Skip to content

Commit

Permalink
feat: (IAC-1228) Support Azure Application Gateway with Azure WAF
Browse files Browse the repository at this point in the history
  • Loading branch information
riragh committed Jan 19, 2024
1 parent 4ef9108 commit 7970fa7
Show file tree
Hide file tree
Showing 4 changed files with 51 additions and 0 deletions.
16 changes: 16 additions & 0 deletions docs/CONFIG-VARS.md
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@ Supported configuration variables are listed in the table below. All variables
- [NFS Client](#nfs-client)
- [Postgres NFS Client](#postgres-nfs-client)
- [Multi-tenancy](#multi-tenancy)
- [Azure Application Gateway with WAF](#azure-application-gateway-with-waf)

## BASE

Expand Down Expand Up @@ -499,3 +500,18 @@ V4MT_TENANT_CAS_CUSTOMIZATION:
worker_count: 1
backup_controller_enabled: true
```

## Azure Application Gateway with WAF

| Name | Description | Type | Default | Required | Notes | Tasks |
| :--- | :--- | :--- | :--- | :--- | :--- | :--- |
| V4_CFG_APPLICATION_GATEWAY_ENABLED | Enables Azure Application Gateway | bool | false | false | If not set, the value for this variable will be read from tfstate file | baseline |
| INGRESS_NGINX_AZURE_DNS_LABEL_NAME | Setting this variable lets user use Azure public DNS by adding DNS label for Ingress loadbalancer | string | null | false | | baseline |

**Additional setting required for Azure application gateway:**

In your `ansible-vars.yaml` file, the variable `V4_CFG_INGRESS_FQDN` should be setup with hostname of your application gateway. And for secure communication, ingress certificates should be set correctly. Following variables should help setting up the ingress certificate.
```
V4_CFG_TLS_CERT: "<Path to ingress certificate file>" ## This file should have all, leaf (server) → intermediate → root certs
V4_CFG_TLS_KEY: "<Path to ingress key file>"
```
10 changes: 10 additions & 0 deletions roles/baseline/defaults/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,16 @@ INGRESS_NGINX_CONFIG:
command: [/bin/sh, -c, sleep 5; /usr/local/nginx/sbin/nginx -c /etc/nginx/nginx.conf -s quit; while pgrep -x nginx; do sleep 1; done]
terminationGracePeriodSeconds: 600

# Add config and annotation for Azure Application Gateway
V4_CFG_APPLICATION_GATEWAY_ENABLED: false
INGRESS_NGINX_AZURE_GATEWAY_CONFIG:
controller:
config:
use-forwarded-headers: "true"
service:
annotations:
service.beta.kubernetes.io/azure-dns-label-name: "{{ INGRESS_NGINX_AZURE_DNS_LABEL_NAME | default(None) }}"

# Add annotation to include Azure load-balancer health probe request path
INGRESS_NGINX_AZURE_LB_HEALTH_PROBE_CONFIG:
controller:
Expand Down
10 changes: 10 additions & 0 deletions roles/baseline/tasks/ingress-nginx.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,16 @@
- install
- update

- name: Update INGRESS_NGINX_CONFIG to add Azure Application Gateway Config changes
set_fact:
INGRESS_NGINX_CONFIG: "{{ INGRESS_NGINX_CONFIG | combine(INGRESS_NGINX_AZURE_GATEWAY_CONFIG, recursive=True) }}"
when:
- PROVIDER == "azure"
- V4_CFG_APPLICATION_GATEWAY_ENABLED
tags:
- install
- update

- name: Apply Mitigation for CVE-2021-25742
tags:
- install
Expand Down
15 changes: 15 additions & 0 deletions roles/common/tasks/main.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -280,6 +280,21 @@
- tfstate.message_broker_primary_key is defined
- tfstate.message_broker_primary_key.value|length > 0
- V4_CFG_MESSAGE_BROKER_PASSWORD is not defined
- name: tfstate - azure application gateway enabled # noqa: name[casing]
set_fact:
V4_CFG_APPLICATION_GATEWAY_ENABLED: "{{ tfstate.app_gateway_enabled.value }}"
when:
- PROVIDER == "azure"
- tfstate.app_gateway_enabled is defined
- V4_CFG_APPLICATION_GATEWAY_ENABLED is not defined
- name: tfstate - Add azure application gateway public ip to LOADBALANCER_SOURCE_RANGES # noqa: name[casing]
set_fact:
LOADBALANCER_SOURCE_RANGES: "{{ LOADBALANCER_SOURCE_RANGES + [tfstate.app_gateway_frontend_ip.value + '/32'] }}"
when:
- PROVIDER == "azure"
- tfstate.app_gateway_frontend_ip is defined
- tfstate.app_gateway_frontend_ip.value|length > 0
- V4_CFG_APP_GATEWAY_IP is not defined
- name: tfstate - set tfstate to empty string # noqa: name[casing]
set_fact:
tfstate: ""
Expand Down

0 comments on commit 7970fa7

Please sign in to comment.