whc4: front PHP route with CRS WAF

2026-06-17 19:24:36 -05:00
parent 41fb117ff0
commit ef782ed56d
4 changed files with 247 additions and 2 deletions
--- a/tests/bluejay-infra-lint/FleetManifestLintTests.cs
+++ b/tests/bluejay-infra-lint/FleetManifestLintTests.cs
@@ -1014,6 +1014,49 @@ public sealed class FleetManifestLintTests
        tlsOption.RootElement.GetProperty("spec").GetProperty("minVersion").GetString().Should().Be("VersionTLS13");
    }

+    [Fact]
+    public void Gx10PhpManagerRoute_IsFrontedByOwaspCrsWaf()
+    {
+        var appRoot = Path.Combine(Inventory.BluejayRoot, "apps-gx10", "fc-php");
+        var wafContainer = Gx10DeploymentContainer("fc-php", "deployment-php-waf.json");
+        wafContainer.GetProperty("image").GetString()
+            .Should()
+            .Be("owasp/modsecurity-crs:4.25-nginx-alpine-lts@sha256:88b59911549723e71beabf3b4aa47bbd31b00e79401f442e65ddfc430ae46343");
+        wafContainer.GetProperty("imagePullPolicy").GetString().Should().Be("IfNotPresent");
+        JsonEnvValue(wafContainer, "BACKEND").Should().Be("http://php-web.fc-php.svc.cluster.local:5400");
+        JsonEnvValue(wafContainer, "SERVER_NAME").Should().Be("php.iamworkin.lan");
+        JsonEnvValue(wafContainer, "MODSEC_RULE_ENGINE").Should().Be("On");
+        JsonEnvValue(wafContainer, "MODSEC_AUDIT_ENGINE").Should().Be("RelevantOnly");
+        JsonEnvValue(wafContainer, "MODSEC_AUDIT_LOG").Should().Be("/dev/stdout");
+
+        using var wafDeployment = JsonDocument.Parse(File.ReadAllText(Path.Combine(appRoot, "deployment-php-waf.json")));
+        var podSpec = wafDeployment.RootElement
+            .GetProperty("spec")
+            .GetProperty("template")
+            .GetProperty("spec");
+        podSpec.GetProperty("enableServiceLinks").GetBoolean().Should().BeFalse();
+        podSpec.GetProperty("securityContext").GetProperty("runAsUser").GetInt32().Should().Be(101);
+        podSpec.GetProperty("securityContext").GetProperty("runAsNonRoot").GetBoolean().Should().BeTrue();
+
+        using var service = JsonDocument.Parse(File.ReadAllText(Path.Combine(appRoot, "service-php-waf.json")));
+        service.RootElement.GetProperty("spec").GetProperty("selector").GetProperty("app.kubernetes.io/name").GetString().Should().Be("php-waf");
+        var servicePort = service.RootElement.GetProperty("spec").GetProperty("ports").EnumerateArray().Should().ContainSingle().Subject;
+        servicePort.GetProperty("port").GetInt32().Should().Be(8080);
+        servicePort.GetProperty("targetPort").GetInt32().Should().Be(8080);
+
+        using var ingressRoute = JsonDocument.Parse(File.ReadAllText(Path.Combine(appRoot, "ingressroute-php-web.json")));
+        var serviceRef = ingressRoute.RootElement
+            .GetProperty("spec")
+            .GetProperty("routes")[0]
+            .GetProperty("services")
+            .EnumerateArray()
+            .Should()
+            .ContainSingle()
+            .Subject;
+        serviceRef.GetProperty("name").GetString().Should().Be("php-waf");
+        serviceRef.GetProperty("port").GetInt32().Should().Be(8080);
+    }
+
    [Fact]
    public void Gx10HostingManagers_ProvisioningCrdsAndRbacMustBeGitOpsOwned()
    {
@@ -1231,6 +1274,14 @@ public sealed class FleetManifestLintTests
            : null;
    }

+    private static string? JsonEnvValue(JsonElement container, string name)
+    {
+        return JsonEnvMapping(container, name) is { } env
+            && env.TryGetProperty("value", out var value)
+            ? value.GetString()
+            : null;
+    }
+
    private static JsonElement? JsonEnvMapping(JsonElement container, string name)
    {
        foreach (var env in container.GetProperty("env").EnumerateArray())