feat(applicationlayer): WAF v3 render + kube-controllers config plumbing

Makefile

@@ -248,21 +248,13 @@ $(ISTIO_RESOURCES_DIR)/%.tgz:
 # Envoy Gateway" in docs/common_tasks.md.
 ENVOY_GATEWAY_HELM_CHART ?= oci://docker.io/envoyproxy/gateway-helm
 ENVOY_GATEWAY_VERSION ?= v1.7.2
-ENVOY_GATEWAY_PREFIX ?= tigera-gateway-api
-ENVOY_GATEWAY_NAMESPACE ?= tigera-gateway
-ENVOY_GATEWAY_RESOURCES = pkg/render/gatewayapi/gateway_api_resources.yaml
-
-$(ENVOY_GATEWAY_RESOURCES): $(HACK_BIN)/helm-$(BUILDARCH)
-	echo "---" > $@
-	echo "apiVersion: v1" >> $@
-	echo "kind: Namespace" >> $@
-	echo "metadata:" >> $@
-	echo "  name: $(ENVOY_GATEWAY_NAMESPACE)" >> $@
-	$(HELM_BUILDARCH_BINARY) template $(ENVOY_GATEWAY_PREFIX) $(ENVOY_GATEWAY_HELM_CHART) \
+ENVOY_GATEWAY_CHART = pkg/render/gatewayapi/gateway-helm.tgz
+
+$(ENVOY_GATEWAY_CHART): $(HACK_BIN)/helm-$(BUILDARCH)
+	$(HELM_BUILDARCH_BINARY) pull $(ENVOY_GATEWAY_HELM_CHART) \
 		--version $(ENVOY_GATEWAY_VERSION) \
-		-n $(ENVOY_GATEWAY_NAMESPACE) \
-		--include-crds \
-	>> $@
+		--destination pkg/render/gatewayapi/
+	@mv pkg/render/gatewayapi/gateway-helm-$(ENVOY_GATEWAY_VERSION).tgz $@
 
 $(HELM_BUILDARCH_BINARY): $(HELM_BUILDARCH_VERSIONED_BINARY)
 	$(info ░▒▓ symlink $(HELM_BUILDARCH_VERSIONED_BINARY) -> $(HELM_BUILDARCH_BINARY))
@@ -276,7 +268,7 @@ $(HELM_BUILDARCH_VERSIONED_BINARY): | $(HACK_BIN)
 
 
 build: $(BINDIR)/operator-$(ARCH)
-$(BINDIR)/operator-$(ARCH): $(SRC_FILES) $(ENVOY_GATEWAY_RESOURCES) $(ISTIO_CHART_FILES)
+$(BINDIR)/operator-$(ARCH): $(SRC_FILES) $(ENVOY_GATEWAY_CHART) $(ISTIO_CHART_FILES)
 	mkdir -p $(BINDIR)
 	$(CONTAINERIZED) -e CGO_ENABLED=$(CGO_ENABLED) -e GOEXPERIMENT=$(GOEXPERIMENT) $(CALICO_BUILD) \
 	sh -c '$(GIT_CONFIG_SSH) \
@@ -339,7 +331,7 @@ GINKGO_FOCUS?=.*
 ENVTEST_K8S_VERSION?=1.34.x
 
 .PHONY: ut
-ut: $(ENVOY_GATEWAY_RESOURCES) $(ISTIO_CHART_FILES)
+ut: $(ENVOY_GATEWAY_CHART) $(ISTIO_CHART_FILES)
 	-mkdir -p .go-pkg-cache report
 	$(CONTAINERIZED) $(CALICO_BUILD) sh -c '$(GIT_CONFIG_SSH) \
 	go install sigs.k8s.io/controller-runtime/tools/setup-envtest@release-0.22 && \
@@ -348,7 +340,7 @@ ut: $(ENVOY_GATEWAY_RESOURCES) $(ISTIO_CHART_FILES)
 
 ## Run the functional tests
 fv: cluster-create load-container-images run-fvs cluster-destroy
-run-fvs: $(ENVOY_GATEWAY_RESOURCES) $(ISTIO_CHART_FILES)
+run-fvs: $(ENVOY_GATEWAY_CHART) $(ISTIO_CHART_FILES)
 	-mkdir -p .go-pkg-cache report
 	$(CONTAINERIZED) $(CALICO_BUILD) sh -c '$(GIT_CONFIG_SSH) \
 	ginkgo -focus="$(GINKGO_FOCUS)" $(GINKGO_ARGS) "$(FV_DIR)"'

api/v1/gatewayapi_types.go

@@ -79,6 +79,51 @@ type GatewayAPISpec struct {
 	// does not yet have any version of those CRDs.
 	// +optional
 	CRDManagement *CRDManagement `json:"crdManagement,omitempty"`
+
+	// Extensions enables and configures Tigera-built add-ons that sit on top of the
+	// Gateway API data plane.  Each add-on is opt-in: an unset Extensions, an unset
+	// add-on field, and an empty add-on object all leave the add-on disabled.
+	// +optional
+	Extensions *GatewayAPIExtensions `json:"extensions,omitempty"`
+}
+
+// GatewayAPIExtensions enables and configures Tigera-built Gateway API add-ons.
+type GatewayAPIExtensions struct {
+	// WAF enables and configures the Tigera Web Application Firewall (Coraza WASM
+	// + applicationlayer reconcilers).  Default-off semantics: when WAF is nil,
+	// when WAF.State is nil, and when WAF.State is "Disabled", the operator does
+	// not render the WAF env vars or RBAC on calico-kube-controllers.  Set
+	// WAF.State = "Enabled" to turn the feature on.  See design
+	// `tigera/designs#25` (PMREQ-384) for the full surface.
+	// +optional
+	WAF *WAFExtensionSpec `json:"waf,omitempty"`
+}
+
+// WAFExtensionSpec configures the WAF Gateway API add-on.
+type WAFExtensionSpec struct {
+	// State turns the WAF Gateway API add-on on or off.  Default (nil or
+	// "Disabled") means the operator does not render the WAF surface on
+	// calico-kube-controllers.  Set to "Enabled" to opt in.
+	// +optional
+	State *WAFExtensionState `json:"state,omitempty"`
+}
+
+// WAFExtensionState is the on/off enum for the WAF Gateway API add-on.
+// +kubebuilder:validation:Enum=Enabled;Disabled
+type WAFExtensionState string
+
+const (
+	WAFExtensionStateEnabled  WAFExtensionState = "Enabled"
+	WAFExtensionStateDisabled WAFExtensionState = "Disabled"
+)
+
+// IsWAFGatewayExtensionEnabled returns true iff spec.extensions.waf.state == Enabled.
+// Unset Extensions, unset WAF, unset State, and explicit Disabled all return false.
+func (s *GatewayAPISpec) IsWAFGatewayExtensionEnabled() bool {
+	if s == nil || s.Extensions == nil || s.Extensions.WAF == nil || s.Extensions.WAF.State == nil {
+		return false
+	}
+	return *s.Extensions.WAF.State == WAFExtensionStateEnabled
 }
 
 type GatewayClassSpec struct {

docs/common_tasks.md

@@ -182,15 +182,9 @@ spec:
 
 1. In `Makefile`, update `ENVOY_GATEWAY_VERSION`.
 
-1. Delete `pkg/render/gatewayapi/gateway_api_resources.yaml`.
+1. Delete `pkg/render/gatewayapi/gateway-helm.tgz`.
 
-1. Run `make build`.  This will generate a new version of `pkg/render/gateway_api_resources.yaml` and then build the operator image.
-
-1. Review diffs between the old and new versions of `pkg/render/gateway_api_resources.yaml` (e.g. using `git diff`) to identify:
-
-   - any incompatible changes that would need changes in our Gateway-related operator coding or image building
-
-   - any entirely new CRDs or resources, that would need changes in `pkg/render/gateway_api.go`.
+1. Run `make build`.  This will download the new version of the Envoy Gateway helm chart and build the operator image.  The chart is embedded in the binary and rendered at runtime using the Helm SDK.
 
 1. Address build issues if there are any.
 
@@ -200,11 +194,11 @@ spec:
 
 1. Identify the corresponding new versions of the `gateway`, `proxy` and `ratelimit` images.
 
-   - The `gateway` version can be found by looking for "envoyproxy/gateway" in `pkg/render/gateway_api_resources.yaml`, and probably also in the Envoy Gateway release notes ([for example](https://github.com/envoyproxy/gateway/releases/tag/v1.3.2)).  It should be the same as the nominal Envoy Gateway version that you're updating to.
+   - The `gateway` version can be found in the Envoy Gateway release notes ([for example](https://github.com/envoyproxy/gateway/releases/tag/v1.3.2)).  It should be the same as the nominal Envoy Gateway version that you're updating to.
 
    - The `proxy` version can be found in the Envoy Gateway release notes, or by referring to [this compatibility matrix](https://gateway.envoyproxy.io/news/releases/matrix/).
 
-   - The `ratelimit` version can be found by looking for "envoyproxy/ratelimit" in `pkg/render/gateway_api_resources.yaml`, and probably also in the Envoy Gateway release notes.
+   - The `ratelimit` version can be found in the Envoy Gateway release notes.
 
 1. Switching to the `projectcalico/calico` repo, update the code under `third_party/envoy-{gateway,proxy,ratelimit}` to build those new image versions.  In each case:
 

pkg/common/common.go

@@ -36,6 +36,10 @@ const (
 	EgressAccessControlFeature = "egress-access-control"
 	// PolicyRecommendation feature name
 	PolicyRecommendationFeature = "policy-recommendation"
+	// GatewayAddonsFeature gates Tigera-built add-ons that layer on top of an
+	// ingress gateway (currently the WAF v2/v3 admission webhook). The bare
+	// ingress gateway data path is NOT licensed by this feature.
+	GatewayAddonsFeature = "ingress-gateway-addons"
 	// MultipleOwnersLabel used to indicate multiple owner references.
 	// If the render code places this label on an object, the object mergeState machinery will merge owner
 	// references with any that already exist on the object rather than replace the owner references. Further

pkg/components/enterprise.go

@@ -162,6 +162,30 @@ var (
 		variant:   enterpriseVariant,
 	}
 
+	ComponentCorazaWASM = Component{
+		Version:   "master",
+		Image:     "coraza-wasm",
+		Registry:  "",
+		imagePath: "",
+		variant:   enterpriseVariant,
+	}
+
+	ComponentQueryServer = Component{
+		Version:   "master",
+		Image:     "queryserver",
+		Registry:  "",
+		imagePath: "",
+		variant:   enterpriseVariant,
+	}
+
+	ComponentL7AdmissionController = Component{
+		Version:   "master",
+		Image:     "l7-admission-controller",
+		Registry:  "",
+		imagePath: "",
+		variant:   enterpriseVariant,
+	}
+
 	ComponentCoreOSPrometheus = Component{
 		Version: "v3.9.1",
 		variant: enterpriseVariant,
@@ -283,6 +307,8 @@ var (
 		ComponentGatewayL7Collector,
 		ComponentEnvoyProxy,
 		ComponentDikastes,
+		ComponentCorazaWASM,
+		ComponentQueryServer,
 		ComponentPrometheus,
 		ComponentPrometheusAlertmanager,
 		ComponentTigeraNode,