Add custom modsecurity template to ingress-controller

Disable default `SecRuleEngine` configuration, allowing override via
`Ingress` resource instead.

Part of the work to implement https://gitlab.com/gitlab-org/gitlab/issues/8558

app/models/clusters/applications/ingress.rb

@@ -78,10 +78,40 @@ module Clusters
           "controller" => {
             "config" => {
               "enable-modsecurity" => "true",
-              "enable-owasp-modsecurity-crs" => "true"
+              "enable-owasp-modsecurity-crs" => "true",
+              "modsecurity.conf" => modsecurity_config_content
+            },
+            "extraVolumeMounts" => [
+              {
+                "name" => "modsecurity-template-volume",
+                "mountPath" => "/etc/nginx/modsecurity/modsecurity.conf",
+                "subPath" => "modsecurity.conf"
+              }
+            ],
+            "extraVolumes" => [
+              {
+                "name" => "modsecurity-template-volume",
+                "configMap" => {
+                  "name" => "ingress-nginx-ingress-controller",
+                  "items" => [
+                    {
+                      "key" => "modsecurity.conf",
+                      "path" => "modsecurity.conf"
+                    }
+                  ]
                 }
               }
+            ]
           }
+        }
+      end
+
+      def modsecurity_config_content
+        File.read(modsecurity_config_file_path)
+      end
+
+      def modsecurity_config_file_path
+        Rails.root.join('vendor', 'ingress', 'modsecurity.conf')
       end
 
       def content_values

changelogs/unreleased/8558-use-custom-modsecurity-ingress-config.yml

+---
+title: Add modsecurity template for ingress-controller
+merge_request: 18485
+author:
+type: changed

spec/models/clusters/applications/ingress_spec.rb

@@ -156,6 +156,15 @@ describe Clusters::Applications::Ingress do
       it 'includes modsecurity core ruleset enablement' do
         expect(subject.values).to include("enable-owasp-modsecurity-crs: 'true'")
       end
+
+      it 'includes modsecurity.conf content' do
+        expect(subject.values).to include('modsecurity.conf')
+        # Includes file content from Ingress#modsecurity_config_content
+        expect(subject.values).to include('SecAuditLog')
+
+        expect(subject.values).to include('extraVolumes')
+        expect(subject.values).to include('extraVolumeMounts')
+      end
     end
 
     context 'when ingress_modsecurity is disabled' do
@@ -172,6 +181,15 @@ describe Clusters::Applications::Ingress do
       it 'excludes modsecurity core ruleset enablement' do
         expect(subject.values).not_to include('enable-owasp-modsecurity-crs')
       end
+
+      it 'excludes modsecurity.conf content' do
+        expect(subject.values).not_to include('modsecurity.conf')
+        # Excludes file content from Ingress#modsecurity_config_content
+        expect(subject.values).not_to include('SecAuditLog')
+
+        expect(subject.values).not_to include('extraVolumes')
+        expect(subject.values).not_to include('extraVolumeMounts')
+      end
     end
   end
 end