Merge branch 'main' into aamgayle/managedBySPCLabels

Azure · Oct 19, 2023 · 60b6925 · 60b6925
2 parents b232c42 + 4d1b718
commit 60b6925
Show file tree

Hide file tree

Showing 6 changed files with 18 additions and 6 deletions.
diff --git a/pkg/manifests/fixtures/nginx/full.json b/pkg/manifests/fixtures/nginx/full.json
@@ -509,14 +509,15 @@
             "containers": [
               {
                 "name": "controller",
-                "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.8.4",
+                "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.9.3",
                 "args": [
                   "/nginx-ingress-controller",
                   "--ingress-class=webapprouting.kubernetes.azure.com",
                   "--controller-class=webapprouting.kubernetes.azure.com/nginx",
                   "--election-id=nginx",
                   "--publish-service=$(POD_NAMESPACE)/nginx",
                   "--configmap=$(POD_NAMESPACE)/nginx",
+                  "--enable-annotation-validation=true",
                   "--http-port=8080",
                   "--https-port=8443"
                 ],
@@ -662,6 +663,7 @@
         ]
       },
       "data": {
+        "allow-snippet-annotations": "true",
         "annotation-value-word-blocklist": "load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},'"
       }
     },

diff --git a/pkg/manifests/fixtures/nginx/internal.json b/pkg/manifests/fixtures/nginx/internal.json
@@ -509,14 +509,15 @@
             "containers": [
               {
                 "name": "controller",
-                "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.8.4",
+                "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.9.3",
                 "args": [
                   "/nginx-ingress-controller",
                   "--ingress-class=nginx-private",
                   "--controller-class=test-controller-class",
                   "--election-id=nginx",
                   "--publish-service=$(POD_NAMESPACE)/nginx",
                   "--configmap=$(POD_NAMESPACE)/nginx",
+                  "--enable-annotation-validation=true",
                   "--http-port=8080",
                   "--https-port=8443"
                 ],
@@ -662,6 +663,7 @@
         ]
       },
       "data": {
+        "allow-snippet-annotations": "true",
         "annotation-value-word-blocklist": "load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},'"
       }
     },

diff --git a/pkg/manifests/fixtures/nginx/kube-system.json b/pkg/manifests/fixtures/nginx/kube-system.json
@@ -431,14 +431,15 @@
             "containers": [
               {
                 "name": "controller",
-                "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.8.4",
+                "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.9.3",
                 "args": [
                   "/nginx-ingress-controller",
                   "--ingress-class=webapprouting.kubernetes.azure.com",
                   "--controller-class=webapprouting.kubernetes.azure.com/nginx",
                   "--election-id=nginx",
                   "--publish-service=$(POD_NAMESPACE)/nginx",
                   "--configmap=$(POD_NAMESPACE)/nginx",
+                  "--enable-annotation-validation=true",
                   "--http-port=8080",
                   "--https-port=8443"
                 ],
@@ -576,6 +577,7 @@
         }
       },
       "data": {
+        "allow-snippet-annotations": "true",
         "annotation-value-word-blocklist": "load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},'"
       }
     },

diff --git a/pkg/manifests/fixtures/nginx/no-ownership.json b/pkg/manifests/fixtures/nginx/no-ownership.json
@@ -445,14 +445,15 @@
             "containers": [
               {
                 "name": "controller",
-                "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.8.4",
+                "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.9.3",
                 "args": [
                   "/nginx-ingress-controller",
                   "--ingress-class=webapprouting.kubernetes.azure.com",
                   "--controller-class=webapprouting.kubernetes.azure.com/nginx",
                   "--election-id=nginx",
                   "--publish-service=$(POD_NAMESPACE)/nginx",
                   "--configmap=$(POD_NAMESPACE)/nginx",
+                  "--enable-annotation-validation=true",
                   "--http-port=8080",
                   "--https-port=8443"
                 ],
@@ -590,6 +591,7 @@
         }
       },
       "data": {
+        "allow-snippet-annotations": "true",
         "annotation-value-word-blocklist": "load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},'"
       }
     },

diff --git a/pkg/manifests/fixtures/nginx/optional-features-disabled.json b/pkg/manifests/fixtures/nginx/optional-features-disabled.json
@@ -444,14 +444,15 @@
             "containers": [
               {
                 "name": "controller",
-                "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.8.4",
+                "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.9.3",
                 "args": [
                   "/nginx-ingress-controller",
                   "--ingress-class=webapprouting.kubernetes.azure.com",
                   "--controller-class=webapprouting.kubernetes.azure.com/nginx",
                   "--election-id=nginx",
                   "--publish-service=$(POD_NAMESPACE)/nginx",
                   "--configmap=$(POD_NAMESPACE)/nginx",
+                  "--enable-annotation-validation=true",
                   "--http-port=8080",
                   "--https-port=8443"
                 ],
@@ -589,6 +590,7 @@
         }
       },
       "data": {
+        "allow-snippet-annotations": "true",
         "annotation-value-word-blocklist": "load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},'"
       }
     },

diff --git a/pkg/manifests/nginx.go b/pkg/manifests/nginx.go
@@ -23,7 +23,7 @@ import (
 )
 
 const (
-	controllerImageTag = "v1.8.4"
+	controllerImageTag = "v1.9.3"
 	prom               = "prometheus"
 )
 
@@ -423,6 +423,7 @@ func newNginxIngressControllerDeployment(conf *config.Config, ingressConfig *Ngi
 							"--election-id=" + ingressConfig.ResourceName,
 							"--publish-service=$(POD_NAMESPACE)/" + ingressConfig.ResourceName,
 							"--configmap=$(POD_NAMESPACE)/" + ingressConfig.ResourceName,
+							"--enable-annotation-validation=true",
 							"--http-port=8080",
 							"--https-port=8443",
 						},
@@ -472,6 +473,7 @@ func newNginxIngressControllerConfigmap(conf *config.Config, ingressConfig *Ngin
 			// Can't use 'allow-snippet-annotations=false' to reduce injection risk, since we require snippet functionality for OSM routing.
 			// But we can still protect against leaked service account tokens.
 			// See: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#annotation-value-word-blocklist
+			"allow-snippet-annotations":       "true",
 			"annotation-value-word-blocklist": "load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},'",
 		},
 	}