tigera · electricjesus · May 6, 2026 · May 7, 2026 · May 7, 2026 · May 7, 2026
@@ -36,6 +36,10 @@ const (
 	EgressAccessControlFeature = "egress-access-control"
 	// PolicyRecommendation feature name
 	PolicyRecommendationFeature = "policy-recommendation"
+	// GatewayAddonsFeature gates Tigera-built add-ons that layer on top of an
+	// ingress gateway (currently the WAF v2/v3 admission webhook). The bare
+	// ingress gateway data path is NOT licensed by this feature.
+	GatewayAddonsFeature = "ingress-gateway-addons"
 	// MultipleOwnersLabel used to indicate multiple owner references.
 	// If the render code places this label on an object, the object mergeState machinery will merge owner
 	// references with any that already exist on the object rather than replace the owner references. Further

@@ -266,6 +266,14 @@ var (
 		variant:   enterpriseVariant,
 	}
 
+	ComponentCorazaWASM = Component{
+		Version:   "master",
+		Image:     "coraza-wasm",
+		Registry:  "",
+		imagePath: "",
+		variant:   enterpriseVariant,
+	}
+
 	ComponentQueryServer = Component{
 		Version:   "master",
 		Image:     "queryserver",
@@ -430,6 +438,7 @@ var (
 		ComponentGatewayL7Collector,
 		ComponentEnvoyProxy,
 		ComponentDikastes,
+		ComponentCorazaWASM,
 		ComponentQueryServer,
 		ComponentPrometheus,
 		ComponentTigeraPrometheusService,

@@ -0,0 +1,239 @@
+// Copyright (c) 2026 Tigera, Inc. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package applicationlayer
+
+import (
+	"fmt"
+
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/utils/ptr"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	operatorv1 "github.com/tigera/operator/api/v1"
+	"github.com/tigera/operator/pkg/common"
+	rmeta "github.com/tigera/operator/pkg/render/common/meta"
+	"github.com/tigera/operator/pkg/render/common/securitycontext"
+	"github.com/tigera/operator/pkg/tls/certificatemanagement"
+)
+
+const (
+	// WAFWebhookName is the resource name used for all WAF admission webhook objects.
+	WAFWebhookName = "tigera-waf-admission-controller"
+
+	// wafWebhookPort is the HTTPS port exposed by the WAF admission webhook.
+	wafWebhookPort = int32(8443)
+)
+
+// WAFAdmissionWebhookComponents returns the full set of objects required for the WAF
+// admission webhook: Deployment, Service, ServiceAccount, ClusterRole, ClusterRoleBinding,
+// and ValidatingWebhookConfiguration.
+//
+// The caller is responsible for invoking this only when the gateway-addons license feature
+// is present.
+func WAFAdmissionWebhookComponents(install *operatorv1.InstallationSpec, image string, certPair certificatemanagement.KeyPairInterface) []client.Object {
+	return []client.Object{
+		wafWebhookServiceAccount(),
+		wafWebhookClusterRole(),
+		wafWebhookClusterRoleBinding(),
+		wafWebhookDeployment(install, image, certPair),
+		wafWebhookService(),
+		wafValidatingWebhookConfiguration(certPair),
+	}
+}
+
+// ---- WAF admission webhook private constructors ----
+
+func wafWebhookServiceAccount() *corev1.ServiceAccount {
+	return &corev1.ServiceAccount{
+		TypeMeta: metav1.TypeMeta{Kind: "ServiceAccount", APIVersion: "v1"},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      WAFWebhookName,
+			Namespace: common.CalicoNamespace,
+			Labels:    map[string]string{"app": WAFWebhookName},
+		},
+	}
+}
+
+func wafWebhookClusterRole() *rbacv1.ClusterRole {
+	return &rbacv1.ClusterRole{
+		TypeMeta: metav1.TypeMeta{Kind: "ClusterRole", APIVersion: "rbac.authorization.k8s.io/v1"},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:   WAFWebhookName,
+			Labels: map[string]string{"app": WAFWebhookName},
+		},
+		Rules: []rbacv1.PolicyRule{
+			{
+				// Required to read GatewayExtension CRs when validating admission requests.
+				APIGroups: []string{"applicationlayer.projectcalico.org"},
+				Resources: []string{"gatewayextensions", "globalwafpolicies"},
+				Verbs:     []string{"get", "list", "watch"},
+			},
+		},
+	}
+}
+
+func wafWebhookClusterRoleBinding() *rbacv1.ClusterRoleBinding {
+	return &rbacv1.ClusterRoleBinding{
+		TypeMeta: metav1.TypeMeta{Kind: "ClusterRoleBinding", APIVersion: "rbac.authorization.k8s.io/v1"},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:   WAFWebhookName,
+			Labels: map[string]string{"app": WAFWebhookName},
+		},
+		RoleRef: rbacv1.RoleRef{
+			APIGroup: "rbac.authorization.k8s.io",
+			Kind:     "ClusterRole",
+			Name:     WAFWebhookName,
+		},
+		Subjects: []rbacv1.Subject{
+			{
+				Kind:      "ServiceAccount",
+				Name:      WAFWebhookName,
+				Namespace: common.CalicoNamespace,
+			},
+		},
+	}
+}
+
+func wafWebhookDeployment(install *operatorv1.InstallationSpec, image string, certPair certificatemanagement.KeyPairInterface) *appsv1.Deployment {
+	var replicas int32 = 1
+	if install.ControlPlaneReplicas != nil {
+		replicas = *install.ControlPlaneReplicas
+	}
+
+	return &appsv1.Deployment{
+		TypeMeta: metav1.TypeMeta{Kind: "Deployment", APIVersion: "apps/v1"},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      WAFWebhookName,
+			Namespace: common.CalicoNamespace,
+			Labels:    map[string]string{"app": WAFWebhookName},
+		},
+		Spec: appsv1.DeploymentSpec{
+			Replicas: &replicas,
+			Selector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{"app": WAFWebhookName},
+			},
+			Template: corev1.PodTemplateSpec{
+				ObjectMeta: metav1.ObjectMeta{
+					Labels: map[string]string{"app": WAFWebhookName},
+				},
+				Spec: corev1.PodSpec{
+					ServiceAccountName: WAFWebhookName,
+					Containers: []corev1.Container{
+						{
+							Name:            WAFWebhookName,
+							Image:           image,
+							ImagePullPolicy: corev1.PullIfNotPresent,
+							SecurityContext: securitycontext.NewNonRootContext(),
+							Args: []string{
+								"--tls-cert-file=" + certPair.VolumeMountCertificateFilePath(),
+								"--tls-private-key-file=" + certPair.VolumeMountKeyFilePath(),
+								fmt.Sprintf("--port=%d", wafWebhookPort),
+							},
+							Ports: []corev1.ContainerPort{
+								{
+									Name:          "https",
+									ContainerPort: wafWebhookPort,
+									Protocol:      corev1.ProtocolTCP,
+								},
+							},
+							VolumeMounts: []corev1.VolumeMount{
+								certPair.VolumeMount(rmeta.OSTypeLinux),
+							},
+						},
+					},
+					Volumes: []corev1.Volume{
+						certPair.Volume(),
+					},
+				},
+			},
+		},
+	}
+}
+
+func wafWebhookService() *corev1.Service {
+	return &corev1.Service{
+		TypeMeta: metav1.TypeMeta{Kind: "Service", APIVersion: "v1"},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      WAFWebhookName,
+			Namespace: common.CalicoNamespace,
+			Labels:    map[string]string{"app": WAFWebhookName},
+		},
+		Spec: corev1.ServiceSpec{
+			Selector: map[string]string{"app": WAFWebhookName},
+			Ports: []corev1.ServicePort{
+				{
+					Name:       "https",
+					Port:       443,
+					Protocol:   corev1.ProtocolTCP,
+					TargetPort: intstr.FromInt32(wafWebhookPort),
+				},
+			},
+			Type: corev1.ServiceTypeClusterIP,
+		},
+	}
+}
+
+func wafValidatingWebhookConfiguration(certPair certificatemanagement.KeyPairInterface) *admissionregistrationv1.ValidatingWebhookConfiguration {
+	failPolicy := admissionregistrationv1.Ignore
+	sideEffects := admissionregistrationv1.SideEffectClassNone
+	timeoutSeconds := int32(10)
+
+	return &admissionregistrationv1.ValidatingWebhookConfiguration{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "ValidatingWebhookConfiguration",
+			APIVersion: "admissionregistration.k8s.io/v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:   "tigera-waf.applicationlayer.projectcalico.org",
+			Labels: map[string]string{"app": WAFWebhookName},
+		},
+		Webhooks: []admissionregistrationv1.ValidatingWebhook{
+			{
+				Name: "waf.applicationlayer.projectcalico.org",
+				Rules: []admissionregistrationv1.RuleWithOperations{
+					{
+						Operations: []admissionregistrationv1.OperationType{
+							admissionregistrationv1.Create,
+							admissionregistrationv1.Update,
+						},
+						Rule: admissionregistrationv1.Rule{
+							APIGroups:   []string{"applicationlayer.projectcalico.org"},
+							APIVersions: []string{"v3"},
+							Resources:   []string{"gatewayextensions", "globalwafpolicies"},
+							Scope:       ptr.To(admissionregistrationv1.AllScopes),
+						},
+					},
+				},
+				ClientConfig: admissionregistrationv1.WebhookClientConfig{
+					Service: &admissionregistrationv1.ServiceReference{
+						Namespace: common.CalicoNamespace,
+						Name:      WAFWebhookName,
+						Path:      ptr.To("/validate"),
+					},
+					CABundle: certPair.GetCertificatePEM(),
+				},
+				AdmissionReviewVersions: []string{"v1"},
+				SideEffects:             &sideEffects,
+				TimeoutSeconds:          &timeoutSeconds,
+				FailurePolicy:           &failPolicy,
+			},
+		},
+	}
+}
@@ -0,0 +1,85 @@
+// Copyright (c) 2026 Tigera, Inc. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package applicationlayer_test
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	operatorv1 "github.com/tigera/operator/api/v1"
+	"github.com/tigera/operator/pkg/render/applicationlayer"
+	rmeta "github.com/tigera/operator/pkg/render/common/meta"
+	"github.com/tigera/operator/pkg/tls/certificatemanagement"
+)
+
+// fakeCertPair is a minimal stub that satisfies certificatemanagement.KeyPairInterface
+// for unit tests that only need the render functions to produce objects without real TLS
+// material.
+type fakeCertPair struct{}
+
+var _ certificatemanagement.KeyPairInterface = (*fakeCertPair)(nil)
+
+func (f *fakeCertPair) UseCertificateManagement() bool { return false }
+func (f *fakeCertPair) BYO() bool                      { return true }
+func (f *fakeCertPair) InitContainer(_ string, _ *corev1.SecurityContext) corev1.Container {
+	return corev1.Container{}
+}
+func (f *fakeCertPair) VolumeMount(_ rmeta.OSType) corev1.VolumeMount {
+	return corev1.VolumeMount{Name: "tls-certs", MountPath: "/tls"}
+}
+func (f *fakeCertPair) VolumeMountKeyFilePath() string         { return "/tls/tls.key" }
+func (f *fakeCertPair) VolumeMountCertificateFilePath() string { return "/tls/tls.crt" }
+func (f *fakeCertPair) Volume() corev1.Volume {
+	return corev1.Volume{
+		Name: "tls-certs",
+		VolumeSource: corev1.VolumeSource{
+			Secret: &corev1.SecretVolumeSource{SecretName: "fake-tls"},
+		},
+	}
+}
+func (f *fakeCertPair) Secret(_ string) *corev1.Secret {
+	return &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "fake-tls"}}
+}
+func (f *fakeCertPair) HashAnnotationKey() string   { return "hash.operator.tigera.io/fake-tls" }
+func (f *fakeCertPair) HashAnnotationValue() string { return "fake-hash" }
+func (f *fakeCertPair) Warnings() string            { return "" }
+func (f *fakeCertPair) GetCertificatePEM() []byte   { return []byte("fake-ca") }
+func (f *fakeCertPair) GetIssuer() certificatemanagement.CertificateInterface {
+	return nil
+}
+func (f *fakeCertPair) GetName() string      { return "fake-tls" }
+func (f *fakeCertPair) GetNamespace() string { return "calico-system" }
+
+var minimalInstallation = operatorv1.InstallationSpec{
+	KubernetesProvider: operatorv1.ProviderNone,
+}
+
+func TestWAFAdmissionWebhookComponents_HasExpectedKinds(t *testing.T) {
+	objs := applicationlayer.WAFAdmissionWebhookComponents(&minimalInstallation, "tigera/waf-admission-controller:v0.1.0", &fakeCertPair{})
+	got := map[string]int{}
+	for _, o := range objs {
+		got[o.GetObjectKind().GroupVersionKind().Kind]++
+	}
+	require.Equal(t, 1, got["Deployment"], "expected 1 Deployment")
+	require.Equal(t, 1, got["Service"], "expected 1 Service")
+	require.Equal(t, 1, got["ServiceAccount"], "expected 1 ServiceAccount")
+	require.Equal(t, 1, got["ClusterRole"], "expected 1 ClusterRole")
+	require.Equal(t, 1, got["ClusterRoleBinding"], "expected 1 ClusterRoleBinding")
+	require.Equal(t, 1, got["ValidatingWebhookConfiguration"], "expected 1 ValidatingWebhookConfiguration")
+	require.Len(t, objs, 6, "expected exactly 6 objects")
+}