Merged
21 changes: 20 additions & 1 deletion docs/content/app-protect-waf/configuration.md
Expand Up @@ -19,11 +19,30 @@ The NGINX Ingress Controller has a set of global configuration parameters that a

You can enable and configure NGINX App Protect WAF on the Custom Resources (VirtualServer, VirtualServerRoute) or on the Ingress-resource basis.

To configure NGINX App Protect WAF on a VirtualServer resource, you would create a Policy Custom Resource referencing the APPolicy Custom Resource, and add this to the VirtualServer definition. See the documentation on the [App Protect WAF Policy](/nginx-ingress-controller/configuration/policy-resource/#waf).
To configure NGINX App Protect WAF on a VirtualServer resource, you would create a Policy Custom Resource referencing the APPolicy Custom Resource or APPolicy Bundle, and add this to the VirtualServer definition. See the documentation on the [App Protect WAF Policy](/nginx-ingress-controller/configuration/policy-resource/#waf).

To configure NGINX App Protect WAF on an Ingress resource, you would apply the [App Protect annotations](/nginx-ingress-controller/configuration/ingress-resources/advanced-configuration-with-annotations/#app-protect) to each desired resource.


## App Proptect WAF Bundles

You can define App Protect WAF bundles for VirtualServers by creating policy bundles and putting them on a mounted volume accessible from NGINX Ingress Controller.

For example, you can configure a policy by referencing generated WAF Policy Bundle:

```yaml
apiVersion: k8s.nginx.org/v1
kind: Policy
metadata:
name: <your-policy-name>
spec:
waf:
enable: true
apBundle: "<your-bundle-name>.tgz"
```

> **Note**: Before applying policy, WAF Policy bundle must be created and put on the volume.

## App Protect WAF Policies

You can define App Protect WAF policies for your VirtualServer, VirtualServerRoute, or Ingress resources by creating an `APPolicy` [Custom Resource](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/).
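
Review bot: The new bundles section does not say where `apBundle: "<your-bundle-name>.tgz"` is looked up: the text only says bundles go "on a mounted volume" and the closing note says "put on the volume", so a reader cannot tell which mount path or subdirectory the controller reads. State the expected directory, or link to the installation step that sets `mountPath`, and mention how the bundle is generated. Since whatever sits on that volume becomes the enforced WAF policy, it is also worth a sentence on limiting who can write to it. Smaller points: the heading `## App Proptect WAF Bundles` should read "App Protect", "by referencing generated WAF Policy Bundle" is missing an article, and the section mixes "APPolicy Bundle", "WAF Policy Bundle" and "policy bundles" for the same thing.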
34 changes: 34 additions & 0 deletions docs/content/app-protect-waf/installation.md
Expand Up @@ -63,4 +63,38 @@ Take the steps below to set up and deploy the NGINX Ingress Controller and App P
3. Enable the App Protect WAF module by adding the `enable-app-protect` [cli argument](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-app-protect) to your Deployment or DaemonSet file.
4. [Deploy the Ingress Controller](/nginx-ingress-controller/installation/installation-with-manifests/#3-deploy-the-ingress-controller).

Take the steps below to setup and deploy the NGINX Ingress Controller and App Protect WAF module if you want to use App Portect policy bundles in your Kubernetes cluster.

1. [Configure role-based access control (RBAC)](/nginx-ingress-controller/installation/installation-with-manifests/#1-configure-rbac).

> **Important**: You must have an admin role to configure RBAC in your Kubernetes cluster.

2. [Create the common Kubernetes resources](/nginx-ingress-controller/installation/installation-with-manifests/#2-create-common-resources).

3. Create and configure [Persistent Volume and Persistent Volume Claim](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) in your Kubernetes cluster.

4. [Deploy the Ingress Controller](/nginx-ingress-controller/installation/installation-with-manifests/#3-deploy-the-ingress-controller).

> **Important**: You must configure Ingress Controller deployment to mount the volume.

Following snippets illustrate changes that must be applied to deployment file:

Add `volumes` section to deployment template spec:
```yaml
...
volumes:
- name: <your volume name>
persistentVolumeClaim:
claimName: <your claim name>
...
```
Add volume mounts to `containers` section:
```yaml
...
volumeMounts:
- name: blob
mountPath: <your mount path>
...
```

For more information, see the [Configuration guide](/nginx-ingress-controller/app-protect/configuration) and the NGINX Ingress Controller with App Protect example resources on GitHub [for VirtualServer resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.0.2/examples/custom-resources/app-protect-waf) and [for Ingress resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.0.2/examples/ingress-resources/app-protect-waf).
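
Review bot: In the two deployment snippets the volume is declared as `- name: <your volume name>` but mounted with `- name: blob`; a `volumeMounts` entry has to use the same name as the `volumes` entry it refers to, so a Deployment copied from these snippets fails validation unless the volume happens to be called `blob`. Use the same placeholder in both. If the Ingress Controller only reads bundles from this mount, consider showing `readOnly: true` on it, and say what `<your mount path>` has to be for bundles to be found. Wording: "App Portect" and "setup" (as a verb it should be "set up") in the new intro sentence, "Following snippets" needs a leading "The", and the two "Add ..." lines run straight into their code fences without a blank line.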
20 changes: 20 additions & 0 deletions docs/content/installation/installation-with-manifests.md
Expand Up @@ -148,6 +148,26 @@ If you would like to use the App Protect DoS module, you will need to deploy the

**Note**: Update the `nginx-plus-ingress.yaml` with the chosen image from the F5 Container registry; or the container image that you have built.

**Note**: Update the `nginx-plus-ingress.yaml` with the chosen persistent volume and persitent volume claim if you run the `NGINX Ingress Controller` with [`AppProtect`](../app-protect/waf/installation#install-the-ingress-controller) and use WAF Policy bundles:

Add `volumes` section to deployment template spec:
```yaml
...
volumes:
- name: <your volume name>
persistentVolumeClaim:
claimName: <your claim name>
...
```
Add volume mounts to `containers` section:
```yaml
...
volumeMounts:
- name: blob
mountPath: <your mount path>
...
```

* *Use a DaemonSet*:
When you run the Ingress Controller by using a DaemonSet, Kubernetes will create an Ingress Controller pod on every node of the cluster.
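
Review bot: The link in the added note, `../app-protect/waf/installation#install-the-ingress-controller`, is relative and points at an `app-protect/waf/` path, while the other links in this change are site-absolute (for example `/nginx-ingress-controller/app-protect/configuration`) and the page being linked lives in `docs/content/app-protect-waf/installation.md`; please check that it resolves in the built docs. The note also repeats both snippets from installation.md, including the `<your volume name>` versus `name: blob` mismatch, so fix the name here too or replace the copy with a link to the single place that documents it. "persitent" should be "persistent", and because the snippets sit between the note and `* *Use a DaemonSet*:` it is unclear whether they apply to the Deployment, the DaemonSet, or both.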
