[RS-2246] Updates for view WAF ruleset epic #3664

Merged
merged 13 commits into from
Dec 20, 2024

Contributor

@gantony gantony commented Dec 19, 2024

Description

This PR implements operator changes for PMREQ-704 - WAF - Ability to View Rules.

High-level description of the changes from the design doc:

The user-editable part of the ruleset is kept in the modsecurity-ruleset configmap. The name is outdated/misleading as we’re no longer using modsecurity, as we’re now using Coraza.

For this work, we need to:

  • Create a coreruleset-default configmap that holds corerulesets files. This configmap is managed by the operator and is immutable (any changes are reverted to their original value).
  • Rename modsecurity-ruleset to tigera-coreruleset-config to reflect the fact that we no longer use modsecurity and that the purpose of this configmap is to configure the ruleset. While we provide good defaults to kubernetes, the user is encouraged to edit it to fit their needs (as we currently document).
  • Update Dikaste’s deployment to mount the new coreruleset-default configmap as a volume to load the configuration, instead of using the built-in coraza-coreruleset go module.
  • Update Dikaste to use the new configuration loaded from the configmap.

This leverages changes made in https://github.com/tigera/calico-private/pull/8391.

This PR supersedes #3649, which itself replaced #3643 🙈.
While generally smaller PRs are preferred, for this work we felt having all the changes in one place was better.

For PR author

  • Tests for change.
  • If changing pkg/apis/, run make gen-files
  • If changing versions, run make gen-versions

For PR reviewers

A note for code reviewers - all pull requests must have the following:

  • Milestone set according to targeted release.
  • Appropriate labels:
    • kind/bug if this is a bugfix.
    • kind/enhancement if this is a new feature.
    • enterprise if this PR applies to Calico Enterprise only.

@gantony gantony changed the title [RS-2250] Updates for view WAF ruleset epic [RS-2246] Updates for view WAF ruleset epic Dec 19, 2024
@Brian-McM Brian-McM merged commit 09433f9 into tigera:master Dec 20, 2024
5 checks passed
@gantony gantony deleted the antony-no-coraza-default-ruleset branch December 20, 2024 17:12