
Disabling allowSnippetAnnotations prevents smartcard ingress configuration snippet from being set

Summary

In NGINX: disable allowSnippetAnnotations by default (!2689 - merged), we set the default value of allowSnippetAnnotations to false in order to mitigate CVE-2021-25742.

Unfortunately, this has the side effect of preventing use of the nginx.ingress.kubernetes.io/configuration-snippet annotation to add configuration settings to the nginx.conf inside the nginx-ingress controller.

We make use of this annotation in the smartcard ingress when it is enabled. (Added in Add support for configuring smartcard authentic... (!1510 - merged))

Steps to reproduce

  1. Minimally enable the smartcard ingress by deploying the helm chart with --set global.appConfig.smartcard.enabled=true and --set global.appConfig.smartcard.CASecret=gitlab-smartcard-ca (creating a ca.crt secret in gitlab-smartcard-ca as documented).
  2. Cat the /etc/nginx/nginx.conf in one or both of the deployed gitlab-nginx-ingress-controller- pods.
  3. Observe that there is no proxy_set_header X-SSL-Client-Certificate $ssl_client_escaped_cert; directive set.

By comparison:

  1. Deploy the chart in a trusted environment with --set nginx-ingress.controller.allowSnippetAnnotations=true in addition to --set global.appConfig.smartcard.enabled=true and --set global.appConfig.smartcard.CASecret=gitlab-smartcard-ca
  2. Cat the /etc/nginx/nginx.conf in one or both of the deployed gitlab-nginx-ingress-controller- pods.
  3. Observe that there is a proxy_set_header X-SSL-Client-Certificate $ssl_client_escaped_cert; directive set in the server smartcard.gitlab.domain section.

Potential Fix

We may be able to re-enable allowSnippetAnnotations and add an annotation-value-word-blocklist to our nginx-ingress.controller.config settings, using the values suggested by the ingress-nginx project, instead. That keeps the snippet annotation usable while rejecting snippets that contain the words the CVE-2021-25742 mitigation targets.
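As an added example (not part of this issue or of the GitLab chart itself), the following Helm values sketch the proposed fix. The value keys are the ones named in this issue; the blocklist contents are the values the ingress-nginx project documents as the CVE-2021-25742 mitigation, reproduced here from memory and to be verified against the upstream ConfigMap documentation for the ingress-nginx version the chart ships.

```yaml
# Added example, not chart code. Helm values for the proposed fix:
# keep allowSnippetAnnotations enabled but reject snippets containing
# the words ingress-nginx suggests blocking for CVE-2021-25742.
global:
  appConfig:
    smartcard:
      enabled: true
      CASecret: gitlab-smartcard-ca   # Secret holding ca.crt, as documented

nginx-ingress:
  controller:
    # Current chart default (false) makes the controller ignore the
    # nginx.ingress.kubernetes.io/configuration-snippet annotation, so the
    # smartcard server block never gets its proxy_set_header directive.
    # allowSnippetAnnotations: false
    allowSnippetAnnotations: true
    config:
      # Any annotation value containing one of these words is rejected.
      # The smartcard snippet
      #   proxy_set_header X-SSL-Client-Certificate $ssl_client_escaped_cert;
      # contains none of them, so it is still rendered into nginx.conf.
      # (List assumed from the upstream ingress-nginx docs; verify before use.)
      annotation-value-word-blocklist: "load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},',\""
```

After deploying with these values, repeat step 2 of the reproduction above and confirm the proxy_set_header X-SSL-Client-Certificate line is present in the smartcard server section; if the blocklist ever gains a word that appears in that snippet, the controller will drop the snippet again and the header will silently disappear.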