Enable "allow-snippet-annotations" in ingress-nginx static values

nginx v1.9.0 onwards, "allow-snippet-annotations" is disabled by default due to security vulnerability reported here https://github.com/kubernetes/ingress-nginx/issues/7837, openstack failed to apply due to this change since it is using "configuration-snippet" under annotations in its openstack ingress definition.we are changing this default behavior to let openstack apply successfully until this upstream PR https://github.com/kubernetes/ingress-nginx/pull/9742 is addressed. once we upversion the nginx with the fix, we disable "allow-snippet-annotations" and openstack team will have to change their configuration. Test Cases: PASS: Enable "allow-snippet-annotations" in nginx configmap and apply the openstack app successfully PASS: Test stx-openstack with installation and verify openstack is applied successfully Closes-bug: 2042957 Change-Id: Ic6c379803f17998ef7f573fa1fffa566b9e74e39 Signed-off-by: amantri <ayyappa.mantri@windriver.com>
2023-11-15 09:55:44 -05:00 · 2023-11-15 09:55:44 -05:00 · 556c6a09e2
commit 556c6a09e2
parent aaac53a74a
1 changed files with 1 additions and 0 deletions
--- a/stx-nginx-ingress-controller-helm/stx-nginx-ingress-controller-helm/fluxcd-manifests/ingress-nginx/ingress-nginx-static-overrides.yaml
+++ b/stx-nginx-ingress-controller-helm/stx-nginx-ingress-controller-helm/fluxcd-manifests/ingress-nginx/ingress-nginx-static-overrides.yaml
@ -16,6 +16,7 @@ controller:
    useHostPort: false
  nodeSelector:
    node-role.kubernetes.io/control-plane: ""
+  allowSnippetAnnotations: true
  config:
    # https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/
    nginx-status-ipv4-whitelist: 0.0.0.0/0