Set up WAF Web-acl (#376)

Rub21 · web-flow · commit b1bc774cc4e7 · 2025-10-16T10:57:22.000-05:00
* Add env vars for wikipedia-wikiledia

* Add configuration to support a custom ingressClassName

* Add configuration to support a custom ingressClassName - overpass-api

* Set gitsha for taginfo image

* Rename ClusterIssuer and point to ingressClassName

* Set global ingressClassName value

* Support ALB for web service

* Update ingress and service config to support aws ALB

* Set annotations for ingress

* Use ClusterIssuer only if it is NLB

* Update configs

* Add healthcheck-path for services - alb

* Anable waf ACL
diff --git a/osm-seed/templates/nominatim-api/nominatim-ingress.yaml b/osm-seed/templates/nominatim-api/nominatim-ingress.yaml
@@ -22,6 +22,10 @@ metadata:
     alb.ingress.kubernetes.io/listen-ports: '{{ .Values.alb.listenPorts | default "[{\"HTTP\":80},{\"HTTPS\":443}]" }}'
     alb.ingress.kubernetes.io/certificate-arn: "{{ .Values.alb.certificateArn }}"
     alb.ingress.kubernetes.io/ssl-redirect: '443'
+    # Enable WAF
+    {{- if .Values.alb.enableWaf.enabled }}
+    alb.ingress.kubernetes.io/waf-acl-arn: "{{ .Values.alb.enableWaf.wafAclArn }}"
+    {{- end }}
     {{- end }}
 spec:
   ingressClassName: {{ .Values.ingressClassName }}
diff --git a/osm-seed/templates/overpass-api/overpass-api-ingress.yaml b/osm-seed/templates/overpass-api/overpass-api-ingress.yaml
@@ -22,6 +22,10 @@ metadata:
     alb.ingress.kubernetes.io/listen-ports: '{{ .Values.alb.listenPorts | default "[{\"HTTP\":80},{\"HTTPS\":443}]" }}'
     alb.ingress.kubernetes.io/certificate-arn: "{{ .Values.alb.certificateArn }}"
     alb.ingress.kubernetes.io/ssl-redirect: '443'
+    # Enable WAF
+    {{- if .Values.alb.enableWaf.enabled }}
+    alb.ingress.kubernetes.io/waf-acl-arn: "{{ .Values.alb.enableWaf.wafAclArn }}"
+    {{- end }}
     {{- end }}
 spec:
   ingressClassName: {{ .Values.ingressClassName }}
diff --git a/osm-seed/templates/taginfo/taginfo-ingress.yaml b/osm-seed/templates/taginfo/taginfo-ingress.yaml
@@ -22,6 +22,10 @@ metadata:
     alb.ingress.kubernetes.io/listen-ports: '{{ .Values.alb.listenPorts | default "[{\"HTTP\":80},{\"HTTPS\":443}]" }}'
     alb.ingress.kubernetes.io/certificate-arn: "{{ .Values.alb.certificateArn }}"
     alb.ingress.kubernetes.io/ssl-redirect: '443'
+    # Enable WAF
+    {{- if .Values.alb.enableWaf.enabled }}
+    alb.ingress.kubernetes.io/waf-acl-arn: "{{ .Values.alb.enableWaf.wafAclArn }}"
+    {{- end }}
     {{- end }}
 spec:
   ingressClassName: {{ .Values.ingressClassName }}
diff --git a/osm-seed/templates/tasking-manager-api/tm-ingress.yaml b/osm-seed/templates/tasking-manager-api/tm-ingress.yaml
@@ -22,6 +22,10 @@ metadata:
     alb.ingress.kubernetes.io/listen-ports: '{{ .Values.alb.listenPorts | default "[{\"HTTP\":80},{\"HTTPS\":443}]" }}'
     alb.ingress.kubernetes.io/certificate-arn: "{{ .Values.alb.certificateArn }}"
     alb.ingress.kubernetes.io/ssl-redirect: '443'
+    # Enable WAF
+    {{- if .Values.alb.enableWaf.enabled }}
+    alb.ingress.kubernetes.io/waf-acl-arn: "{{ .Values.alb.enableWaf.wafAclArn }}"
+    {{- end }}
     {{- end }}
 spec:
   ingressClassName: {{ .Values.ingressClassName }}
diff --git a/osm-seed/templates/tiler-server/tiler-server-ingress.yaml b/osm-seed/templates/tiler-server/tiler-server-ingress.yaml
@@ -22,6 +22,10 @@ metadata:
     alb.ingress.kubernetes.io/listen-ports: '{{ .Values.alb.listenPorts | default "[{\"HTTP\":80},{\"HTTPS\":443}]" }}'
     alb.ingress.kubernetes.io/certificate-arn: "{{ .Values.alb.certificateArn }}"
     alb.ingress.kubernetes.io/ssl-redirect: '443'
+    # Enable WAF
+    {{- if .Values.alb.enableWaf.enabled }}
+    alb.ingress.kubernetes.io/waf-acl-arn: "{{ .Values.alb.enableWaf.wafAclArn }}"
+    {{- end }}
     {{- end }}
 spec:
   ingressClassName: {{ .Values.ingressClassName }}
diff --git a/osm-seed/templates/web/web-ingress.yaml b/osm-seed/templates/web/web-ingress.yaml
@@ -22,6 +22,10 @@ metadata:
     alb.ingress.kubernetes.io/listen-ports: '{{ .Values.alb.listenPorts | default "[{\"HTTP\":80},{\"HTTPS\":443}]" }}'
     alb.ingress.kubernetes.io/certificate-arn: "{{ .Values.alb.certificateArn }}"
     alb.ingress.kubernetes.io/ssl-redirect: '443'
+    ## Enable WAF
+    {{- if .Values.alb.enableWaf.enabled }}
+    alb.ingress.kubernetes.io/waf-acl-arn: "{{ .Values.alb.enableWaf.wafAclArn }}"
+    {{- end }}
     {{- end }}
 spec:
   ingressClassName: {{ .Values.ingressClassName }}
diff --git a/osm-seed/values.yaml b/osm-seed/values.yaml
@@ -46,8 +46,10 @@ createClusterIssuer: false
 ingressClassNameType: "alb" #Type can be alb or nlb
 ingressClassName: alb #nginx,  nginx-nlb, alb
 alb:
-  certificateArn: "arn:aws:acm:us-east-1:618380242247:certificate/498e3dc0-843b-4c98-8d41-861775806e86"
-
+  certificateArn: "arn:aws:acm:us-east-1:1234567890:certificate/abcdeffff-843b-4c98-8d41-abcdeffff"
+  enableWaf:
+    enabled: false
+    wafAclArn: arn:aws:wafv2:us-east-1:123456789:regional/webacl/webacl-alb/abcdeffff-ddddd-ddddd-bbbb-abcdeffff
 # Domain that is pointed to the clusterIP
 # You will need to create an A record like *.osmseed.example.com pointed to the ClusterIP
 # Then, the cluster configuration will setup services at their respective subdomains:
