Add WAFv2ACLArn field to IngressClassParams

Author: mikutas

apis/elbv2/v1beta1/ingressclassparams_types.go

@@ -156,6 +156,10 @@ type IngressClassParamsSpec struct {
 	// MinimumLoadBalancerCapacity define the capacity reservation for LoadBalancers for all Ingress that belong to IngressClass with this IngressClassParams.
 	// +optional
 	MinimumLoadBalancerCapacity *MinimumLoadBalancerCapacity `json:"minimumLoadBalancerCapacity,omitempty"`
+
+	// WAFv2ACLArn specifies ARN for the Amazon WAFv2 web ACL.
+	// +optional
+	WAFv2ACLArn string `json:"wafv2AclArn"`
 }
 
 // +kubebuilder:object:root=true

config/crd/bases/elbv2.k8s.aws_ingressclassparams.yaml

@@ -246,6 +246,9 @@ spec:
                   - value
                   type: object
                 type: array
+              wafv2AclArn:
+                description: WAFv2ACLArn specifies ARN for the Amazon WAFv2 web ACL.
+                type: string
             type: object
         type: object
     served: true

config/webhook/manifests.yaml

@@ -1,4 +1,3 @@
----
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:

docs/guide/ingress/ingress_class.md

@@ -187,8 +187,9 @@ Cluster administrators can use the optional `inboundCIDRs` field to specify the
 If the field is specified, LBC will ignore the `alb.ingress.kubernetes.io/inbound-cidrs` annotation.
 
 #### spec.certificateArn
+
 Cluster administrators can use the optional `certificateARN` field to specify the ARN of the certificates for all Ingresses that belong to IngressClass with this IngressClassParams.
-    
+
 If the field is specified, LBC will ignore the `alb.ingress.kubernetes.io/certificate-arn` annotation.
 
 #### spec.sslPolicy
@@ -251,4 +252,10 @@ They may specify `capacityUnits`. If the field is specified, LBC will ignore the
 
 ##### spec.minimumLoadBalancerCapacity.capacityUnits
 
-If `capacityUnits` is specified, it must be to valid positive value greater than 0. If set to 0, the LBC will reset the capacity reservation for the load balancer.
+If `capacityUnits` is specified, it must be to valid positive value greater than 0. If set to 0, the LBC will reset the capacity reservation for the load balancer.
+
+#### spec.wafv2AclArn
+
+Cluster administrators can use the optional `wafv2AclArn` field to specify ARN for the Amazon WAFv2 web ACL.
+Only Regional WAFv2 is supported.
+When this annotation is absent or empty, the controller will keep LoadBalancer WAFv2 settings unchanged. To disable WAFv2, explicitly set the annotation value to 'none'.

helm/aws-load-balancer-controller/crds/crds.yaml

@@ -245,6 +245,9 @@ spec:
                   - value
                   type: object
                 type: array
+              wafv2AclArn:
+                description: WAFv2ACLArn specifies ARN for the Amazon WAFv2 web ACL.
+                type: string
             type: object
         type: object
     served: true

pkg/ingress/model_build_load_balancer_addons.go

@@ -2,6 +2,7 @@ package ingress
 
 import (
 	"context"
+
 	"github.com/pkg/errors"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/annotations"
@@ -39,6 +40,10 @@ func (t *defaultModelBuildTask) buildWAFv2WebACLAssociation(_ context.Context, l
 		if rawWebACLARN != "" {
 			explicitWebACLARNs.Insert(rawWebACLARN)
 		}
+		params := member.IngClassConfig.IngClassParams
+		if params != nil && params.Spec.WAFv2ACLArn != "" {
+			explicitWebACLARNs.Insert(params.Spec.WAFv2ACLArn)
+		}
 	}
 	if len(explicitWebACLARNs) == 0 {
 		return nil, nil