add policy module

api/ingress/v1alpha1/httpsedge_types.go

@@ -73,6 +73,8 @@ type HTTPSEdgeRouteSpec struct {
 
 	// WebhookVerification is webhook verification configuration to apply to this route
 	WebhookVerification *EndpointWebhookVerification `json:"webhookVerification,omitempty"`
+
+	Policies *EndpointPolicies `json:"policies,omitempty"`
 }
 
 // HTTPSEdgeSpec defines the desired state of HTTPSEdge

api/ingress/v1alpha1/ngrok_common.go

@@ -428,3 +428,69 @@ func (amazon *EndpointOAuthAmazon) ToNgrok(clientSecret *string) *ngrok.Endpoint
 	}
 	return mod
 }
+
+type EndpointPolicies struct {
+	Enabled  *bool            `json:"enabled,omitempty"`
+	Inbound  []EndpointPolicy `json:"inbound,omitempty"`
+	Outbound []EndpointPolicy `json:"outbound,omitempty"`
+}
+
+type EndpointPolicy struct {
+	Expressions []string         `json:"expressions,omitempty"`
+	Actions     []EndpointAction `json:"actions,omitempty"`
+	Name        string           `json:"name,omitempty"`
+}
+
+type EndpointAction struct {
+	Type   string `json:"type,omitempty"`
+	Config any    `json:"config,omitempty"`
+}
+
+func (policies *EndpointPolicies) ToNgrok() *ngrok.EndpointPolicies {
+	if policies == nil {
+		return nil
+	}
+
+  inbound := make([]ngrok.EndpointPolicy, len(policies.Inbound))
+  for _, policy := range policies.Inbound {
+    inbound = append(inbound, *policy.ToNgrok())
+  }
+  outbound := make([]ngrok.EndpointPolicy, len(policies.Outbound))
+  for _, policy := range policies.Outbound {
+    outbound = append(outbound, *policy.ToNgrok())
+  }
+
+	return &ngrok.EndpointPolicies{
+		Enabled: policies.Enabled,
+		Inbound: inbound,
+    Outbound: outbound,
+	}
+}
+
+func (policy *EndpointPolicy) ToNgrok() *ngrok.EndpointPolicy {
+  if policy == nil {
+    return nil
+  }
+
+  actions := make([]ngrok.EndpointAction, len(policy.Actions))
+  for _, action := range policy.Actions {
+    actions = append(actions, *action.ToNgrok())
+  }
+
+	return &ngrok.EndpointPolicy{
+		Expressions: policy.Expressions,
+		Actions:     actions,
+		Name:        policy.Name,
+	}
+}
+
+func (action *EndpointAction) ToNgrok() *ngrok.EndpointAction {
+  if action == nil {
+    return nil
+  }
+
+  return &ngrok.EndpointAction{
+    Type: action.Type,
+    Config: action.Config,
+  }
+}

api/ingress/v1alpha1/ngrokmoduleset_types.go

@@ -39,6 +39,8 @@ type NgrokModuleSetModules struct {
 	IPRestriction *EndpointIPPolicy `json:"ipRestriction,omitempty"`
 	// OAuth configuration for this module set
 	OAuth *EndpointOAuth `json:"oauth,omitempty"`
+	// Policies configuration for this module set
+	Policies *EndpointPolicies `json:"policies,omitempty"`
 	// OIDC configuration for this module set
 	OIDC *EndpointOIDC `json:"oidc,omitempty"`
 	// SAML configuration for this module set
@@ -83,6 +85,9 @@ func (ms *NgrokModuleSet) Merge(o *NgrokModuleSet) {
 	if omod.OAuth != nil {
 		msmod.OAuth = omod.OAuth
 	}
+	if omod.Policies != nil {
+		msmod.Policies = omod.Policies
+	}
 	if omod.OIDC != nil {
 		msmod.OIDC = omod.OIDC
 	}

go.mod

@@ -8,7 +8,7 @@ require (
 	github.com/go-logr/logr v1.2.4
 	github.com/golang/mock v1.4.4
 	github.com/imdario/mergo v0.3.16
-	github.com/ngrok/ngrok-api-go/v5 v5.0.0
+	github.com/ngrok/ngrok-api-go/v5 v5.2.1-0.20240117170843-c468056fd303
 	github.com/onsi/ginkgo/v2 v2.11.0
 	github.com/onsi/gomega v1.27.10
 	github.com/spf13/cobra v1.7.0

go.sum

@@ -417,6 +417,8 @@ github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRW
 github.com/nbutton23/zxcvbn-go v0.0.0-20180912185939-ae427f1e4c1d/go.mod h1:o96djdrsSGy3AWPyBgZMAGfxZNfgntdJG+11KU4QvbU=
 github.com/ngrok/ngrok-api-go/v5 v5.0.0 h1:eksowVztKNQU0JBaYS2hXGiC/xtGXj8LAx8lAuzYlsw=
 github.com/ngrok/ngrok-api-go/v5 v5.0.0/go.mod h1:cxMRsWuE0EwK/JB/5prvHK0LEWB3KP16iwvIMqvDVP0=
+github.com/ngrok/ngrok-api-go/v5 v5.2.1-0.20240117170843-c468056fd303 h1:td6hx8jy4X+U/Ed/zl6gTrCVmyldZ7tMNJQHa2YvcXc=
+github.com/ngrok/ngrok-api-go/v5 v5.2.1-0.20240117170843-c468056fd303/go.mod h1:UVTaHI5B4gEsfHCOZTlRg8WkT6+KBijIkVtjpDqCyIU=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=

internal/controller/ingress/httpsedge_controller.go

@@ -37,7 +37,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/tools/record"
-	"k8s.io/utils/pointer"
+	"k8s.io/utils/ptr"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
@@ -342,7 +342,7 @@ func (r *HTTPSEdgeReconciler) setEdgeTLSTermination(ctx context.Context, edge *n
 	_, err := client.Replace(ctx, &ngrok.EdgeTLSTerminationAtEdgeReplace{
 		ID: edge.ID,
 		Module: ngrok.EndpointTLSTerminationAtEdge{
-			MinVersion: pointer.String(tlsTermination.MinVersion),
+			MinVersion: ptr.To(tlsTermination.MinVersion),
 		},
 	})
 	return err
@@ -523,6 +523,7 @@ func (u *edgeRouteModuleUpdater) updateModulesForRoute(ctx context.Context, rout
 		u.setEdgeRouteOIDC,
 		u.setEdgeRouteSAML,
 		u.setEdgeRouteWebhookVerification,
+		u.setEdgeRoutePolicies,
 	}
 
 	for _, f := range funcs {
@@ -605,7 +606,7 @@ func (u *edgeRouteModuleUpdater) setEdgeRouteCompression(ctx context.Context, ro
 		EdgeID: route.EdgeID,
 		ID:     route.ID,
 		Module: ngrok.EndpointCompression{
-			Enabled: pointer.Bool(routeSpec.Compression.Enabled),
+			Enabled: ptr.To(routeSpec.Compression.Enabled),
 		},
 	})
 	return err
@@ -1028,3 +1029,29 @@ func (r *HTTPSEdgeReconciler) takeOfflineWithoutAuth(ctx context.Context, route
 
 	return nil
 }
+
+func (u *edgeRouteModuleUpdater) setEdgeRoutePolicies(ctx context.Context, route *ngrok.HTTPSEdgeRoute, routeSpec *ingressv1alpha1.HTTPSEdgeRouteSpec) error {
+	log := ctrl.LoggerFrom(ctx)
+	policies := routeSpec.Policies
+	client := u.clientset.Policies()
+
+	module := policies.ToNgrok()
+	// Early return if nothing to be done
+	if module == nil {
+		if route.Policies == nil {
+			u.logMatches(log, "Policies", routeModuleComparisonBothNil)
+			return nil
+		}
+
+		log.Info("Deleting Policies module")
+		return client.Delete(ctx, edgeRouteItem(route))
+	}
+
+	log.Info("Updating Policies module")
+	_, err := client.Replace(ctx, &ngrok.EdgeRoutePoliciesReplace{
+		EdgeID: route.EdgeID,
+		ID:     route.ID,
+		Module: *module,
+	})
+	return err
+}

internal/ngrokapi/edge_modules_https.go

@@ -9,6 +9,7 @@ import (
 	"github.com/ngrok/ngrok-api-go/v5/edge_modules/https_edge_route_ip_restriction"
 	"github.com/ngrok/ngrok-api-go/v5/edge_modules/https_edge_route_oauth"
 	"github.com/ngrok/ngrok-api-go/v5/edge_modules/https_edge_route_oidc"
+	"github.com/ngrok/ngrok-api-go/v5/edge_modules/https_edge_route_policies"
 	"github.com/ngrok/ngrok-api-go/v5/edge_modules/https_edge_route_request_headers"
 	"github.com/ngrok/ngrok-api-go/v5/edge_modules/https_edge_route_response_headers"
 	"github.com/ngrok/ngrok-api-go/v5/edge_modules/https_edge_route_saml"
@@ -55,6 +56,7 @@ type HTTPSEdgeRouteModulesClientset interface {
 	Compression() *https_edge_route_compression.Client
 	IPRestriction() *https_edge_route_ip_restriction.Client
 	OAuth() *https_edge_route_oauth.Client
+	Policies() *https_edge_route_policies.Client
 	OIDC() *https_edge_route_oidc.Client
 	RequestHeaders() *https_edge_route_request_headers.Client
 	ResponseHeaders() *https_edge_route_response_headers.Client
@@ -69,6 +71,7 @@ type defaultHTTPSEdgeRouteModulesClientset struct {
 	compression           *https_edge_route_compression.Client
 	ipRestriction         *https_edge_route_ip_restriction.Client
 	oauth                 *https_edge_route_oauth.Client
+	policies              *https_edge_route_policies.Client
 	oidc                  *https_edge_route_oidc.Client
 	requestHeaders        *https_edge_route_request_headers.Client
 	responseHeaders       *https_edge_route_response_headers.Client
@@ -84,6 +87,7 @@ func newHTTPSEdgeRouteModulesClient(config *ngrok.ClientConfig) *defaultHTTPSEdg
 		compression:           https_edge_route_compression.NewClient(config),
 		ipRestriction:         https_edge_route_ip_restriction.NewClient(config),
 		oauth:                 https_edge_route_oauth.NewClient(config),
+		policies:               https_edge_route_policies.NewClient(config),
 		oidc:                  https_edge_route_oidc.NewClient(config),
 		requestHeaders:        https_edge_route_request_headers.NewClient(config),
 		responseHeaders:       https_edge_route_response_headers.NewClient(config),
@@ -113,6 +117,10 @@ func (c *defaultHTTPSEdgeRouteModulesClientset) OAuth() *https_edge_route_oauth.
 	return c.oauth
 }
 
+func (c *defaultHTTPSEdgeRouteModulesClientset) Policies() *https_edge_route_policies.Client {
+	return c.policies
+}
+
 func (c *defaultHTTPSEdgeRouteModulesClientset) OIDC() *https_edge_route_oidc.Client {
 	return c.oidc
 }

internal/store/driver.go

@@ -629,6 +629,7 @@ func (d *Driver) calculateHTTPSEdges() map[string]ingressv1alpha1.HTTPSEdge {
 					IPRestriction:       modSet.Modules.IPRestriction,
 					Headers:             modSet.Modules.Headers,
 					OAuth:               modSet.Modules.OAuth,
+					Policies:            modSet.Modules.Policies,
 					OIDC:                modSet.Modules.OIDC,
 					SAML:                modSet.Modules.SAML,
 					WebhookVerification: modSet.Modules.WebhookVerification,