Deploy WAF containers when enabled in NGINXProxy

Makefile

@@ -45,7 +45,6 @@ HELM_SCHEMA_VERSION = 0.18.1
 PREFIX ?= nginx-gateway-fabric## The name of the NGF image. For example, nginx-gateway-fabric
 NGINX_PREFIX ?= $(PREFIX)/nginx## The name of the nginx image. For example: nginx-gateway-fabric/nginx
 NGINX_PLUS_PREFIX ?= $(PREFIX)/nginx-plus## The name of the nginx plus image. For example: nginx-gateway-fabric/nginx-plus
-NGINX_PLUS_WAF_PREFIX ?= $(PREFIX)/nginx-plus-waf## The name of the nginx plus image with NAP WAF. For example: nginx-gateway-fabric/nginx-plus-waf
 TAG ?= $(VERSION:v%=%)## The tag of the image. For example, 1.1.0
 TARGET ?= local## The target of the build. Possible values: local and container
 OUT_DIR ?= build/out## The folder where the binary will be stored
@@ -110,7 +109,7 @@ build-nginx-plus-image-with-nap-waf: check-for-docker ## Build the custom nginx
 	@if [ $(GOARCH) = "arm64" ]; then \
 		echo "\033[0;31mIMPORTANT:\033[0m The nginx-plus-waf image cannot be built for arm64 architecture and will be built for amd64."; \
 	fi
-	docker build --platform linux/amd64 $(strip $(NGINX_DOCKER_BUILD_OPTIONS)) $(strip $(NGINX_DOCKER_BUILD_PLUS_ARGS)) $(strip $(NGINX_DOCKER_BUILD_NAP_WAF_ARGS)) -f $(SELF_DIR)build/Dockerfile.nginxplus -t $(strip $(NGINX_PLUS_WAF_PREFIX)):$(strip $(TAG)) $(strip $(SELF_DIR))
+	docker build --platform linux/amd64 $(strip $(NGINX_DOCKER_BUILD_OPTIONS)) $(strip $(NGINX_DOCKER_BUILD_PLUS_ARGS)) $(strip $(NGINX_DOCKER_BUILD_NAP_WAF_ARGS)) -f $(SELF_DIR)build/Dockerfile.nginxplus -t $(strip $(NGINX_PLU_PREFIX)):$(strip $(TAG)) $(strip $(SELF_DIR))
 
 .PHONY: check-for-docker
 check-for-docker: ## Check if Docker is installed

apis/v1alpha2/nginxproxy_types.go

@@ -75,10 +75,10 @@ type NginxProxySpec struct {
 	// WAF enables NGINX App Protect WAF functionality.
 	// When enabled, NGINX Gateway Fabric will deploy additional WAF containers
 	// (waf-enforcer and waf-config-mgr) alongside the main NGINX container.
-	// Default is "Disabled".
+	// Default is "disabled".
 	//
 	// +optional
-	// +kubebuilder:default:=Disabled
+	// +kubebuilder:default:=disabled
 	WAF *WAFState `json:"waf,omitempty"`
 	// Kubernetes contains the configuration for the NGINX Deployment and Service Kubernetes objects.
 	//
@@ -88,17 +88,17 @@ type NginxProxySpec struct {
 
 // WAFState defines the state of WAF functionality.
 //
-// +kubebuilder:validation:Enum=Enabled;Disabled
+// +kubebuilder:validation:Enum=enabled;disabled
 type WAFState string
 
 const (
 	// WAFEnabled enables NGINX App Protect WAF functionality.
 	// This will deploy additional containers for WAF enforcement and configuration management.
-	WAFEnabled WAFState = "Enabled"
+	WAFEnabled WAFState = "enabled"
 
 	// WAFDisabled disables NGINX App Protect WAF functionality.
 	// Only the standard NGINX container will be deployed.
-	WAFDisabled WAFState = "Disabled"
+	WAFDisabled WAFState = "disabled"
 )
 
 // Telemetry specifies the OpenTelemetry configuration.

charts/nginx-gateway-fabric/values.schema.json

@@ -272,8 +272,8 @@
             "waf": {
               "description": "WAF enables NGINX App Protect WAF functionality.",
               "enum": [
-                "Enabled",
-                "Disabled"
+                "enabled",
+                "disabled"
               ],
               "required": [],
               "type": "string"

charts/nginx-gateway-fabric/values.yaml

@@ -371,8 +371,8 @@ nginx:
   #     type: string
   #     description: WAF enables NGINX App Protect WAF functionality.
   #     enum:
-  #       - Enabled
-  #       - Disabled
+  #       - enabled
+  #       - disabled
   # @schema
   # -- The configuration for the data plane that is contained in the NginxProxy resource. This is applied globally to all Gateways
   # managed by this instance of NGINX Gateway Fabric.

config/crd/bases/gateway.nginx.org_nginxproxies.yaml

@@ -7771,15 +7771,15 @@ spec:
                     x-kubernetes-list-type: map
                 type: object
               waf:
-                default: Disabled
+                default: disabled
                 description: |-
                   WAF enables NGINX App Protect WAF functionality.
                   When enabled, NGINX Gateway Fabric will deploy additional WAF containers
                   (waf-enforcer and waf-config-mgr) alongside the main NGINX container.
-                  Default is "Disabled".
+                  Default is "disabled".
                 enum:
-                - Enabled
-                - Disabled
+                - enabled
+                - disabled
                 type: string
             type: object
         required:

deploy/crds.yaml

@@ -8356,15 +8356,15 @@ spec:
                     x-kubernetes-list-type: map
                 type: object
               waf:
-                default: Disabled
+                default: disabled
                 description: |-
                   WAF enables NGINX App Protect WAF functionality.
                   When enabled, NGINX Gateway Fabric will deploy additional WAF containers
                   (waf-enforcer and waf-config-mgr) alongside the main NGINX container.
-                  Default is "Disabled".
+                  Default is "disabled".
                 enum:
-                - Enabled
-                - Disabled
+                - enabled
+                - disabled
                 type: string
             type: object
         required:

internal/controller/provisioner/objects.go

@@ -33,10 +33,8 @@
 	defaultServiceType   = corev1.ServiceTypeLoadBalancer
 	defaultServicePolicy = corev1.ServiceExternalTrafficPolicyLocal
 
-	defaultNginxImagePath        = "ghcr.io/nginx/nginx-gateway-fabric/nginx"
-	defaultNginxPlusImagePath    = "private-registry.nginx.com/nginx-gateway-fabric/nginx-plus"
-	defaultNginxPlusWafImagePath = "private-registry.nginx.com/nginx-gateway-fabric/nginx-plus-waf"
-	defaultImagePullPolicy       = corev1.PullIfNotPresent
+	defaultNginxImagePath  = "ghcr.io/nginx/nginx-gateway-fabric/nginx"
+	defaultImagePullPolicy = corev1.PullIfNotPresent
 
 	// WAF container defaults.
 	defaultWAFEnforcerImagePath  = "private-registry.nginx.com/nap/waf-enforcer"
@@ -878,9 +876,9 @@
 		container.VolumeMounts = append(container.VolumeMounts, containerSpec.VolumeMounts...)
 
 		if containerSpec.Debug != nil && *containerSpec.Debug {
 			container.Command = append(container.Command, "/agent/entrypoint.sh")
 			container.Args = append(container.Args, "debug")
 		}
 		spec.Spec.Containers[0] = container
 	}
 }
@@ -914,7 +912,8 @@
 	initCmd = append(initCmd,
 		"--source", "/includes/mgmt.conf",
 		"--destination", "/etc/nginx/main-includes",
-		"--nginx-plus")
+		"--nginx-plus",
+	)
 	spec.Spec.InitContainers[0].Command = initCmd
 
 	// Add NGINX Plus volumes and volume mounts
@@ -984,10 +983,6 @@
 	tag := p.cfg.GatewayPodConfig.Version
 	pullPolicy := defaultImagePullPolicy
 
-	if graph.WAFEnabledForNginxProxy(nProxyCfg) {
-		image = defaultNginxPlusWafImagePath
-	}
-
 	getImageAndPullPolicy := func(container ngfAPIv1alpha2.ContainerSpec) (string, string, corev1.PullPolicy) {
 		if container.Image != nil {
 			if container.Image.Repository != nil {
@@ -1114,7 +1109,12 @@
 		Image:           image,
 		ImagePullPolicy: defaultImagePullPolicy,
 		SecurityContext: &corev1.SecurityContext{
-			RunAsUser: helpers.GetPointer[int64](101),
+			RunAsUser:                helpers.GetPointer[int64](101),
+			AllowPrivilegeEscalation: helpers.GetPointer(false),
+			RunAsNonRoot:             helpers.GetPointer(false),
+			Capabilities: &corev1.Capabilities{
+				Drop: []corev1.Capability{"all"},
+			},
 		},
 		Env: []corev1.EnvVar{
 			{Name: "ENFORCER_PORT", Value: "50000"},
@@ -1186,8 +1186,8 @@
 			container.Resources = *wafContainersCfg.ConfigManager.Resources
 		}
 		if len(wafContainersCfg.ConfigManager.VolumeMounts) > 0 {
 			container.VolumeMounts = append(container.VolumeMounts, wafContainersCfg.ConfigManager.VolumeMounts...)
 		}
 	}
 
 	return container

internal/controller/provisioner/objects_test.go

@@ -1114,7 +1114,7 @@ func TestBuildNginxResourceObjects_WAF(t *testing.T) {
 	// Validate NGINX container (first container)
 	nginxContainer := template.Spec.Containers[0]
 	g.Expect(nginxContainer.Name).To(Equal("nginx"))
-	g.Expect(nginxContainer.Image).To(Equal(fmt.Sprintf("%s:1.0.0", defaultNginxPlusWafImagePath)))
+	g.Expect(nginxContainer.Image).To(Equal(fmt.Sprintf("%s:1.0.0", defaultNginxImagePath)))
 
 	// Check NGINX container has WAF volume mounts
 	wafVolumeMountNames := []string{

internal/controller/state/graph/nginxproxy_test.go

@@ -536,6 +536,22 @@ func TestBuildEffectiveNginxProxy_WAF(t *testing.T) {
 				WAF: helpers.GetPointer(ngfAPIv1alpha2.WAFDisabled),
 			},
 		},
+		{
+			name: "both have WAF unset",
+			gcNp: &NginxProxy{
+				Valid: true,
+				Source: &ngfAPIv1alpha2.NginxProxy{
+					Spec: ngfAPIv1alpha2.NginxProxySpec{},
+				},
+			},
+			gwNp: &NginxProxy{
+				Valid: true,
+				Source: &ngfAPIv1alpha2.NginxProxy{
+					Spec: ngfAPIv1alpha2.NginxProxySpec{},
+				},
+			},
+			exp: &EffectiveNginxProxy{},
+		},
 	}
 
 	for _, test := range tests {