Refactor WAF API routing and configuration to streamline endpoint structure...

Refactor WAF API routing and configuration to streamline endpoint structure and enhance clarity. Update region configuration to include WAF API server details, improving integration with the WAF controller.

Refactor WAF API routing and configuration to streamline endpoint structure...
Refactor WAF API routing and configuration to streamline endpoint structure and enhance clarity. Update region configuration to include WAF API server details, improving integration with the WAF controller.
93b57d55 · qiuqunfeng · a7499cb1 · 93b57d55 · 93b57d55 · 93b57d55
Commit 93b57d55 authored Jun 23, 2025 by qiuqunfeng
7 changed files
--- a/api/waf-api-server.go
+++ b/api/waf-api-server.go
@@ -10,7 +10,7 @@ import (

 func SetWafApiServerRouter(e *gin.Engine, clusterClientManager *utils.ClusterClientManager, db *gorm.DB, gatewayUrl string, elasticClient *elastic.Client) {
 	wafController := controller.NewWafController(clusterClientManager, db, gatewayUrl, elasticClient)
-	v2 := e.Group("api/v2/containerSec/waf")
+	v2 := e.Group("api/v2/waf")
 	v2.GET("attack/log/list", wafController.ListAttackLogs)
 	v2.GET("attack/log/details", wafController.GetAttackLogDetails)
 	v2.GET("attack/log/rspPkg", wafController.GetAttackLogRsp)

--- a/api/waf.go
+++ b/api/waf.go
@@ -26,11 +26,11 @@ func SetWafRouter(e *gin.Engine, clusterClientManager *utils.ClusterClientManage
 	v1.GET("listener/history", wafController.ListListenerHistory)

 	v2 := e.Group("api/v2/containerSec/waf")
-	// wafLogController := controller.NewWafLogController(regionUrlMap)
-	// v2.Any("attack/log/*", wafLogController.WafLogProxy)
-	v2.GET("attack/log/list", wafController.ListAttackLogs)
-	v2.GET("attack/log/details", wafController.GetAttackLogDetails)
-	v2.GET("attack/log/rspPkg", wafController.GetAttackLogRsp)
+	wafLogController := controller.NewWafLogController(regionUrlMap)
+	v2.Any("attack/log/*", wafLogController.WafLogProxy)
+	// v2.GET("attack/log/list", wafController.ListAttackLogs)
+	// v2.GET("attack/log/details", wafController.GetAttackLogDetails)
+	// v2.GET("attack/log/rspPkg", wafController.GetAttackLogRsp)

 	v2.GET("rules", wafController.ListRules)
 	v2.PUT("rules", wafController.UpdateRule)

--- a/build/api-server/Dockerfile
+++ b/build/api-server/Dockerfile
@@ -3,8 +3,7 @@ FROM ubuntu:22.04
 ARG MIRROR_SOURCE=mirrors.aliyun.com

 ADD dist/waf-api-server /
-
-
+ADD config/waf_detection_index_template.json /

 RUN sed -i "s!archive.ubuntu.com/!${MIRROR_SOURCE}/!g" /etc/apt/sources.list \
    && sed -i "s!ports.ubuntu.com/!${MIRROR_SOURCE}/!g" /etc/apt/sources.list \

--- a/cmd/app/cmd.go
+++ b/cmd/app/cmd.go
@@ -77,7 +77,7 @@ func NewRootCommand() *cobra.Command {
 			}
 			regionUrlMap := make(map[string]string)
 			for _, regionConfig := range config.RegionConfigs {
-				regionUrlMap[regionConfig.RegionCode] = regionConfig.ApiServer
+				regionUrlMap[regionConfig.RegionCode] = regionConfig.WafApiServer
 			}
 			e := api.SetRouters(db, clusterClientManager, config.GatewayUrl, config.SSOUrl, esClient, config.Debug, regionUrlMap)
 			esStore := es.NewESStore(es.Config{

--- a/cmd/config/config.go
+++ b/cmd/config/config.go
@@ -38,6 +38,7 @@ type DBConfig struct {
 type RegionConfig struct {
 	RegionCode     string `json:"region_code"`
 	ApiServer      string `json:"api_server"`
+	WafApiServer   string `json:"waf_api_server"`
 	CAData         string `json:"ca_data"`
 	Token          string `json:"token"`
 	ClientCertData string `json:"client_cert_data"`

--- a/config/clustered-role.yaml
+++ b/config/clustered-role.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app: clustered-cluster-manager
+    app.kubernetes.io/name: clustered-cluster-manager
+    version: 0.1.0
+  name: clustered-cluster-manager
+rules:
+- apiGroups:
+  - 'cluster.security.io'
+  resources:
+  - 'managedclusters'
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: clustered-cluster-manager
+    app.kubernetes.io/name: clustered-cluster-manager
+    version: 0.1.0
+  name: clustered-cluster-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: clustered-cluster-manager
+subjects:
+- kind: ServiceAccount
+  name: cluster-manager
+  namespace: tensorsec
\ No newline at end of file
--- a/config/tensorsec-role.yml
+++ b/config/tensorsec-role.yml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app: cluster-manager
+    app.kubernetes.io/name: cluster-manager
+    helm.sh/chart: cluster-manager-0.1.0
+    version: 0.1.0
+  name: cluster-manager
+  namespace: tensorsec
+rules:
+- apiGroups:
+  - '*'
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - defense.security.cn
+  resources:
+  - honeypots
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - defense.security.cn
+  resources:
+  - honeypots/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - defense.security.cn
+  resources:
+  - honeypots/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - microseg.security.cn
+  resources:
+  - microsegnetworkpolicies
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - microseg.security.cn
+  resources:
+  - microsegnetworkpolicies/status
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - nodes
+  - namespaces
+  - endpoints
+  - services
+  verbs:
+  - list
+  - get
+  - patch
+  - update
+- apiGroups:
+  - batch
+  resources:
+  - cronjobs
+  - jobs
+  verbs:
+  - get
+  - list
+  - deletecollection
+- apiGroups:
+  - extensions
+  - apps
+  resources:
+  - daemonsets
+  - deployments
+  - networkpolicies
+  - replicasets
+  - statefulsets
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - crd.projectcalico.org
+  resources:
+  - globalnetworkpolicies
+  - networkpolicies
+  verbs:
+  - get
+  - list
+  - create
+  - update
+  - delete
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - networkpolicies
+  verbs:
+  - get
+  - list
+  - create
+  - update
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  - services
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - extensions
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - waf.security.io
+  resources:
+  - services
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - waf.security.io
+  resources:
+  - services/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - waf.security.io
+  resources:
+  - services/status
+  verbs:
+  - get
+  - patch
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app: cluster-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: cluster-manager
+    helm.sh/chart: cluster-manager-0.1.0
+    version: 0.1.0
+  name: cluster-manager
+  namespace: tensorsec
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cluster-manager
+subjects:
+- kind: ServiceAccount
+  name: cluster-manager
+  namespace: tensorsec
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kubernetes.io/service-account.name: cluster-manager
+  name: cluster-manager
+  namespace: tensorsec
+type: kubernetes.io/service-account-token