diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 49b39a7a3..d240181c3 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -258,7 +258,7 @@ jobs: strategy: matrix: - k8s: [v1.26.15, v1.27.13, v1.28.9, v1.29.4, v1.30.0] + k8s: [v1.28.13, v1.29.8, v1.30.4, v1.31.0] steps: - name: Checkout @@ -309,26 +309,11 @@ jobs: (needs.changes.outputs.go == 'true') || (needs.changes.outputs.baseimage == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }} strategy: matrix: - k8s: [v1.26.15, v1.27.13, v1.28.9, v1.29.4, v1.30.0] + k8s: [v1.28.13, v1.29.8, v1.30.4, v1.31.0] uses: ./.github/workflows/zz-tmpl-k8s-e2e.yaml with: k8s-version: ${{ matrix.k8s }} - kubernetes-validations: - name: Kubernetes with Validations - needs: - - changes - - build - if: | - (needs.changes.outputs.go == 'true') || (needs.changes.outputs.baseimage == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }} - strategy: - matrix: - k8s: [v1.26.15, v1.27.13, v1.28.9, v1.29.4, v1.30.0] - uses: ./.github/workflows/zz-tmpl-k8s-e2e.yaml - with: - k8s-version: ${{ matrix.k8s }} - variation: "VALIDATIONS" - kubernetes-chroot: name: Kubernetes chroot needs: @@ -338,7 +323,7 @@ jobs: (needs.changes.outputs.go == 'true') || (needs.changes.outputs.baseimage == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }} strategy: matrix: - k8s: [v1.26.15, v1.27.13, v1.28.9, v1.29.4, v1.30.0] + k8s: [v1.28.13, v1.29.8, v1.30.4, v1.31.0] uses: ./.github/workflows/zz-tmpl-k8s-e2e.yaml with: k8s-version: ${{ matrix.k8s }} diff --git a/.github/workflows/zz-tmpl-k8s-e2e.yaml b/.github/workflows/zz-tmpl-k8s-e2e.yaml index adf1dc0e8..7ab75feab 100644 --- a/.github/workflows/zz-tmpl-k8s-e2e.yaml +++ b/.github/workflows/zz-tmpl-k8s-e2e.yaml @@ -43,7 +43,6 @@ jobs: SKIP_CLUSTER_CREATION: true SKIP_INGRESS_IMAGE_CREATION: true SKIP_E2E_IMAGE_CREATION: true - ENABLE_VALIDATIONS: ${{ inputs.variation == 'VALIDATIONS' }} IS_CHROOT: ${{ inputs.variation == 'CHROOT' }} run: | kind get kubeconfig > $HOME/.kube/kind-config-kind diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index c1d1dfb66..f69d2951b 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -304,7 +304,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.dnsPolicy | string | `"ClusterFirst"` | Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. | | controller.electionID | string | `""` | Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' | | controller.electionTTL | string | `""` | Duration a leader election is valid before it's getting re-elected, e.g. `15s`, `10m` or `1h`. (Default: 30s) | -| controller.enableAnnotationValidations | bool | `false` | | +| controller.enableAnnotationValidations | bool | `true` | | | controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. # ref: https://github.com/microsoft/mimalloc # | | controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-mode="auto" Defaults to false | | controller.existingPsp | string | `""` | Use an existing PSP instead of creating one | diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 55d6c9a92..89cb718c4 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -17,7 +17,7 @@ commonLabels: {} controller: name: controller - enableAnnotationValidations: false + enableAnnotationValidations: true image: ## Keep false as default for now! chroot: false diff --git a/docs/user-guide/cli-arguments.md b/docs/user-guide/cli-arguments.md index f8fdc2ddb..8ada854bf 100644 --- a/docs/user-guide/cli-arguments.md +++ b/docs/user-guide/cli-arguments.md @@ -15,7 +15,7 @@ They are set in the container spec of the `ingress-nginx-controller` Deployment | `--default-backend-service` | Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form "namespace/name". The controller configures NGINX to forward requests to the first port of this Service. | | `--default-server-port` | Port to use for exposing the default server (catch-all). (default 8181) | | `--default-ssl-certificate` | Secret containing a SSL certificate to be used by the default HTTPS server (catch-all). Takes the form "namespace/name". | -| `--enable-annotation-validation` | If true, will enable the annotation validation feature. This value will be defaulted to true on a future release. | +| `--enable-annotation-validation` | If true, will enable the annotation validation feature. Defaults to true | | `--disable-catch-all` | Disable support for catch-all Ingresses. (default false) | | `--disable-full-test` | Disable full test of all merged ingresses at the admission stage and tests the template of the ingress being created or updated (full test of all ingresses is enabled by default). | | `--disable-svc-external-name` | Disable support for Services of type ExternalName. (default false) | diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go index 337cb9e86..63029bbbe 100644 --- a/internal/ingress/controller/config/config.go +++ b/internal/ingress/controller/config/config.go @@ -776,10 +776,10 @@ func NewDefault() Configuration { cfg := Configuration{ AllowSnippetAnnotations: false, - AllowCrossNamespaceResources: true, + AllowCrossNamespaceResources: false, AllowBackendServerHeader: false, AnnotationValueWordBlocklist: "", - AnnotationsRiskLevel: "Critical", + AnnotationsRiskLevel: "High", AccessLogPath: "/var/log/nginx/access.log", AccessLogParams: "", EnableAccessLogForDefaultBackend: false, @@ -924,7 +924,7 @@ func NewDefault() Configuration { GlobalRateLimitMemcachedPoolSize: 50, GlobalRateLimitStatusCode: 429, DebugConnections: []string{}, - StrictValidatePathType: false, // TODO: This will be true in future releases + StrictValidatePathType: true, GRPCBufferSizeKb: 0, } diff --git a/pkg/flags/flags.go b/pkg/flags/flags.go index 5891f636b..aed7d5c9a 100644 --- a/pkg/flags/flags.go +++ b/pkg/flags/flags.go @@ -158,7 +158,7 @@ Requires the update-status parameter.`) annotationsPrefix = flags.String("annotations-prefix", parser.DefaultAnnotationsPrefix, `Prefix of the Ingress annotations specific to the NGINX controller.`) - enableAnnotationValidation = flags.Bool("enable-annotation-validation", false, + enableAnnotationValidation = flags.Bool("enable-annotation-validation", true, `If true, will enable the annotation validation feature. This value will be defaulted to true on a future release`) enableSSLChainCompletion = flags.Bool("enable-ssl-chain-completion", false, diff --git a/test/e2e/admission/admission.go b/test/e2e/admission/admission.go index c41105e2d..124e1784d 100644 --- a/test/e2e/admission/admission.go +++ b/test/e2e/admission/admission.go @@ -127,14 +127,8 @@ var _ = framework.IngressNginxDescribeSerial("[Admission] admission controller", }) ginkgo.It("should return an error if there is an error validating the ingress definition", func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() host := admissionTestHost @@ -241,14 +235,8 @@ var _ = framework.IngressNginxDescribeSerial("[Admission] admission controller", }) ginkgo.It("should return an error if the Ingress V1 definition contains invalid annotations", func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() out, err := createIngress(f.Namespace, invalidV1Ingress) assert.Empty(ginkgo.GinkgoT(), out) @@ -261,14 +249,8 @@ var _ = framework.IngressNginxDescribeSerial("[Admission] admission controller", }) ginkgo.It("should not return an error for an invalid Ingress when it has unknown class", func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() out, err := createIngress(f.Namespace, invalidV1IngressWithOtherClass) assert.Equal(ginkgo.GinkgoT(), "ingress.networking.k8s.io/extensions-invalid-other created\n", out) assert.Nil(ginkgo.GinkgoT(), err, "creating an invalid ingress with unknown class using kubectl") diff --git a/test/e2e/annotations/auth.go b/test/e2e/annotations/auth.go index ea33fdf32..01c14be39 100644 --- a/test/e2e/annotations/auth.go +++ b/test/e2e/annotations/auth.go @@ -277,14 +277,8 @@ var _ = framework.DescribeAnnotation("auth-*", func() { "nginx.ingress.kubernetes.io/auth-snippet": ` proxy_set_header My-Custom-Header 42;`, } - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) @@ -297,15 +291,8 @@ var _ = framework.DescribeAnnotation("auth-*", func() { ginkgo.It(`should not set snippet "proxy_set_header My-Custom-Header 42;" when external auth is not configured`, func() { host := authHost - - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() annotations := map[string]string{ "nginx.ingress.kubernetes.io/auth-snippet": ` diff --git a/test/e2e/annotations/fromtowwwredirect.go b/test/e2e/annotations/fromtowwwredirect.go index b69cce93e..f578963ed 100644 --- a/test/e2e/annotations/fromtowwwredirect.go +++ b/test/e2e/annotations/fromtowwwredirect.go @@ -62,14 +62,8 @@ var _ = framework.DescribeAnnotation("from-to-www-redirect", func() { }) ginkgo.It("should redirect from www HTTPS to HTTPS", func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() ginkgo.By("setting up server for redirect from www") diff --git a/test/e2e/annotations/grpc.go b/test/e2e/annotations/grpc.go index 530d16729..2a9c5a983 100644 --- a/test/e2e/annotations/grpc.go +++ b/test/e2e/annotations/grpc.go @@ -193,14 +193,8 @@ var _ = framework.DescribeAnnotation("backend-protocol - GRPC", func() { ginkgo.It("should return OK for service with backend protocol GRPCS", func() { f.NewGRPCBinDeployment() - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() host := echoHost diff --git a/test/e2e/annotations/modsecurity/modsecurity.go b/test/e2e/annotations/modsecurity/modsecurity.go index a3e7d80ba..730fc76e7 100644 --- a/test/e2e/annotations/modsecurity/modsecurity.go +++ b/test/e2e/annotations/modsecurity/modsecurity.go @@ -100,14 +100,8 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { }) ginkgo.It("should enable modsecurity with snippet", func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() host := modSecurityFooHost nameSpace := f.Namespace @@ -173,14 +167,8 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { }) ginkgo.It("should enable modsecurity with snippet and block requests", func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() host := modSecurityFooHost nameSpace := f.Namespace @@ -212,14 +200,8 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { }) ginkgo.It("should enable modsecurity globally and with modsecurity-snippet block requests", func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() host := modSecurityFooHost nameSpace := f.Namespace @@ -251,16 +233,11 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { }) ginkgo.It("should enable modsecurity when enable-owasp-modsecurity-crs is set to true", func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - "enable-modsecurity": "true", - "enable-owasp-modsecurity-crs": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() + + f.UpdateNginxConfigMapData("enable-modsecurity", "true") + f.UpdateNginxConfigMapData("enable-owasp-modsecurity-crs", "true") host := modSecurityFooHost nameSpace := f.Namespace @@ -290,6 +267,8 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { }) ginkgo.It("should enable modsecurity through the config map", func() { + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() host := modSecurityFooHost nameSpace := f.Namespace @@ -310,17 +289,9 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { f.EnsureIngress(ing) expectedComment := "SecRuleEngine On" - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - "enable-modsecurity": "true", - "enable-owasp-modsecurity-crs": "true", - "modsecurity-snippet": expectedComment, - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + f.UpdateNginxConfigMapData("enable-modsecurity", "true") + f.UpdateNginxConfigMapData("enable-owasp-modsecurity-crs", "true") + f.UpdateNginxConfigMapData("modsecurity-snippet", expectedComment) f.WaitForNginxServer(host, func(server string) bool { @@ -339,6 +310,9 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { host := modSecurityFooHost nameSpace := f.Namespace + f.UpdateNginxConfigMapData("annotations-risk-level", "Critical") // To enable snippet configurations + defer f.UpdateNginxConfigMapData("annotations-risk-level", "High") + snippet := `SecRequestBodyAccess On SecAuditEngine RelevantOnly SecAuditLogParts ABIJDEFHZ @@ -378,14 +352,9 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { }) ginkgo.It("should disable default modsecurity conf setting when modsecurity-snippet is specified", func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() + host := modSecurityFooHost nameSpace := f.Namespace diff --git a/test/e2e/annotations/serversnippet.go b/test/e2e/annotations/serversnippet.go index 1195b728a..c94960a3d 100644 --- a/test/e2e/annotations/serversnippet.go +++ b/test/e2e/annotations/serversnippet.go @@ -33,14 +33,8 @@ var _ = framework.DescribeAnnotation("server-snippet", func() { }) ginkgo.It(`add valid directives to server via server snippet`, func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() host := "serversnippet.foo.com" annotations := map[string]string{ @@ -68,14 +62,8 @@ var _ = framework.DescribeAnnotation("server-snippet", func() { }) ginkgo.It(`drops server snippet if disabled by the administrator`, func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + f.UpdateNginxConfigMapData("annotations-risk-level", "Critical") // To enable snippet configurations + defer f.UpdateNginxConfigMapData("annotations-risk-level", "High") host := "noserversnippet.foo.com" annotations := map[string]string{ @@ -85,11 +73,6 @@ var _ = framework.DescribeAnnotation("server-snippet", func() { } ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) - f.UpdateNginxConfigMapData("allow-snippet-annotations", "false") - defer func() { - // Return to the original value - f.UpdateNginxConfigMapData("allow-snippet-annotations", "true") - }() // Sleep a while just to guarantee that the configmap is applied framework.Sleep() f.EnsureIngress(ing) diff --git a/test/e2e/annotations/snippet.go b/test/e2e/annotations/snippet.go index 0c6148a4f..9e3160dcc 100644 --- a/test/e2e/annotations/snippet.go +++ b/test/e2e/annotations/snippet.go @@ -33,15 +33,8 @@ var _ = framework.DescribeAnnotation("configuration-snippet", func() { ginkgo.It("set snippet more_set_headers in all locations", func() { host := "configurationsnippet.foo.com" - - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() annotations := map[string]string{ "nginx.ingress.kubernetes.io/configuration-snippet": `more_set_headers "Foo1: Bar1";`, @@ -71,6 +64,8 @@ var _ = framework.DescribeAnnotation("configuration-snippet", func() { }) ginkgo.It("drops snippet more_set_header in all locations if disabled by admin", func() { + f.UpdateNginxConfigMapData("annotations-risk-level", "Critical") // To enable snippet configurations + defer f.UpdateNginxConfigMapData("annotations-risk-level", "High") host := "noconfigurationsnippet.foo.com" annotations := map[string]string{ "nginx.ingress.kubernetes.io/configuration-snippet": `more_set_headers "Foo1: Bar1";`, diff --git a/test/e2e/annotations/streamsnippet.go b/test/e2e/annotations/streamsnippet.go index 432537b4a..f91cdc34e 100644 --- a/test/e2e/annotations/streamsnippet.go +++ b/test/e2e/annotations/streamsnippet.go @@ -39,14 +39,8 @@ var _ = framework.DescribeSetting("stream-snippet", func() { }) ginkgo.It("should add value of stream-snippet to nginx config", func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() host := "foo.com" diff --git a/test/e2e/framework/exec.go b/test/e2e/framework/exec.go index 580a8f58e..8d528c37a 100644 --- a/test/e2e/framework/exec.go +++ b/test/e2e/framework/exec.go @@ -117,11 +117,7 @@ func (f *Framework) newIngressController(namespace, namespaceOverlay string) err isChroot = "false" } - enableAnnotationValidations, ok := os.LookupEnv("ENABLE_VALIDATIONS") - if !ok { - enableAnnotationValidations = "false" - } - cmd := exec.Command("./wait-for-nginx.sh", namespace, namespaceOverlay, isChroot, enableAnnotationValidations) + cmd := exec.Command("./wait-for-nginx.sh", namespace, namespaceOverlay, isChroot) out, err := cmd.CombinedOutput() if err != nil { return fmt.Errorf("unexpected error waiting for ingress controller deployment: %v.\nLogs:\n%v", err, string(out)) diff --git a/test/e2e/framework/framework.go b/test/e2e/framework/framework.go index b71d84baa..6e62a1df3 100644 --- a/test/e2e/framework/framework.go +++ b/test/e2e/framework/framework.go @@ -383,6 +383,20 @@ func (f *Framework) SetNginxConfigMapData(cmData map[string]string) { f.WaitForReload(fn) } +// SetNginxConfigMapData sets ingress-nginx's nginx-ingress-controller configMap data +func (f *Framework) AllowSnippetConfiguration() func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + "annotations-risk-level": "Critical", // To enable snippet configurations + }) + return func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + "annotations-risk-level": "High", + }) + } +} + // CreateConfigMap creates a new configmap in the current namespace func (f *Framework) CreateConfigMap(name string, data map[string]string) { _, err := f.KubeClientSet.CoreV1().ConfigMaps(f.Namespace).Create(context.TODO(), &v1.ConfigMap{ diff --git a/test/e2e/ingress/multiple_rules.go b/test/e2e/ingress/multiple_rules.go index f44b2f8dd..9247dc1d3 100644 --- a/test/e2e/ingress/multiple_rules.go +++ b/test/e2e/ingress/multiple_rules.go @@ -36,14 +36,8 @@ var _ = framework.IngressNginxDescribe("single ingress - multiple hosts", func() }) ginkgo.It("should set the correct $service_name NGINX variable", func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() annotations := map[string]string{ "nginx.ingress.kubernetes.io/configuration-snippet": `more_set_input_headers "service-name: $service_name";`, diff --git a/test/e2e/ingress/pathtype_exact.go b/test/e2e/ingress/pathtype_exact.go index d0564cbf6..2660e32a4 100644 --- a/test/e2e/ingress/pathtype_exact.go +++ b/test/e2e/ingress/pathtype_exact.go @@ -35,14 +35,8 @@ var _ = framework.IngressNginxDescribe("[Ingress] [PathType] exact", func() { }) ginkgo.It("should choose exact location for /exact", func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() host := "exact.path" diff --git a/test/e2e/ingress/pathtype_mixed.go b/test/e2e/ingress/pathtype_mixed.go index e7bf2532e..3212089c9 100644 --- a/test/e2e/ingress/pathtype_mixed.go +++ b/test/e2e/ingress/pathtype_mixed.go @@ -37,14 +37,8 @@ var _ = framework.IngressNginxDescribe("[Ingress] [PathType] mix Exact and Prefi exactPathType := networking.PathTypeExact ginkgo.It("should choose the correct location", func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() host := "mixed.path" diff --git a/test/e2e/run-e2e-suite.sh b/test/e2e/run-e2e-suite.sh index 9333ee61f..909368e96 100755 --- a/test/e2e/run-e2e-suite.sh +++ b/test/e2e/run-e2e-suite.sh @@ -78,7 +78,6 @@ kubectl run --rm \ --env="E2E_NODES=${E2E_NODES}" \ --env="FOCUS=${FOCUS}" \ --env="IS_CHROOT=${IS_CHROOT:-false}"\ - --env="ENABLE_VALIDATIONS=${ENABLE_VALIDATIONS:-false}"\ --env="SKIP_OPENTELEMETRY_TESTS=${SKIP_OPENTELEMETRY_TESTS:-false}"\ --env="E2E_CHECK_LEAKS=${E2E_CHECK_LEAKS}" \ --env="NGINX_BASE_IMAGE=${NGINX_BASE_IMAGE}" \ diff --git a/test/e2e/run-kind-e2e.sh b/test/e2e/run-kind-e2e.sh index ab2cb2dd7..9b4e82932 100755 --- a/test/e2e/run-kind-e2e.sh +++ b/test/e2e/run-kind-e2e.sh @@ -39,7 +39,6 @@ fi KIND_LOG_LEVEL="1" IS_CHROOT="${IS_CHROOT:-false}" -ENABLE_VALIDATIONS="${ENABLE_VALIDATIONS:-false}" export KIND_CLUSTER_NAME=${KIND_CLUSTER_NAME:-ingress-nginx-dev} DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" # Use 1.0.0-dev to make sure we use the latest configuration in the helm template diff --git a/test/e2e/settings/badannotationvalues.go b/test/e2e/settings/badannotationvalues.go index f61b5bada..aa9906909 100644 --- a/test/e2e/settings/badannotationvalues.go +++ b/test/e2e/settings/badannotationvalues.go @@ -34,14 +34,8 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() { }) ginkgo.It("[BAD_ANNOTATIONS] should drop an ingress if there is an invalid character in some annotation", func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() host := "invalid-value-test" annotations := map[string]string{ @@ -50,7 +44,6 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() { } ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) - f.UpdateNginxConfigMapData("allow-snippet-annotations", "true") f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "something_forbidden,otherthing_forbidden,{") f.EnsureIngress(ing) @@ -73,14 +66,8 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() { }) ginkgo.It("[BAD_ANNOTATIONS] should drop an ingress if there is a forbidden word in some annotation", func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() host := "forbidden-value-test" @@ -93,7 +80,6 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() { } ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) - f.UpdateNginxConfigMapData("allow-snippet-annotations", "true") f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "something_forbidden,otherthing_forbidden,content_by_lua_block") // Sleep a while just to guarantee that the configmap is applied framework.Sleep() @@ -117,14 +103,9 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() { }) ginkgo.It("[BAD_ANNOTATIONS] should allow an ingress if there is a default blocklist config in place", func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() + hostValid := "custom-allowed-value-test" annotationsValid := map[string]string{ "nginx.ingress.kubernetes.io/configuration-snippet": ` @@ -155,14 +136,8 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() { }) ginkgo.It("[BAD_ANNOTATIONS] should drop an ingress if there is a custom blocklist config in place and allow others to pass", func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() host := "custom-forbidden-value-test" annotations := map[string]string{ diff --git a/test/e2e/settings/geoip2.go b/test/e2e/settings/geoip2.go index 064863734..9c6d59dc5 100644 --- a/test/e2e/settings/geoip2.go +++ b/test/e2e/settings/geoip2.go @@ -69,15 +69,9 @@ var _ = framework.DescribeSetting("Geoip2", func() { ginkgo.It("should only allow requests from specific countries", func() { ginkgo.Skip("GeoIP test are temporarily disabled") - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - "use-geoip2": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() + f.UpdateNginxConfigMapData("use-geoip2", "true") httpSnippetAllowingOnlyAustralia := `map $geoip2_city_country_code $blocked_country { default 1; diff --git a/test/e2e/settings/proxy_host.go b/test/e2e/settings/proxy_host.go index 35aafc53d..3ce86127e 100644 --- a/test/e2e/settings/proxy_host.go +++ b/test/e2e/settings/proxy_host.go @@ -34,14 +34,9 @@ var _ = framework.IngressNginxDescribe("Dynamic $proxy_host", func() { }) ginkgo.It("should exist a proxy_host", func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "true", - }) - defer func() { - f.SetNginxConfigMapData(map[string]string{ - "allow-snippet-annotations": "false", - }) - }() + disableSnippet := f.AllowSnippetConfiguration() + defer disableSnippet() + upstreamName := fmt.Sprintf("%v-%v-80", f.Namespace, framework.EchoService) annotations := map[string]string{ "nginx.ingress.kubernetes.io/configuration-snippet": `more_set_headers "Custom-Header: $proxy_host"`, @@ -65,10 +60,12 @@ var _ = framework.IngressNginxDescribe("Dynamic $proxy_host", func() { ginkgo.It("should exist a proxy_host using the upstream-vhost annotation value", func() { f.SetNginxConfigMapData(map[string]string{ "allow-snippet-annotations": "true", + "annotations-risk-level": "Critical", // To allow Configuration Snippet }) defer func() { f.SetNginxConfigMapData(map[string]string{ "allow-snippet-annotations": "false", + "annotations-risk-level": "High", }) }() diff --git a/test/e2e/settings/server_snippet.go b/test/e2e/settings/server_snippet.go index 8ddf10fd9..1e2084bd8 100644 --- a/test/e2e/settings/server_snippet.go +++ b/test/e2e/settings/server_snippet.go @@ -38,6 +38,7 @@ var _ = framework.DescribeSetting("configmap server-snippet", func() { f.SetNginxConfigMapData(map[string]string{ "allow-snippet-annotations": "true", + "annotations-risk-level": "Critical", "server-snippet": ` more_set_headers "Globalfoo: Foooo";`, }) @@ -45,6 +46,7 @@ var _ = framework.DescribeSetting("configmap server-snippet", func() { defer func() { f.SetNginxConfigMapData(map[string]string{ "allow-snippet-annotations": "false", + "annotations-risk-level": "High", }) }() annotations := map[string]string{ @@ -101,6 +103,7 @@ var _ = framework.DescribeSetting("configmap server-snippet", func() { f.SetNginxConfigMapData(map[string]string{ "allow-snippet-annotations": "false", + "annotations-risk-level": "Critical", // To allow Configuration Snippet "server-snippet": ` more_set_headers "Globalfoo: Foooo";`, }) @@ -108,6 +111,7 @@ var _ = framework.DescribeSetting("configmap server-snippet", func() { defer func() { f.SetNginxConfigMapData(map[string]string{ "allow-snippet-annotations": "false", + "annotations-risk-level": "High", }) }() annotations := map[string]string{ diff --git a/test/e2e/settings/validations/validations.go b/test/e2e/settings/validations/validations.go index ac95a453a..881de39b4 100644 --- a/test/e2e/settings/validations/validations.go +++ b/test/e2e/settings/validations/validations.go @@ -48,8 +48,8 @@ var _ = framework.IngressNginxDescribeSerial("annotation validations", func() { framework.Sleep() annotations := map[string]string{ - "nginx.ingress.kubernetes.io/default-backend": "default/bla", // low risk - "nginx.ingress.kubernetes.io/denylist-source-range": "1.1.1.1/32", // medium risk + "nginx.ingress.kubernetes.io/default-backend": "bla", // low risk + "nginx.ingress.kubernetes.io/denylist-source-range": "1.1.1.1/32", // medium risk } ginkgo.By("allow ingress with low/medium risk annotations") @@ -82,8 +82,8 @@ var _ = framework.IngressNginxDescribeSerial("annotation validations", func() { framework.Sleep() annotations := map[string]string{ - "nginx.ingress.kubernetes.io/default-backend": "default/bla", // low risk - "nginx.ingress.kubernetes.io/denylist-source-range": "1.1.1.1/32", // medium risk + "nginx.ingress.kubernetes.io/default-backend": "bla", // low risk + "nginx.ingress.kubernetes.io/denylist-source-range": "1.1.1.1/32", // medium risk } ginkgo.By("allow ingress with low/medium risk annotations") diff --git a/test/e2e/wait-for-nginx.sh b/test/e2e/wait-for-nginx.sh index ac0584962..506c4e03f 100755 --- a/test/e2e/wait-for-nginx.sh +++ b/test/e2e/wait-for-nginx.sh @@ -24,7 +24,6 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" export NAMESPACE=$1 export NAMESPACE_OVERLAY=$2 export IS_CHROOT=$3 -export ENABLE_VALIDATIONS=$4 echo "deploying NGINX Ingress controller in namespace $NAMESPACE" @@ -59,7 +58,7 @@ else # TODO: remove the need to use fullnameOverride fullnameOverride: nginx-ingress controller: - enableAnnotationValidations: ${ENABLE_VALIDATIONS} + enableAnnotationValidations: true image: repository: ingress-controller/controller chroot: ${IS_CHROOT}