Implement WAFPolicy controller #3532
Draft
+3,000
−27
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
enhancement
This was
linked to
issues
Jun 21, 2025
ciarams87
force-pushed
the
feat/wafpolicy-ctlr
branch
2 times, most recently
from
e3a3e51 to
89122cd
Compare
6 tasks
ciarams87
force-pushed
the
feat/wafpolicy-ctlr
branch
from
89122cd to
469bfd8
Compare
tataruty
reviewed
Jun 24, 2025
internal/controller/nginx/config/policies/wafsettings/generator.go
Outdated
Show resolved
Hide resolved
ciarams87
force-pushed
the
feat/wafpolicy-ctlr
branch
from
469bfd8 to
77a793f
Compare
ciarams87
force-pushed
the
feat/wafpolicy-ctlr
branch
from
ddeaa8e to
499cfed
Compare
tataruty
reviewed
Jun 25, 2025
| if conds := validator.ValidateGlobalSettings(policy.Source, globalSettings); len(conds) > 0 { | ||
| ancestor.Conditions = conds | ||
| policy.Ancestors = append(policy.Ancestors, ancestor) | ||
| return |
There was a problem hiding this comment.
is there any mechanism to log failed validation if it takes a place?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Proposed changes
Problem:
As a user of NGF
I want NGF to fetch my NAP WAF Policy bundle from a remote location and I want my WafPolicy configuration applied to NGINX for the Gateway or Route scope and
So that that this bundle can be applied and I can enable WAF protection on my traffic
Solution: Implement the policy fetcher and the WAFPolicy controller.
This solution deliberately omits status, polling, and authentication, as they will be done in future PRs.
Testing: Over 90% unit test coverage, added and extended BDD tests where appropriate, and manual testing in a GKE cluster
Please focus on (optional): I split out the policy fetcher into a separate PR. The WAFPolicy controller code is the final commit in this PR, as it depends on the policy fetcher functionality.
Closes: #3454
Checklist
Before creating a PR, run through this checklist and mark each as complete.
Release notes
If this PR introduces a change that affects users and needs to be mentioned in the release notes,
please add a brief note that summarizes the change.