From a2f1e58b7d8a08448dfdf4bf20032b816e0389db Mon Sep 17 00:00:00 2001
From: "David.Houck"
Date: Thu, 12 Dec 2024 16:56:58 -0500
Subject: [PATCH 1/2] feat: (PSKD-957) ingress-nginx configmap changes for v1.12+

Signed-off-by: David.Houck
---
 roles/baseline/defaults/main.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/roles/baseline/defaults/main.yml b/roles/baseline/defaults/main.yml
index 5df47f33..141e02d7 100644
--- a/roles/baseline/defaults/main.yml
+++ b/roles/baseline/defaults/main.yml
@@ -61,6 +61,8 @@ INGRESS_NGINX_CONFIG:
 use-forwarded-headers: "false"
 hsts-max-age: "63072000"
 hide-headers: Server,X-Powered-By
+ annotations-risk-level: "Critical"
+ strict-validate-path-type: "false"
 tcp: {}
 udp: {}
 lifecycle:

From 226a5da37fc88c4409324ad2d79720fed058090c Mon Sep 17 00:00:00 2001
From: "David.Houck"
Date: Fri, 13 Dec 2024 16:00:14 -0500
Subject: [PATCH 2/2] Set cfgmap values based on cadence and ingress-nginx version

Signed-off-by: David.Houck
---
 roles/baseline/defaults/main.yml | 14 ++++++++++++--
 roles/baseline/tasks/ingress-nginx.yaml | 16 ++++++++++++++++
 2 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/roles/baseline/defaults/main.yml b/roles/baseline/defaults/main.yml
index 141e02d7..8eb971a1 100644
--- a/roles/baseline/defaults/main.yml
+++ b/roles/baseline/defaults/main.yml
@@ -61,8 +61,6 @@ INGRESS_NGINX_CONFIG:
 use-forwarded-headers: "false"
 hsts-max-age: "63072000"
 hide-headers: Server,X-Powered-By
- annotations-risk-level: "Critical"
- strict-validate-path-type: "false"
 tcp: {}
 udp: {}
 lifecycle:
@@ -100,6 +98,18 @@ INGRESS_NGINX_CVE_2021_25742_PATCH:
 large-client-header-buffers: 4 32k
 annotation-value-word-blocklist: load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},\
 
+# Ingress-nginx - Required for <= 2024.11 with v1.12+
+INGRESS_NGINX_STRICT_VALIDATE_PATH_TYPE:
+ controller:
+ config:
+ strict-validate-path-type: "false"
+
+# Ingress-nginx - Required for 2024.12 or later with v1.12+ but OK for any ingress-nginx version
+INGRESS_NGINX_ANNOTATIONS_RISK_LEVEL:
+ controller:
+ config:
+ annotations-risk-level: "Critical"
+
 ## Nfs-subdir-external-provisioner
 NFS_CLIENT_NAME: nfs-subdir-external-provisioner-sas
 NFS_CLIENT_NAMESPACE: nfs-client
diff --git a/roles/baseline/tasks/ingress-nginx.yaml b/roles/baseline/tasks/ingress-nginx.yaml
index 5530b5ce..1d823e95 100644
--- a/roles/baseline/tasks/ingress-nginx.yaml
+++ b/roles/baseline/tasks/ingress-nginx.yaml
@@ -82,6 +82,22 @@
 - INGRESS_NGINX_CHART_VERSION is version('4.0.10', ">=") or (INGRESS_NGINX_CHART_VERSION is version('3.40.0', ">=") and INGRESS_NGINX_CHART_VERSION is version('4.0.0', "<"))
 
+- name: Disable strict_validate_path_type in INGRESS_NGINX_CONFIG
+ set_fact:
+ INGRESS_NGINX_CONFIG: "{{ INGRESS_NGINX_CONFIG | combine(INGRESS_NGINX_STRICT_VALIDATE_PATH_TYPE, recursive=True) }}"
+ when: V4_CFG_CADENCE_VERSION is version('2024.11', "<=") and V4_CFG_CADENCE_NAME|lower != "fast"
+ tags:
+ - install
+ - update
+
+- name: Add annotations_risk_level to INGRESS_NGINX_CONFIG
+ set_fact:
+ INGRESS_NGINX_CONFIG: "{{ INGRESS_NGINX_CONFIG | combine(INGRESS_NGINX_ANNOTATIONS_RISK_LEVEL, recursive=True) }}"
+ when: (V4_CFG_CADENCE_VERSION is version('2024.12', ">=") or V4_CFG_CADENCE_NAME|lower == "fast") or INGRESS_NGINX_CHART_VERSION is version('4.12.0', ">=")
+ tags:
+ - install
+ - update
+
 - name: Deploy ingress-nginx
 kubernetes.core.helm:
 name: "{{ INGRESS_NGINX_NAME }}"
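Review bot: `annotations-risk-level: "Critical"` in INGRESS_NGINX_ANNOTATIONS_RISK_LEVEL re-allows the annotation class that ingress-nginx v1.12 stops accepting by default (its default moved to High); Critical is the level assigned to the snippet annotations, which carry raw nginx directives from any Ingress author into the generated config, the same exposure INGRESS_NGINX_CVE_2021_25742_PATCH above exists for. Snippets stay off unless `allow-snippet-annotations` is also enabled, which is not visible in this hunk, so the comment should state which annotations actually need Critical and what still contains them, e.g. `# Ingress-nginx - Required for 2024.12 or later with v1.12+ (v1.12 defaults to High); re-allows Critical-risk annotations, so keep annotation-value-word-blocklist above and restrict who may create Ingress objects`. The `strict-validate-path-type: "false"` default likewise relaxes a check that v1.12 appears to enable by default and would benefit from a one-line comment naming the <= 2024.11 path patterns that fail it, so the exception can be retired when those cadences age out. The INGRESS_NGINX_CVE_2021_25742_PATCH mapping the hunk opens on begins above the hunk.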
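Review bot: The `when` on the new `Disable strict_validate_path_type in INGRESS_NGINX_CONFIG` task gates only on cadence, while the matching default is commented `Required for <= 2024.11 with v1.12+`; on a chart below 4.12.0 the key is still merged into the configmap, presumably harmless on older controllers but not what the comment says. If the intent is to touch only v1.12+ controllers, add the chart check the next task already uses: `when: V4_CFG_CADENCE_VERSION is version('2024.11', "<=") and V4_CFG_CADENCE_NAME|lower != "fast" and INGRESS_NGINX_CHART_VERSION is version('4.12.0', ">=")`. Note also that a 2024.11 deployment on chart 4.12.0 matches both new tasks, which looks intended but is worth a comment on the first task, e.g. `# both facts may apply on 2024.11 with ingress-nginx v1.12+`. The task whose `when` list the hunk opens on starts above the hunk.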