update CoreRuleset payload for dikastes' new WAF engine (#2991)

- move and reorganise coreruleset delivery
- now embedded, no need to rely on go:generate
- reorganise how we do the customisations, put all our custom CRS behaviour in its own tigera.conf file
-  replace generated files with embedded
- update files-to-skip
- dikastes now provides a basedir option for enhanced security
- bump coreruleset from v3.3.5 -> v4.0.0-rc2

git-hooks/files-to-skip

@@ -1,4 +1,3 @@
 api/v1/zz_generated.deepcopy.go
 api/v1beta1/zz_generated.deepcopy.go
 pkg/apis/crd.projectcalico.org/v1/zz_generated.deepcopy.go
-pkg/render/applicationlayer/modsecurityrules.go

pkg/controller/applicationlayer/applicationlayer_controller.go

@@ -16,7 +16,6 @@ package applicationlayer
 
 import (
 	"context"
-	"encoding/base64"
 	"errors"
 	"fmt"
 
@@ -29,6 +28,7 @@ import (
 	"github.com/tigera/operator/pkg/controller/utils/imageset"
 	"github.com/tigera/operator/pkg/render"
 	"github.com/tigera/operator/pkg/render/applicationlayer"
+	"github.com/tigera/operator/pkg/render/applicationlayer/embed"
 	rmeta "github.com/tigera/operator/pkg/render/common/meta"
 
 	corev1 "k8s.io/api/core/v1"
@@ -419,23 +419,19 @@ func (r *ReconcileApplicationLayer) getModSecurityRuleSet(ctx context.Context) (
 }
 
 func getDefaultCoreRuleset(ctx context.Context) (*corev1.ConfigMap, error) {
+	data, err := embed.AsMap()
+	if err != nil {
+		return nil, err
+	}
+
 	ruleset := &corev1.ConfigMap{
 		TypeMeta: metav1.TypeMeta{Kind: "ConfigMap", APIVersion: "v1"},
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      applicationlayer.ModSecurityRulesetConfigMapName,
 			Namespace: common.OperatorNamespace(),
 		},
-		Data: make(map[string]string),
+		Data: data,
 	}
-
-	for filename, dataBase64 := range applicationlayer.ModsecurityCoreRuleSet {
-		if data, err := base64.StdEncoding.DecodeString(dataBase64); err == nil {
-			ruleset.Data[filename] = string(data)
-		} else {
-			return nil, err
-		}
-	}
-
 	return ruleset, nil
 }
 

pkg/render/applicationlayer/applicationlayer.go

@@ -12,8 +12,6 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-//go:generate go run gen.go
-
 package applicationlayer
 
 import (
@@ -59,9 +57,11 @@ const (
 	DikastesSyncVolumeName           = "dikastes-sync"
 	DikastesContainerName            = "dikastes"
 	ModSecurityRulesetVolumeName     = "modsecurity-ruleset"
+	ModSecurityRulesetVolumePath     = "/etc/modsecurity-ruleset"
 	ModSecurityRulesetConfigMapName  = "modsecurity-ruleset"
 	ModSecurityRulesetHashAnnotation = "hash.operator.tigera.io/modsecurity-ruleset"
 	CalicoLogsVolumeName             = "var-log-calico"
+	CalicologsVolumePath             = "/var/log/calico"
 )
 
 func ApplicationLayer(
@@ -295,17 +295,25 @@ func (c *component) containers() []corev1.Container {
 		}
 
 		if c.config.WAFEnabled {
-			commandArgs = append(commandArgs, "--rules", "/etc/modsecurity-ruleset")
+			commandArgs = append(
+				commandArgs,
+				"--waf-enabled",
+				"--waf-ruleset-base-dir", ModSecurityRulesetVolumePath,
+				"--waf-directive", "Include modsecdefault.conf",
+				"--waf-directive", "Include crs-setup.conf",
+				"--waf-directive", "Include tigera.conf",
+				"--waf-directive", "Include rules/*.conf",
+			)
 			volMounts = append(
 				volMounts,
 				[]corev1.VolumeMount{
 					{
 						Name:      CalicoLogsVolumeName,
-						MountPath: "/var/log/calico",
+						MountPath: CalicologsVolumePath,
 					},
 					{
 						Name:      ModSecurityRulesetVolumeName,
-						MountPath: "/etc/modsecurity-ruleset",
+						MountPath: ModSecurityRulesetVolumePath,
 						ReadOnly:  true,
 					},
 				}...,