Skip to content

Commit ac6953f

Browse files
authored
Merge branch 'main' into fix/activity-policy-2xx-gate
2 parents b89540a + 411d117 commit ac6953f

30 files changed

Lines changed: 2434 additions & 9 deletions

.claude/settings.json

Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,14 @@
1+
{
2+
"extraKnownMarketplaces": {
3+
"datum-claude-code-plugins": {
4+
"source": {
5+
"source": "github",
6+
"repo": "datum-cloud/claude-code-plugins"
7+
}
8+
}
9+
},
10+
"enabledPlugins": {
11+
"datum-platform@datum-claude-code-plugins": true,
12+
"datum-gtm@datum-claude-code-plugins": true
13+
}
14+
}

Taskfile.yaml

Lines changed: 10 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,10 @@
11
version: '3'
22

33
includes:
4+
# Documentation tasks
5+
docs:
6+
taskfile: ./docs/Taskfile.yaml
7+
dir: ./docs
48
dev:
59
taskfile: ./Taskfile.dev.yaml
610

@@ -77,4 +81,9 @@ tasks:
7781
echo ""
7882
echo "🎉 All Prometheus rule tests passed."
7983
fi
80-
silent: false
84+
silent: false
85+
86+
generate:
87+
desc: Run code generation (deepcopy, defaults)
88+
deps:
89+
- task: docs:generate

api/v1alpha/trafficprotectionpolicy_types.go

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -91,7 +91,7 @@ type OWASPCRS struct {
9191
// ParanoiaLevels specifies the OWASP ModSecurity Core Rule Set (CRS)
9292
// paranoia levels to use.
9393
//
94-
// +kubebuilder:default={}
94+
// +kubebuilder:default={blocking:1,detection:1}
9595
ParanoiaLevels ParanoiaLevels `json:"paranoiaLevels,omitempty"`
9696

9797
// ScoreThresholds specifies the OWASP ModSecurity Core Rule Set (CRS)
@@ -110,6 +110,7 @@ type OWASPCRS struct {
110110
RuleExclusions *OWASPRuleExclusions `json:"ruleExclusions,omitempty"`
111111
}
112112

113+
// +kubebuilder:validation:XValidation:message="detection paranoia level must be greater than or equal to blocking paranoia level",rule="self.detection >= self.blocking"
113114
type ParanoiaLevels struct {
114115
// Blocking specifies the paranoia level for blocking requests or responses.
115116
//

config/crd/bases/networking.datumapis.com_trafficprotectionpolicies.yaml

Lines changed: 7 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -67,7 +67,9 @@ spec:
6767
Core Rule Set (CRS).
6868
properties:
6969
paranoiaLevels:
70-
default: {}
70+
default:
71+
blocking: 1
72+
detection: 1
7173
description: |-
7274
ParanoiaLevels specifies the OWASP ModSecurity Core Rule Set (CRS)
7375
paranoia levels to use.
@@ -89,6 +91,10 @@ spec:
8991
minimum: 1
9092
type: integer
9193
type: object
94+
x-kubernetes-validations:
95+
- message: detection paranoia level must be greater than
96+
or equal to blocking paranoia level
97+
rule: self.detection >= self.blocking
9298
ruleExclusions:
9399
description: |-
94100
RuleExclusions can be used to disable specific OWASP ModSecurity Rules.

config/dev/downstream_resources/downstream-gateway.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -63,7 +63,7 @@ spec:
6363
mountPath: /opt/coraza-waf
6464
initContainers:
6565
- name: coraza-waf
66-
image: coraza-waf:v1.1.1-dev2
66+
image: ghcr.io/datum-labs/coraza-envoy-go-filter/coraza-waf:v1.3.0-alpha10
6767
imagePullPolicy: IfNotPresent
6868
command:
6969
- cp

docs/Taskfile.yaml

Lines changed: 69 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,69 @@
1+
version: '3'
2+
3+
vars:
4+
DIAGRAMS_DIR: "{{.ROOT_DIR}}/docs/diagrams"
5+
OUTPUT_FORMAT: "png"
6+
PLANTUML_IMAGE: plantuml/plantuml:1.2026.4
7+
8+
tasks:
9+
generate:
10+
desc: Generate all documentation artifacts (diagrams, etc.)
11+
cmds:
12+
- task: diagrams:render
13+
silent: true
14+
15+
diagrams:
16+
desc: Generate all architecture diagrams from PlantUML
17+
cmds:
18+
- task: diagrams:render
19+
silent: true
20+
21+
diagrams:render:
22+
desc: Render PlantUML diagrams to PNG format using Docker
23+
cmds:
24+
- |
25+
set -e
26+
echo "Rendering PlantUML diagrams..."
27+
echo ""
28+
29+
# Check if PlantUML files exist
30+
if ! ls {{.DIAGRAMS_DIR}}/*.puml >/dev/null 2>&1; then
31+
echo "❌ Error: PlantUML source files (*.puml) not found in {{.DIAGRAMS_DIR}}"
32+
exit 1
33+
fi
34+
35+
# Render using Docker (no local installation required)
36+
docker run --rm \
37+
-v "{{.DIAGRAMS_DIR}}":/data \
38+
{{.PLANTUML_IMAGE}} \
39+
-t{{.OUTPUT_FORMAT}} \
40+
/data/*.puml
41+
42+
echo ""
43+
echo "✅ Diagrams rendered in {{.DIAGRAMS_DIR}}"
44+
echo ""
45+
echo "Generated files:"
46+
ls -1 {{.DIAGRAMS_DIR}}/*.{{.OUTPUT_FORMAT}} 2>/dev/null | xargs -n1 basename || echo "No output files found"
47+
silent: true
48+
49+
diagrams:clean:
50+
desc: Remove generated diagram files
51+
cmds:
52+
- |
53+
rm -f {{.DIAGRAMS_DIR}}/*.png {{.DIAGRAMS_DIR}}/*.svg
54+
echo "✅ Generated diagram files removed"
55+
silent: true
56+
57+
diagrams:validate:
58+
desc: Validate PlantUML syntax using Docker
59+
cmds:
60+
- |
61+
set -e
62+
echo "Validating PlantUML diagrams..."
63+
docker run --rm \
64+
-v "{{.DIAGRAMS_DIR}}":/data \
65+
{{.PLANTUML_IMAGE}} \
66+
-syntax \
67+
/data/*.puml
68+
echo "✅ All diagrams are valid"
69+
silent: true

docs/api/trafficprotectionpolicies.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -191,6 +191,7 @@ Core Rule Set (CRS).
191191
ParanoiaLevels specifies the OWASP ModSecurity Core Rule Set (CRS)
192192
paranoia levels to use.<br/>
193193
<br/>
194+
<i>Validations</i>:<li>self.detection >= self.blocking: detection paranoia level must be greater than or equal to blocking paranoia level</li>
194195
<i>Default</i>: map[]<br/>
195196
</td>
196197
<td>false</td>

docs/diagrams/http-metering-c4.png

46.1 KB
Loading
Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,25 @@
1+
@startuml http-metering-c4
2+
!include https://raw.githubusercontent.com/plantuml-stdlib/C4-PlantUML/master/C4_Container.puml
3+
4+
LAYOUT_WITH_LEGEND()
5+
6+
title C4 Container Diagram - HTTP Traffic Metering System
7+
8+
Person(client, "End User / Client", "Requests services exposed via Datum Cloud Edge")
9+
10+
System_Boundary(edge_cluster, "Edge Cluster") {
11+
Container(envoy, "Envoy Gateway Proxy", "Envoy/Go", "Handles ingress HTTP traffic, terminates TLS, enforces WAF/rate-limiting, emits JSON access logs to stdout")
12+
Container(vector_collector, "billing-usage-collector-vector", "Vector DaemonSet (Billing)", "Tails Envoy container logs, parses JSON access logs, translates to CloudEvents, and forwards them to the Billing System")
13+
Container(nso, "Network Services Operator", "Go", "Deploys Envoy Gateway and configures EnvoyProxy logging policies")
14+
}
15+
16+
System_Boundary(control_plane, "Platform Control Plane") {
17+
Container(billing_system, "Billing System & Service Catalog", "Platform Service", "Handles service registration, event validation, attribution, and storage")
18+
}
19+
20+
Rel(client, envoy, "Sends HTTPS requests to", "HTTPS")
21+
Rel(nso, envoy, "Configures & manages", "Kubernetes API / EnvoyProxy CR")
22+
Rel_D(envoy, vector_collector, "Outputs JSON access logs to", "stdout / container logs")
23+
Rel_D(vector_collector, billing_system, "Forwards batched events to", "HTTPS CloudEvents")
24+
25+
@enduml
55.5 KB
Loading

0 commit comments

Comments
 (0)