NAP WAF Design #3341

Closed
mpstefan opened this issue Apr 28, 2025 · 1 comment · Fixed by #3398

Comments

@mpstefan
Member

As a maintainer of NGF
I want a design to describe the UX and high-level implementation details I need for WAF v5
So that I can implement that design later to build the feature in NGF.

Acceptance

  • Design should include UX around:
    • How does the user "enable" WAF v5
    • How does the user update signatures
    • How does the design work with SecOps and cluster operator personas?
  • An extension to the Gateway API is included to configure WAF v5 functionality
  • How NGF deployments change when deploying with WAF v5
  • Identify major UX gaps
@mpstefan mpstefan added the enhancement New feature or request label Apr 28, 2025
@mpstefan mpstefan added this to the v2.1.0 milestone Apr 28, 2025
@mpstefan mpstefan added the refined Requirements are refined and the issue is ready to be implemented. label Apr 28, 2025
@ciarams87 ciarams87 moved this from 🆕 New to 🏗 In Progress in NGINX Gateway Fabric May 14, 2025
@ciarams87 ciarams87 moved this from 🏗 In Progress to 👀 In Review in NGINX Gateway Fabric May 22, 2025
@ciarams87
Contributor

ciarams87 commented May 28, 2025

Proposed task breakdown (high-level, pending enhancement proposal acceptance)

  1. Create CRD for WafPolicy
  2. Build WAF-enabled NGINX Plus image & extend pipelines to publish image
  3. Extend NGINXProxy with waf enabled toggle & conditionally deploy WAF containers as part of the NGINX deployment when enabled
  4. Implement WafPolicy controller & generate the correct NGINX configuration (Route and Gateway; Policy bundle and security logs configurations)
  5. Apply status to WafPolicy and affected resources
  6. Implement Policy Fetcher implementation for WafPolicy (including distributing the policies to NGINX via Agent; policy integrity validation via Checksum validation)
  7. Implement Auth for policy fetcher (native cloud auth, HTTP basic auth, HTTP bearer token auth)
  8. Implement polling for policy bundle changes - checksum-based change detection
  9. Add telemetry for WAF enablement
  10. Complete TMA for WAF integration
  11. Create functional tests for the WAF integration
  12. Extend NFR tests to cover WAF integration
  13. Create user guide for NAP WAF integration
  14. Extend the rest of the documentation for WAF integration where required

@github-project-automation github-project-automation bot moved this from 👀 In Review to ✅ Done in NGINX Gateway Fabric Jun 11, 2025