[v6.6.7+] annotation-value-word-blocklist may break existing server-snippet annotations

Summary

A change introduced in !2713 (merged) added a default annotation-value-word-blocklist value to the nginx-controller chart configuration:

    config:
      annotation-value-word-blocklist: "load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},',\""

If a user has an nginx.ingress.kubernetes.io/server-snippet annotation configured, this change breaks that ingress whenever the snippet contains any of the blocked words or characters. Because the failure appears only after the chart upgrade, it gives the impression that the GitLab upgrade process itself is broken.

Snippets can be added for any purpose the user deems necessary (for example, force-redirecting traffic to HTTPS) and are likely to contain at least one of {, }, ' or ", so the defaults seem over-zealous.

This default, although originally introduced upstream, is no longer recommended by the ingress-nginx controller project, and the defaults were reverted there in 1.1.0:

https://github.com/kubernetes/ingress-nginx/pull/7942

I believe that this setting should default to an empty string as it does in the controller project.

Steps to reproduce

Start from a GitLab installation on chart v6.5.4 (where this change is not yet active).

Configure an annotation like the following on the ingress:

  webservice:
    ingress:
      annotations:
...
        nginx.ingress.kubernetes.io/server-snippet: |
          if ($proxy_protocol_server_port != '443') {
            return 308 https://$host$request_uri;
          }

Upgrade to GitLab chart v6.6.7 or later.

Observe 404 errors when connecting to the GitLab webserver, failures to connect via the provisioned load balancer, and log lines such as these in the controller logs:

    broken header: \"\" while reading PROXY protocol, client: 
    invalid word {
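To show why the controller rejects the snippet above and why the logged word is `{`, here is an added Python model of the blocklist check. It is example code written for this issue, not the ingress-nginx controller's or the GitLab chart's own code. It assumes that the controller splits the config value on commas, tests each word as a plain substring of every annotation value, and reports the first hit; that matches the "invalid word {" log line but is an assumption of this example. The blocklist strings are the chart default shown in the Summary (after YAML unquoting) and the empty upstream default; the snippet and the sample annotations are constructed from the values in this issue.

```python
"""Model of the annotation-value-word-blocklist check (added example, not upstream code)."""

from typing import Dict, List, Optional

# The chart default from the Summary, as the string the controller receives after
# YAML unquoting: the final entry is a literal double quote.
CHART_DEFAULT_BLOCKLIST = (
    "load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},',\""
)

# The upstream controller default after the revert in ingress-nginx 1.1.0: no words.
UPSTREAM_DEFAULT_BLOCKLIST = ""

# The server-snippet from the reproduction steps above.
SERVER_SNIPPET = (
    "if ($proxy_protocol_server_port != '443') {\n"
    "  return 308 https://$host$request_uri;\n"
    "}\n"
)

# Constructed sample: the snippet plus an innocuous annotation that must pass either way.
SAMPLE_ANNOTATIONS = {
    "nginx.ingress.kubernetes.io/server-snippet": SERVER_SNIPPET,
    "nginx.ingress.kubernetes.io/ssl-redirect": "true",
}


def parse_blocklist(config_value: str) -> List[str]:
    """Split the comma-separated config value into words, dropping empty entries."""
    return [word.strip() for word in config_value.split(",") if word.strip()]


def first_blocked_word(value: str, blocklist: List[str]) -> Optional[str]:
    """Return the first blocked word found anywhere in the annotation value, else None.

    Assumption: plain substring matching, with no word-boundary handling, as the
    controller log "invalid word {" suggests.
    """
    for word in blocklist:
        if word in value:
            return word
    return None


def blocked_words(value: str, blocklist: List[str]) -> List[str]:
    """Return every blocked word the value contains, in blocklist order.

    Useful when tailoring a custom blocklist: it shows which defaults a given
    snippet can never coexist with.
    """
    return [word for word in blocklist if word in value]


def check_annotations(annotations: Dict[str, str], config_value: str) -> Dict[str, str]:
    """Map each rejected annotation key to the word the controller would report."""
    blocklist = parse_blocklist(config_value)
    rejected = {}
    for key, value in annotations.items():
        word = first_blocked_word(value, blocklist)
        if word is not None:
            rejected[key] = word
    return rejected


if __name__ == "__main__":
    for label, config in (("chart default", CHART_DEFAULT_BLOCKLIST),
                          ("upstream default", UPSTREAM_DEFAULT_BLOCKLIST)):
        rejected = check_annotations(SAMPLE_ANNOTATIONS, config)
        print(f"{label}: rejected={rejected}")
    print("all offending words in snippet:",
          blocked_words(SERVER_SNIPPET, parse_blocklist(CHART_DEFAULT_BLOCKLIST)))
```

With the chart default the server-snippet is rejected on `{` (and `}` and `'` would also trigger), while the innocuous `ssl-redirect` annotation passes; with the empty upstream default nothing is rejected. Because the match runs over the raw annotation text, quoting or escaping inside the snippet does not help: the only ways to keep such a snippet working are to set the blocklist to an empty string or to a list tailored to the snippets actually in use.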

Configuration used

See above.

Current behavior

Connecting to the GitLab webserver after upgrading fails with 404s.

Expected behavior

Connecting to the GitLab webserver after upgrading continues to succeed.

There should be no default blocklist configured: it should be empty, and left up to the user to configure.

Versions

  • Chart: v6.6.7
  • Platform:
    • Cloud: AWS
    • Self-hosted: Self-hosted
  • Kubernetes: EKS v1.22
    • Client: n/a
    • Server: EKS v1.22
  • Helm: (helm version)
    • Client: n/a
    • Server: n/a

Relevant logs

See above