Skip to content

[EV-6466]: Add Gateway WAF (per-route & namespaced) docs section#2758

Open
electricjesus wants to merge 15 commits into
tigera:mainfrom
electricjesus:seth/EV-6466-gateway-waf-docs
Open

[EV-6466]: Add Gateway WAF (per-route & namespaced) docs section#2758
electricjesus wants to merge 15 commits into
tigera:mainfrom
electricjesus:seth/EV-6466-gateway-waf-docs

Conversation

@electricjesus

@electricjesus electricjesus commented May 29, 2026

Copy link
Copy Markdown
Member

Product Version(s):
Calico Enterprise (next / unreleased), tech preview. Not for Calico OSS or Calico Cloud.

Issue:

  • EV-6466: docs for WAF per-route
  • Design: tigera/designs#25 (2026/PMREQ-384-per-route-namespaced-waf). Rego engine: calico-private#12137 (EV-6656).

Link to docs preview:

SME review:

  • An SME has approved this change.

DOCS review:

  • A member of the docs team has approved this change.

Additional information:

Adds a Gateway WAF section under calico-enterprise/threat/gateway-waf/. It documents the per-route and per-namespace WAF feature (OWASP CRS via a Coraza WASM filter on Envoy Gateway). The section is 11 task-based pages:

  • Overview: the concepts home. Big picture, the resource model, and how it works (merge order, inheritance, the admission webhook, validation). It also holds the architecture diagram.
  • Get started: a short signpost. Prerequisites, then the path from enabling to the tutorial to the production tasks.
  • Tutorial: a hands-on that blocks a SQL injection and an XSS attempt in about five minutes.
  • Enable Gateway WAF: turn it on or off with GatewayAPI.spec.extensions.waf.state.
  • Set a baseline, Attach WAF to a route, Write custom rules, Validate config, Multi-tenant setup: one page per production task.
  • Troubleshooting: symptom to fix, plus how to observe WAF activity.
  • Reference: the six CRDs, the Rego input schema, SecRule ID ranges, and status conditions.

It also adds a deprecation note to threat/deploying-waf-ingress-gateway.mdx, which this feature supersedes.

Notes for reviewers:

  • Reorganized into task pages after docs-team feedback. The prose stays lean. It's split by task now, and the CO/AO persona labels are gone. Each task page opens with a short what-and-why line.
  • Observability: a gateway-WAF hit lands in the tigera_secure_ee_waf index with gateway_name and gateway_namespace. It does not show up as a Security Event on this release. The intrusion-detection GatewayName filter drops it by design. Bringing it back is a later-release item.
  • Uses the design-renamed kinds (WAFPolicy, GlobalWAFPolicy, WAFPlugin, and so on) from designs#25, not the older WebApplicationFirewall* names.
  • Validation is documented with Rego (package waf / violations), not the prototype's CEL.
  • sectionName (per-listener targeting) is documented as supported.
  • Enablement is operator-native. There's no standalone Helm chart.
  • The kubectl waf plugin and the web UI/BFF (PMREQ-857) are out of scope here. They're called "coming" at most.
  • The prototype-to-GA migration guide from EV-6466's acceptance criteria is deferred to GA. This content is tech preview.
  • Follow-up: remove and redirect the legacy deploying-waf-ingress-gateway page.

Merge checklist:

  • Deploy preview inspected wherever changes were made
  • Build completed successfully
  • Tests have passed

Add a Calico Enterprise docs section for the Gateway-API WAF feature
(OWASP CRS via a Coraza WASM filter on Envoy Gateway): overview,
concepts (families, global vs namespaced, merge order + enforcement),
get-started (operator-native enable + quickstart), persona-oriented
how-tos (CO baseline, AO attach/rules/validate, multi-tenant), and a
CRD / Rego / SecRule-ID-range / status-condition reference, plus
troubleshooting.

- New section under threat/gateway-waf/ (16 pages) + sidebar category.
- Deprecation note on deploying-waf-ingress-gateway (superseded by the
  new per-route/namespaced model).

Refs: PMREQ-384, designs#25, cp#12137 (Rego engine, EV-6656). Docs: EV-6466.
Copilot AI review requested due to automatic review settings May 29, 2026 11:18
@netlify

netlify Bot commented May 29, 2026

Copy link
Copy Markdown

Deploy Preview for tigera failed. Why did it fail? →

Built without sensitive environment variables

Name Link
🔨 Latest commit 1f47add
🔍 Latest deploy log https://app.netlify.com/projects/tigera/deploys/6a551a8f705ddb0008a58d36

@netlify

netlify Bot commented May 29, 2026

Copy link
Copy Markdown

Deploy Preview for calico-docs-preview-next ready!

Name Link
🔨 Latest commit 1f47add
🔍 Latest deploy log https://app.netlify.com/projects/calico-docs-preview-next/deploys/6a551a8fe7fe2a0008d0d1ba
😎 Deploy Preview https://deploy-preview-2758--calico-docs-preview-next.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@electricjesus

Copy link
Copy Markdown
Member Author

Build statusBUILD_NEXT=true yarn build (Docusaurus 3.10.1, Node 22.22, yarn 4.9.2):

✅ The new calico-enterprise/threat/gateway-waf/ pages compile cleanly and pass the broken-link check — the MDX build reaches the link checker (so all 16 pages parsed), and none of the flagged broken links are in this section.

⚠️ The full next build is currently red on pre-existing broken links in unrelated docs, not touched by this PR:

  • /calico-cloud/next/networking/add-maglev-load-balancing, mark-lb-node-for-maintenance
  • /calico/next/networking/configuring/add-maglev-load-balancing../../../operations/ebpf/enabling-ebpf#try-out-direct-server-return-mode

These are outside this PR's scope. Leaving the "Build completed successfully" checkbox unchecked until they're resolved (or confirmed handled by CI's build matrix).

- Add WAF terms to the CalicoTerminology vocab (Rego, allowlist,
  the six WAF CRD kinds, and targetRefs/namespaceSelector/paranoiaLevel/
  coreRuleSet/defaultAction/enforcementMode/SecLang).
- Reword two "another's" possessives (Vale.Spelling false positive).
- "walks through" -> "walks you through" (CalicoStyle.Walkthrough).

Verified with scripts/vale-lint.sh --minAlertLevel=error: 0 errors.
The reviewdog/Vale gate fails on warnings too, and Vale.Terms flagged the
bare acronym "CRS" as a miscasing of "CRs" (the custom-resources term).
Replace the bare acronym in prose with "Core Rule Set"; code blocks and
inline-code literals (e.g. the Rego rule messages) are left unchanged so
examples stay accurate.

Verified with scripts/vale-lint.sh: 0 errors, 0 warnings, 0 suggestions.
Replace the ASCII architecture diagram in the Gateway WAF overview with a
Mermaid flowchart, and introduce @docusaurus/theme-mermaid to the repo
(first Mermaid usage here).

The repo builds with future.faster.ssgWorkerThreads, under which
theme-mermaid's context hooks (useColorMode/useThemeConfig) throw during
worker-thread SSG. So the diagram is rendered client-side via
<BrowserOnly> + @theme/Mermaid, and markdown.mermaid is intentionally NOT
enabled (it would auto-transform ```mermaid fences and crash SSG repo-wide).

Verified BUILD_NEXT build: the gateway-waf pages render cleanly; the only
build failure is pre-existing broken links in unrelated calico/calico-cloud
next docs.
@electricjesus

Copy link
Copy Markdown
Member Author

Heads-up for reviewers: this PR introduces Mermaid to the docs site for the first time.

  • Adds @docusaurus/theme-mermaid (package.json + yarn.lock) and registers it via themes: in docusaurus.config.js.
  • The Gateway WAF overview's architecture diagram is now a Mermaid flowchart instead of ASCII — chosen over a static SVG so the diagram source stays diffable and reviewable (and editable by tooling).
  • SSG note: the site builds with future.faster.ssgWorkerThreads, under which theme-mermaid's context hooks (useColorMode/useThemeConfig) throw a ReactContextError during worker-thread SSG. So the diagram renders client-side via <BrowserOnly> + @theme/Mermaid, and markdown.mermaid is deliberately left off — enabling it would auto-transform ```mermaid fences and crash the SSG build repo-wide. Future Mermaid diagrams should follow the same <BrowserOnly> pattern (or we revisit the worker-thread SSG flag).
  • Verified locally with BUILD_NEXT=true yarn build: the gateway-waf pages SSG cleanly (the only build failure is pre-existing broken links in unrelated calico/calico-cloud next docs).

Replace the overview's ASCII pipeline with a static SVG
(static/img/calico-enterprise/gateway-waf-architecture.svg) and revert the
Mermaid introduction.

@docusaurus/theme-mermaid is incompatible with this repo's multi-docs-instance
+ yarn-berry setup: @docusaurus/theme-common (peer dep
@docusaurus/plugin-content-docs: "*") is instantiated as two virtual copies,
so the classic theme's <ColorModeProvider> and theme-mermaid's useColorMode()
bind different React contexts -> ReactContextError during both worker-thread
SSG and client render. The SVG carries descriptive alt text for accessibility.
@electricjesus

Copy link
Copy Markdown
Member Author

Update — reverted the Mermaid introduction; the architecture diagram is now a static SVG.

@docusaurus/theme-mermaid turned out to be incompatible with this repo's setup. Because the site runs three docs-plugin instances, @docusaurus/theme-common (which declares a @docusaurus/plugin-content-docs: "*" peer) gets instantiated as two yarn-berry virtual copies — the classic theme's <ColorModeProvider> and theme-mermaid's useColorMode() then bind different React contexts, throwing ReactContextError in both worker-thread SSG (future.faster.ssgWorkerThreads) and the browser.

Rather than repo-wide yarn packageExtensions/hoisting surgery, the diagram is now a static SVG at static/img/calico-enterprise/gateway-waf-architecture.svg (with descriptive alt text). The @docusaurus/theme-mermaid dependency and config change are removed (dcbfd002). This supersedes the earlier "introducing Mermaid" note above.

Fix text overflow and tighten spacing flagged in review: widen the canvas
to 940x360, split the admission-webhook caption to two lines, widen the
input/process boxes so every label fits with margin, and clean up the
pass/fail arrow routing. Same colour palette.
@electricjesus electricjesus marked this pull request as ready for review May 29, 2026 22:12
@electricjesus electricjesus requested a review from a team as a code owner May 29, 2026 22:12
…ique reservation (EV-6757)

The range page implied each namespace gets a private, collision-free block. Reword to say the range is the set of IDs your rules may use, note it isn't globally unique (two namespaces can map to the same block, harmlessly), and that tenant isolation comes from per-namespace engines plus the protected ranges.
Fold the concepts/, get-started/, how-to/, and reference/ subpages into single Overview, How it works, Get started, Common tasks, Reference, and Troubleshooting pages, flattening the section to match the threat/ layout. Content preserved; sidebar updated.

Ref: EV-6466
Verbosity-only pass over Common tasks, Reference, How it works, and Troubleshooting: cut repeated narrative and duplicate YAML, keep one representative example per task. No facts, tables, field/rule/status-condition names, or meaning changed. ~10.0k -> ~8.5k words.

Ref: EV-6466
…ditions

- Gateway-WAF hits are recorded in tigera_secure_ee_waf (with gateway_name/gateway_namespace) but are not raised as Security Events on this release (intrusion-detection GatewayName filter); re-surfacing is a later-release item.

- sectionName is supported: drop the "reserved for a future release" wording and the SectionNameNotYetSupported status reason.

- Status-condition reasons corrected to match the reconciler: LicenseRequired (not LicenseBlocked); TargetNotFound and RenderTooLarge under Programmed; add Invalid/ValidationFailed/PluginNotFound under Accepted; drop UnsupportedTarget; Accepted=True reason is Accepted (not Reconciled).

Ref: EV-6466 EV-6650 EV-6786
The deprecation note on deploying-waf-ingress-gateway.mdx linked to gateway-waf/how-to/attach-waf-to-a-route.mdx, which the 16->6 consolidation removed. Repoint it to the merged Common tasks section (#attach-waf-to-a-gateway-or-route).

Ref: EV-6466
Per docs-team feedback, reorganize (not further shrink) the section:

- Overview becomes the concepts home: absorbs How it works (resource model, singleton, inheritance, load order, guardrails) and the architecture diagram; the standalone How-it-works page is removed.

- Get started slims to a signpost (prerequisites + enable -> tutorial -> tasks); the hands-on walkthrough moves to a new Tutorial page.

- Enable/disable becomes its own page (Enable Gateway WAF).

- Common tasks split into one page per task (set a baseline, attach WAF, write custom rules, validate config, multi-tenant); persona labels dropped, each gains a what/why lead.

- Sidebar reordered to the new layout; inbound links (incl. the deprecation note) repointed.

Ref: EV-6466
Gateway WAF is gated by the GatewayAPI CR (spec.extensions.waf.state), not the ApplicationLayer resource (that gates the legacy ext_proc WAF). Confirmed against tigera/operator origin/master (IsWAFGatewayExtensionEnabled). Drop the stale ApplicationLayer mention and let the Enable page own the mechanism.

Ref: EV-6466
Restructure the Gateway WAF section per review:
- make the category an empty expansion; move its landing content to overview
- drop the Get started page; put prerequisites on each task page
- add the tech-preview banner to every page
- convert procedures to numbered steps (the tutorial is now one list)
- rename the baseline page title to name the feature
- move the plugin slot table to overview; trim the Rego example on the validation page
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant