lua-resty-waf controller (#2304)

internal/ingress/controller/template/template.go

@@ -119,29 +119,30 @@ var (
 			}
 			return true
 		},
-		"buildLocation":            buildLocation,
-		"buildAuthLocation":        buildAuthLocation,
-		"buildAuthResponseHeaders": buildAuthResponseHeaders,
-		"buildLoadBalancingConfig": buildLoadBalancingConfig,
-		"buildProxyPass":           buildProxyPass,
-		"filterRateLimits":         filterRateLimits,
-		"buildRateLimitZones":      buildRateLimitZones,
-		"buildRateLimit":           buildRateLimit,
-		"buildResolvers":           buildResolvers,
-		"buildUpstreamName":        buildUpstreamName,
-		"isLocationInLocationList": isLocationInLocationList,
-		"isLocationAllowed":        isLocationAllowed,
-		"buildLogFormatUpstream":   buildLogFormatUpstream,
-		"buildDenyVariable":        buildDenyVariable,
-		"getenv":                   os.Getenv,
-		"contains":                 strings.Contains,
-		"hasPrefix":                strings.HasPrefix,
-		"hasSuffix":                strings.HasSuffix,
-		"toUpper":                  strings.ToUpper,
-		"toLower":                  strings.ToLower,
-		"formatIP":                 formatIP,
-		"buildNextUpstream":        buildNextUpstream,
-		"getIngressInformation":    getIngressInformation,
+		"buildLuaSharedDictionaries": buildLuaSharedDictionaries,
+		"buildLocation":              buildLocation,
+		"buildAuthLocation":          buildAuthLocation,
+		"buildAuthResponseHeaders":   buildAuthResponseHeaders,
+		"buildLoadBalancingConfig":   buildLoadBalancingConfig,
+		"buildProxyPass":             buildProxyPass,
+		"filterRateLimits":           filterRateLimits,
+		"buildRateLimitZones":        buildRateLimitZones,
+		"buildRateLimit":             buildRateLimit,
+		"buildResolvers":             buildResolvers,
+		"buildUpstreamName":          buildUpstreamName,
+		"isLocationInLocationList":   isLocationInLocationList,
+		"isLocationAllowed":          isLocationAllowed,
+		"buildLogFormatUpstream":     buildLogFormatUpstream,
+		"buildDenyVariable":          buildDenyVariable,
+		"getenv":                     os.Getenv,
+		"contains":                   strings.Contains,
+		"hasPrefix":                  strings.HasPrefix,
+		"hasSuffix":                  strings.HasSuffix,
+		"toUpper":                    strings.ToUpper,
+		"toLower":                    strings.ToLower,
+		"formatIP":                   formatIP,
+		"buildNextUpstream":          buildNextUpstream,
+		"getIngressInformation":      getIngressInformation,
 		"serverConfig": func(all config.TemplateConfig, server *ingress.Server) interface{} {
 			return struct{ First, Second interface{} }{all, server}
 		},
@@ -167,6 +168,47 @@ func formatIP(input string) string {
 	return fmt.Sprintf("[%s]", input)
 }
 
+func buildLuaSharedDictionaries(s interface{}, dynamicConfigurationEnabled bool, disableLuaRestyWAF bool) string {
+	servers, ok := s.([]*ingress.Server)
+	if !ok {
+		glog.Errorf("expected an '[]*ingress.Server' type but %T was returned", s)
+		return ""
+	}
+
+	out := []string{}
+
+	if dynamicConfigurationEnabled {
+		out = append(out,
+			"lua_shared_dict configuration_data 5M",
+			"lua_shared_dict round_robin_state 1M",
+			"lua_shared_dict locks 512k",
+			"lua_shared_dict balancer_ewma 1M",
+			"lua_shared_dict balancer_ewma_last_touched_at 1M",
+		)
+	}
+
+	if !disableLuaRestyWAF {
+		luaRestyWAFEnabled := func() bool {
+			for _, server := range servers {
+				for _, location := range server.Locations {
+					if location.LuaRestyWAF.Enabled {
+						return true
+					}
+				}
+			}
+			return false
+		}()
+		if luaRestyWAFEnabled {
+			out = append(out, "lua_shared_dict waf_storage 64M")
+		}
+	}
+
+	if len(out) == 0 {
+		return ""
+	}
+	return strings.Join(out, ";\n\r") + ";"
+}
+
 // buildResolvers returns the resolvers reading the /etc/resolv.conf file
 func buildResolvers(res interface{}, disableIpv6 interface{}) string {
 	// NGINX need IPV6 addresses to be surrounded by brackets

internal/ingress/controller/template/template_test.go

@@ -32,6 +32,7 @@ import (
 	"k8s.io/ingress-nginx/internal/file"
 	"k8s.io/ingress-nginx/internal/ingress"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/authreq"
+	"k8s.io/ingress-nginx/internal/ingress/annotations/luarestywaf"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/rewrite"
 	"k8s.io/ingress-nginx/internal/ingress/controller/config"
 )
@@ -296,6 +297,46 @@ var (
 	}
 )
 
+func TestBuildLuaSharedDictionaries(t *testing.T) {
+	servers := []*ingress.Server{
+		{
+			Hostname:  "foo.bar",
+			Locations: []*ingress.Location{{Path: "/", LuaRestyWAF: luarestywaf.Config{}}},
+		},
+		{
+			Hostname:  "another.host",
+			Locations: []*ingress.Location{{Path: "/", LuaRestyWAF: luarestywaf.Config{}}},
+		},
+	}
+
+	config := buildLuaSharedDictionaries(servers, false, false)
+	if config != "" {
+		t.Errorf("expected to not configure any lua shared dictionary, but generated %s", config)
+	}
+	config = buildLuaSharedDictionaries(servers, true, false)
+	if !strings.Contains(config, "lua_shared_dict configuration_data") {
+		t.Errorf("expected to include 'configuration_data' but got %s", config)
+	}
+	if strings.Contains(config, "waf_storage") {
+		t.Errorf("expected to not include 'waf_storage' but got %s", config)
+	}
+
+	servers[1].Locations[0].LuaRestyWAF = luarestywaf.Config{Enabled: true}
+	config = buildLuaSharedDictionaries(servers, false, false)
+	if !strings.Contains(config, "lua_shared_dict waf_storage") {
+		t.Errorf("expected to configure 'waf_storage', but got %s", config)
+	}
+	config = buildLuaSharedDictionaries(servers, true, false)
+	if !strings.Contains(config, "lua_shared_dict waf_storage") {
+		t.Errorf("expected to configure 'waf_storage', but got %s", config)
+	}
+
+	config = buildLuaSharedDictionaries(servers, false, true)
+	if config != "" {
+		t.Errorf("expected to not configure any lua shared dictionary, but generated %s", config)
+	}
+}
+
 func TestFormatIP(t *testing.T) {
 	cases := map[string]struct {
 		Input, Output string