feat(applicationlayer): WAF v3 (Coraza WASM) render — kube-controllers plumbing + admission webhook

[electricjesus]

Summary

Operator-side render for WAF v3 (Coraza WASM) on calico-kube-controllers. Pairs with the merged reconcilers (tigera/calico-private#11834) and the in-process SecLang validating admission webhook (tigera/calico-private#12141, EV-6657). Design: tigera/designs#25 (PMREQ-384).

Review scope — 3 commits, ~470 lines:

Commit	What
feat(api): add GatewayAPI WAF extension gating field	GatewayAPI.spec.extensions.waf.state (Enabled/Disabled, default off) + deepcopy + CRD
feat(applicationlayer): render WAF v3 + in-process admission webhook	gateway_waf.go (webhook Service + VWC), kube-controllers env/RBAC/cert/port, coraza-wasm component
feat(applicationlayer): wire WAF v3 render + webhook into installation controller	cert issuance + render wiring in core controller

Everything is gated on GatewayAPI.spec.extensions.waf.state == Enabled — non-WAF / OSS / WAF-disabled installs render a byte-identical kube-controllers Deployment.

Merge order (why hold merge): the webhook render is failurePolicy: Fail against the in-process server on :9443, which ships in tigera/calico-private#12141 (open). Merging this before cp#12141 is in the hashrelease kube-controllers image would brick wafplugins/wafpolicies writes once WAF is enabled. Review now; merge lands right after cp#12141. The plumbing half pairs with already-merged cp#11834.

WAF SecLang admission webhook — in-process (calico-kube-controllers)

The webhook runs in-process inside the existing calico-kube-controllers Pod (the applicationlayer manager's webhook server) — not a standalone Deployment. pkg/render/applicationlayer/gateway_waf.go renders only:

• a Service (tigera-waf-webhook) fronting the kube-controllers Pod (:443 → :9443), and
• a ValidatingWebhookConfiguration intercepting CREATE/UPDATE on wafplugins + wafpolicies at /validate-waf, failurePolicy: Fail (the reconciler backstop is status-only, so the webhook is the hard admission gate), caBundle = the operator CA.

No dedicated ServiceAccount/ClusterRole/ClusterRoleBinding/Deployment — the webhook reuses the kube-controllers ServiceAccount + ClusterRole.

kube-controllers plumbing (gated on GatewayAPI.spec.extensions.waf.state == Enabled)

• WASM_IMAGE / WASM_PULL_SECRET / WASM_CA_CERT env + ENABLED_CONTROLLERS=applicationlayer (names verified against the merged reconcilers' manager.go).
• WAF reconciler RBAC: the 6 applicationlayer.projectcalico.org resources + /status + /finalizers, EnvoyExtensionPolicy CRUD, events (core + events.k8s.io), secret/ConfigMap replication, Gateway/HTTPRoute reads for targetRef validation, namespaces patch/update for the upcoming per-namespace waf-id-range annotation.
• The webhook serving cert (WAFWebhookServerTLS, issued for tigera-waf-webhook.calico-system.svc) mounted into the Pod; WAF_WEBHOOK_CERT_DIR env; container port 9443.

Controller wiring (installation core controller)

Issues the serving cert via CertificateManager, materializes it into calico-system through the existing CertificateManagement render, threads it into the kube-controllers config, and renders the webhook Service + ValidatingWebhookConfiguration — all behind the WAF-enabled gate.

Test plan

• go test ./pkg/render/applicationlayer/... ./pkg/render/kubecontrollers/... — webhook contract (resources/path/failurePolicy/caBundle), kube-controllers cert mount + env + port, RBAC.
• go build ./..., go vet, gofmt clean; full Operator CI green (2424 tests).
• RBAC audited against the merged reconcilers' kubebuilder markers + client-call sweep — no missing grants (incl. the controller-runtime cached-client list/watch for Gateway/HTTPRoute Gets, and */finalizers for OCP OwnerReferencesPermissionEnforcement).
• End-to-end admission round-trip on a cluster (apiserver → in-process webhook TLS handshake) once cp#12141 is in a hashrelease image.

Release Note

Add operator render for the WAF v3 (Coraza WASM) SecLang validating admission
webhook — served in-process by calico-kube-controllers — plus the WASM_* env
vars and serving-cert / RBAC plumbing (paired with tigera/calico-private#11834
and #12141). The existing WAF v1 (sidecar / ModSecurity) render path is untouched.

Linked

• Jira: EV-6462 (operator integration) + EV-6657 (admission webhook)
• Design: tigera/designs#25 (PMREQ-384)
• calico-private reconcilers: tigera/calico-private#11834 (merged)
• SecLang admission webhook: tigera/calico-private#12141 (EV-6657, open — must merge before this PR)
• Hashrelease CRD-update RBAC hotfix (operator install manifest side): tigera/calico-private#12215 (merged)
• Split out of this PR: feat(applicationlayer): WAF observability — gateway audit-log capture + Felix/fluentd event log (EV-6650) #4895 (EV-6650 observability, stacked on this), fix(gatewayapi): split envoy-gateway NetworkPolicy ingress by IP family #4894 (envoy-gateway NetworkPolicy dual-stack fix)
• Builds on: Gatewayapi Namespaced Mode #4690 (merged)

[rene-dekker]

Nit: It would be possible to cut down on the code comments. Especially when the comments don't add any information you couldn't get directly from reading the code.
Everyone has AI agents now, so the reader could even consult these to help them read/navigate the code.

[rene-dekker]

Can you remind me if we could put this in an existing image and then change the run cmd when it is used. What was the motivation for an extra image again?

[electricjesus]

we needed this extra image because this is an oci image that the envoy gateway controller consumes and distributes it out to gateway proxies. it's a scratch oci image with just 1 file, a .wasm file which contains coraza engine + rules. needs to be small so it gets distributed fast, i think we set our benchmark to be roughly 30mb, we're well under that i think

[rene-dekker]

It adds extra maintenance on our side and the customer when we add extra images. We could add the WASM image to an existing image like envoyproxy and eliminate needing to pull anything altogether, which would result in better performance. File loading is also supported, we could even point to a file path, rather than an image path.