Add Kubernetes Gateway API integration for NGWAF

.github/workflows/ngwaf-k8s-gateway-api.yaml

@@ -0,0 +1,96 @@
+name: k8s Gateway API NGWAF Deployment
+
+on:
+  workflow_dispatch:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    environment: staging
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Set up kind
+        uses: engineerd/[email protected]
+
+      - name: Set up kubectl
+        uses: azure/setup-kubectl@v4
+
+      - name: Install Gateway API CRDs
+        run: |
+          kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/standard-install.yaml
+          sleep 5
+
+      - name: Install Envoy Gateway
+        run: |
+          kubectl apply -f https://github.com/envoyproxy/gateway/releases/download/v1.0.0/install.yaml
+          kubectl wait --timeout=5m -n envoy-gateway-system deployment/envoy-gateway --for=condition=Available
+
+      - name: Create Kubernetes Secret
+        run: |
+          kubectl create secret generic sigsci.my-site-name-here \
+            --from-literal=accesskeyid=${{ secrets.NGWAF_STAGING_ACCESSKEYID }} \
+            --from-literal=secretaccesskey=${{ secrets.NGWAF_STAGING_SECRETACCESSKEY }}
+
+      - name: Deploy resources from file
+        run: kubectl apply -f on-prem-ngwaf-integrations/k8s-gateway-api/deployment.yaml
+
+      - name: Wait for NGINX backend rollout
+        run: kubectl rollout status deployment/nginx-backend-deployment --timeout=30s
+
+      - name: Wait for sigsci-agent rollout
+        run: kubectl rollout status deployment/sigsci-revproxy-deployment --timeout=30s
+
+      - name: Wait for Gateway to be ready
+        run: |
+          kubectl wait --timeout=60s --for=condition=Programmed gateway/sigsci-gateway
+          sleep 5
+
+      - name: Check Gateway and HTTPRoute status
+        run: |
+          kubectl get gateway sigsci-gateway -o yaml
+          kubectl get httproute nginx-route -o yaml
+
+      - name: Port-forward Gateway
+        run: |
+          nohup kubectl port-forward gateway/sigsci-gateway 10000:8000 &
+          sleep 5
+
+      - name: Test with curl
+        run: |
+          response=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:10000/)
+          if [ "$response" -ne 200 ]; then
+            echo "Received HTTP status code $response"
+            exit 1
+          fi
+
+      - name: Check health
+        if: always()
+        run: |
+          echo "=== Pods ==="
+          kubectl get pods
+          echo "=== Services ==="
+          kubectl get services
+          echo "=== Gateways ==="
+          kubectl get gateway
+          echo "=== HTTPRoutes ==="
+          kubectl get httproute
+          echo "=== Pod Descriptions ==="
+          kubectl describe pods
+          echo "=== Gateway Description ==="
+          kubectl describe gateway sigsci-gateway
+          echo "=== HTTPRoute Description ==="
+          kubectl describe httproute nginx-route
+          echo "=== NGINX Backend Logs ==="
+          kubectl logs -l app=nginx-backend --all-containers=true || true
+          echo "=== sigsci-agent Logs ==="
+          kubectl logs -l app=sigsci-revproxy --all-containers=true || true
+
+      - name: Wait for logs to upload
+        if: always()
+        run: |
+          # Wait for agent to upload logs
+          sleep 15

README.md

@@ -1,6 +1,7 @@
 [![Build ngwaf-compute-integration](https://github.com/fastly/security-use-cases/actions/workflows/build-ngwaf-compute-integration.yaml/badge.svg)](https://github.com/fastly/security-use-cases/actions/workflows/build-ngwaf-compute-integration.yaml)
 [![Envoy NGWAF Deployment Test](https://github.com/fastly/security-use-cases/actions/workflows/ngwaf-envoy.yaml/badge.svg)](https://github.com/fastly/security-use-cases/actions/workflows/ngwaf-envoy.yaml)
 [![k8s module-agent NGWAF Deployment](https://github.com/fastly/security-use-cases/actions/workflows/ngwaf-k8s-module-agent.yaml/badge.svg)](https://github.com/fastly/security-use-cases/actions/workflows/ngwaf-k8s-module-agent.yaml)
+[![k8s Gateway API NGWAF Deployment](https://github.com/fastly/security-use-cases/actions/workflows/ngwaf-k8s-gateway-api.yaml/badge.svg)](https://github.com/fastly/security-use-cases/actions/workflows/ngwaf-k8s-gateway-api.yaml)
 
 # Fastly Next-Gen WAF (NGWAF) Edge Deployment Quick Start
 This repository allows you to quickly deploy a the NextGen WAF Edge integrations.

on-prem-ngwaf-integrations/k8s-gateway-api/Makefile

@@ -0,0 +1,47 @@
+.DEFAULT_GOAL = help
+
+KUBEDEPLOYMENT?=k8-gateway-api
+DEPLOYMENTFILE?=deployment.yaml
+
+help: # Show all commands
+	@egrep -h '\s#\s' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?\# "}; {printf "\033[36m%-20s\033[0m %s\n", $$1, $$2}'
+
+# Environment variables $NGWAFACCESSKEYID and $NGWAFACCESSKEYSECRET must already be set before running `make build`
+build: # Deploy the sigsci-agent reverse proxy with Gateway API
+	-@ kubectl create secret generic sigsci.my-site-name-here --from-literal=accesskeyid=${NGWAFACCESSKEYID} --from-literal=secretaccesskey=${NGWAFACCESSKEYSECRET}  
+	kubectl apply -f deployment.yaml
+	-@ sleep 2
+
+demo: # Forward port to test the deployment locally
+	@echo "Testing deployment with: curl http://127.0.0.1:8000"
+	kubectl port-forward gateway/sigsci-gateway 8000:8000
+
+logs: # Show logs from sigsci-agent
+	kubectl get pods -l app=sigsci-revproxy | tail -n1 | awk '{print $$1}' | xargs -I {} kubectl logs {} -c sigsci-agent
+
+logs-nginx: # Show logs from NGINX backend
+	kubectl get pods -l app=nginx-backend | tail -n1 | awk '{print $$1}' | xargs -I {} kubectl logs {} -c nginx
+
+clean: # Delete all resources
+	- kubectl delete -f deployment.yaml
+	- kubectl delete secret sigsci.my-site-name-here
+	sleep 3
+
+describe: # Describe all pods
+	kubectl describe pods 
+
+get: # Get all pods, services, gateways and httproutes
+	- kubectl get pods
+	- kubectl get services
+	- kubectl get gateway
+	- kubectl get httproute
+
+rebuild: # Clean and rebuild
+	make clean; make build
+
+# helpful command when troubleshooting kubectl secrets
+# https://kubernetes.io/docs/tasks/configmap-secret/managing-secret-using-kubectl/
+# kubectl get secrets
+# kubectl describe secret sigsci.my-site-name-here
+# kubectl get secret sigsci.my-site-name-here -o jsonpath='{.data}' | jq .accesskeyid -r | base64 -D
+# kubectl delete secret sigsci.my-site-name-here

on-prem-ngwaf-integrations/k8s-gateway-api/README.md

@@ -0,0 +1,181 @@
+# Kubernetes Gateway API: sigsci-agent Reverse Proxy to NGINX
+
+This deployment demonstrates how to use the Kubernetes Gateway API with the Fastly Next-Gen WAF (sigsci-agent) in reverse proxy mode to protect a minimal NGINX backend server running in a separate pod.
+
+## Architecture
+
+This deployment leverages the Kubernetes Gateway API to route traffic through the sigsci-agent for inspection before reaching the backend NGINX service.
+
+The deployment creates:
+
+1. **NGINX Backend Pod**: A minimal NGINX server using the `nginx:alpine` image
+2. **sigsci-agent Reverse Proxy Pod**: The Fastly NGWAF agent configured in reverse proxy mode
+3. **Gateway**: A Kubernetes Gateway API Gateway resource that defines the ingress point
+4. **HTTPRoute**: A Kubernetes Gateway API HTTPRoute resource that defines routing rules
+
+Traffic flows through the Gateway API components to the sigsci-agent, which inspects and protects requests before forwarding them to the NGINX backend service.
+
+```
+Client → Gateway (port 8000) → HTTPRoute → sigsci-revproxy-service → sigsci-agent pod → nginx-backend-service → nginx pod
+```
+
+## Prerequisites
+
+- A Kubernetes cluster (local or cloud-based)
+- `kubectl` configured to access your cluster
+- **Gateway API CRDs installed** (see [Installation](#gateway-api-installation))
+- **Gateway API controller** (e.g., Envoy Gateway, Istio, or other Gateway API implementation)
+- Fastly NGWAF access key ID and secret access key
+- Set environment variables:
+  ```bash
+  export NGWAFACCESSKEYID="your-access-key-id"
+  export NGWAFACCESSKEYSECRET="your-secret-access-key"
+  ```
+
+### Gateway API Installation
+
+The Kubernetes Gateway API requires CRDs to be installed in your cluster. Choose one of the following methods:
+
+#### Option 1: Install Gateway API CRDs Only
+
+If you have an existing Gateway controller:
+
+```bash
+kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/standard-install.yaml
+```
+
+#### Option 2: Install Envoy Gateway (includes CRDs)
+
+For a complete Gateway API implementation:
+
+```bash
+helm install eg oci://docker.io/envoyproxy/gateway-helm --version v1.0.0 -n envoy-gateway-system --create-namespace
+```
+
+Or using kubectl:
+
+```bash
+kubectl apply -f https://github.com/envoyproxy/gateway/releases/download/v1.0.0/install.yaml
+```
+
+For more details, see:
+- [Gateway API Installation Guide](https://gateway-api.sigs.k8s.io/guides/)
+- [Envoy Gateway Documentation](https://gateway.envoyproxy.io/latest/user/quickstart/)
+
+## Deployment
+
+### Build and Deploy
+
+```bash
+make build
+```
+
+This will:
+1. Create a Kubernetes secret with your NGWAF credentials
+2. Deploy the NGINX backend pod and service
+3. Deploy the sigsci-agent reverse proxy pod and service
+4. Create the Gateway and HTTPRoute resources
+
+### Test the Deployment
+
+Forward the Gateway port to your local machine:
+
+```bash
+make demo
+```
+
+Then in another terminal, test the deployment:
+
+```bash
+curl http://127.0.0.1:8000
+```
+
+You should see the default NGINX welcome page, and the request will be logged in your Fastly NGWAF dashboard.
+
+## Useful Commands
+
+### View Logs
+
+View sigsci-agent logs:
+```bash
+make logs
+```
+
+View NGINX backend logs:
+```bash
+make logs-nginx
+```
+
+### Get Status
+
+View all pods, services, gateways and httproutes:
+```bash
+make get
+```
+
+View detailed pod information:
+```bash
+make describe
+```
+
+### Clean Up
+
+Remove all deployed resources:
+```bash
+make clean
+```
+
+## Configuration
+
+The deployment uses the following default configuration:
+
+- **NGINX Backend**: 
+  - Image: `nginx:alpine`
+  - Internal port: 80
+  - Service: `nginx-backend-service` (ClusterIP)
+
+- **sigsci-agent Reverse Proxy**:
+  - Image: `signalsciences/sigsci-agent:latest`
+  - Listen port: 8080
+  - Service: `sigsci-revproxy-service` (ClusterIP)
+  - Upstream: `http://nginx-backend-service.default.svc.cluster.local:80/`
+
+- **Gateway API Resources**:
+  - Gateway: `sigsci-gateway` (listens on port 8000)
+  - Gateway Class: `envoy-gateway` (change based on your Gateway controller)
+  - HTTPRoute: `nginx-route` (routes all paths to sigsci-revproxy-service)
+
+### Customizing the Deployment
+
+To modify the configuration:
+
+1. Edit `deployment.yaml` to change pod specifications or Gateway resources
+2. Update the `gatewayClassName` in the Gateway resource to match your Gateway controller
+3. Modify the HTTPRoute rules to customize routing behavior
+4. Update the `SIGSCI_REVPROXY_LISTENER` environment variable to change upstream or listener settings
+5. Modify the Makefile to add custom commands or change default behavior
+
+## About Kubernetes Gateway API
+
+The Kubernetes Gateway API is the next-generation API for routing and load balancing in Kubernetes. It provides:
+
+- **Role-oriented design**: Separation of concerns between infrastructure providers and application developers
+- **Expressive and extensible**: More powerful routing capabilities than Ingress
+- **Portable**: Consistent API across different implementations
+- **Type-safe**: Strongly typed API with proper validation
+
+Key resources:
+- **Gateway**: Defines how traffic enters the cluster (like an Ingress with more capabilities)
+- **HTTPRoute**: Defines HTTP routing rules (more expressive than Ingress rules)
+- **GatewayClass**: Defines the controller that will manage Gateways
+
+For more information, see the [Gateway API documentation](https://gateway-api.sigs.k8s.io/).
+
+## Notes
+
+- The NGINX backend uses the minimal `nginx:alpine` image with default configuration
+- The sigsci-agent is configured with debug logging enabled for troubleshooting
+- Both pods run in the `default` namespace
+- The Gateway listens on port 8000 for HTTP traffic
+- The default `gatewayClassName` is set to `envoy-gateway`, which works with Envoy Gateway controller
+- If using a different Gateway controller (e.g., Istio, Kong), update the `gatewayClassName` accordingly