diff --git a/pkg/manifests/fixtures/nginx/full.json b/pkg/manifests/fixtures/nginx/full.json
index cd5c0ff2..67ca9db7 100644
--- a/pkg/manifests/fixtures/nginx/full.json
+++ b/pkg/manifests/fixtures/nginx/full.json
@@ -509,7 +509,7 @@
 "containers": [
 {
 "name": "controller",
- "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.8.4",
+ "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.9.3",
 "args": [
 "/nginx-ingress-controller",
 "--ingress-class=webapprouting.kubernetes.azure.com",
@@ -517,6 +517,7 @@
 "--election-id=nginx",
 "--publish-service=$(POD_NAMESPACE)/nginx",
 "--configmap=$(POD_NAMESPACE)/nginx",
+ "--enable-annotation-validation=true",
 "--http-port=8080",
 "--https-port=8443"
 ],
@@ -662,6 +663,7 @@
 ]
 },
 "data": {
+ "allow-snippet-annotations": "true",
 "annotation-value-word-blocklist": "load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},'"
 }
 },
diff --git a/pkg/manifests/fixtures/nginx/internal.json b/pkg/manifests/fixtures/nginx/internal.json
index 5750def7..f9c36dc8 100644
--- a/pkg/manifests/fixtures/nginx/internal.json
+++ b/pkg/manifests/fixtures/nginx/internal.json
@@ -509,7 +509,7 @@
 "containers": [
 {
 "name": "controller",
- "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.8.4",
+ "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.9.3",
 "args": [
 "/nginx-ingress-controller",
 "--ingress-class=nginx-private",
@@ -517,6 +517,7 @@
 "--election-id=nginx",
 "--publish-service=$(POD_NAMESPACE)/nginx",
 "--configmap=$(POD_NAMESPACE)/nginx",
+ "--enable-annotation-validation=true",
 "--http-port=8080",
 "--https-port=8443"
 ],
@@ -662,6 +663,7 @@
 ]
 },
 "data": {
+ "allow-snippet-annotations": "true",
 "annotation-value-word-blocklist": "load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},'"
 }
 },
diff --git a/pkg/manifests/fixtures/nginx/kube-system.json b/pkg/manifests/fixtures/nginx/kube-system.json
index 25b21d9c..b1673b3a 100644
--- a/pkg/manifests/fixtures/nginx/kube-system.json
+++ b/pkg/manifests/fixtures/nginx/kube-system.json
@@ -431,7 +431,7 @@
 "containers": [
 {
 "name": "controller",
- "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.8.4",
+ "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.9.3",
 "args": [
 "/nginx-ingress-controller",
 "--ingress-class=webapprouting.kubernetes.azure.com",
@@ -439,6 +439,7 @@
 "--election-id=nginx",
 "--publish-service=$(POD_NAMESPACE)/nginx",
 "--configmap=$(POD_NAMESPACE)/nginx",
+ "--enable-annotation-validation=true",
 "--http-port=8080",
 "--https-port=8443"
 ],
@@ -576,6 +577,7 @@
 }
 },
 "data": {
+ "allow-snippet-annotations": "true",
 "annotation-value-word-blocklist": "load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},'"
 }
 },
diff --git a/pkg/manifests/fixtures/nginx/no-ownership.json b/pkg/manifests/fixtures/nginx/no-ownership.json
index b74f8f70..68133959 100644
--- a/pkg/manifests/fixtures/nginx/no-ownership.json
+++ b/pkg/manifests/fixtures/nginx/no-ownership.json
@@ -445,7 +445,7 @@
 "containers": [
 {
 "name": "controller",
- "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.8.4",
+ "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.9.3",
 "args": [
 "/nginx-ingress-controller",
 "--ingress-class=webapprouting.kubernetes.azure.com",
@@ -453,6 +453,7 @@
 "--election-id=nginx",
 "--publish-service=$(POD_NAMESPACE)/nginx",
 "--configmap=$(POD_NAMESPACE)/nginx",
+ "--enable-annotation-validation=true",
 "--http-port=8080",
 "--https-port=8443"
 ],
@@ -590,6 +591,7 @@
 }
 },
 "data": {
+ "allow-snippet-annotations": "true",
 "annotation-value-word-blocklist": "load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},'"
 }
 },
diff --git a/pkg/manifests/fixtures/nginx/optional-features-disabled.json b/pkg/manifests/fixtures/nginx/optional-features-disabled.json
index 1075fb99..3a3a3fce 100644
--- a/pkg/manifests/fixtures/nginx/optional-features-disabled.json
+++ b/pkg/manifests/fixtures/nginx/optional-features-disabled.json
@@ -444,7 +444,7 @@
 "containers": [
 {
 "name": "controller",
- "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.8.4",
+ "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.9.3",
 "args": [
 "/nginx-ingress-controller",
 "--ingress-class=webapprouting.kubernetes.azure.com",
@@ -452,6 +452,7 @@
 "--election-id=nginx",
 "--publish-service=$(POD_NAMESPACE)/nginx",
 "--configmap=$(POD_NAMESPACE)/nginx",
+ "--enable-annotation-validation=true",
 "--http-port=8080",
 "--https-port=8443"
 ],
@@ -589,6 +590,7 @@
 }
 },
 "data": {
+ "allow-snippet-annotations": "true",
 "annotation-value-word-blocklist": "load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},'"
 }
 },
diff --git a/pkg/manifests/nginx.go b/pkg/manifests/nginx.go
index 17c56578..61ecb46a 100644
--- a/pkg/manifests/nginx.go
+++ b/pkg/manifests/nginx.go
@@ -23,7 +23,7 @@ import (
 )
 
 const (
- controllerImageTag = "v1.8.4"
+ controllerImageTag = "v1.9.3"
 prom = "prometheus"
 )
 
@@ -423,6 +423,7 @@ func newNginxIngressControllerDeployment(conf *config.Config, ingressConfig *Ngi
 "--election-id=" + ingressConfig.ResourceName,
 "--publish-service=$(POD_NAMESPACE)/" + ingressConfig.ResourceName,
 "--configmap=$(POD_NAMESPACE)/" + ingressConfig.ResourceName,
+ "--enable-annotation-validation=true",
 "--http-port=8080",
 "--https-port=8443",
 },
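Review bot: The new `"--enable-annotation-validation=true",` argument in the nginx.go args list carries no comment, although the ConfigMap in the same file documents its security-relevant keys. I would add `// Opt in to ingress-nginx's per-annotation value validation; complements annotation-value-word-blocklist in the ConfigMap.` above it. As far as I know, the free-form snippet annotations are not constrained by this validation, so the comment should not suggest that it replaces the blocklist. Turning validation on can also cause Ingress objects with non-conforming annotation values to be rejected, which is worth a line in the release notes. The body of newNginxIngressControllerDeployment starts and ends outside the hunk.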
@@ -472,6 +473,7 @@ func newNginxIngressControllerConfigmap(conf *config.Config, ingressConfig *Ngin
 // Can't use 'allow-snippet-annotations=false' to reduce injection risk, since we require snippet functionality for OSM routing.
 // But we can still protect against leaked service account tokens.
 // See: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#annotation-value-word-blocklist
+ "allow-snippet-annotations": "true",
 "annotation-value-word-blocklist": "load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},'",
 },
 }
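Review bot: The added `"allow-snippet-annotations": "true",` sits between the three-line comment and the `annotation-value-word-blocklist` key that the comment's link documents, so the comment now reads as if it described the new key. Move the new entry above the comment block and give it its own line, for example `// Explicit opt-in: snippets are required for OSM routing (the controller default is presumably false in this version).`. With snippets enabled, the word blocklist is the only control visible here on what an Ingress author can put into the nginx configuration. A denylist is easy to leave incomplete, so write access to Ingress objects should stay restricted through RBAC. The body of newNginxIngressControllerConfigmap starts and ends outside the hunk.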