feat: Convert K8s configuration to includes for both cases

Author: ADubhlaoich

content/includes/nap-waf/nap-k8s-mtls-deployment.md

@@ -0,0 +1,90 @@
+To secure traffic between NGINX and App Protect Enforcer using mTLS, follow the steps below:
+
+{{< note >}} Refer to the [Configuration Guide]({{< relref "/nap-waf/v5/configuration-guide/configuration.md#secure-traffic-between-nginx-and-app-protect-enforcer-using-mtls" >}}) to generate certificates and modify the `nginx.conf` for mTLS.
+{{< /note >}}
+
+First, create a Kubernetes Secret that contains the certificate and key files:
+	
+```shell
+	kubectl create secret generic enforcer-certificates \
+	--from-file=app_protect_server.crt=/path/to/app_protect_server.crt \
+	--from-file=app_protect_server.key=/path/to/app_protect_server.key \
+	--from-file=app_protect_client_ca.crt=/path/to/app_protect_client_ca.crt
+```
+
+Next, update or create the `nap5-deployment.yaml` to mount the Secret as a volume and set the environment variables to point to the mounted files: 
+
+```yaml
+	apiVersion: apps/v1
+	kind: Deployment
+	metadata:
+	  name: nap5-deployment
+	spec:
+	  selector:
+	    matchLabels:
+	      app: nap5
+	  replicas: 2
+	  template:
+	    metadata:
+	      labels:
+	        app: nap5
+	    spec:
+	      imagePullSecrets:
+	          - name: regcred
+	      containers:
+	        - name: nginx
+	          image: <your-private-registry>/nginx-app-protect-5:<your-tag>
+	          imagePullPolicy: IfNotPresent
+	          volumeMounts:
+	            - name: app-protect-bd-config
+	              mountPath: /opt/app_protect/bd_config
+	            - name: app-protect-config
+	              mountPath: /opt/app_protect/config
+	            - name: certs
+	              mountPath: /etc/ssl/certs
+	              readOnly: true
+	            - name: waf-enforcer
+	              image: private-registry.nginx.com/nap/waf-enforcer:<version-tag>
+	              imagePullPolicy: IfNotPresent
+	              env:
+	                - name: ENFORCER_PORT
+	                  value: "4431"
+	                - name: ENFORCER_SERVER_CERT
+	                  value: "/etc/ssl/certs/app_protect_server.crt"
+	                - name: ENFORCER_SERVER_KEY
+	                  value: "/etc/ssl/certs/app_protect_server.key"
+	                - name: ENFORCER_CA_FILE
+	                  value: "/etc/ssl/certs/app_protect_client_ca.crt"
+	              volumeMounts:
+	                - name: app-protect-bd-config
+	                  mountPath: /opt/app_protect/bd_config
+	                - name: certs
+	                  mountPath: /etc/ssl/certs
+	                  readOnly: true
+	            - name: waf-config-mgr
+	              image: private-registry.nginx.com/nap/waf-config-mgr:<version-tag>
+	              imagePullPolicy: IfNotPresent
+	              securityContext:
+	                allowPrivilegeEscalation: false
+	                capabilities:
+	                  drop:
+	                    - all
+	              volumeMounts:
+	                - name: app-protect-bd-config
+	                  mountPath: /opt/app_protect/bd_config
+	                - name: app-protect-config
+	                  mountPath: /opt/app_protect/config
+	                - name: app-protect-bundles
+	                  mountPath: /etc/app_protect/bundles
+	          volumes:
+	            - name: app-protect-bd-config
+	              emptyDir: {}
+	            - name: app-protect-config
+	              emptyDir: {}
+	            - name: app-protect-bundles
+	              persistentVolumeClaim:
+	                claimName: nap5-bundles-pvc
+	            - name: certs
+	              secret:
+	                secretName: enforcer-certificates
+```

content/includes/nap-waf/nap-k8s-readonly-context.md

@@ -0,0 +1,129 @@
+The first step is to add the `readOnlyRootFilesystem` value (as *true*) to your Kubernetes pod security context as follows:
+
+```yaml
+containers:
+    - name: nginx
+      ...
+      securityContext:
+          readOnlyRootFilesystem: true
+    - name: waf-enforcer
+      ...
+      securityContext:
+          readOnlyRootFilesystem: true
+    - name: waf-config-mgr
+      ...
+      securityContext:
+          readOnlyRootFilesystem: true
+```
+
+With a read-only root file system, you will likely still require write access for certain directories, such as logs and temporary files. You can add these directories by mounting them as writable volumes in your Kubernetes deployment. 
+
+In this example, `/tmp` and `/var/log/nginx` are writable directories, essential for NGINX and App Protect operations.
+
+```yaml
+containers:
+    - name: nginx
+      ...
+      volumeMounts:
+           - name: app-protect-bd-config
+             mountPath: /opt/app_protect/bd_config
+           - name: app-protect-config
+             mountPath: /opt/app_protect/config
+           - name: tmp-volume
+             mountPath: /tmp
+           - name: nginx-log
+             mountPath: /var/log/nginx
+           - name: app-protect-bundles
+             mountPath: /etc/app_protect/bundles
+...
+
+volumes:
+        - name: app-protect-bd-config
+          emptyDir: {}
+        - name: app-protect-config
+          emptyDir: {}
+        - name: nginx-log
+          emptyDir: {}
+        - name: tmp-volume
+          emptyDir: {}
+        - name: app-protect-bundles
+          persistentVolumeClaim:
+            claimName: nap5-bundles-pvc 
+```
+
+A full example might look like the following:
+
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nap5-deployment
+spec:
+  selector:
+    matchLabels:
+      app: nap5
+  replicas: 2
+  template:
+    metadata:
+      labels:
+        app: nap5
+    spec:
+      imagePullSecrets:
+        - name: regcred
+      containers:
+        - name: nginx
+          image: <your-private-registry>/nginx-app-protect-5:<your-tag>
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            readOnlyRootFilesystem: true
+          volumeMounts:
+            - name: app-protect-bd-config
+              mountPath: /opt/app_protect/bd_config
+            - name: app-protect-config
+              mountPath: /opt/app_protect/config
+            - name: tmp-volume
+              mountPath: /tmp
+            - name: nginx-log
+              mountPath: /var/log/nginx
+            - name: app-protect-bundles
+              mountPath: /etc/app_protect/bundles
+        - name: waf-enforcer
+          image: private-registry.nginx.com/nap/waf-enforcer:<version-tag>
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            readOnlyRootFilesystem: true
+          env:
+            - name: ENFORCER_PORT
+              value: "50000"
+          volumeMounts:
+            - name: app-protect-bd-config
+              mountPath: /opt/app_protect/bd_config
+        - name: waf-config-mgr
+          image: private-registry.nginx.com/nap/waf-config-mgr:<version-tag>
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+                - all
+          volumeMounts:
+            - name: app-protect-bd-config
+              mountPath: /opt/app_protect/bd_config
+            - name: app-protect-config
+              mountPath: /opt/app_protect/config
+            - name: app-protect-bundles
+              mountPath: /etc/app_protect/bundles
+      volumes:
+        - name: app-protect-bd-config
+          emptyDir: {}
+        - name: app-protect-config
+          emptyDir: {}
+        - name: nginx-log
+          emptyDir: {}
+        - name: tmp-volume
+          emptyDir: {}
+        - name: app-protect-bundles
+          persistentVolumeClaim:
+            claimName: nap5-bundles-pvc 
+```

content/includes/nap-waf/nap-k8s-readonly-introduction.md

@@ -0,0 +1,6 @@
+NGINX App Protect WAF v5 allows you to enable the `readOnlyRootFilesystem` option in your [Kubernetes Configuration](
+https://kubernetes.io/docs/tasks/configure-pod-container/security-context/). This option restricts the root filesystem to read-only mode, which improves security by limiting potential write access in case of compromise.
+
+To enable this feature, you will need a Kubernetes cluster that supports read-only root file systems, and you access to the NGINX and NGINX App Protect WAF configurations. 
+
+You may need to identify any extra paths that need to be writable by App Protect during runtime: the following steps assume you are using the defaults path.

content/includes/nap-waf/nap-k8s-readonly-issues.md

@@ -0,0 +1,9 @@
+**Permission denied errors**
+
+If you encounter file permission issues, verify that the paths requiring write access are correctly configured as writable volumes in the pod manifest.
+ 
+**NGINX App Protect WAF initialization errors**:  
+
+Check the NGINX and NGINX App Protect Logs to ensure that App Protect can write to necessary files like logs and temporary directories.
+
+For general issues, read the [Troubleshooting]({{< ref "/nap-waf/v5/troubleshooting-guide/troubleshooting.md" >}}) topic.

content/includes/nap-waf/nap-k8s-readonly-paths.md

@@ -0,0 +1,65 @@
+Once you have created writable paths in your Kubernetes cluster, you should update your NGINX configuration to use these paths.
+
+The following are fields in `nginx.conf` you should update, which correspond to writable volumes configured during the last step:
+
+```nginx
+pid        /tmp/nginx.pid;
+...
+http {
+...
+    # Temporary directories for kubernetes "readonlyfilesystem"
+    client_body_temp_path /tmp/nginx-client-body;
+    proxy_temp_path       /tmp/nginx-proxy;    
+    fastcgi_temp_path     /tmp/nginx-fastcgi;    
+    uwsgi_temp_path       /tmp/nginx-uwsgi;    
+    scgi_temp_path        /tmp/nginx-scgi;
+...
+}
+```
+
+A full example might look like the following:
+
+```nginx
+user  nginx;
+worker_processes  auto;
+
+# NGINX App Protect WAF
+load_module modules/ngx_http_app_protect_module.so;
+
+error_log  /var/log/nginx/error.log debug;
+pid        /tmp/nginx.pid; 
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                    '$status $body_bytes_sent "$http_referer" '
+                    '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log;
+
+    # Temporary directories for kubernetes "readonlyfilesystem"
+    client_body_temp_path /tmp/nginx-client-body;
+    proxy_temp_path       /tmp/nginx-proxy;
+    fastcgi_temp_path     /tmp/nginx-fastcgi;
+    uwsgi_temp_path       /tmp/nginx-uwsgi;
+    scgi_temp_path        /tmp/nginx-scgi;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    keepalive_timeout  65;
+
+    #gzip  on;
+
+    # NGINX App Protect WAF
+    app_protect_enforcer_address 127.0.0.1:50000;
+
+    include /etc/nginx/conf.d/*.conf;
+}
+```

content/includes/nap-waf/nap-k8s-use-compiled-bundles.md

@@ -0,0 +1,7 @@
+In this setup, copy your compiled policy and logging profile bundles to `/mnt/nap5_bundles_pv_data` on a cluster node. Make sure that input files are accessible to UID 101. Then, in your NGINX configuration, refer to these files from `/etc/app_protect/bundles`.
+
+For example, to apply `custom_policy.tgz` that you've placed in `/mnt/nap5_bundles_pv_data/`, use:
+
+```nginx
+app_protect_policy_file "/etc/app_protect/bundles/custom_policy.tgz";
+```