bunkerity / bunkerweb

🛡️ Open-source and next-generation Web Application Firewall (WAF)
https://www.bunkerweb.io
GNU Affero General Public License v3.0

[FEATURE] K8S - Ability to ignore/use Ingresses based on IngressClass #970

Open Regulus-Regulus opened 8 months ago

Regulus-Regulus commented 8 months ago

What's needed and why?

Hi there,

currently Bunkerweb takes into account all ingresses in all namespaces. Other Ingress Controllers (like Ingress-Nginx) are able to only apply configurations from Ingresses with, for instance, the IngressClass "Nginx".

It would be great if Bunkerweb was able to do the same and ignore/use Ingresses based on their IngressClass, which would allow the usage of multiple IngressControllers within the same cluster.

If this is already possible and I couldn't find how to configure it correctly, I apologize.

Thank you for your work!

Some links:
https://docs.nginx.com/nginx-ingress-controller/installation/running-multiple-ingress-controllers/
https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class

Implementations ideas (optional)

No response

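The selection rule requested above, as an added example (not BunkerWeb code and not part of the original issue): a controller claims an Ingress only when its class resolves to an IngressClass whose `spec.controller` is the controller's own identifier, and claims classless Ingresses only when its class is marked default. The identifier `example.com/waf-ingress`, the class name `waf` and the sample objects are constructed; treating the deprecated annotation's value as an IngressClass name is an assumption.

```python
LEGACY_ANNOTATION = "kubernetes.io/ingress.class"  # deprecated class annotation
DEFAULT_ANNOTATION = "ingressclass.kubernetes.io/is-default-class"
CONTROLLER = "example.com/waf-ingress"  # hypothetical controller identifier

def owned_classes(classes, controller=CONTROLLER):
    """Names of IngressClass objects whose spec.controller is this controller."""
    return {c["metadata"]["name"] for c in classes
            if c.get("spec", {}).get("controller") == controller}

def is_default(classes, controller=CONTROLLER):
    """True if one of this controller's classes is marked as cluster default."""
    return any(
        c.get("spec", {}).get("controller") == controller
        and c["metadata"].get("annotations", {}).get(DEFAULT_ANNOTATION) == "true"
        for c in classes)

def should_handle(ingress, classes, controller=CONTROLLER):
    """Decide whether this controller may apply configuration from the Ingress."""
    annotations = ingress.get("metadata", {}).get("annotations", {})
    name = (ingress.get("spec", {}).get("ingressClassName")
            or annotations.get(LEGACY_ANNOTATION))
    if name is None:
        # Classless Ingress: claim it only when our class is the default,
        # so two controllers never both serve the same object.
        return is_default(classes, controller)
    # Unknown or foreign class names are ignored (fail closed).
    return name in owned_classes(classes, controller)

# Constructed sample objects, reduced to the fields the decision uses.
CLASSES = [
    {"metadata": {"name": "nginx"}, "spec": {"controller": "k8s.io/ingress-nginx"}},
    {"metadata": {"name": "waf"}, "spec": {"controller": CONTROLLER}},
]
INGRESSES = [
    {"metadata": {"name": "shop"}, "spec": {"ingressClassName": "waf"}},
    {"metadata": {"name": "blog"}, "spec": {"ingressClassName": "nginx"}},
    {"metadata": {"name": "legacy",
                  "annotations": {LEGACY_ANNOTATION: "waf"}}, "spec": {}},
    {"metadata": {"name": "unset"}, "spec": {}},
]

def selected(ingresses=INGRESSES, classes=CLASSES):
    """Names of the Ingresses this controller would act on."""
    return [i["metadata"]["name"] for i in ingresses if should_handle(i, classes)]

if __name__ == "__main__":
    print(selected())
```
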

fl0ppy-d1sk commented 8 months ago

Hello @Jobuen,

You are right, it's not documented because it's not implemented ATM.

We will add it in 1.5.7 because 1.5.6 is coming soon.

On top of that, we will try our best to improve the k8s integration: helm chart, documentation about TLS support (e.g. cert-manager), scoping for annotations, ...

Don't hesitate to share some feedback about the ingress controller.

Regulus-Regulus commented 8 months ago

Hey @fl0ppy-d1sk,

sounds great, looking forward to 1.5.6 and 1.5.7, and also very curious about "Bunkerweb Pro" and what that will entail. As soon as I have feedback of value, I'll share it with you. As of now, I feel most of the problems I have setting up Bunkerweb as an Ingress Controller stem from my own mistakes.

I will actually be spending some more time on trying to integrate Bunkerweb with cert-manager next week, with the main problem I've been having being that Bunkerweb didn't correctly route the challenge-solving to the acme-pod, and instead tried to resolve it within itself. My guess was that it stems from some problem with two ingresses being set up pointing at the same domain, and that causing issues somehow (even though they pointed at different paths). Spending more time on it next week and will let you know if I can't find any mistake in my own setup.