openova/platform/coraza
hatiyildiz 5834daec14 docs(pass-10): banners on 7 more components + opentofu active-active drift fix
7 more component READMEs got role-in-Catalyst banners:

- vpa, keda, reloader → per-host-cluster scaling/ops layer (§3.4).
  Reloader specifically calls out its role in Catalyst's secret-
  rotation flow (rolling deploy on K8s Secret hash change).
- external-dns → per-host-cluster DNS-sync (§3.1); pairs with k8gb
  for the GSLB zone separation.
- coraza → DMZ-block WAF on every host cluster (§3.1).
- crossplane → per-Sovereign on the management cluster (§3.2);
  banner explicitly emphasizes the agreed "never a user-facing
  surface" rule (Users don't write Compositions in Application
  configs; Blueprint authors and advanced contributors do). Cross-
  references the no-fourth-surface clause in ARCHITECTURE §4/§7
  and the Crossplane Composition section in BLUEPRINT-AUTHORING §8.
- opentofu → repositioned as Phase-0-only, runs on `catalyst-
  provisioner` only, NOT installed on host clusters at runtime.

opentofu drift fixes (uncovered by line-by-line read):
- Section 5 line 182: "Bootstrap Wizard prompts for cloud credentials"
  → "Catalyst Bootstrap (Phase 0) prompts for cloud credentials"
  (banned term).
- Same section line 186: "ESO PushSecrets sync to both regional
  OpenBao instances" — the active-active drift Pass 7 corrected
  elsewhere, still here. Replaced with "writes go to the primary
  OpenBao region only; replicas pick up via async perf replication".

VALIDATION-LOG: Pass 10 entry added.

Refs #37
2026-04-27 21:43:45 +02:00

Coraza

Web Application Firewall with OWASP Core Rule Set. Per-host-cluster infrastructure (see docs/PLATFORM-TECH-STACK.md §3.1) — runs at the DMZ edge of every host cluster Catalyst manages.

Category: WAF | Type: Mandatory per host cluster (DMZ block)


Overview

Coraza is a high-performance WAF that integrates with Cilium/Envoy to provide application-layer protection using the OWASP Core Rule Set (CRS). It protects against SQL injection, XSS, and other OWASP Top 10 threats.

Key Features

  • OWASP Core Rule Set (CRS) compliance
  • Envoy external processing filter integration
  • Request/response inspection
  • Custom rule support
  • Low-latency inline processing

Integration

Component       Integration
Cilium/Envoy    Inline WAF via ext_proc filter
Grafana         WAF metrics and blocked request dashboards
Falco           Correlate WAF blocks with runtime events
OpenSearch      WAF log analysis in SIEM
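As an added illustration (not configuration from the Coraza or OpenOva repositories), the fragment below shows the Envoy side of the ext_proc integration named above: an HTTP filter chain that sends request headers and bodies to a Coraza external-processor service and fails closed if that service is unreachable. The cluster name, service address and port are assumptions.

```yaml
# Added example. Assumption: a Coraza ext_proc gRPC server is reachable
# at coraza-ext-proc.coraza.svc:9000 and loads the OWASP CRS.
http_filters:
  - name: envoy.filters.http.ext_proc
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.http.ext_proc.v3.ExternalProcessor
      grpc_service:
        envoy_grpc:
          cluster_name: coraza-ext-proc
        timeout: 1s
      # Fail closed: if the WAF is down, requests are rejected rather
      # than forwarded uninspected (true would silently bypass the WAF).
      failure_mode_allow: false
      processing_mode:
        request_header_mode: SEND      # CRS phase 1 (request headers)
        request_body_mode: BUFFERED    # CRS phase 2 (request body)
        response_header_mode: SEND     # CRS phase 3 (response headers)
        response_body_mode: NONE       # skipped to keep inline latency low
  - name: envoy.filters.http.router
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

clusters:
  - name: coraza-ext-proc
    type: STRICT_DNS
    # ext_proc is a gRPC stream, so the upstream must speak HTTP/2.
    typed_extension_protocol_options:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        explicit_http_config:
          http2_protocol_options: {}
    load_assignment:
      cluster_name: coraza-ext-proc
      endpoints:
        - lb_endpoints:
            - endpoint:
                address:
                  socket_address:
                    address: coraza-ext-proc.coraza.svc
                    port_value: 9000
```

On the Coraza side the processor is typically started with `SecRuleEngine DetectionOnly` while CRS false positives are tuned against real traffic, then switched to `SecRuleEngine On` to enforce; the Grafana and OpenSearch integrations listed above are where those detection-only hits are reviewed.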

Deployment

apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: coraza
  namespace: flux-system
spec:
  interval: 10m
  path: ./platform/coraza
  prune: true

Part of OpenOva