Finalize validation changes

This commit is contained in:
Ricardo Katz 2023-07-06 12:14:53 +00:00 committed by k8s-infra-cherrypick-robot
parent c8e647d045
commit 0e185b9edc
6 changed files with 33 additions and 4 deletions


@ -15,6 +15,7 @@ They are set in the container spec of the `ingress-nginx-controller` Deployment
| `--default-backend-service` | Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form "namespace/name". The controller configures NGINX to forward requests to the first port of this Service. |
| `--default-server-port` | Port to use for exposing the default server (catch-all). (default 8181) |
| `--default-ssl-certificate` | Secret containing a SSL certificate to be used by the default HTTPS server (catch-all). Takes the form "namespace/name". |
| `--disable-annotation-validation` | If true, will disable the annotation validation feature. This value will be defaulted to false on a future release. |
| `--disable-catch-all` | Disable support for catch-all Ingresses. (default false) |
| `--disable-full-test` | Disable full test of all merged ingresses at the admission stage and tests the template of the ingress being created or updated (full test of all ingresses is enabled by default). |
| `--disable-svc-external-name` | Disable support for Services of type ExternalName. (default false) |


@ -29,7 +29,9 @@ The following table shows a configuration option's name, type, and the default v
|:---|:---|:------|:----|
|[add-headers](#add-headers)|string|""||
|[allow-backend-server-header](#allow-backend-server-header)|bool|"false"||
|[allow-cross-namespace-resources](#allow-cross-namespace-resources)|bool|"true"||
|[allow-snippet-annotations](#allow-snippet-annotations)|bool|true||
|[annotation-risk](#annotation-risk)|string|Critical||
|[annotation-value-word-blocklist](#annotation-value-word-blocklist)|string array|""||
|[hide-headers](#hide-headers)|string array|empty||
|[access-log-params](#access-log-params)|string|""||
@ -239,6 +241,20 @@ Sets custom headers from named configmap before sending traffic to the client. S
Enables the return of the header Server from the backend instead of the generic nginx string. _**default:**_ is disabled
## allow-cross-namespace-resources
Enables users to consume cross namespace resource on annotations, when was previously enabled . _**default:**_ true
**Annotations that may be impacted with this change**:
* `auth-secret`
* `auth-proxy-set-header`
* `auth-tls-secret`
* `fastcgi-params-configmap`
* `proxy-ssl-secret`
**This option will be defaulted to false in the next major release**
## allow-snippet-annotations
Enables Ingress to parse and add *-snippet annotations/directives created by the user. _**default:**_ `true`
@ -246,6 +262,16 @@ Enables Ingress to parse and add *-snippet annotations/directives created by the
Warning: We recommend enabling this option only if you TRUST users with permission to create Ingress objects, as this
may allow a user to add restricted configurations to the final nginx.conf file
**This option will be defaulted to false in the next major release**
## annotation-risk
Represents the risk accepted on an annotation. If the risk is, for instance `Medium`, annotations with risk High and Critical will not be accepted.
Accepted values are `Critical`, `High`, `Medium` and `Low`.
Defaults to `Critical` but will be changed to `High` on the next minor release
## annotation-value-word-blocklist
Contains a comma-separated value of chars/words that are well known of being used to abuse Ingress configuration


@ -90,6 +90,8 @@ func ValidateArrayOfServerName(value string) error {
return nil
}
// ValidateServerName validates if the passed value is an acceptable server name. The server name
// can contain regex characters, as those are accepted values on nginx configuration
func ValidateServerName(value string) error {
value = strings.TrimSpace(value)
if !IsValidRegex.MatchString(value) {
@ -144,7 +146,7 @@ func ValidateInt(value string) error {
return err
}
// ValidateInt validates if the specified value is an array of IPs and CIDRs
// ValidateCIDRs validates if the specified value is an array of IPs and CIDRs
func ValidateCIDRs(value string) error {
_, err := net.ParseCIDRs(value)
return err
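Review bot: The new doc comment on ValidateServerName in the first hunk says the name "can contain regex characters" but never names the pattern that actually decides acceptance, even though the body immediately tests `IsValidRegex.MatchString(value)` after trimming; a maintainer auditing what can reach the nginx server_name directive has to go and find that pattern. Suggest tying the comment to the check: `// ValidateServerName validates if the passed value is an acceptable server name. Surrounding whitespace is trimmed and the result must match IsValidRegex; regex metacharacters are allowed because nginx accepts them in server names.` The body of ValidateServerName continues outside the hunk, so the behaviour on a non-match is not visible here and the comment should only describe the check itself.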


@ -100,7 +100,7 @@ type Configuration struct {
// AllowCrossNamespaceResources enables users to consume cross namespace resource on annotations
// Case disabled, attempts to use secrets or configmaps from a namespace different from Ingress will
// be denied
// This valid will default to `false` on future releases
// This value will default to `false` on future releases
AllowCrossNamespaceResources bool `json:"allow-cross-namespace-resources"`
// AnnotationsRisk represents the risk accepted on an annotation. If the risk is, for instance `Medium`, annotations


@ -153,7 +153,7 @@ Requires the update-status parameter.`)
`Prefix of the Ingress annotations specific to the NGINX controller.`)
disableAnnotationValidation = flags.Bool("disable-annotation-validation", true,
`Prefix of the Ingress annotations specific to the NGINX controller.`)
`If true, will disable the annotation validation feature. This value will be defaulted to false on a future release`)
enableSSLChainCompletion = flags.Bool("enable-ssl-chain-completion", false,
`Autocomplete SSL certificate chains with missing intermediate CA certificates.
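Review bot: The corrected help text for `disableAnnotationValidation = flags.Bool("disable-annotation-validation", true,` documents a flag whose default is `true`, meaning annotation validation is off unless the operator opts in, yet the text only says the default will change "on a future release" and never tells the reader how to turn validation on today. Suggest making the opt-in explicit in the string: `If true, will disable the annotation validation feature. Set to false to enable validation now; this value will be defaulted to false on a future release`. The same sentence is mirrored in the cli-arguments.md table added in this commit, which also omits the current default while neighbouring entries list theirs, so both copies should be kept in sync. The flags declaration block continues outside the visible hunk.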


@ -24,7 +24,7 @@ E2E_CHECK_LEAKS=${E2E_CHECK_LEAKS:-""}
reportFile="report-e2e-test-suite.xml"
ginkgo_args=(
# "--fail-fast"
"--fail-fast"
"--flake-attempts=2"
"--junit-report=${reportFile}"
"--nodes=${E2E_NODES}"
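Review bot: Uncommenting `"--fail-fast"` next to `"--flake-attempts=2"` changes the suite's failure semantics without saying so: the first spec that fails after its retries now stops the whole run, so later regressions are not exercised and will not appear as pass/fail in the report written by `"--junit-report=${reportFile}"`. If that trade-off is intended, a short comment above the option would save the next reader from re-deriving it, e.g. `# stop at the first non-flaky failure; later specs are not run and the junit report only covers what executed`. The `ginkgo_args` array continues past the visible lines of the hunk.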