NGINX: disable allowSnippetAnnotations by default (!2689) · Merge requests · GitLab.org / charts / GitLab Chart

Mitchell Nielsen requested to merge 2941-disable-snippet-annotations into master Jul 25, 2022

What does this MR do?

NGINX: disable allowSnippetAnnotations by default

Disables `nginx-ingress.controller.allowSnippetAnnotations` by
default to address CVE-2021-25742.

Related issue:
https://github.com/kubernetes/ingress-nginx/issues/7837

Docs:
https://github.com/kubernetes/ingress-nginx/blob/helm-chart-4.0.6/docs/user-guide/nginx-configuration/configmap.md#allow-snippet-annotations

Closes https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2941

Changelog: changed

Related issues

Closes #2941

Testing

$ helm template gitlab . --set certmanager-issuer.email=a@b.com --show-only charts/nginx-ingress/templates/controller-configmap.yaml | grep allow-snippet-annotations
  allow-snippet-annotations: "false"

Checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion.

Required

Merge Request Title and Description are up to date, accurate, and descriptive
MR targeting the appropriate branch
MR has a green pipeline on GitLab.com

Expected (please provide an explanation if not completing)

Test plan indicating conditions for success has been posted and passes
Documentation created/updated
Tests added
Integration tests added to GitLab QA
Equivalent MR/issue for omnibus-gitlab opened

Closes #2941

Edited Jul 25, 2022 by Mitchell Nielsen

NGINX: disable allowSnippetAnnotations by default

What does this MR do?

Related issues

Testing

Checklist

Required

Expected (please provide an explanation if not completing)

Merge request reports