Merge pull request #203 from wallarm/NODE-5873-IPFW-params

NODE-5873 add configurable APIWF parameters to Sidecar Helm chart

TAG

@@ -1 +1 @@
-1.3.11
+1.4.0

cmd/config.go

@@ -229,6 +229,7 @@ func (c *Config) InitTemplate(templatefile string) error {
 		"b64dec":               B64dec,
 		"withAnnotationPrefix": WithAnnotationPrefix,
 		"withAP":               WithAnnotationPrefix,
+		"int64":                ToInt64,
 	}
 
 	tmpl, errNewTemplate := template.New("basic").Funcs(tmplfuncs).Parse(string(content))

cmd/template.go

@@ -152,3 +152,25 @@ func WithAnnotationPrefix(suffix string) string {
 	prefix := fmt.Sprintf("%v", config.Settings["annotationPrefix"])
 	return prefix + "/" + suffix
 }
+
+func ToInt64(input interface{}) (int64, error) {
+    switch v := input.(type) {
+    case string:
+        num, err := strconv.ParseInt(v, 10, 64)
+        if err != nil {
+            fmt.Println("Error converting string to int64:", err)
+            return 0, err
+        }
+        return num, nil
+    case int:
+        return int64(v), nil
+    case int64:
+        return v, nil
+    case float64:
+        return int64(v), nil
+    case float32:
+        return int64(v), nil
+    default:
+        return 0, fmt.Errorf("unsupported type: %T", v)
+    }
+}

files/template.yaml.tpl

@@ -67,7 +67,19 @@ volumes:
     - name: WALLARM_UPSTREAM_RECONNECT_INTERVAL
       value: "{{ getAnnotation .ObjectMeta (withAP `wallarm-upstream-reconnect-interval`) .Config.wallarm.upstream.reconnectInterval }}"
     - name: WALLARM_APIFW_ENABLE
-      value: "{{ getAnnotation .ObjectMeta (withAP `api-firewall-enabled`) .Config.wallarm.apiFirewallMode }}"
+      value: "{{ getAnnotation .ObjectMeta (withAP `api-firewall-enabled`) .Config.wallarm.apiFirewall.mode }}"
+    - name: APIFW_READ_BUFFER_SIZE
+      value: "{{ .Config.wallarm.apiFirewall.readBufferSize | int64 }}"
+    - name: APIFW_WRITE_BUFFER_SIZE
+      value: "{{ .Config.wallarm.apiFirewall.writeBufferSize | int64 }}"
+    - name: APIFW_MAX_REQUEST_BODY_SIZE
+      value: "{{ .Config.wallarm.apiFirewall.maxRequestBodySize | int64 }}"
+    - name: APIFW_DISABLE_KEEPALIVE
+      value: "{{ .Config.wallarm.apiFirewall.disableKeepalive }}"
+    - name: APIFW_MAX_CONNS_PER_IP
+      value: "{{ .Config.wallarm.apiFirewall.maxConnectionsPerIp }}"
+    - name: APIFW_MAX_REQUESTS_PER_CONN
+      value: "{{ .Config.wallarm.apiFirewall.maxRequestsPerConnection }}"
     - name: NGINX_LISTEN_PORT
       value: "{{ getAnnotation .ObjectMeta (withAP `nginx-listen-port`) .Config.nginx.listenPort }}"
     - name: NGINX_PROXY_PASS_PORT

helm/Chart.yaml

@@ -23,6 +23,6 @@ annotations:
     - name: sidecar
       image: wallarm/sidecar:5.2.11
     - name: sidecar-controller
-      image: wallarm/sidecar-controller:1.3.11
+      image: wallarm/sidecar-controller:1.4.0
     - name: node-helpers
       image: wallarm/node-helpers:5.2.11

helm/values.yaml

@@ -76,10 +76,6 @@ config:
     ### https://docs.wallarm.com/admin-en/configure-parameters-en/#wallarm_unpack_response
     ###
     unpackResponse: "on"
-    ### Global setting to turn Wallarm API Firewall component on or off
-    ### https://wallarm.github.io/api-firewall/
-    ###
-    apiFirewallMode: "on"
     ### Post-analytics node endpoint configuration
     ###
     upstream:
@@ -91,6 +87,32 @@ config:
       ### https://docs.wallarm.com/admin-en/configure-parameters-en/#wallarm_upstream_reconnect_interval
       ###
       reconnectInterval: 15s
+    apiFirewall:
+      ### Global setting to turn Wallarm API Firewall component on or off
+      ### https://wallarm.github.io/api-firewall/
+      ###
+      mode: "on"
+      ### Per-connection buffer size (in bytes) for requests' reading. This also limits the maximum header size.
+      ### Increase this buffer if your clients send multi-KB RequestURIs and/or multi-KB headers (for example, BIG cookies)
+      ###
+      readBufferSize: 8192
+      ### Per-connection buffer size (in bytes) for responses' writing.
+      ###
+      writeBufferSize: 8192
+      ### Maximum request body size (in bytes). The server rejects requests with bodies exceeding this limit.
+      ###
+      maxRequestBodySize: 4194304
+      ### Whether to disable keep-alive connections. The server will close all the incoming connections after sending
+      ## the first response to client if this option is set to 'true'
+      ###
+      disableKeepalive: false
+      ### Maximum number of concurrent client connections allowed per IP. '0' means unlimited
+      ###
+      maxConnectionsPerIp: 0
+      ### Maximum number of requests served per connection. The server closes connection after the last request.
+      ### 'Connection: close' header is added to the last response. '0' means unlimited
+      ###
+      maxRequestsPerConnection: 0
   ### Default Annotation prefix which is used in sidecar template to overwrite default values
   annotationPrefix: sidecar.wallarm.io
   ### Default sidecar injection strategy. Parameters in this section can be overwritten individually
@@ -765,7 +787,7 @@ controller:
   image:
     registry: docker.io
     image: wallarm/sidecar-controller
-    tag: 1.3.11
+    tag: 1.4.0
     pullPolicy: IfNotPresent
   # -- Admission webhook configuration
   # @default -- *See below for details*

test/smoke/functions.sh

@@ -113,7 +113,7 @@ function get_logs() {
     echo "#################################"
     echo "######## Post-analytics Pod #####"
     echo "#################################"
-    for CONTAINER in antibot appstructure supervisord tarantool ; do
+    for CONTAINER in appstructure supervisord tarantool ; do
       echo "#######################################"
       echo "###### ${CONTAINER} container logs ######"
       echo -e "#######################################\n"

test/smoke/run.sh

@@ -161,3 +161,4 @@ kubectl wait --for=condition=Ready pods --all --timeout=140s || (kubectl describ
 
 echo "[test-env] running smoke tests suite ..."
 make -C "${DIR}"/../../ smoke-test
+