Set cfgmap values based on cadence and ingress-nginx version
Signed-off-by: David.Houck <David.Houck@sas.com>
dhoucgitter committed Dec 13, 2024
1 parent a2f1e58 commit 226a5da
Showing 2 changed files with 28 additions and 2 deletions.
14 changes: 12 additions & 2 deletions roles/baseline/defaults/main.yml
@@ -61,8 +61,6 @@ INGRESS_NGINX_CONFIG:
use-forwarded-headers: "false"
hsts-max-age: "63072000"
hide-headers: Server,X-Powered-By
annotations-risk-level: "Critical"
strict-validate-path-type: "false"
tcp: {}
udp: {}
lifecycle:
@@ -100,6 +98,18 @@ INGRESS_NGINX_CVE_2021_25742_PATCH:
large-client-header-buffers: 4 32k
annotation-value-word-blocklist: load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},\

# Ingress-nginx - Required for <= 2024.11 with v1.12+
INGRESS_NGINX_STRICT_VALIDATE_PATH_TYPE:
controller:
config:
strict-validate-path-type: "false"

# Ingress-nginx - Required for 2024.12 or later with v1.12+ but OK for any ingress-nginx version
INGRESS_NGINX_ANNOTATIONS_RISK_LEVEL:
controller:
config:
annotations-risk-level: "Critical"

## Nfs-subdir-external-provisioner
NFS_CLIENT_NAME: nfs-subdir-external-provisioner-sas
NFS_CLIENT_NAMESPACE: nfs-client
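Review bot: The comments above INGRESS_NGINX_STRICT_VALIDATE_PATH_TYPE and INGRESS_NGINX_ANNOTATIONS_RISK_LEVEL say when each override is required but not what it relaxes. Both values loosen controller-side validation: `strict-validate-path-type: "false"` turns off path checking for Exact/Prefix path types, and `annotations-risk-level: "Critical"` admits annotations of every risk class. As far as I know, ingress-nginx v1.12 ships stricter defaults for both, which is presumably why the overrides exist. I would add one line to each block, for example `# Security: disables ingress path validation; drop once cadences <= 2024.11 are unsupported` and `# Security: admits Critical-risk annotations; relies on annotation-value-word-blocklist and RBAC on Ingress objects`.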
16 changes: 16 additions & 0 deletions roles/baseline/tasks/ingress-nginx.yaml
@@ -82,6 +82,22 @@
- INGRESS_NGINX_CHART_VERSION is version('4.0.10', ">=") or (INGRESS_NGINX_CHART_VERSION is version('3.40.0', ">=") and INGRESS_NGINX_CHART_VERSION is version('4.0.0',
"<"))

- name: Disable strict_validate_path_type in INGRESS_NGINX_CONFIG
set_fact:
INGRESS_NGINX_CONFIG: "{{ INGRESS_NGINX_CONFIG | combine(INGRESS_NGINX_STRICT_VALIDATE_PATH_TYPE, recursive=True) }}"
when: V4_CFG_CADENCE_VERSION is version('2024.11', "<=") and V4_CFG_CADENCE_NAME|lower != "fast"
tags:
- install
- update

- name: Add annotations_risk_level to INGRESS_NGINX_CONFIG
set_fact:
INGRESS_NGINX_CONFIG: "{{ INGRESS_NGINX_CONFIG | combine(INGRESS_NGINX_ANNOTATIONS_RISK_LEVEL, recursive=True) }}"
when: (V4_CFG_CADENCE_VERSION is version('2024.12', ">=") or V4_CFG_CADENCE_NAME|lower == "fast") or INGRESS_NGINX_CHART_VERSION is version('4.12.0', ">=")
tags:
- install
- update

- name: Deploy ingress-nginx
kubernetes.core.helm:
name: "{{ INGRESS_NGINX_NAME }}"
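Review bot: In both added tasks (`Disable strict_validate_path_type in INGRESS_NGINX_CONFIG` and `Add annotations_risk_level to INGRESS_NGINX_CONFIG`) the override dict is the right-hand argument of `combine`, so it wins over any value already present in INGRESS_NGINX_CONFIG. An operator who sets `annotations-risk-level: "High"` or `strict-validate-path-type: "true"` in their own INGRESS_NGINX_CONFIG would have it replaced by the looser value with no message. Whether operators may supply that variable is not visible here; if their overrides are meant to be honoured, swap the operands, e.g. `INGRESS_NGINX_CONFIG: "{{ INGRESS_NGINX_ANNOTATIONS_RISK_LEVEL | combine(INGRESS_NGINX_CONFIG, recursive=True) }}"`, and likewise in the path-type task. Separately, the first task's `when` never tests INGRESS_NGINX_CHART_VERSION, although the comment in defaults/main.yml scopes that override to v1.12+.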
