Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

VirtualServer that references a WAF policy which uses a bundle does not recover if the bundle is missing on startup #5530

Open
shaun-nx opened this issue May 9, 2024 · 2 comments
Open

VirtualServer that references a WAF policy which uses a bundle does not recover if the bundle is missing on startup #5530

shaun-nx opened this issue May 9, 2024 · 2 comments
Labels
bug An issue reporting a potential bug ready for refinement An issue that was triaged and it is ready to be refined

Comments

@shaun-nx
Copy link
Contributor

shaun-nx commented May 9, 2024
edited

Describe the bug
When deploying a VirtualServer with a WAF policy which uses the apBundle setting, the VirtualServer will remain go into a Warning state if the expected .tgz bundle file is not present. The VirtualServer will subsequently stay in this Warning state even after the .tgz bundle file is put into the expected directory afterwords.

Example warning message:

Events:
  Type     Reason                     Age                    From                      Message
  ----     ------                     ----                   ----                      -------
  Warning  AddedOrUpdatedWithWarning  4m58s (x3 over 4m58s)  nginx-ingress-controller  Configuration for default/webapp was added or updated ; with warning(s): WAF policy default/waf-policy references an invalid or non-existing App Protect bundle /etc/app_protect/bundles/compiled_policy.tgz

To Reproduce
Steps to reproduce the behavior:

  1. Deploy NIC v3.5.0 with WAF v4.8.1
  2. Deploy a Policy of kind waf, with the apBundle option as shown in the Policy Resource docs
  3. Deploy a VirtualServer referencing this poilicy.
  4. Ensure the bundle is not present on the file system.,
  5. Add the bundle to the expected directory after deployment.

Expected behavior
The VirtualServer will go from a Warning state to a Valid state after the bundle file has been placed in the expected directory.

Your environment

  • Version of the Ingress Controller - release version or a specific commit: 3.5.0
  • Version of Kubernetes: 1.29
  • Kubernetes platform (e.g. Mini-kube or GCP): GCP
  • Using NGINX or NGINX Plus: NGINX Plus
@shaun-nx shaun-nx mentioned this issue May 9, 2024
Closed
@github-actions GitHub Actions
Copy link

github-actions bot commented May 9, 2024

Hi @shaun-nx thanks for reporting!

Be sure to check out the docs and the Contributing Guidelines while you wait for a human to take a look at this 🙂

Cheers!

@shaun-nx shaun-nx added the bug An issue reporting a potential bug label May 9, 2024
@brianehlert
Copy link
Collaborator

This appears to be a workflow or order of operations problem.
If a bundle is referenced in a config, it must be present.
The question comes if or how the system responds to that.

@danielnginx danielnginx added the ready for refinement An issue that was triaged and it is ready to be refined label May 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug An issue reporting a potential bug ready for refinement An issue that was triaged and it is ready to be refined
Projects
NGINX Ingress Controller
Status: Todo
Milestone
No milestone
Development

No branches or pull requests
3 participants
@brianehlert @shaun-nx @danielnginx