Enforcer nmap v5 crashes on startup with no active waf policy configured

[anderius]

Describe the bug
Enforcer container fails to start without sites configured. NginxIC container also fails to start, waiting for the enforcer container.

To Reproduce
Deploy the Helm chart with Nginx App Protect V5 enabled, but no resources that uses the WAF. That is, no VirtualServer with apBundle.

Expected behavior
We expect the nginx ic and the enforcer container to start without errors, even when no virtualserver with WAF is deployed.

Your environment

• Version of the Ingress Controller - 3.6.0, with Helm chart 1.3.0
• Version of Kubernetes: 1.29.9
• Kubernetes platform: AKS
• Using NGINX Plus

Additional context
Log from the enforcer container:

│ setting memory control callbacks for XML                                                                                                                                           │
│ BD_MISC|CRIT  |Aug 13 13:16:22.079|0013|/builds/6x631E1L/0/waf/waf-general/secore/bd/bd/manifest_listener.cpp:0198|failed to get manifest last modification time, err: No such fil │
│ Timeout detected while waiting for configuration. time since last config: 40 BD aborting                                                                                           │
│ BD_MISC|WARN  |Aug 13 13:16:22.080|0013|/builds/6x631E1L/0/waf/waf-general/secore/bd/bd/manifest_listener.cpp:0199|Timeout detected while waiting for configuration. time since la │
│                                                                                                                                                                                    │
│ BD_MISC|ERR   |Aug 13 13:16:22.081|0013|/builds/6x631E1L/0/waf/waf-general/secore/bd/bd/manifest_listener.cpp:0114|failed opening manifest out file. path=/opt/app_protect/bd_conf │
│ 2024/08/13 13:16:22 Execution failed: exit status 1

[github-actions]

Hi @anderius thanks for reporting!

Be sure to check out the docs and the Contributing Guidelines while you wait for a human to take a look at this 🙂

Cheers!

[janibashamd]

I'm also facing similar issue.

[AlexFenlon]

Hi Folks, we are currently looking into this.

[shaun-nx]

Hi folks @anderius @janibashamd
We've been in contact with the team that owns the development of this component of AppProtect v5. They are working on ensure the waf-enforcer wont crash in this scenario.

As soon as we have more info, we'll share it in this thread.

[anderius]

@shaun-nx Is there any news about this? Currently we have to deploy failing dummy-applications (with ap-policies) to be able to roll out App Protect at all.

[shaun-nx]

Hi @anderius
This fix for the waf-enforcer will be made available in our next release, v4.0.0
That version of the NGINX Ingress Controller will use v5.4.0 of the waf-enforcer which will no longer fail if a policy is not deployed.

[github-actions]

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 10 days.

[github-actions]

This issue was closed because it has been stalled for 10 days with no activity.