add support and specific values file for waf deployment

PHOENIX-MEDIA · Dec 2, 2024 · 4696b57 · 4696b57
1 parent 640fe51
commit 4696b57
Show file tree

Hide file tree

Showing 4 changed files with 503 additions and 0 deletions.
diff --git a/templates/modsecurity-crs-deployment.yaml b/templates/modsecurity-crs-deployment.yaml
@@ -0,0 +1,36 @@
+{{- if and .Values.waf .Values.waf.enabled -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: modsecurity-crs
+  annotations: {{ toYaml .Values.waf.annotations | nindent 4 }}
+  labels: {{ toYaml .Values.waf.labels | nindent 4 }}
+spec:
+  replicas: {{ .Values.waf.replicas | default 1 }}
+  selector:
+    matchLabels:
+      app: modsecurity-crs
+  template:
+    metadata:
+      labels:
+        app: modsecurity-crs
+    spec:
+      containers:
+        - name: modsecurity-crs
+          image: {{ .Values.waf.image.repository }}:{{ .Values.waf.image.tag }}
+          imagePullPolicy: {{ .Values.waf.image.pullPolicy | default "Always" }}
+          resources: {{ toYaml .Values.waf.resources | nindent 12 }}
+          readinessProbe: {{ toYaml .Values.waf.readinessProbe | nindent 12 }}
+          livenessProbe: {{ toYaml .Values.waf.livenessProbe | nindent 12 }}
+          startupProbe: {{ toYaml .Values.waf.startupProbe | nindent 12 }}
+          ports:
+            - containerPort: 8080
+              name: http
+          readinessProbe: {{ toYaml .Values.waf.readinessProbe | nindent 12 }}
+          livenessProbe: {{ toYaml .Values.waf.livenessProbe | nindent 12 }}
+          env:
+            - name: PORT
+              value: "8080"
+            {{ toYaml .Values.waf.env | nindent 12 }}
+    dnsPolicy: ClusterFirst
+{{- end -}}
diff --git a/templates/modsecurity-crs-service.yaml b/templates/modsecurity-crs-service.yaml
@@ -0,0 +1,15 @@
+{{- if and .Values.waf .Values.waf.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: modsecurity-crs
+spec:
+  type: ClusterIP
+  clusterIP: None
+  selector:
+    app: modsecurity-crs
+  ports:
+  - name: http
+    port: 8080
+    targetPort: http
+{{- end -}}
diff --git a/values.yaml b/values.yaml
@@ -843,6 +843,44 @@ imgproxy:
     fallbackImage:
       httpCode: 404
 
+waf:
+  enabled: false
+  #replicas: 1
+  #annotations: {}
+  #labels: {}
+  #image:
+  #  repository: phoenixmedia/modsecurity-crs
+  #  tag: main
+  #  pullPolicy: Always
+  #env:
+  #  # see more configuration options here: https://github.com/coreruleset/modsecurity-crs-docker/blob/main/README.md
+  #  # keep in mind that this is a nginx image...
+  #  - name: BACKEND
+  #    value: "http://magento.${NAMESPACE}.svc.cluster.local:80"  # Forward traffic to magento
+  #resources:
+  #  requests:
+  #    memory: 512Mi
+  #    cpu: 300m
+
+  #readinessProbe:
+  #  httpGet:
+  #    path: /healthz
+  #    port: 8080
+  #    # if the probe fails 2 times within 10 secondary, the pod is considered as "not ready"
+  #  periodSeconds: 5
+  #  timeoutSeconds: 1
+  #  successThreshold: 2
+  #  failureThreshold: 2
+
+  #livenessProbe:
+  #  httpGet:
+  #    path: /healthz
+  #    port: 8080
+  #  # if the probe fails 3 times within 30 seconds, the pod will get restarted
+  #  periodSeconds: 10
+  #  timeoutSeconds: 1
+  #  failureThreshold: 3
+
 
 persistence:
   enabled: true