whc4: front bluejay tenant route with CRS WAF

2026-06-17 19:54:26 -05:00
parent 193b167d10
commit ee14d3a2d0
4 changed files with 261 additions and 8 deletions
--- a/tests/bluejay-infra-lint/FleetManifestLintTests.cs
+++ b/tests/bluejay-infra-lint/FleetManifestLintTests.cs
@@ -1071,6 +1071,55 @@ public sealed class FleetManifestLintTests
        serviceRef.GetProperty("port").GetInt32().Should().Be(8080);
    }

+    [Fact]
+    public void Gx10BluejayDevTenantRoute_IsFrontedByOwaspCrsWaf()
+    {
+        var appRoot = Path.Combine(Inventory.BluejayRoot, "apps-gx10", "fc-tenant-andrew");
+        var wafContainer = Gx10DeploymentContainer("fc-tenant-andrew", "deployment-andrew-web-waf.json");
+        wafContainer.GetProperty("image").GetString()
+            .Should()
+            .Be("owasp/modsecurity-crs:4.25-nginx-alpine-lts@sha256:88b59911549723e71beabf3b4aa47bbd31b00e79401f442e65ddfc430ae46343");
+        JsonEnvValue(wafContainer, "BACKEND").Should().Be("http://andrew-web.fc-tenant-andrew.svc.cluster.local:80");
+        JsonEnvValue(wafContainer, "SERVER_NAME").Should().Be("bluejay.dev www.bluejay.dev");
+        JsonEnvValue(wafContainer, "MODSEC_RULE_ENGINE").Should().Be("On");
+        JsonEnvValue(wafContainer, "MODSEC_AUDIT_ENGINE").Should().Be("RelevantOnly");
+        JsonEnvValue(wafContainer, "MODSEC_AUDIT_LOG").Should().Be("/dev/stdout");
+
+        using var wafDeployment = JsonDocument.Parse(File.ReadAllText(Path.Combine(appRoot, "deployment-andrew-web-waf.json")));
+        var podSpec = wafDeployment.RootElement
+            .GetProperty("spec")
+            .GetProperty("template")
+            .GetProperty("spec");
+        podSpec.GetProperty("enableServiceLinks").GetBoolean().Should().BeFalse();
+        podSpec.GetProperty("securityContext").GetProperty("runAsUser").GetInt32().Should().Be(101);
+        podSpec.GetProperty("securityContext").GetProperty("runAsNonRoot").GetBoolean().Should().BeTrue();
+        wafContainer.GetProperty("readinessProbe")
+            .GetProperty("httpGet")
+            .GetProperty("httpHeaders")[0]
+            .GetProperty("value")
+            .GetString()
+            .Should()
+            .Be("bluejay.dev");
+
+        using var service = JsonDocument.Parse(File.ReadAllText(Path.Combine(appRoot, "service-andrew-web-waf.json")));
+        service.RootElement.GetProperty("spec").GetProperty("selector").GetProperty("app.kubernetes.io/name").GetString().Should().Be("andrew-web-waf");
+        var servicePort = service.RootElement.GetProperty("spec").GetProperty("ports").EnumerateArray().Should().ContainSingle().Subject;
+        servicePort.GetProperty("port").GetInt32().Should().Be(8080);
+        servicePort.GetProperty("targetPort").GetInt32().Should().Be(8080);
+
+        using var ingressRoute = JsonDocument.Parse(File.ReadAllText(Path.Combine(appRoot, "ingressroute-andrew-web.json")));
+        var serviceRef = ingressRoute.RootElement
+            .GetProperty("spec")
+            .GetProperty("routes")[0]
+            .GetProperty("services")
+            .EnumerateArray()
+            .Should()
+            .ContainSingle()
+            .Subject;
+        serviceRef.GetProperty("name").GetString().Should().Be("andrew-web-waf");
+        serviceRef.GetProperty("port").GetInt32().Should().Be(8080);
+    }
+
    [Fact]
    public void Gx10HostingManagers_ProvisioningCrdsAndRbacMustBeGitOpsOwned()
    {