Add ingress.modSecurity.secRuleEngine support
Update ingress template to support ingress.modSecurity.secRuleEngine configuration, per https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#modsecurity.
Implementation
As modsecurity has already been enabled at the ingress-controller with https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/32905, this change will optionally override the default configuration by using nginx.ingress.kubernetes.io/modsecurity-snippet, which takes priority over the ingress-controller configuration nginx.ingress.kubernetes.io/enable-modsecurity-crs.
Since the snippet will completely override the inclusion of the core rule set, we instead manually include it here first with our Include, then set the SecRuleEngine to the passed value (enum: On | Off | DetectionOnly). As DetectionOnly is the default behavior defined by the ingress-controller's config map, we use the same default here.
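The snippet ordering and enum check described above, as an added example that is not part of this MR or the chart. The function names are hypothetical, and the Include path is the one given in the ingress-nginx documentation, assumed here because the MR text does not spell it out.

```bash
#!/usr/bin/env bash
# Added example; function names are hypothetical, not from the chart or auto-deploy.

# CRS include path as documented by ingress-nginx (assumption: the MR does not
# state which path its Include uses).
CRS_INCLUDE="/etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf"

# Print the modsecurity-snippet body for a given engine mode.
# Empty input falls back to DetectionOnly; anything outside the enum is
# rejected, so no extra directive can ride along into the ModSecurity config.
render_modsecurity_snippet() {
  local mode="${1:-DetectionOnly}"
  case "$mode" in
    On|Off|DetectionOnly) ;;
    *)
      echo "invalid SecRuleEngine value" >&2
      return 1
      ;;
  esac
  # Include comes first: the snippet replaces the controller's own CRS
  # include, and the SecRuleEngine line after it sets the final mode.
  printf 'Include %s\nSecRuleEngine %s\n' "$CRS_INCLUDE" "$mode"
}

# Print the Ingress annotation as a YAML block scalar.
render_annotation() {
  local snippet
  snippet="$(render_modsecurity_snippet "$1")" || return 1
  printf 'nginx.ingress.kubernetes.io/modsecurity-snippet: |\n'
  printf '%s\n' "$snippet" | sed 's/^/  /'
}

# Stand-alone run: render from the CI variable named in the MR, if set.
render_annotation "${MODSECURITY_SEC_RULE_ENGINE:-}"
```

Because the value ends up inside ModSecurity configuration, matching it against the three allowed words before rendering keeps a multi-line or misspelled CI variable from producing an unintended rule set.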
Next Steps
This MR is part of gitlab-org/gitlab#8558 (closed). Next step will be configuring auto-deploy-image with the following, done with gitlab-org/cluster-integration/auto-deploy-image!28 (merged):
diff --git a/src/bin/auto-deploy b/src/bin/auto-deploy
index b3d91ac..195cef1 100755
--- a/src/bin/auto-deploy
+++ b/src/bin/auto-deploy
@@ -161,6 +161,7 @@ function deploy() {
--set postgresql.postgresDatabase="$POSTGRES_DB" \
--set postgresql.imageTag="$POSTGRES_VERSION" \
--set application.initializeCommand="$DB_INITIALIZE" \
+ --set ingress.modsecurity.enabled="$modsecurity_enabled" \
+ --set ingress.modsecurity.secRuleEngine="$MODSECURITY_SEC_RULE_ENGINE" \
$HELM_UPGRADE_EXTRA_ARGS \
--namespace="$KUBE_NAMESPACE" \
"$name" \
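Review bot: The two added `--set` lines write to `ingress.modsecurity.*` (lowercase "s"), while the MR title and description name the value `ingress.modSecurity.secRuleEngine`; Helm value keys are case-sensitive, so the spelling here needs to match the chart exactly or the value will not reach the template. In addition, `"$MODSECURITY_SEC_RULE_ENGINE"` is passed unconditionally: when the variable is unset, `--set` sends an empty string, which replaces the chart's `DetectionOnly` default unless the template guards against it. Consider `"${MODSECURITY_SEC_RULE_ENGINE:-DetectionOnly}"` or adding the flag only when the variable is set. `$modsecurity_enabled` is lowercase and not defined in the visible lines, so it is worth confirming where it is assigned. Finally, the hunk header `@@ -161,6 +161,7 @@` accounts for one added line but two are shown.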