources(t *testing.T) {
 
 	tests := []struct {
 		ingEx    *IngressEx
-		expected map[string]string
+		expected AppProtectResources
 		msg      string
 	}{
 		{
@@ -1100,7 +1100,7 @@ func TestUpdateApResources(t *testing.T) {
 					ObjectMeta: meta_v1.ObjectMeta{},
 				},
 			},
-			expected: map[string]string{},
+			expected: AppProtectResources{},
 			msg:      "no app protect resources",
 		},
 		{
@@ -1110,8 +1110,8 @@ func TestUpdateApResources(t *testing.T) {
 				},
 				AppProtectPolicy: appProtectPolicy,
 			},
-			expected: map[string]string{
-				"policy": "/etc/nginx/waf/nac-policies/test-ns_test-name",
+			expected: AppProtectResources{
+				AppProtectPolicy: "/etc/nginx/waf/nac-policies/test-ns_test-name",
 			},
 			msg: "app protect policy",
 		},
@@ -1120,11 +1120,15 @@ func TestUpdateApResources(t *testing.T) {
 				Ingress: &networking.Ingress{
 					ObjectMeta: meta_v1.ObjectMeta{},
 				},
-				AppProtectLogConf: appProtectLogConf,
-				AppProtectLogDst:  appProtectLogDst,
+				AppProtectLogs: []AppProtectLog{
+					{
+						LogConf: appProtectLogConf,
+						Dest:    appProtectLogDst,
+					},
+				},
 			},
-			expected: map[string]string{
-				"logconf": "/etc/nginx/waf/nac-logconfs/test-ns_test-name test-dst",
+			expected: AppProtectResources{
+				AppProtectLogconfs: []string{"/etc/nginx/waf/nac-logconfs/test-ns_test-name test-dst"},
 			},
 			msg: "app protect log conf",
 		},
@@ -1133,13 +1137,17 @@ func TestUpdateApResources(t *testing.T) {
 				Ingress: &networking.Ingress{
 					ObjectMeta: meta_v1.ObjectMeta{},
 				},
-				AppProtectPolicy:  appProtectPolicy,
-				AppProtectLogConf: appProtectLogConf,
-				AppProtectLogDst:  appProtectLogDst,
+				AppProtectPolicy: appProtectPolicy,
+				AppProtectLogs: []AppProtectLog{
+					{
+						LogConf: appProtectLogConf,
+						Dest:    appProtectLogDst,
+					},
+				},
 			},
-			expected: map[string]string{
-				"policy":  "/etc/nginx/waf/nac-policies/test-ns_test-name",
-				"logconf": "/etc/nginx/waf/nac-logconfs/test-ns_test-name test-dst",
+			expected: AppProtectResources{
+				AppProtectPolicy:   "/etc/nginx/waf/nac-policies/test-ns_test-name",
+				AppProtectLogconfs: []string{"/etc/nginx/waf/nac-logconfs/test-ns_test-name test-dst"},
 			},
 			msg: "app protect policy and log conf",
 		},
 
@@ -20,19 +20,30 @@ const emptyHost = ""
 const appProtectPolicyKey = "policy"
 const appProtectLogConfKey = "logconf"
 
+// AppProtectResources holds namespace names of App Protect resources relavant to an Ingress
+type AppProtectResources struct {
+	AppProtectPolicy   string
+	AppProtectLogconfs []string
+}
+
+// AppProtectLog holds a single pair of log config and log destination
+type AppProtectLog struct {
+	LogConf *unstructured.Unstructured
+	Dest    string
+}
+
 // IngressEx holds an Ingress along with the resources that are referenced in this Ingress.
 type IngressEx struct {
-	Ingress           *networking.Ingress
-	Endpoints         map[string][]string
-	HealthChecks      map[string]*api_v1.Probe
-	ExternalNameSvcs  map[string]bool
-	PodsByIP          map[string]PodInfo
-	ValidHosts        map[string]bool
-	ValidMinionPaths  map[string]bool
-	AppProtectPolicy  *unstructured.Unstructured
-	AppProtectLogConf *unstructured.Unstructured
-	AppProtectLogDst  string
-	SecretRefs        map[string]*secrets.SecretReference
+	Ingress          *networking.Ingress
+	Endpoints        map[string][]string
+	HealthChecks     map[string]*api_v1.Probe
+	ExternalNameSvcs map[string]bool
+	PodsByIP         map[string]PodInfo
+	ValidHosts       map[string]bool
+	ValidMinionPaths map[string]bool
+	AppProtectPolicy *unstructured.Unstructured
+	AppProtectLogs   []AppProtectLog
+	SecretRefs       map[string]*secrets.SecretReference
 }
 
 // JWTKey represents a secret that holds JSON Web Key.
@@ -55,7 +66,7 @@ type MergeableIngresses struct {
 	Minions []*IngressEx
 }
 
-func generateNginxCfg(ingEx *IngressEx, apResources map[string]string, isMinion bool, baseCfgParams *ConfigParams, isPlus bool,
+func generateNginxCfg(ingEx *IngressEx, apResources AppProtectResources, isMinion bool, baseCfgParams *ConfigParams, isPlus bool,
 	isResolverConfigured bool, staticParams *StaticConfigParams, isWildcardEnabled bool) (version1.IngressNginxConfig, Warnings) {
 	hasAppProtect := staticParams.MainAppProtectLoadModule
 	cfgParams := parseAnnotations(ingEx, baseCfgParams, isPlus, hasAppProtect, staticParams.EnableInternalRoutes)
@@ -139,8 +150,8 @@ func generateNginxCfg(ingEx *IngressEx, apResources map[string]string, isMinion
 		allWarnings.Add(warnings)
 
 		if hasAppProtect {
-			server.AppProtectPolicy = apResources[appProtectPolicyKey]
-			server.AppProtectLogConf = apResources[appProtectLogConfKey]
+			server.AppProtectPolicy = apResources.AppProtectPolicy
+			server.AppProtectLogConfs = apResources.AppProtectLogconfs
 		}
 
 		if !isMinion && cfgParams.JWTKey != "" {
@@ -500,7 +511,7 @@ func upstreamMapToSlice(upstreams map[string]version1.Upstream) []version1.Upstr
 	return result
 }
 
-func generateNginxCfgForMergeableIngresses(mergeableIngs *MergeableIngresses, masterApResources map[string]string,
+func generateNginxCfgForMergeableIngresses(mergeableIngs *MergeableIngresses, masterApResources AppProtectResources,
 	baseCfgParams *ConfigParams, isPlus bool, isResolverConfigured bool, staticParams *StaticConfigParams,
 	isWildcardEnabled bool) (version1.IngressNginxConfig, Warnings) {
 
@@ -558,8 +569,8 @@ func generateNginxCfgForMergeableIngresses(mergeableIngs *MergeableIngresses, ma
 		}
 
 		isMinion := true
-		// App Protect Resources not allowed in minions - pass empty map
-		dummyApResources := make(map[string]string)
+		// App Protect Resources not allowed in minions - pass empty struct
+		dummyApResources := AppProtectResources{}
 		nginxCfg, minionWarnings := generateNginxCfg(minion, dummyApResources, isMinion, baseCfgParams, isPlus, isResolverConfigured, staticParams, isWildcardEnabled)
 		warnings.Add(minionWarnings)
 
 
@@ -24,8 +24,8 @@ func TestGenerateNginxCfg(t *testing.T) {
 	isPlus := false
 	expected := createExpectedConfigForCafeIngressEx(isPlus)
 
-	apRes := make(map[string]string)
-	result, warnings := generateNginxCfg(&cafeIngressEx, apRes, false, configParams, isPlus, false, &StaticConfigParams{}, false)
+	apRes := AppProtectResources{}
+	result, warnings := generateNginxCfg(&cafeIngressEx, apRes, false, configParams, false, false, &StaticConfigParams{}, false)
 
 	if diff := cmp.Diff(expected, result); diff != "" {
 		t.Errorf("generateNginxCfg() returned unexpected result (-want +got):\n%s", diff)
@@ -66,8 +66,8 @@ func TestGenerateNginxCfgForJWT(t *testing.T) {
 		},
 	}
 
-	apRes := make(map[string]string)
-	result, warnings := generateNginxCfg(&cafeIngressEx, apRes, false, configParams, isPlus, false, &StaticConfigParams{}, false)
+	apRes := AppProtectResources{}
+	result, warnings := generateNginxCfg(&cafeIngressEx, apRes, false, configParams, true, false, &StaticConfigParams{}, false)
 
 	if !reflect.DeepEqual(result.Servers[0].JWTAuth, expected.Servers[0].JWTAuth) {
 		t.Errorf("generateNginxCfg returned \n%v,  but expected \n%v", result.Servers[0].JWTAuth, expected.Servers[0].JWTAuth)
@@ -85,7 +85,7 @@ func TestGenerateNginxCfgWithMissingTLSSecret(t *testing.T) {
 	cafeIngressEx.SecretRefs["cafe-secret"].Error = errors.New("secret doesn't exist")
 	configParams := NewDefaultConfigParams()
 
-	apRes := make(map[string]string)
+	apRes := AppProtectResources{}
 	result, resultWarnings := generateNginxCfg(&cafeIngressEx, apRes, false, configParams, false, false, &StaticConfigParams{}, false)
 
 	expectedSSLRejectHandshake := true
@@ -109,7 +109,7 @@ func TestGenerateNginxCfgWithWildcardTLSSecret(t *testing.T) {
 	cafeIngressEx.Ingress.Spec.TLS[0].SecretName = ""
 	configParams := NewDefaultConfigParams()
 
-	apRes := make(map[string]string)
+	apRes := AppProtectResources{}
 	result, warnings := generateNginxCfg(&cafeIngressEx, apRes, false, configParams, false, false, &StaticConfigParams{}, true)
 
 	resultServer := result.Servers[0]
@@ -352,8 +352,8 @@ func TestGenerateNginxCfgForMergeableIngresses(t *testing.T) {
 
 	configParams := NewDefaultConfigParams()
 
-	masterApRes := make(map[string]string)
-	result, warnings := generateNginxCfgForMergeableIngresses(mergeableIngresses, masterApRes, configParams, isPlus, false, &StaticConfigParams{}, false)
+	masterApRes := AppProtectResources{}
+	result, warnings := generateNginxCfgForMergeableIngresses(mergeableIngresses, masterApRes, configParams, false, false, &StaticConfigParams{}, false)
 
 	if diff := cmp.Diff(expected, result); diff != "" {
 		t.Errorf("generateNginxCfgForMergeableIngresses() returned unexpected result (-want +got):\n%s", diff)
@@ -377,7 +377,7 @@ func TestGenerateNginxConfigForCrossNamespaceMergeableIngresses(t *testing.T) {
 	expected := createExpectedConfigForCrossNamespaceMergeableCafeIngress()
 	configParams := NewDefaultConfigParams()
 
-	emptyApResources := make(map[string]string)
+	emptyApResources := AppProtectResources{}
 	result, warnings := generateNginxCfgForMergeableIngresses(mergeableIngresses, emptyApResources, configParams, false, false, &StaticConfigParams{}, false)
 
 	if diff := cmp.Diff(expected, result); diff != "" {
@@ -442,7 +442,7 @@ func TestGenerateNginxCfgForMergeableIngressesForJWT(t *testing.T) {
 	minionJwtKeyFileNames[objectMetaToFileName(&mergeableIngresses.Minions[0].Ingress.ObjectMeta)] = "/etc/nginx/secrets/default-coffee-jwk"
 	configParams := NewDefaultConfigParams()
 
-	masterApRes := make(map[string]string)
+	masterApRes := AppProtectResources{}
 	result, warnings := generateNginxCfgForMergeableIngresses(mergeableIngresses, masterApRes, configParams, isPlus, false, &StaticConfigParams{}, false)
 
 	if !reflect.DeepEqual(result.Servers[0].JWTAuth, expected.Servers[0].JWTAuth) {
@@ -837,8 +837,8 @@ func TestGenerateNginxCfgForSpiffe(t *testing.T) {
 		expected.Servers[0].Locations[i].SSL = true
 	}
 
-	apResources := make(map[string]string)
-	result, warnings := generateNginxCfg(&cafeIngressEx, apResources, false, configParams, isPlus, false,
+	apResources := AppProtectResources{}
+	result, warnings := generateNginxCfg(&cafeIngressEx, apResources, false, configParams, false, false,
 		&StaticConfigParams{NginxServiceMesh: true}, false)
 
 	if diff := cmp.Diff(expected, result); diff != "" {
@@ -861,8 +861,8 @@ func TestGenerateNginxCfgForInternalRoute(t *testing.T) {
 	expected.Servers[0].SpiffeCerts = true
 	expected.Ingress.Annotations[internalRouteAnnotation] = "true"
 
-	apResources := make(map[string]string)
-	result, warnings := generateNginxCfg(&cafeIngressEx, apResources, false, configParams, isPlus, false,
+	apResources := AppProtectResources{}
+	result, warnings := generateNginxCfg(&cafeIngressEx, apResources, false, configParams, false, false,
 		&StaticConfigParams{NginxServiceMesh: true, EnableInternalRoutes: true}, false)
 
 	if diff := cmp.Diff(expected, result); diff != "" {
@@ -1311,19 +1311,23 @@ func TestGenerateNginxCfgForAppProtect(t *testing.T) {
 			},
 		},
 	}
-	cafeIngressEx.AppProtectLogConf = &unstructured.Unstructured{
-		Object: map[string]interface{}{
-			"metadata": map[string]interface{}{
-				"namespace": "default",
-				"name":      "logconf",
+	cafeIngressEx.AppProtectLogs = []AppProtectLog{
+		{
+			LogConf: &unstructured.Unstructured{
+				Object: map[string]interface{}{
+					"metadata": map[string]interface{}{
+						"namespace": "default",
+						"name":      "logconf",
+					},
+				},
 			},
 		},
 	}
 
 	configParams := NewDefaultConfigParams()
-	apRes := map[string]string{
-		appProtectPolicyKey:  "/etc/nginx/waf/nac-policies/default_dataguard-alarm",
-		appProtectLogConfKey: "/etc/nginx/waf/nac-logconfs/default_logconf syslog:server=127.0.0.1:514",
+	apRes := AppProtectResources{
+		AppProtectPolicy:   "/etc/nginx/waf/nac-policies/default_dataguard-alarm",
+		AppProtectLogconfs: []string{"/etc/nginx/waf/nac-logconfs/default_logconf syslog:server=127.0.0.1:514"},
 	}
 	staticCfgParams := &StaticConfigParams{
 		MainAppProtectLoadModule: true,
@@ -1334,7 +1338,7 @@ func TestGenerateNginxCfgForAppProtect(t *testing.T) {
 	expected := createExpectedConfigForCafeIngressEx(isPlus)
 	expected.Servers[0].AppProtectEnable = "on"
 	expected.Servers[0].AppProtectPolicy = "/etc/nginx/waf/nac-policies/default_dataguard-alarm"
-	expected.Servers[0].AppProtectLogConf = "/etc/nginx/waf/nac-logconfs/default_logconf syslog:server=127.0.0.1:514"
+	expected.Servers[0].AppProtectLogConfs = []string{"/etc/nginx/waf/nac-logconfs/default_logconf syslog:server=127.0.0.1:514"}
 	expected.Servers[0].AppProtectLogEnable = "on"
 	expected.Ingress.Annotations = cafeIngressEx.Ingress.Annotations
 
@@ -1359,19 +1363,23 @@ func TestGenerateNginxCfgForMergeableIngressesForAppProtect(t *testing.T) {
 			},
 		},
 	}
-	mergeableIngresses.Master.AppProtectLogConf = &unstructured.Unstructured{
-		Object: map[string]interface{}{
-			"metadata": map[string]interface{}{
-				"namespace": "default",
-				"name":      "logconf",
+	mergeableIngresses.Master.AppProtectLogs = []AppProtectLog{
+		{
+			LogConf: &unstructured.Unstructured{
+				Object: map[string]interface{}{
+					"metadata": map[string]interface{}{
+						"namespace": "default",
+						"name":      "logconf",
+					},
+				},
 			},
 		},
 	}
 
 	configParams := NewDefaultConfigParams()
-	apRes := map[string]string{
-		appProtectPolicyKey:  "/etc/nginx/waf/nac-policies/default_dataguard-alarm",
-		appProtectLogConfKey: "/etc/nginx/waf/nac-logconfs/default_logconf syslog:server=127.0.0.1:514",
+	apRes := AppProtectResources{
+		AppProtectPolicy:   "/etc/nginx/waf/nac-policies/default_dataguard-alarm",
+		AppProtectLogconfs: []string{"/etc/nginx/waf/nac-logconfs/default_logconf syslog:server=127.0.0.1:514"},
 	}
 	staticCfgParams := &StaticConfigParams{
 		MainAppProtectLoadModule: true,
@@ -1382,7 +1390,7 @@ func TestGenerateNginxCfgForMergeableIngressesForAppProtect(t *testing.T) {
 	expected := createExpectedConfigForMergeableCafeIngress(isPlus)
 	expected.Servers[0].AppProtectEnable = "on"
 	expected.Servers[0].AppProtectPolicy = "/etc/nginx/waf/nac-policies/default_dataguard-alarm"
-	expected.Servers[0].AppProtectLogConf = "/etc/nginx/waf/nac-logconfs/default_logconf syslog:server=127.0.0.1:514"
+	expected.Servers[0].AppProtectLogConfs = []string{"/etc/nginx/waf/nac-logconfs/default_logconf syslog:server=127.0.0.1:514"}
 	expected.Servers[0].AppProtectLogEnable = "on"
 	expected.Ingress.Annotations = mergeableIngresses.Master.Ingress.Annotations
 
 
@@ -97,7 +97,7 @@ type Server struct {
 	SSLPorts            []int
 	AppProtectEnable    string
 	AppProtectPolicy    string
-	AppProtectLogConf   string
+	AppProtectLogConfs  []string
 	AppProtectLogEnable string
 
 	SpiffeCerts bool
 
@@ -70,7 +70,8 @@ server {
 	{{- end}}
 	{{- if $server.AppProtectLogEnable}}
 	app_protect_security_log_enable {{$server.AppProtectLogEnable}};
-	{{if $server.AppProtectLogConf}}app_protect_security_log {{$server.AppProtectLogConf}};{{end}}
+	{{range $AppProtectLogConf := $server.AppProtectLogConfs}}app_protect_security_log {{$AppProtectLogConf}};
+	{{end}}
 	{{- end}}
 
 	{{if not $server.GRPCOnly}}