Diffstat (limited to 'app/models/clusters/applications/ingress.rb')
-rw-r--r--app/models/clusters/applications/ingress.rb73
1 files changed, 70 insertions, 3 deletions
diff --git a/app/models/clusters/applications/ingress.rb b/app/models/clusters/applications/ingress.rb
index 885e4ff7197..d140649af3c 100644
--- a/app/models/clusters/applications/ingress.rb
+++ b/app/models/clusters/applications/ingress.rb
@@ -21,6 +21,7 @@ module Clusters
}
FETCH_IP_ADDRESS_DELAY = 30.seconds
+ MODSEC_SIDECAR_INITIAL_DELAY_SECONDS = 10
state_machine :status do
after_transition any => [:installed] do |application|
@@ -40,7 +41,7 @@ module Clusters
end
def allowed_to_uninstall?
- external_ip_or_hostname? && application_jupyter_nil_or_installable?
+ external_ip_or_hostname? && application_jupyter_nil_or_installable? && application_elastic_stack_nil_or_installable?
end
def install_command
@@ -78,12 +79,74 @@ module Clusters
"controller" => {
"config" => {
"enable-modsecurity" => "true",
- "enable-owasp-modsecurity-crs" => "true"
- }
+ "enable-owasp-modsecurity-crs" => "true",
+ "modsecurity.conf" => modsecurity_config_content
+ },
+ "extraContainers" => [
+ {
+ "name" => "modsecurity-log",
+ "image" => "busybox",
+ "args" => [
+ "/bin/sh",
+ "-c",
+ "tail -f /var/log/modsec/audit.log"
+ ],
+ "volumeMounts" => [
+ {
+ "name" => "modsecurity-log-volume",
+ "mountPath" => "/var/log/modsec",
+ "readOnly" => true
+ }
+ ],
+ "startupProbe" => {
+ "exec" => {
+ "command" => ["ls", "/var/log/modsec"]
+ },
+ "initialDelaySeconds" => MODSEC_SIDECAR_INITIAL_DELAY_SECONDS
+ }
+ }
+ ],
+ "extraVolumeMounts" => [
+ {
+ "name" => "modsecurity-template-volume",
+ "mountPath" => "/etc/nginx/modsecurity/modsecurity.conf",
+ "subPath" => "modsecurity.conf"
+ },
+ {
+ "name" => "modsecurity-log-volume",
+ "mountPath" => "/var/log/modsec"
+ }
+ ],
+ "extraVolumes" => [
+ {
+ "name" => "modsecurity-template-volume",
+ "configMap" => {
+ "name" => "ingress-nginx-ingress-controller",
+ "items" => [
+ {
+ "key" => "modsecurity.conf",
+ "path" => "modsecurity.conf"
+ }
+ ]
+ }
+ },
+ {
+ "name" => "modsecurity-log-volume",
+ "emptyDir" => {}
+ }
+ ]
}
}
end
+ def modsecurity_config_content
+ File.read(modsecurity_config_file_path)
+ end
+
+ def modsecurity_config_file_path
+ Rails.root.join('vendor', 'ingress', 'modsecurity.conf')
+ end
+
def content_values
YAML.load_file(chart_values_file).deep_merge!(specification)
end
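Review bot: The `modsecurity-log` sidecar is declared with `"image" => "busybox"`, with no tag or digest, so each ingress controller pod runs whatever the mutable default tag resolves to at pull time; pin it, for example `"image" => "busybox:<PINNED_TAG>@sha256:<DIGEST>"` (placeholders), ideally from a registry the project controls. The `startupProbe` runs `ls /var/log/modsec`, which only tests the mounted emptyDir and so likely succeeds before `audit.log` exists, while `tail -f` on a missing file exits; probing the file itself with `"command" => ["ls", "/var/log/modsec/audit.log"]` would match the apparent intent better. The `modsecurity-log-volume` emptyDir has no `sizeLimit`, so audit-log growth is bounded only by node ephemeral storage unless the vendored `modsecurity.conf` (not visible here) limits it. The enclosing method starts above this hunk.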
@@ -91,6 +154,10 @@ module Clusters
def application_jupyter_nil_or_installable?
cluster.application_jupyter.nil? || cluster.application_jupyter&.installable?
end
+
+ def application_elastic_stack_nil_or_installable?
+ cluster.application_elastic_stack.nil? || cluster.application_elastic_stack&.installable?
+ end
end
end
end
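Review bot: In `application_elastic_stack_nil_or_installable?` the safe navigation in `cluster.application_elastic_stack&.installable?` is redundant, because the right-hand side is only evaluated once the `nil?` check has failed. The association is also read twice. The same predicate can be written as `cluster.application_elastic_stack&.installable? != false`, or with a local, `app = cluster.application_elastic_stack` followed by `app.nil? || app.installable?`. The new method copies the existing jupyter predicate, so if the form is kept for consistency, a one-line comment such as `# Ingress must stay installed while Elastic Stack depends on it` (wording to be confirmed by the author) would explain why the uninstall guard in `allowed_to_uninstall?` now includes it.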