diff --git a/roles/baseline/defaults/main.yml b/roles/baseline/defaults/main.yml index 5df47f33..ec37a676 100644 --- a/roles/baseline/defaults/main.yml +++ b/roles/baseline/defaults/main.yml @@ -98,6 +98,18 @@ INGRESS_NGINX_CVE_2021_25742_PATCH: large-client-header-buffers: 4 32k annotation-value-word-blocklist: load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},\ +# Ingress-nginx - Required for <= 2024.11 with v1.12+ +INGRESS_NGINX_STRICT_VALIDATE_PATH_TYPE: + controller: + config: + strict-validate-path-type: "false" + +# Ingress-nginx - Required for ingress-nginx v1.12+ +INGRESS_NGINX_ANNOTATIONS_RISK_LEVEL: + controller: + config: + annotations-risk-level: "Critical" + ## Nfs-subdir-external-provisioner NFS_CLIENT_NAME: nfs-subdir-external-provisioner-sas NFS_CLIENT_NAMESPACE: nfs-client diff --git a/roles/baseline/tasks/ingress-nginx.yaml b/roles/baseline/tasks/ingress-nginx.yaml index 5530b5ce..45a51f80 100644 --- a/roles/baseline/tasks/ingress-nginx.yaml +++ b/roles/baseline/tasks/ingress-nginx.yaml @@ -82,6 +82,22 @@ - INGRESS_NGINX_CHART_VERSION is version('4.0.10', ">=") or (INGRESS_NGINX_CHART_VERSION is version('3.40.0', ">=") and INGRESS_NGINX_CHART_VERSION is version('4.0.0', "<")) +- name: Disable strict_validate_path_type in INGRESS_NGINX_CONFIG + set_fact: + INGRESS_NGINX_CONFIG: "{{ INGRESS_NGINX_CONFIG | combine(INGRESS_NGINX_STRICT_VALIDATE_PATH_TYPE, recursive=True) }}" + when: (V4_CFG_CADENCE_VERSION is version('2024.11', "<=") and V4_CFG_CADENCE_NAME|lower != "fast") and INGRESS_NGINX_CHART_VERSION is version('4.12.0', ">=") + tags: + - install + - update + +- name: Add annotations_risk_level to INGRESS_NGINX_CONFIG + set_fact: + INGRESS_NGINX_CONFIG: "{{ INGRESS_NGINX_CONFIG | combine(INGRESS_NGINX_ANNOTATIONS_RISK_LEVEL, recursive=True) }}" + when: INGRESS_NGINX_CHART_VERSION is version('4.12.0', ">=") + tags: + - install + - update + - name: Deploy ingress-nginx kubernetes.core.helm: name: "{{ INGRESS_NGINX_NAME }}"
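Review bot: In the roles/baseline/defaults/main.yml hunk, the two new defaults relax ingress-nginx hardening, but their comments say only "Required" and do not record the security trade-off. `strict-validate-path-type: "false"` turns off the path validation that v1.12 enables by default, and `annotations-risk-level: "Critical"` raises the ceiling back from the v1.12 default of High, so annotations the controller classifies as critical risk are accepted again from anyone who can create or edit Ingress objects. I would add above each block a comment such as `# Security: relaxes a v1.12 hardening default; remove once the deployed cadence no longer needs it`, and for the risk level also `# Critical-risk annotations are accepted again; limit Ingress write access via RBAC`. The first comment's "<= 2024.11 with v1.12+" would also read more clearly if it named what each version refers to (presumably the cadence version and the controller version).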
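Review bot: In the roles/baseline/tasks/ingress-nginx.yaml hunk, both new `set_fact` tasks pass the role default as the argument of `combine`, where the right-hand mapping wins, so any `controller.config.strict-validate-path-type` or `annotations-risk-level` already present in INGRESS_NGINX_CONFIG is silently replaced by the relaxed value. If INGRESS_NGINX_CONFIG can carry operator-supplied settings (not visible in this hunk), a stricter choice such as `annotations-risk-level: "High"` would be lost without warning. Reversing the operands keeps the default while letting an explicit setting win: `INGRESS_NGINX_CONFIG: "{{ INGRESS_NGINX_ANNOTATIONS_RISK_LEVEL | combine(INGRESS_NGINX_CONFIG, recursive=True) }}"`, and likewise for INGRESS_NGINX_STRICT_VALIDATE_PATH_TYPE. A short comment on each task saying that it weakens a controller default, and why, would help the next reader of the playbook.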