diff --git a/roles/baseline/defaults/main.yml b/roles/baseline/defaults/main.yml
index 5df47f33..8eb971a1 100644
--- a/roles/baseline/defaults/main.yml
+++ b/roles/baseline/defaults/main.yml
@@ -98,6 +98,18 @@ INGRESS_NGINX_CVE_2021_25742_PATCH:
 large-client-header-buffers: 4 32k
 annotation-value-word-blocklist: load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},\
+# Ingress-nginx - Required for <= 2024.11 with v1.12+
+INGRESS_NGINX_STRICT_VALIDATE_PATH_TYPE:
+ controller:
+ config:
+ strict-validate-path-type: "false"
+
+# Ingress-nginx - Required for 2024.12 or later with v1.12+ but OK for any ingress-nginx version
+INGRESS_NGINX_ANNOTATIONS_RISK_LEVEL:
+ controller:
+ config:
+ annotations-risk-level: "Critical"
+
 ## Nfs-subdir-external-provisioner
 NFS_CLIENT_NAME: nfs-subdir-external-provisioner-sas
 NFS_CLIENT_NAMESPACE: nfs-client
diff --git a/roles/baseline/tasks/ingress-nginx.yaml b/roles/baseline/tasks/ingress-nginx.yaml
index 5530b5ce..1d823e95 100644
--- a/roles/baseline/tasks/ingress-nginx.yaml
+++ b/roles/baseline/tasks/ingress-nginx.yaml
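Review bot: The comments above `INGRESS_NGINX_STRICT_VALIDATE_PATH_TYPE` and `INGRESS_NGINX_ANNOTATIONS_RISK_LEVEL` in roles/baseline/defaults/main.yml give the version reason but not the security effect, and both values loosen controller checks. `strict-validate-path-type: "false"` turns off strict path validation, and `annotations-risk-level: "Critical"` accepts annotations of every risk class. Judging by the "v1.12+" wording, these restore behaviour that the newer controller restricts by default, so a reader should be told the relaxation is deliberate. I would add a line to each comment such as `# Security: relaxes a v1.12+ hardening default; limit who may create Ingress objects via RBAC and keep the annotation-value-word-blocklist applied`. The blocklist sits in `INGRESS_NGINX_CVE_2021_25742_PATCH`, which appears to be applied only for certain chart versions, so it is worth confirming that it is still in effect wherever the risk level is raised.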
@@ -82,6 +82,22 @@
 - INGRESS_NGINX_CHART_VERSION is version('4.0.10', ">=") or (INGRESS_NGINX_CHART_VERSION is version('3.40.0', ">=") and INGRESS_NGINX_CHART_VERSION is version('4.0.0', "<"))
+- name: Disable strict_validate_path_type in INGRESS_NGINX_CONFIG
+ set_fact:
+ INGRESS_NGINX_CONFIG: "{{ INGRESS_NGINX_CONFIG | combine(INGRESS_NGINX_STRICT_VALIDATE_PATH_TYPE, recursive=True) }}"
+ when: V4_CFG_CADENCE_VERSION is version('2024.11', "<=") and V4_CFG_CADENCE_NAME|lower != "fast"
+ tags:
+ - install
+ - update
+
+- name: Add annotations_risk_level to INGRESS_NGINX_CONFIG
+ set_fact:
+ INGRESS_NGINX_CONFIG: "{{ INGRESS_NGINX_CONFIG | combine(INGRESS_NGINX_ANNOTATIONS_RISK_LEVEL, recursive=True) }}"
+ when: (V4_CFG_CADENCE_VERSION is version('2024.12', ">=") or V4_CFG_CADENCE_NAME|lower == "fast") or INGRESS_NGINX_CHART_VERSION is version('4.12.0', ">=")
+ tags:
+ - install
+ - update
+
 - name: Deploy ingress-nginx
 kubernetes.core.helm:
 name: "{{ INGRESS_NGINX_NAME }}"
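Review bot: Both new `set_fact` tasks pass the relaxing dict as the argument to `combine`, so its value overrides whatever `INGRESS_NGINX_CONFIG` already holds for `strict-validate-path-type` or `annotations-risk-level`. If operators can supply `INGRESS_NGINX_CONFIG` themselves (not visible in this hunk), a stricter setting they chose is silently replaced by the looser one. For a relaxation the explicit value should win, which means reversing the merge order, e.g. `INGRESS_NGINX_CONFIG: "{{ INGRESS_NGINX_ANNOTATIONS_RISK_LEVEL | combine(INGRESS_NGINX_CONFIG, recursive=True) }}"`, and likewise for the path-type task. The hunk begins inside the previous task's `when:` list and ends inside the Deploy task, so how `INGRESS_NGINX_CONFIG` is populated earlier should be checked before changing the order.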