Malformed Waf breaks routing #8442

Closed
edubonifs opened this issue Jul 6, 2023 · 2 comments
Labels
Type: Bug Something isn't working

Comments

edubonifs commented Jul 6, 2023

Gloo Edge Version

1.14.x (latest stable)

Kubernetes Version

None

Describe the bug

If you apply a WAF policy that is not in a good state to any of your routes, you get the following message:

gRPC config for type.googleapis.com/envoy.config.route.v3.RouteConfiguration rejected: Rules error. File: <<reference missing or not informed>>. Line: 3. Column: 19.

Every new gateway pod that comes up won't be able to get any dynamic_routes, as routing is broken, so if you have this in place and then restart any gateway pod you will reproduce the behavior.

Steps to reproduce the bug

Example of WAF policy that would break routing:

apiVersion: gateway.solo.io/v1
kind: RouteTable
metadata:
  labels:
    rt: app
  name: test-one
  namespace: default
spec:
  routes:
    - directResponseAction:
        body: Hello, local batatas
        status: 200
      matchers:
        - caseSensitive: false
          exact: /batatas
      options:
        waf:
          ruleSets:
            - ruleStr: >
                SecRuleEngine On


                SecRule REMOTE_ADDR "@ipMatch
                51.222.86.154/11,0.0.0.0/5,2001:0db8:85a3:0000:0000:8a2e:0370:7334/120,2001:0db8:85a3:0000:0000:8a2e:0370:7334,2001:0db8:85a:0000:0000:8a2e:0370:7334,2001:0db8:85a3:0000:0000:8a2e:0:7334/12,2001:0db8:85a3:0000:0000:8a2e:0370:7334/128,2001:0db8:0000:0000:0000:ff00:0042:8329,2001:db8:3333:4444:5555:6666:7777:8888,2001:db8:3333:4444:CCCC:DDDD:EEEE:FFFF,2001:db8:3333:4444:0:DDDD:EEEE:FFFF,0:0:0:0:0:0:0:0/1,8000:0:0:0:0:0:0:0/1,0:0:0:0:0:0:0:0/1,8000:0:0:0:0:0:0:0/1"
                "phase:1,allow,id:1"

The cluster had a virtualService that matched with the rt: app label and also another simple RouteTable with no WAF rule on a different endpoint /.

Once the WAF rule was added to that RouteTable, both endpoints from each RouteTable continued to work, although I guess the WAF rule was not being respected.

When I restarted the gateway-proxy pod, both endpoints started returning 404 NR.

As soon as I removed the WAF rule from the RouteTable, both endpoints started working again with 200. No need for pod restarts.

Expected Behavior

Don't break routing of new gateway pods.

Additional Context

No response

DuncanDoyle (Contributor) commented Feb 5, 2024

Same issue here: #5082

Some additional context: After you've applied an incorrect WAF policy:

  • There are no errors or warnings in the logs of the gloo pod.
  • Adding new VirtualServices does not work. Configuration does not get applied and routes are not available.
  • Existing VirtualServices continue to work, including their existing, correctly configured, WAF policies.
  • The VirtualService CR shows the incorrect WAF policy, and the status of the CR is Accepted. Nothing indicates that there is something wrong with the CR.
  • After fixing the incorrect WAF policy in your VirtualService or RouteTable, all other VirtualServices that were applied while the system was in a bad state start working without having to reapply their CRs.

Also note that the gateway-proxy log keeps printing the warning:

[2024-02-05 15:14:04.245][1][warning][config] [external/envoy/source/common/config/grpc_subscription_impl.cc:128] gRPC config for type.googleapis.com/envoy.config.route.v3.RouteConfiguration rejected: Rules error. File: <<reference missing or not informed>>. Line: 3. Column: 19.

... until you resolve the invalid WAF policy configuration.

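Because the gloo pod logs nothing and the CR status stays Accepted, the only signal that the RouteConfiguration was NACKed is the warning above in the gateway-proxy (Envoy) log. The following is an added example, not code from this issue or from Gloo Edge, showing how to turn that warning into an alert: it parses Envoy's default log line layout, picks out `gRPC config for <type-url> rejected: <reason>` warnings from the `config` component, and groups them by resource type. The sample log is constructed here; the two RouteConfiguration lines are the warning quoted in this thread, the other lines are made-up filler so the filter has something to ignore.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Envoy's default log line layout:
#   [timestamp][thread id][level][component] [source file:line] message
ENVOY_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<tid>\d+)\]\[(?P<level>\w+)\]\[(?P<component>\w+)\] "
    r"\[(?P<loc>[^\]]+)\] (?P<msg>.*)$"
)

# Message Envoy prints when it rejects (NACKs) an xDS resource from the control plane.
REJECTED_MSG = re.compile(r"^gRPC config for (?P<type_url>\S+) rejected: (?P<reason>.+)$")


@dataclass
class XdsRejection:
    timestamp: str
    type_url: str
    reason: str

    @property
    def resource_kind(self) -> str:
        # "type.googleapis.com/envoy.config.route.v3.RouteConfiguration"
        # -> "envoy.config.route.v3.RouteConfiguration"
        return self.type_url.rsplit("/", 1)[-1]


def parse_rejection(line: str) -> Optional[XdsRejection]:
    """Return an XdsRejection if `line` is an Envoy xDS NACK warning, else None."""
    m = ENVOY_LINE.match(line.strip())
    if m is None or m.group("level") != "warning" or m.group("component") != "config":
        return None
    r = REJECTED_MSG.match(m.group("msg"))
    if r is None:
        return None
    return XdsRejection(m.group("ts"), r.group("type_url"), r.group("reason").strip())


def find_rejections(log_text: str) -> List[XdsRejection]:
    """Scan a whole log (e.g. the output of `kubectl logs` on the gateway-proxy) for NACKs."""
    found = []
    for line in log_text.splitlines():
        rej = parse_rejection(line)
        if rej is not None:
            found.append(rej)
    return found


def summarize(rejections: List[XdsRejection]) -> Dict[str, dict]:
    """Group NACKs by resource type: count, first/last timestamp, latest reason.

    A non-empty result is the alert condition: Envoy is serving its last accepted
    config (a freshly started pod has none), and Gloo's CR status will not say so.
    """
    summary: Dict[str, dict] = {}
    for rej in rejections:
        entry = summary.setdefault(
            rej.resource_kind,
            {"count": 0, "first_seen": rej.timestamp, "last_seen": rej.timestamp, "reason": rej.reason},
        )
        entry["count"] += 1
        entry["last_seen"] = rej.timestamp
        entry["reason"] = rej.reason
    return summary


# Constructed sample log. The two RouteConfiguration lines are the warning quoted in
# this issue; the info and deprecation lines are made-up filler (paths are not real).
SAMPLE_LOG = """\
[2024-02-05 15:14:03.101][1][info][main] [external/envoy/source/server/server.cc:0] starting main dispatch loop
[2024-02-05 15:14:04.245][1][warning][config] [external/envoy/source/common/config/grpc_subscription_impl.cc:128] gRPC config for type.googleapis.com/envoy.config.route.v3.RouteConfiguration rejected: Rules error. File: <<reference missing or not informed>>. Line: 3. Column: 19.
[2024-02-05 15:14:05.002][1][warning][misc] [external/envoy/source/common/protobuf/message_validator_impl.cc:0] Deprecated field: some.field
[2024-02-05 15:14:34.250][1][warning][config] [external/envoy/source/common/config/grpc_subscription_impl.cc:128] gRPC config for type.googleapis.com/envoy.config.route.v3.RouteConfiguration rejected: Rules error. File: <<reference missing or not informed>>. Line: 3. Column: 19.
"""

if __name__ == "__main__":
    for kind, info in summarize(find_rejections(SAMPLE_LOG)).items():
        print(f"ALERT: {info['count']}x NACK for {kind} "
              f"({info['first_seen']} .. {info['last_seen']}): {info['reason']}")
```

Run it over `kubectl logs` output from the gateway-proxy deployment. A RouteConfiguration NACK is what produces the split behaviour reported here: a running Envoy keeps the last route config it accepted, so existing routes keep working, while a restarted pod never receives an accepted RouteConfiguration and answers every request with 404 and the NR (no route) response flag. Envoy also exposes the same condition as a rejected-update counter in its RDS stats, which is the better long-term alert source than log scraping.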
DuncanDoyle (Contributor) commented

Fixed in 1.17.0.
