extra waf rules per ingress (#2315)

* extra waf rules per ingress * document annotation nginx.ingress.kubernetes.io/lua-resty-waf-extra-rules * regenerate internal/file/bindata.go
2018-04-09 06:14:30 -04:00 · 2018-04-09 06:14:30 -04:00 · bad8295a42
commit bad8295a42
parent 16faf309ca
5 changed files with 67 additions and 8 deletions
--- a/internal/file/bindata.go
+++ b/internal/file/bindata.go
--- a/internal/ingress/annotations/luarestywaf/main.go
+++ b/internal/ingress/annotations/luarestywaf/main.go
@ -28,9 +28,10 @@ import (

 // Config returns lua-resty-waf configuration for an Ingress rule
 type Config struct {
-	Enabled         bool     `json:"enabled"`
-	Debug           bool     `json:"debug"`
-	IgnoredRuleSets []string `json: "ignored-rulesets"`
+	Enabled            bool     `json:"enabled"`
+	Debug              bool     `json:"debug"`
+	IgnoredRuleSets    []string `json: "ignored-rulesets"`
+	ExtraRulesetString string   `json: "extra-ruleset-string"`
 }

 // Equal tests for equality between two Config types
@ -50,6 +51,9 @@ func (e1 *Config) Equal(e2 *Config) bool {
 	if !reflect.DeepEqual(e1.IgnoredRuleSets, e2.IgnoredRuleSets) {
 		return false
 	}
+	if e1.ExtraRulesetString != e2.ExtraRulesetString {
+		return false
+	}

 	return true
 }
@ -80,9 +84,13 @@ func (a luarestywaf) Parse(ing *extensions.Ingress) (interface{}, error) {
 		return strC == "," || strC == " "
 	})

+	// TODO(elvinefendi) maybe validate the ruleset string here
+	extraRulesetString, _ := parser.GetStringAnnotation("lua-resty-waf-extra-rules", ing)
+
 	return &Config{
-		Enabled:         enabled,
-		Debug:           debug,
-		IgnoredRuleSets: ignoredRuleSets,
+		Enabled:            enabled,
+		Debug:              debug,
+		IgnoredRuleSets:    ignoredRuleSets,
+		ExtraRulesetString: extraRulesetString,
 	}, nil
 }