diff --git a/osm-seed/templates/nominatim-api/nominatim-ingress.yaml b/osm-seed/templates/nominatim-api/nominatim-ingress.yaml
index c65bfb4b..b45b2e45 100644
--- a/osm-seed/templates/nominatim-api/nominatim-ingress.yaml
+++ b/osm-seed/templates/nominatim-api/nominatim-ingress.yaml
@@ -22,6 +22,10 @@ metadata:
 alb.ingress.kubernetes.io/listen-ports: '{{ .Values.alb.listenPorts | default "[{\"HTTP\":80},{\"HTTPS\":443}]" }}'
 alb.ingress.kubernetes.io/certificate-arn: "{{ .Values.alb.certificateArn }}"
 alb.ingress.kubernetes.io/ssl-redirect: '443'
+ # Enable WAF
+ {{- if .Values.alb.enableWaf.enabled }}
+ alb.ingress.kubernetes.io/waf-acl-arn: "{{ .Values.alb.enableWaf.wafAclArn }}"
+ {{- end }}
 {{- end }}
 spec:
 ingressClassName: {{ .Values.ingressClassName }}
diff --git a/osm-seed/templates/overpass-api/overpass-api-ingress.yaml b/osm-seed/templates/overpass-api/overpass-api-ingress.yaml
index 7bb6f8dd..73d46c8c 100644
--- a/osm-seed/templates/overpass-api/overpass-api-ingress.yaml
+++ b/osm-seed/templates/overpass-api/overpass-api-ingress.yaml
@@ -22,6 +22,10 @@ metadata:
 alb.ingress.kubernetes.io/listen-ports: '{{ .Values.alb.listenPorts | default "[{\"HTTP\":80},{\"HTTPS\":443}]" }}'
 alb.ingress.kubernetes.io/certificate-arn: "{{ .Values.alb.certificateArn }}"
 alb.ingress.kubernetes.io/ssl-redirect: '443'
+ # Enable WAF
+ {{- if .Values.alb.enableWaf.enabled }}
+ alb.ingress.kubernetes.io/waf-acl-arn: "{{ .Values.alb.enableWaf.wafAclArn }}"
+ {{- end }}
 {{- end }}
 spec:
 ingressClassName: {{ .Values.ingressClassName }}
diff --git a/osm-seed/templates/taginfo/taginfo-ingress.yaml b/osm-seed/templates/taginfo/taginfo-ingress.yaml
index a9aa70f8..1f6373c6 100644
--- a/osm-seed/templates/taginfo/taginfo-ingress.yaml
+++ b/osm-seed/templates/taginfo/taginfo-ingress.yaml
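Review bot: The new `{{- if .Values.alb.enableWaf.enabled }}` guard dereferences `enableWaf` unconditionally, so a values override that replaces the `alb:` map without an `enableWaf` key makes the chart fail to render (Helm's nil-pointer error) instead of simply leaving the WAF off; `{{- if and .Values.alb.enableWaf .Values.alb.enableWaf.enabled }}` keeps the template renderable in that case. When the flag is on but `wafAclArn` is empty, the annotation renders as `waf-acl-arn: ""`, which at best leaves the ingress without the WAF the operator thinks is attached and at worst stalls reconciliation in the controller (not verifiable from the diff); `alb.ingress.kubernetes.io/waf-acl-arn: "{{ required "alb.enableWaf.wafAclArn must be set when alb.enableWaf.enabled is true" .Values.alb.enableWaf.wafAclArn }}"` turns that misconfiguration into a render-time error. The `# Enable WAF` comment sits outside the conditional and is emitted into every rendered manifest even when WAF is disabled; moving it inside the `if`, and spelling it the same way in every file (web-ingress.yaml writes `## Enable WAF`), keeps the six copies identical and greppable. The same hunk appears in overpass-api-ingress.yaml, taginfo-ingress.yaml, tm-ingress.yaml, tiler-server-ingress.yaml and web-ingress.yaml, and in each the outer block closed by the trailing `{{- end }}` starts outside the hunk.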
@@ -22,6 +22,10 @@ metadata:
 alb.ingress.kubernetes.io/listen-ports: '{{ .Values.alb.listenPorts | default "[{\"HTTP\":80},{\"HTTPS\":443}]" }}'
 alb.ingress.kubernetes.io/certificate-arn: "{{ .Values.alb.certificateArn }}"
 alb.ingress.kubernetes.io/ssl-redirect: '443'
+ # Enable WAF
+ {{- if .Values.alb.enableWaf.enabled }}
+ alb.ingress.kubernetes.io/waf-acl-arn: "{{ .Values.alb.enableWaf.wafAclArn }}"
+ {{- end }}
 {{- end }}
 spec:
 ingressClassName: {{ .Values.ingressClassName }}
diff --git a/osm-seed/templates/tasking-manager-api/tm-ingress.yaml b/osm-seed/templates/tasking-manager-api/tm-ingress.yaml
index 82a44ad4..bc522afa 100644
--- a/osm-seed/templates/tasking-manager-api/tm-ingress.yaml
+++ b/osm-seed/templates/tasking-manager-api/tm-ingress.yaml
@@ -22,6 +22,10 @@ metadata:
 alb.ingress.kubernetes.io/listen-ports: '{{ .Values.alb.listenPorts | default "[{\"HTTP\":80},{\"HTTPS\":443}]" }}'
 alb.ingress.kubernetes.io/certificate-arn: "{{ .Values.alb.certificateArn }}"
 alb.ingress.kubernetes.io/ssl-redirect: '443'
+ # Enable WAF
+ {{- if .Values.alb.enableWaf.enabled }}
+ alb.ingress.kubernetes.io/waf-acl-arn: "{{ .Values.alb.enableWaf.wafAclArn }}"
+ {{- end }}
 {{- end }}
 spec:
 ingressClassName: {{ .Values.ingressClassName }}
diff --git a/osm-seed/templates/tiler-server/tiler-server-ingress.yaml b/osm-seed/templates/tiler-server/tiler-server-ingress.yaml
index 7bc066cb..d5ae551d 100644
--- a/osm-seed/templates/tiler-server/tiler-server-ingress.yaml
+++ b/osm-seed/templates/tiler-server/tiler-server-ingress.yaml
@@ -22,6 +22,10 @@ metadata:
 alb.ingress.kubernetes.io/listen-ports: '{{ .Values.alb.listenPorts | default "[{\"HTTP\":80},{\"HTTPS\":443}]" }}'
 alb.ingress.kubernetes.io/certificate-arn: "{{ .Values.alb.certificateArn }}"
 alb.ingress.kubernetes.io/ssl-redirect: '443'
+ # Enable WAF
+ {{- if .Values.alb.enableWaf.enabled }}
+ alb.ingress.kubernetes.io/waf-acl-arn: "{{ .Values.alb.enableWaf.wafAclArn }}"
+ {{- end }}
 {{- end }}
 spec:
 ingressClassName: {{ .Values.ingressClassName }}
diff --git a/osm-seed/templates/web/web-ingress.yaml b/osm-seed/templates/web/web-ingress.yaml
index 77f9b810..caedffaf 100644
--- a/osm-seed/templates/web/web-ingress.yaml
+++ b/osm-seed/templates/web/web-ingress.yaml
@@ -22,6 +22,10 @@ metadata:
 alb.ingress.kubernetes.io/listen-ports: '{{ .Values.alb.listenPorts | default "[{\"HTTP\":80},{\"HTTPS\":443}]" }}'
 alb.ingress.kubernetes.io/certificate-arn: "{{ .Values.alb.certificateArn }}"
 alb.ingress.kubernetes.io/ssl-redirect: '443'
+ ## Enable WAF
+ {{- if .Values.alb.enableWaf.enabled }}
+ alb.ingress.kubernetes.io/waf-acl-arn: "{{ .Values.alb.enableWaf.wafAclArn }}"
+ {{- end }}
 {{- end }}
 spec:
 ingressClassName: {{ .Values.ingressClassName }}
diff --git a/osm-seed/values.yaml b/osm-seed/values.yaml
index 6d41c018..7158b8f2 100644
--- a/osm-seed/values.yaml
+++ b/osm-seed/values.yaml
@@ -46,8 +46,10 @@ createClusterIssuer: false
 ingressClassNameType: "alb" #Type can be alb or nlb
 ingressClassName: alb #nginx, nginx-nlb, alb
 alb:
- certificateArn: "arn:aws:acm:us-east-1:618380242247:certificate/498e3dc0-843b-4c98-8d41-861775806e86"
-
+ certificateArn: "arn:aws:acm:us-east-1:1234567890:certificate/abcdeffff-843b-4c98-8d41-abcdeffff"
+ enableWaf:
+ enabled: false
+ wafAclArn: arn:aws:wafv2:us-east-1:123456789:regional/webacl/webacl-alb/abcdeffff-ddddd-ddddd-bbbb-abcdeffff
 # Domain that is pointed to the clusterIP
 # You will need to create an A record like *.osmseed.example.com pointed to the ClusterIP
 # Then, the cluster configuration will setup services at their respective subdomains:
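Review bot: `wafAclArn` defaults to a sample ARN rather than an empty string, so an operator who sets `enableWaf.enabled: true` without also overriding the ARN ends up with the ingress pointing at a web ACL that does not exist, which the ALB controller cannot reconcile; `wafAclArn: ""` as the default makes the missing value obvious (and lets the templates reject it at render time) instead of producing a plausible-looking but unprotected ingress. The value is also the only ARN in this block left unquoted while `certificateArn` is quoted — quoting it, e.g. `wafAclArn: "arn:aws:wafv2:<region>:<account-id>:regional/webacl/<name>/<id>"` with clearly marked placeholders, keeps the block consistent. The sample account ids in both new ARNs (`1234567890`, `123456789`) are 10 and 9 digits while AWS account ids are 12, so a 12-digit placeholder such as `123456789012` avoids schema validators rejecting the defaults. A short comment above `enableWaf:` saying that the ACL must be a regional WAFv2 web ACL in the same region as the ALB would help readers; I am inferring that constraint from the `wafv2:...:regional` shape of the sample ARN and from the ALB controller's documented behaviour, not from anything in this diff.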