App Policy Bundle (#3560)

App Policy Bundle
nginxinc · Feb 23, 2023 · 14ebdc4 · 14ebdc4
1 parent 8ae8509
commit 14ebdc4
Show file tree

Hide file tree

Showing 11 changed files with 506 additions and 10 deletions.
diff --git a/deployments/common/crds/k8s.nginx.org_policies.yaml b/deployments/common/crds/k8s.nginx.org_policies.yaml
@@ -160,6 +160,8 @@ spec:
                   description: WAF defines an WAF policy.
                   type: object
                   properties:
+                    apBundle:
+                      type: string
                     apPolicy:
                       type: string
                     enable:

diff --git a/deployments/helm-chart/crds/k8s.nginx.org_policies.yaml b/deployments/helm-chart/crds/k8s.nginx.org_policies.yaml
@@ -160,6 +160,8 @@ spec:
                   description: WAF defines an WAF policy.
                   type: object
                   properties:
+                    apBundle:
+                      type: string
                     apPolicy:
                       type: string
                     enable:

diff --git a/internal/configs/configurator.go b/internal/configs/configurator.go
@@ -32,6 +32,7 @@ import (
 
 const (
 	pemFileNameForWildcardTLSSecret = "/etc/nginx/secrets/wildcard" // #nosec G101
+	appProtectBundleFolder          = "/etc/nginx/waf/bundles/"
 	appProtectPolicyFolder          = "/etc/nginx/waf/nac-policies/"
 	appProtectLogConfFolder         = "/etc/nginx/waf/nac-logconfs/"
 	appProtectUserSigFolder         = "/etc/nginx/waf/nac-usersigs/"

diff --git a/internal/configs/version2/http.go b/internal/configs/version2/http.go
@@ -126,6 +126,7 @@ type OIDC struct {
 type WAF struct {
 	Enable              string
 	ApPolicy            string
+	ApBundle            string
 	ApSecurityLogEnable bool
 	ApLogConf           []string
 }

diff --git a/internal/configs/version2/nginx-plus.virtualserver.tmpl b/internal/configs/version2/nginx-plus.virtualserver.tmpl
@@ -225,6 +225,10 @@ server {
     app_protect_policy_file {{ .ApPolicy }};
         {{ end }}
 
+        {{ if .ApBundle }}
+    app_protect_policy_file {{ .ApBundle }};
+        {{ end }}
+
         {{ if .ApSecurityLogEnable }}
     app_protect_security_log_enable on;
         {{ range $logconf := .ApLogConf }}
@@ -429,6 +433,10 @@ server {
         app_protect_policy_file {{ .ApPolicy }};
             {{ end }}
 
+            {{ if .ApBundle }}
+        app_protect_policy_file {{ .ApBundle }};
+            {{ end }}
+
             {{ if .ApSecurityLogEnable }}
         app_protect_security_log_enable on;
             {{ range $logconf := .ApLogConf }}