feat(webhook): validate AnnotationWebSocket

Author: Kamil Przybyl

pkg/alb/ingress/ingress_webhook_test.go

@@ -112,6 +112,69 @@ func TestIngressValidator_Handle(t *testing.T) {
 			},
 			expectAllowed: false,
 		},
+		{
+			name:      "Valid WAF Name (Allowed)",
+			operation: admissionv1.Create,
+			className: &managedIngressClassName,
+			annotations: map[string]string{
+				AnnotationWAFName: "my-valid-waf-123",
+			},
+			expectAllowed: true,
+		},
+		{
+			name:      "Valid WAF Name Single Char (Allowed)",
+			operation: admissionv1.Create,
+			className: &managedIngressClassName,
+			annotations: map[string]string{
+				AnnotationWAFName: "a",
+			},
+			expectAllowed: true,
+		},
+		{
+			name:      "Denied - Invalid WAF Name (Uppercase)",
+			operation: admissionv1.Create,
+			className: &managedIngressClassName,
+			annotations: map[string]string{
+				AnnotationWAFName: "My-Waf-Name",
+			},
+			expectAllowed: false,
+		},
+		{
+			name:      "Denied - Invalid WAF Name (Starts with hyphen)",
+			operation: admissionv1.Create,
+			className: &managedIngressClassName,
+			annotations: map[string]string{
+				AnnotationWAFName: "-my-waf",
+			},
+			expectAllowed: false,
+		},
+		{
+			name:      "Denied - Invalid WAF Name (Ends with hyphen)",
+			operation: admissionv1.Create,
+			className: &managedIngressClassName,
+			annotations: map[string]string{
+				AnnotationWAFName: "my-waf-",
+			},
+			expectAllowed: false,
+		},
+		{
+			name:      "Denied - Invalid WAF Name (Invalid Character)",
+			operation: admissionv1.Create,
+			className: &managedIngressClassName,
+			annotations: map[string]string{
+				AnnotationWAFName: "my_waf_name",
+			},
+			expectAllowed: false,
+		},
+		{
+			name:      "Denied - Invalid WAF Name (Too Long - 64 chars)",
+			operation: admissionv1.Create,
+			className: &managedIngressClassName,
+			annotations: map[string]string{
+				AnnotationWAFName: "a123456789012345678901234567890123456789012345678901234567890123",
+			},
+			expectAllowed: false,
+		},
 	}
 
 	for _, tt := range tests {

pkg/alb/ingress/ingress_webook.go

@@ -5,6 +5,7 @@ import (
 	"context"
 	"net/http"
 	"strconv"
+	"regexp"
 
 	networkingv1 "k8s.io/api/networking/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -80,6 +81,15 @@ func (v *IngressValidator) handleUpdate(ctx context.Context, req admission.Reque
 
 // validateBaseAnnotations checks simple formatting, allowed values, and basic constraints for all relevant annotations.
 func (v *IngressValidator) validateBaseAnnotations(ctx context.Context, ingress *networkingv1.Ingress) admission.Response {
+	// Validate WAF Name using the provided regex constraint
+	if val, ok := ingress.Annotations[AnnotationWAFName]; ok {
+		wafRegex := `^[0-9a-z](?:(?:[0-9a-z]|-){0,61}[0-9a-z])?$`
+		matched, _ := regexp.MatchString(wafRegex, val)
+		if !matched {
+			return admission.Denied(fmt.Sprintf("Annotation '%s' has an invalid value '%s'. It must match the pattern: %s", AnnotationWAFName, val, wafRegex))
+		}
+	}
+
 	// Validate Booleans
 	boolAnnotations := []string{
 		AnnotationTargetPoolTLSEnabled,