Disabling allowSnippetAnnotations prevents smartcard ingress configuration snippet from being set
Summary
In NGINX: disable allowSnippetAnnotations by default (!2689 - merged), we set the default value of allowSnippetAnnotations to false in order to mitigate CVE-2021-25742.
Unfortunately, this has the side effect of preventing use of the nginx.ingress.kubernetes.io/configuration-snippet annotation to add configuration settings to the nginx.conf within the nginx-ingress controller: with snippet annotations disallowed, the controller ignores the annotation entirely.
We make use of this annotation in the smartcard ingress when it is enabled. (Added in Add support for configuring smartcard authentic... (!1510 - merged))
Steps to reproduce
- Minimally enable the smartcard ingress by deploying the helm chart with --set global.appConfig.smartcard.enabled=true and --set global.appConfig.smartcard.CASecret=gitlab-smartcard-ca (after creating the gitlab-smartcard-ca secret containing a ca.crt key, as documented).
- Cat /etc/nginx/nginx.conf in one or both of the deployed gitlab-nginx-ingress-controller- pods.
- Observe that no proxy_set_header X-SSL-Client-Certificate $ssl_client_escaped_cert; line is set.
By comparison:
- Deploy the chart in a trusted environment with --set nginx-ingress.controller.allowSnippetAnnotations=true in addition to --set global.appConfig.smartcard.enabled=true and --set global.appConfig.smartcard.CASecret=gitlab-smartcard-ca.
- Cat /etc/nginx/nginx.conf in one or both of the deployed gitlab-nginx-ingress-controller- pods.
- Observe that proxy_set_header X-SSL-Client-Certificate $ssl_client_escaped_cert; is set in the server smartcard.gitlab.domain section.
Potential Fix
We may be able to re-enable allowSnippetAnnotations and add an annotation-value-word-blocklist to our nginx-ingress.controller.config settings, using the suggested values, instead.
Two things to check before doing so: the smartcard snippet (proxy_set_header X-SSL-Client-Certificate $ssl_client_escaped_cert;) must not contain any of the blocklisted words, or it will be rejected and we are back where we started; and re-enabling snippet annotations applies to every Ingress the controller serves, so the blocklist becomes the only guard against the class of snippet abuse behind CVE-2021-25742.
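As an added example (not code from the GitLab chart or from ingress-nginx), the script below ties the reproduction steps and the potential fix together: it writes a values file that re-enables snippet annotations behind a blocklist, re-implements the blocklist's substring check so the smartcard snippet can be tested against it offline, and greps a dumped nginx.conf for the header the smartcard ingress needs. Assumptions: the blocklist string is the one suggested in the ingress-nginx ConfigMap docs as I recall it (verify against the controller version in use), the release name gitlab and chart gitlab/gitlab, the deployment name gitlab-nginx-ingress-controller, and that the controller rejects a snippet when any blocklisted word occurs in it as a substring.

```shell
#!/usr/bin/env bash
# Added example, not code from the GitLab chart or from ingress-nginx.
# (1) write chart values that re-enable snippet annotations but guard them
#     with annotation-value-word-blocklist,
# (2) re-implement the blocklist check offline to confirm the smartcard
#     snippet survives it,
# (3) grep a dumped nginx.conf for the header the smartcard ingress needs.
set -eu

# Blocklist suggested in the ingress-nginx ConfigMap docs for CVE-2021-25742
# (reproduced from memory; verify it against the controller version you run).
BLOCKLIST='load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},'"'"',"'

# The snippet the smartcard ingress injects (from the steps above).
SMARTCARD_SNIPPET='proxy_set_header X-SSL-Client-Certificate $ssl_client_escaped_cert;'

# Values file for: helm upgrade --install gitlab gitlab/gitlab -f <file>
# (release name and chart path are assumptions).
write_values_file() {
  local out="$1"
  cat > "$out" <<EOF
global:
  appConfig:
    smartcard:
      enabled: true
      CASecret: gitlab-smartcard-ca
nginx-ingress:
  controller:
    allowSnippetAnnotations: true
    config:
      # block scalar, because the list itself contains both quote characters
      annotation-value-word-blocklist: |-
        ${BLOCKLIST}
EOF
}

# My understanding of the controller's check (assumption): the annotation value
# is rejected if any blocklisted word occurs in it as a substring.
# Returns 0 if the snippet would be accepted, 1 if it would be rejected.
snippet_allowed() {
  local snippet="$1" word
  local IFS=','
  for word in $BLOCKLIST; do
    [ -n "$word" ] || continue
    case "$snippet" in
      *"$word"*) echo "snippet rejected: contains '$word'" >&2; return 1 ;;
    esac
  done
  return 0
}

# Verification step: reads nginx.conf from stdin, e.g.
#   kubectl exec deploy/gitlab-nginx-ingress-controller -- \
#     cat /etc/nginx/nginx.conf | has_smartcard_header
# (deployment name assumed). Returns 0 if the smartcard header line is present.
has_smartcard_header() {
  grep -Fq "$SMARTCARD_SNIPPET"
}

# Offline sanity check: the smartcard snippet must pass the blocklist, or the
# proposed fix does not actually restore the smartcard ingress.
if snippet_allowed "$SMARTCARD_SNIPPET"; then
  echo "smartcard snippet passes the suggested blocklist"
fi
```

The smartcard snippet passes because proxy_set_header is not proxy_pass and the line contains neither braces nor quotes, while a snippet that opens a location block or points proxy_pass elsewhere is rejected on the first blocklisted word it contains.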