feat: (PSKD-957) ingress-nginx configmap changes for v1.12+ (#586)

roles/baseline/defaults/main.yml

@@ -98,6 +98,18 @@ INGRESS_NGINX_CVE_2021_25742_PATCH:
       large-client-header-buffers: 4 32k
       annotation-value-word-blocklist: load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},\
 
+# Ingress-nginx - Required for <= 2024.11 with v1.12+
+INGRESS_NGINX_STRICT_VALIDATE_PATH_TYPE:
+  controller:
+    config:
+      strict-validate-path-type: "false"
+
+# Ingress-nginx - Required for ingress-nginx v1.12+
+INGRESS_NGINX_ANNOTATIONS_RISK_LEVEL:
+  controller:
+    config:
+      annotations-risk-level: "Critical"
+
 ## Nfs-subdir-external-provisioner
 NFS_CLIENT_NAME: nfs-subdir-external-provisioner-sas
 NFS_CLIENT_NAMESPACE: nfs-client

roles/baseline/tasks/ingress-nginx.yaml

@@ -82,6 +82,22 @@
         - INGRESS_NGINX_CHART_VERSION is version('4.0.10', ">=") or (INGRESS_NGINX_CHART_VERSION is version('3.40.0', ">=") and INGRESS_NGINX_CHART_VERSION is version('4.0.0',
           "<"))
 
+- name: Disable strict_validate_path_type in INGRESS_NGINX_CONFIG
+  set_fact:
+    INGRESS_NGINX_CONFIG: "{{ INGRESS_NGINX_CONFIG | combine(INGRESS_NGINX_STRICT_VALIDATE_PATH_TYPE, recursive=True) }}"
+  when: (V4_CFG_CADENCE_VERSION is version('2024.11', "<=") and V4_CFG_CADENCE_NAME|lower != "fast") and INGRESS_NGINX_CHART_VERSION is version('4.12.0', ">=")
+  tags:
+    - install
+    - update
+
+- name: Add annotations_risk_level to INGRESS_NGINX_CONFIG
+  set_fact:
+    INGRESS_NGINX_CONFIG: "{{ INGRESS_NGINX_CONFIG | combine(INGRESS_NGINX_ANNOTATIONS_RISK_LEVEL, recursive=True) }}"
+  when: INGRESS_NGINX_CHART_VERSION is version('4.12.0', ">=")
+  tags:
+    - install
+    - update
+
 - name: Deploy ingress-nginx
   kubernetes.core.helm:
     name: "{{ INGRESS_NGINX_NAME }}"