[v3.24] fix(crds): install applicationlayer WAF CRDs in v1-CRD mode

Makefile

@@ -412,6 +412,7 @@ deploy-crds: kubectl
 		$(BINDIR)/kubectl apply -f pkg/imports/crds/calico/policy.networking.k8s.io/ && \
 		$(BINDIR)/kubectl apply -f pkg/imports/crds/enterprise/v1.crd.projectcalico.org/ && \
 		$(BINDIR)/kubectl apply -f pkg/imports/crds/enterprise/policy.networking.k8s.io/ && \
+		$(BINDIR)/kubectl apply -f pkg/imports/crds/enterprise/applicationlayer.projectcalico.org/ && \
 		$(BINDIR)/kubectl apply -f pkg/imports/crds/enterprise/01-crd-eck-bundle.yaml && \
 		$(BINDIR)/kubectl create -f deploy/crds/prometheus
 
@@ -634,6 +635,7 @@ define prep_local_crds
 	mkdir -p pkg/imports/crds/$(product)/v1.crd.projectcalico.org/
 	mkdir -p pkg/imports/crds/$(product)/v3.projectcalico.org/
 	mkdir -p pkg/imports/crds/$(product)/policy.networking.k8s.io/
+	mkdir -p pkg/imports/crds/$(product)/applicationlayer.projectcalico.org/
 	mkdir -p pkg/imports/admission/$(product)
 	mkdir -p .crds/$(product)
 endef
@@ -663,6 +665,11 @@ define copy_k8s_policy_crds
 	@mv pkg/imports/crds/$(product)/v1.crd.projectcalico.org/policy.networking.k8s.io_* pkg/imports/crds/$(product)/policy.networking.k8s.io/ 2>/dev/null; true
 	@echo "Moved $(product) K8s policy CRDs to dedicated directory"
 endef
+define copy_applicationlayer_crds
+    $(eval product := $(1))
+	@mv pkg/imports/crds/$(product)/v3.projectcalico.org/applicationlayer.projectcalico.org_* pkg/imports/crds/$(product)/applicationlayer.projectcalico.org/ 2>/dev/null; true
+	@echo "Moved $(product) ApplicationLayer CRDs to dedicated directory"
+endef
 define copy_eck_crds
     $(eval dir := $(1))
 		$(eval product := $(2))
@@ -713,6 +720,7 @@ update-enterprise-crds: fetch-enterprise-crds
 	$(call copy_v1_crds,$(ENTERPRISE_CRDS_DIR),"enterprise")
 	$(call copy_v3_crds, $(ENTERPRISE_CRDS_DIR),"enterprise")
 	$(call copy_k8s_policy_crds,"enterprise")
+	$(call copy_applicationlayer_crds,"enterprise")
 	$(call copy_eck_crds,$(ENTERPRISE_CRDS_DIR),"enterprise")
 	$(call copy_admission_policies,$(ENTERPRISE_CRDS_DIR),"enterprise")
 

pkg/imports/crds/crds.go

@@ -147,6 +147,34 @@ func getK8sPolicyCRDSource(variant opv1.ProductVariant) map[string][]byte {
 	return ret
 }
 
+// getApplicationLayerCRDSource returns the applicationlayer.projectcalico.org CRDs
+// (the gateway WAF kinds). This is a distinct, CRD-only API group that is not served
+// by the aggregated apiserver and has a single v3 schema, so - unlike the
+// projectcalico.org datastore CRDs - it is installed in both v1-CRD and v3-CRD modes.
+// Enterprise only.
+func getApplicationLayerCRDSource() map[string][]byte {
+	ret := map[string][]byte{}
+	dir := "enterprise/applicationlayer.projectcalico.org"
+	entries, err := enterpriseCRDFiles.ReadDir(dir)
+	if err != nil {
+		panic(fmt.Sprintf("Failed to read ApplicationLayer CRDs: %v", err))
+	}
+
+	for _, entry := range entries {
+		b, err := enterpriseCRDFiles.ReadFile(path.Join(dir, entry.Name()))
+		if err != nil {
+			panic(fmt.Sprintf("Failed to read ApplicationLayer CRD %s: %v", entry.Name(), err))
+		}
+
+		crds := bytes.Split(b, []byte("\n---"))
+		for i, crd := range crds {
+			ret[fmt.Sprintf("%s_%d", entry.Name(), i)] = crd
+		}
+	}
+
+	return ret
+}
+
 func getOperatorCRDSource(variant opv1.ProductVariant) map[string][]byte {
 	ret := map[string][]byte{}
 	entries, err := operatorCRDFiles.ReadDir("operator")
@@ -204,7 +232,7 @@ func GetCRDs(variant opv1.ProductVariant, v3 bool) []*apiextenv1.CustomResourceD
 		crds = calicoCRDs
 	} else {
 		if len(enterpriseCRDs) == 0 {
-			enterpriseCRDs = convertYamlsToCRDs(getEnterpriseCRDSource(v3), getK8sPolicyCRDSource(variant), getOperatorCRDSource(variant))
+			enterpriseCRDs = convertYamlsToCRDs(getEnterpriseCRDSource(v3), getK8sPolicyCRDSource(variant), getOperatorCRDSource(variant), getApplicationLayerCRDSource())
 		}
 		crds = enterpriseCRDs
 	}

pkg/imports/crds/crds_test.go

@@ -63,6 +63,25 @@ var _ = Describe("test crds pkg", func() {
 			Expect(crdNames).To(HaveKey("adminnetworkpolicies.policy.networking.k8s.io"))
 			Expect(crdNames).To(HaveKey("baselineadminnetworkpolicies.policy.networking.k8s.io"))
 		})
+
+		It(fmt.Sprintf("includes applicationlayer WAF CRDs for Enterprise in both CRD modes (v3=%t)", v3), func() {
+			enterpriseCRDs = nil
+			crds := GetCRDs(opv1.CalicoEnterprise, v3)
+			crdNames := map[string]bool{}
+			for _, crd := range crds {
+				crdNames[crd.Name] = true
+			}
+			// The applicationlayer.projectcalico.org group is CRD-only (not served by the
+			// aggregated apiserver) and has a single v3 schema, so its CRDs must install in
+			// both v1-CRD and v3-CRD modes - otherwise gateway WAF is unusable on standard
+			// apiserver-backed installs.
+			Expect(crdNames).To(HaveKey("wafpolicies.applicationlayer.projectcalico.org"))
+			Expect(crdNames).To(HaveKey("globalwafpolicies.applicationlayer.projectcalico.org"))
+			Expect(crdNames).To(HaveKey("wafplugins.applicationlayer.projectcalico.org"))
+			Expect(crdNames).To(HaveKey("globalwafplugins.applicationlayer.projectcalico.org"))
+			Expect(crdNames).To(HaveKey("wafvalidationpolicies.applicationlayer.projectcalico.org"))
+			Expect(crdNames).To(HaveKey("globalwafvalidationpolicies.applicationlayer.projectcalico.org"))
+		})
 	}
 
 	It("can parse Operator CRDs used with calico", func() {