Enable "allow-snippet-annotations" in ingress-nginx static values

amantri · ayyappa · commit 556c6a09e216 · 2023-11-16T19:23:10.000Z
nginx v1.9.0 onwards, "allow-snippet-annotations" is disabled by default due to security vulnerability reported here https://github.com/kubernetes/ingress-nginx/issues/7837, openstack failed to apply due to this change since it is using "configuration-snippet" under annotations in its openstack ingress definition.we are changing this default behavior to let openstack apply successfully until this upstream PR kubernetes/ingress-nginx#9742 is addressed. once we upversion the nginx with the fix, we disable "allow-snippet-annotations" and openstack team will have to change their configuration. Test Cases: PASS: Enable "allow-snippet-annotations" in nginx configmap and apply the openstack app successfully PASS: Test stx-openstack with installation and verify openstack is applied successfully Closes-bug: 2042957 Change-Id: Ic6c379803f17998ef7f573fa1fffa566b9e74e39 Signed-off-by: amantri <ayyappa.mantri@windriver.com>
diff --git a/stx-nginx-ingress-controller-helm/stx-nginx-ingress-controller-helm/fluxcd-manifests/ingress-nginx/ingress-nginx-static-overrides.yaml b/stx-nginx-ingress-controller-helm/stx-nginx-ingress-controller-helm/fluxcd-manifests/ingress-nginx/ingress-nginx-static-overrides.yaml
@@ -16,6 +16,7 @@ controller:
     useHostPort: false
   nodeSelector:
     node-role.kubernetes.io/control-plane: ""
+  allowSnippetAnnotations: true
   config:
     # https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/
     nginx-status-ipv4-whitelist: 0.0.0.0/0
