add support and specific values file for waf deployment

Chart.yaml

@@ -1,7 +1,7 @@
 name: magento
 apiVersion: v2
 appVersion: 2.4.6
-version: 2.7.0
+version: 2.8.0
 description: Magento chart to deploy the application including services.
 type: application
 keywords:

templates/modsecurity-crs-configmap.yaml

@@ -0,0 +1,11 @@
+{{- if and .Values.waf .Values.waf.enabled -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.waf.name | default "modsecurity-crs" }}
+data:
+{{- range $key, $value := .Values.waf.config }}
+  {{ $key }}: |-
+{{ $value | indent 4 }}
+{{- end }}
+{{- end -}}

templates/modsecurity-crs-deployment.yaml

@@ -0,0 +1,45 @@
+{{- if and .Values.waf .Values.waf.enabled -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Values.waf.name | default "modsecurity-crs" }}
+  annotations: {{ toYaml .Values.waf.annotations | nindent 4 }}
+  labels: {{ toYaml .Values.waf.labels | nindent 4 }}
+spec:
+  replicas: {{ .Values.waf.replicas | default 1 }}
+  selector:
+    matchLabels:
+      app: modsecurity-crs
+  template:
+    metadata:
+      labels:
+        app: modsecurity-crs
+    spec:
+      containers:
+        - name: modsecurity-crs
+          image: {{ .Values.waf.image.repository }}:{{ .Values.waf.image.tag }}
+          imagePullPolicy: {{ .Values.waf.image.pullPolicy | default "Always" }}
+          resources: {{ toYaml .Values.waf.resources | nindent 12 }}
+          readinessProbe: {{ toYaml .Values.waf.readinessProbe | nindent 12 }}
+          livenessProbe: {{ toYaml .Values.waf.livenessProbe | nindent 12 }}
+          startupProbe: {{ toYaml .Values.waf.startupProbe | nindent 12 }}
+          ports:
+            - containerPort: 8080
+              name: http
+          env:
+            - name: PORT
+              value: "8080"
+            {{ toYaml .Values.waf.env | nindent 12 }}
+
+          volumeMounts:
+            - name: modsecurity-configmap
+              mountPath: /docker-entrypoint.d/999-phoenix-proxy-behaviour.sh
+              subPath: entrypoint.sh
+
+      volumes:
+        - name: modsecurity-configmap
+          configMap:
+            name: {{ .Values.waf.name | default "modsecurity-crs" }}
+            defaultMode: 0777
+    dnsPolicy: ClusterFirst
+{{- end -}}

templates/modsecurity-crs-service.yaml

@@ -0,0 +1,15 @@
+{{- if and .Values.waf .Values.waf.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Values.waf.name | default "modsecurity-crs" }}
+spec:
+  type: ClusterIP
+  clusterIP: None
+  selector:
+    app: modsecurity-crs
+  ports:
+  - name: http
+    port: 8080
+    targetPort: http
+{{- end -}}

values.yaml

@@ -843,6 +843,44 @@
     fallbackImage:
       httpCode: 404
 
+waf:
+  enabled: false
+  #replicas: 1
+  #annotations: {}
+  #labels: {}
+  #image:
+  #  repository: owasp/modsecurity-crs:nginx-alpine
+  #  tag: 4.9.0-nginx-alpine-202412020312
+  #  pullPolicy: Always
+  #env:
+  #  # see more configuration options here: https://github.com/coreruleset/modsecurity-crs-docker/blob/main/README.md
+  #  # keep in mind that this is a nginx image...
+  #  - name: BACKEND
+  #    value: "http://magento.${NAMESPACE}.svc.cluster.local:80"  # Forward traffic to magento
+  #resources:
+  #  requests:
+  #    memory: 512Mi
+  #    cpu: 300m
+
+  #readinessProbe:
+  #  httpGet:
+  #    path: /healthz
+  #    port: 8080
+  #    # if the probe fails 2 times within 10 secondary, the pod is considered as "not ready"
+  #  periodSeconds: 5
+  #  timeoutSeconds: 1
+  #  successThreshold: 2
+  #  failureThreshold: 2
+
+  #livenessProbe:
+  #  httpGet:
+  #    path: /healthz
+  #    port: 8080
+  #  # if the probe fails 3 times within 30 seconds, the pod will get restarted
+  #  periodSeconds: 10
+  #  timeoutSeconds: 1
+  #  failureThreshold: 3
+
 
 persistence:
   enabled: true