Implement basic file fetcher (#3577)

Problem: As a user
I want NGF to fetch my NAP WAF Policy bundle from a remote location
So that this bundle can be applied by the data plane to protect my traffic

Solution: Create a Policy Fetcher utility in framework which can pull files from a remote location, as configured in the WafPolicy resource.
Implement policy validation via Checksum validation (compute checksum locally and compare to remote provided checksum).

Author: ciarams87

docs/proposals/nap-waf.md

@@ -296,6 +296,9 @@ sha256sum compiled-policy.tgz > compiled-policy.tgz.sha256
 aws s3 cp compiled-policy.tgz s3://company-policies/prod-policy.tgz
 aws s3 cp compiled-policy.tgz.sha256 s3://company-policies/prod-policy.tgz.sha256
 
+# Note: In WAFPolicy, reference S3 objects using HTTPS URLs:
+# fileLocation: "https://company-policies.s3.amazonaws.com/prod-policy.tgz"
+
 # No Kubernetes resource changes needed - NGF automatically detects the update
 echo "Policy updated. NGF will detect changes within polling interval."
 ```
@@ -427,6 +430,8 @@ spec:
 
 ### WAFPolicy Custom Resource with Policy Attachment
 
+**Note**: When referencing S3 objects, use HTTPS URLs (e.g., `https://bucket.s3.amazonaws.com/path/file.tgz`) rather than S3 protocol URLs (`s3://bucket/path/file.tgz`).
+
 ```yaml
 apiVersion: gateway.nginx.org/v1alpha1
 kind: WAFPolicy
@@ -442,7 +447,7 @@ spec:
     namespace: applications
 
   policySource:
-    fileLocation: "s3://ngf-waf-policies/production/gateway-policy-v1.2.3.tgz"
+    fileLocation: "https://ngf-waf-policies.s3.amazonaws.com/production/gateway-policy-v1.2.3.tgz"
     authSecret:
       name: "policy-store-credentials"
     validation:
@@ -456,7 +461,7 @@ spec:
       interval: "5m"        # Check every 5 minutes
       # Optional: explicit checksum location
       # If not specified, defaults to <fileLocation>.sha256
-      checksumLocation: "s3://ngf-waf-policies/production/gateway-policy-v1.2.3.tgz"
+      checksumLocation: "https://ngf-waf-policies.s3.amazonaws.com/production/gateway-policy-v1.2.3.tgz.sha256"
 
     # Retry configuration for policy fetch failures
     retryPolicy:
@@ -480,7 +485,7 @@ spec:
     # Custom logging profile bundle (similar to policy bundle)
     # logProfile and logProfileBundle are mutually exclusive per security log configuration entry
     logProfileBundle:
-      fileLocation: "s3://ngf-waf-policies/logging/custom-log-profile.tgz"
+      fileLocation: "https://ngf-waf-policies.s3.amazonaws.com/logging/custom-log-profile.tgz"
       authSecret:
         name: "policy-store-credentials"
       validation:
@@ -527,7 +532,7 @@ spec:
 
   # Stricter policy for admin endpoints
   policySource:
-    fileLocation: "s3://ngf-waf-policies/production/admin-strict-policy-v1.0.0.tgz"
+    fileLocation: "https://ngf-waf-policies.s3.amazonaws.com/production/admin-strict-policy-v1.0.0.tgz"
     authSecret:
       name: "policy-store-credentials"
     polling:
@@ -664,7 +669,7 @@ metadata:
 # NGF service account in nginx-gateway namespace provides IRSA authentication
 spec:
   policySource:
-    fileLocation: "s3://company-waf-policies/policy.tgz"
+    fileLocation: "https://company-waf-policies.s3.amazonaws.com/policy.tgz"
     # No authSecret needed - uses IRSA automatically
 ```
 
@@ -1009,7 +1014,7 @@ spec:
     namespace: applications
 
   policySource:
-    fileLocation: "s3://company-waf-policies/production/base-policy.tgz"
+    fileLocation: "https://company-waf-policies.s3.amazonaws.com/production/base-policy.tgz"
     # Secret referenced for fallback - NGF will use IRSA if available, secret if not
     authSecret:
       name: "policy-store-credentials"
@@ -1020,7 +1025,7 @@ spec:
       interval: "5m"
       # Optional explicit checksum location
       # If not specified, defaults to base-policy.tgz.sha256
-      checksumLocation: "s3://company-waf-policies/production/base-policy.tgz.sha256"
+      checksumLocation: "https://company-waf-policies.s3.amazonaws.com/production/base-policy.tgz.sha256"
 
   securityLogs:
   - name: "gateway-logging"
@@ -1044,7 +1049,7 @@ spec:
     namespace: applications
 
   policySource:
-    fileLocation: "s3://company-waf-policies/production/admin-strict-policy.tgz"
+    fileLocation: "https://company-waf-policies.s3.amazonaws.com/production/admin-strict-policy.tgz"
     polling:
       enabled: true
 

internal/framework/fetch/errors.go

@@ -0,0 +1,23 @@
+package fetch
+
+import "fmt"
+
+// ChecksumMismatchError represents an error when the calculated checksum doesn't match the expected checksum.
+// This type of error should not trigger retries as it indicates data corruption or tampering.
+type ChecksumMismatchError struct {
+	Expected string
+	Actual   string
+}
+
+func (e *ChecksumMismatchError) Error() string {
+	return fmt.Sprintf("checksum mismatch: expected %s, got %s", e.Expected, e.Actual)
+}
+
+// HTTPStatusError represents an HTTP status code error for retry logic.
+type HTTPStatusError struct {
+	StatusCode int
+}
+
+func (e *HTTPStatusError) Error() string {
+	return fmt.Sprintf("unexpected status code: %d", e.StatusCode)
+}