Add WAF parameters to NGINXProxy resource

Author: ciarams87

apis/v1alpha2/nginxproxy_types.go

@@ -72,12 +72,35 @@ type NginxProxySpec struct {
 	//
 	// +optional
 	DisableHTTP2 *bool `json:"disableHTTP2,omitempty"`
+	// WAF enables NGINX App Protect WAF functionality.
+	// When enabled, NGINX Gateway Fabric will deploy additional WAF containers
+	// (waf-enforcer and waf-config-mgr) alongside the main NGINX container.
+	// Default is "Disabled".
+	//
+	// +optional
+	// +kubebuilder:default:=Disabled
+	WAF *WAFState `json:"waf,omitempty"`
 	// Kubernetes contains the configuration for the NGINX Deployment and Service Kubernetes objects.
 	//
 	// +optional
 	Kubernetes *KubernetesSpec `json:"kubernetes,omitempty"`
 }
 
+// WAFState defines the state of WAF functionality.
+//
+// +kubebuilder:validation:Enum=Enabled;Disabled
+type WAFState string
+
+const (
+	// WAFEnabled enables NGINX App Protect WAF functionality.
+	// This will deploy additional containers for WAF enforcement and configuration management.
+	WAFEnabled WAFState = "Enabled"
+
+	// WAFDisabled disables NGINX App Protect WAF functionality.
+	// Only the standard NGINX container will be deployed.
+	WAFDisabled WAFState = "Disabled"
+)
+
 // Telemetry specifies the OpenTelemetry configuration.
 type Telemetry struct {
 	// DisabledFeatures specifies OpenTelemetry features to be disabled.
@@ -388,6 +411,12 @@ type DeploymentSpec struct {
 	// +optional
 	Replicas *int32 `json:"replicas,omitempty"`
 
+	// WAFContainers defines container specifications for NGINX App Protect WAF v5 containers.
+	// These containers are only deployed when WAF is enabled in the NginxProxy spec.
+	//
+	// +optional
+	WAFContainers *WAFContainerSpec `json:"wafContainers,omitempty"`
+
 	// Pod defines Pod-specific fields.
 	//
 	// +optional
@@ -401,6 +430,12 @@ type DeploymentSpec struct {
 
 // DaemonSet is the configuration for the NGINX DaemonSet.
 type DaemonSetSpec struct {
+	// WAFContainers defines container specifications for NGINX App Protect WAF v5 containers.
+	// These containers are only deployed when WAF is enabled in the NginxProxy spec.
+	//
+	// +optional
+	WAFContainers *WAFContainerSpec `json:"wafContainers,omitempty"`
+
 	// Pod defines Pod-specific fields.
 	//
 	// +optional
@@ -485,6 +520,40 @@ type ContainerSpec struct {
 	VolumeMounts []corev1.VolumeMount `json:"volumeMounts,omitempty"`
 }
 
+// WAFContainerSpec defines the container specifications for NGINX App Protect WAF v5.
+// NAP v5 requires two additional containers: waf-enforcer and waf-config-mgr.
+type WAFContainerSpec struct {
+	// Enforcer defines the configuration for the WAF enforcer container.
+	// This container performs the actual WAF enforcement and policy application.
+	//
+	// +optional
+	Enforcer *WAFContainerConfig `json:"enforcer,omitempty"`
+
+	// ConfigManager defines the configuration for the WAF configuration manager container.
+	// This container manages policy configuration and communication with the enforcer.
+	//
+	// +optional
+	ConfigManager *WAFContainerConfig `json:"configManager,omitempty"`
+}
+
+// WAFContainerConfig defines the configuration for a single WAF container.
+type WAFContainerConfig struct {
+	// Image is the container image to use for this WAF container.
+	//
+	// +optional
+	Image *Image `json:"image,omitempty"`
+
+	// Resources describes the compute resource requirements for this WAF container.
+	//
+	// +optional
+	Resources *corev1.ResourceRequirements `json:"resources,omitempty"`
+
+	// VolumeMounts describe the mounting of Volumes within the WAF container.
+	//
+	// +optional
+	VolumeMounts []corev1.VolumeMount `json:"volumeMounts,omitempty"`
+}
+
 // Image is the NGINX image to use.
 type Image struct {
 	// Repository is the image path.

apis/v1alpha2/zz_generated.deepcopy.go

@@ -259,7 +259,7 @@ The following table lists the configurable parameters of the NGINX Gateway Fabri
 | `certGenerator.serverTLSSecretName` | The name of the Secret containing TLS CA, certificate, and key for the NGINX Gateway Fabric control plane to securely communicate with the NGINX Agent. Must exist in the same namespace that the NGINX Gateway Fabric control plane is running in (default namespace: nginx-gateway). | string | `"server-tls"` |
 | `clusterDomain` | The DNS cluster domain of your Kubernetes cluster. | string | `"cluster.local"` |
 | `gateways` | A list of Gateway objects. View https://gateway-api.sigs.k8s.io/reference/spec/#gateway for full Gateway reference. | list | `[]` |
-| `nginx` | The nginx section contains the configuration for all NGINX data plane deployments installed by the NGINX Gateway Fabric control plane. | object | `{"config":{},"container":{},"debug":false,"image":{"pullPolicy":"Always","repository":"ghcr.io/nginx/nginx-gateway-fabric/nginx","tag":"edge"},"imagePullSecret":"","imagePullSecrets":[],"kind":"deployment","plus":false,"pod":{},"replicas":1,"service":{"externalTrafficPolicy":"Local","loadBalancerClass":"","loadBalancerIP":"","loadBalancerSourceRanges":[],"nodePorts":[],"type":"LoadBalancer"},"usage":{"caSecretName":"","clientSSLSecretName":"","endpoint":"","resolver":"","secretName":"nplus-license","skipVerify":false}}` |
+| `nginx` | The nginx section contains the configuration for all NGINX data plane deployments installed by the NGINX Gateway Fabric control plane. | object | `{"config":{},"container":{},"debug":false,"image":{"pullPolicy":"Always","repository":"ghcr.io/nginx/nginx-gateway-fabric/nginx","tag":"edge"},"imagePullSecret":"","imagePullSecrets":[],"kind":"deployment","plus":false,"pod":{},"replicas":1,"service":{"externalTrafficPolicy":"Local","loadBalancerClass":"","loadBalancerIP":"","loadBalancerSourceRanges":[],"nodePorts":[],"type":"LoadBalancer"},"usage":{"caSecretName":"","clientSSLSecretName":"","endpoint":"","resolver":"","secretName":"nplus-license","skipVerify":false},"wafContainers":{}}` |
 | `nginx.config` | The configuration for the data plane that is contained in the NginxProxy resource. This is applied globally to all Gateways managed by this instance of NGINX Gateway Fabric. | object | `{}` |
 | `nginx.container` | The container configuration for the NGINX container. This is applied globally to all Gateways managed by this instance of NGINX Gateway Fabric. | object | `{}` |
 | `nginx.debug` | Enable debugging for NGINX. Uses the nginx-debug binary. The NGINX error log level should be set to debug in the NginxProxy resource. | bool | `false` |
@@ -283,6 +283,7 @@ The following table lists the configurable parameters of the NGINX Gateway Fabri
 | `nginx.usage.resolver` | The nameserver used to resolve the NGINX Plus usage reporting endpoint. Used with NGINX Instance Manager. | string | `""` |
 | `nginx.usage.secretName` | The name of the Secret containing the JWT for NGINX Plus usage reporting. Must exist in the same namespace that the NGINX Gateway Fabric control plane is running in (default namespace: nginx-gateway). | string | `"nplus-license"` |
 | `nginx.usage.skipVerify` | Disable client verification of the NGINX Plus usage reporting server certificate. | bool | `false` |
+| `nginx.wafContainers` | Configuration for NGINX App Protect WAF v5 containers. These containers are only deployed when WAF is enabled via nginx.config.waf: "Enabled". All settings are optional overrides - defaults are provided by NGF. | object | `{}` |
 | `nginxGateway` | The nginxGateway section contains configuration for the NGINX Gateway Fabric control plane deployment. | object | `{"affinity":{},"config":{"logging":{"level":"info"}},"configAnnotations":{},"extraVolumeMounts":[],"extraVolumes":[],"gatewayClassAnnotations":{},"gatewayClassName":"nginx","gatewayControllerName":"gateway.nginx.org/nginx-gateway-controller","gwAPIExperimentalFeatures":{"enable":false},"image":{"pullPolicy":"Always","repository":"ghcr.io/nginx/nginx-gateway-fabric","tag":"edge"},"kind":"deployment","labels":{},"leaderElection":{"enable":true,"lockName":""},"lifecycle":{},"metrics":{"enable":true,"port":9113,"secure":false},"nodeSelector":{},"podAnnotations":{},"productTelemetry":{"enable":true},"readinessProbe":{"enable":true,"initialDelaySeconds":3,"port":8081},"replicas":1,"resources":{},"service":{"annotations":{}},"serviceAccount":{"annotations":{},"imagePullSecret":"","imagePullSecrets":[],"name":""},"snippetsFilters":{"enable":false},"terminationGracePeriodSeconds":30,"tolerations":[],"topologySpreadConstraints":[]}` |
 | `nginxGateway.affinity` | The affinity of the NGINX Gateway Fabric control plane pod. | object | `{}` |
 | `nginxGateway.config.logging.level` | Log level. | string | `"info"` |

charts/nginx-gateway-fabric/README.md

@@ -26,6 +26,10 @@ spec:
         {{- if .Values.nginx.debug }}
         debug: {{ .Values.nginx.debug }}
         {{- end }}
+      {{- if and .Values.nginx.wafContainers }}
+      wafContainers:
+        {{- toYaml .Values.nginx.wafContainers | nindent 8 }}
+      {{- end }}
     {{- end }}
     {{- if eq .Values.nginx.kind "daemonSet" }}
     daemonSet:
@@ -42,6 +46,10 @@ spec:
         {{- if .Values.nginx.debug }}
         debug: {{ .Values.nginx.debug }}
         {{- end }}
+      {{- if and .Values.nginx.wafContainers }}
+      wafContainers:
+        {{- toYaml .Values.nginx.wafContainers | nindent 8 }}
+      {{- end }}
     {{- end }}
     {{- if .Values.nginx.service }}
     service:

charts/nginx-gateway-fabric/templates/nginxproxy.yaml

@@ -268,6 +268,15 @@
               },
               "required": [],
               "type": "object"
+            },
+            "waf": {
+              "description": "WAF enables NGINX App Protect WAF functionality.",
+              "enum": [
+                "Enabled",
+                "Disabled"
+              ],
+              "required": [],
+              "type": "string"
             }
           },
           "required": [],
@@ -488,6 +497,12 @@
           "required": [],
           "title": "usage",
           "type": "object"
+        },
+        "wafContainers": {
+          "description": "Configuration for NGINX App Protect WAF v5 containers.\nThese containers are only deployed when WAF is enabled via nginx.config.waf: \"Enabled\".\nAll settings are optional overrides - defaults are provided by NGF.",
+          "required": [],
+          "title": "wafContainers",
+          "type": "object"
         }
       },
       "required": [],

charts/nginx-gateway-fabric/values.schema.json

@@ -367,6 +367,12 @@ nginx:
   #                 - IPAddress
   #             value:
   #               type: string
+  #   waf:
+  #     type: string
+  #     description: WAF enables NGINX App Protect WAF functionality.
+  #     enum:
+  #       - Enabled
+  #       - Disabled
   # @schema
   # -- The configuration for the data plane that is contained in the NginxProxy resource. This is applied globally to all Gateways
   # managed by this instance of NGINX Gateway Fabric.
@@ -406,6 +412,33 @@ nginx:
     # -- extraVolumeMounts are the additional volume mounts for the NGINX container.
     # extraVolumeMounts: []
 
+  # -- Configuration for NGINX App Protect WAF v5 containers.
+  # These containers are only deployed when WAF is enabled via nginx.config.waf: "Enabled".
+  # All settings are optional overrides - defaults are provided by NGF.
+  wafContainers: {}
+    # -- WAF Enforcer container configuration.
+    # enforcer:
+    #   image: {}
+
+    # -- The resource requirements of the WAF Enforcer container.
+    #   resources: {}
+    #
+    #   # -- Additional volume mounts for the WAF enforcer container.
+    #   # NAP v5 shared volumes are automatically configured by NGF.
+    #   volumeMounts: []
+
+    # -- WAF Configuration Manager container configuration.
+    # configManager:
+    #   # -- Container image configuration
+    #   image: {}
+    #
+    #   # -- The resource requirements of the WAF config manager container.
+    #   resources: {}
+
+    #   # -- Additional volume mounts for the WAF config manager container.
+    #   # NAP v5 shared volumes are automatically configured by NGF.
+    #   volumeMounts: []
+
   # -- The service configuration for the NGINX data plane. This is applied globally to all Gateways managed by this
   # instance of NGINX Gateway Fabric.
   service: