@ciarams87

Proposed changes

Problem: The NGINX Plus NAP WAF image is not being built in the pipeline

Solution: Extend the workflow to build the image in the pipeline

Partially implements #3452

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have updated necessary documentation
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

Release notes

If this PR introduces a change that affects users and needs to be mentioned in the release notes,
please add a brief note that summarizes the change.

NONE

ciarams87 and others added 3 commits June 19, 2025 21:02
* Add WAF dockerfile and make targets

* Add WAF parameters to NGINXProxy resource

* Review feedback

* Add plus image path; add readOnlyRootFS to waf containers

* Capitalise WAF

Problem: As a user of NGF with an NGINX One subscription
I want a method to configure WAF protection on my Gateways and Routes
So that I can enable the NAP WAF feature for the applications that need it.

Solution: Define the WafPolicy CRD.

Co-authored-by: Ciara Stacke <[email protected]>
@github-actions github-actions bot added the chore Pull requests for routine tasks label Jun 30, 2025
@ciarams87 ciarams87 force-pushed the chore/build-image-pipeline branch from d21f15b to b4a6a0b Compare June 30, 2025 14:04
@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@ciarams87 ciarams87 force-pushed the chore/build-image-pipeline branch from 4500d38 to e40b61f Compare June 30, 2025 14:58
defaultImagePullPolicy = corev1.PullIfNotPresent
defaultNginxImagePath = "ghcr.io/nginx/nginx-gateway-fabric/nginx"
defaultNginxPlusImagePath = "private-registry.nginx.com/nginx-gateway-fabric/nginx-plus"
defaultNginxPlusWafImagePath = "private-registry.nginx.com/nginx-gateway-fabric/nginx-plus-nap-waf"
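
Review bot: On the `defaultNginxPlusWafImagePath` line, the identifier spells the initialism as `Waf`, while one of the commits in this PR is titled "Capitalise WAF"; renaming it to `defaultNginxPlusWAFImagePath` would keep the Go initialism style consistent with that change. The constant also has no comment, and since its value points at `private-registry.nginx.com` rather than `ghcr.io` like `defaultNginxImagePath`, a one-line comment saying which image this default selects and that it lives in the private registry would help readers of this block.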
Contributor

Maybe I am overthinking this, but shouldn't the image names be the same in the pipeline and these defaults?

Why is it plus-waf in workflows and different here?

Contributor Author

Oh, this is still a draft, I haven't finalised the image names with the team managing the registry yet! I just need a PR to make sure the pipeline is working, sorry for the confusion!

@ciarams87 ciarams87 closed this Jul 9, 2025
@github-project-automation github-project-automation bot moved this from 🆕 New to ✅ Done in NGINX Gateway Fabric Jul 9, 2025
@ciarams87 ciarams87 deleted the chore/build-image-pipeline branch July 9, 2025 09:37
@codecov

codecov bot commented Jul 9, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 95.19%. Comparing base (f8f5fb7) to head (6c04c85).
Report is 39 commits behind head on feat/nap-waf.

Additional details and impacted files
@@               Coverage Diff                @@
##           feat/nap-waf    #3565      +/-   ##
================================================
+ Coverage         86.83%   95.19%   +8.36%     
================================================
  Files               127        1     -126     
  Lines             15079      229   -14850     
  Branches             62       62              
================================================
- Hits              13094      218   -12876     
+ Misses             1835       11    -1824     
+ Partials            150        0     -150     
