Merge pull request #205 from sassoftware/staging

Monthly Release - 4.10.0
sassoftware · Apr 7, 2022 · 000145c · 000145c
2 parents fc35e57 + cb4c374
commit 000145c
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 4 deletions.
diff --git a/docs/user/Dependencies.md b/docs/user/Dependencies.md
@@ -13,7 +13,7 @@ SOURCE | NAME | VERSION
 ~ | docker | any
 ~ | git | any
 ~ | kustomize | 3.7.0
-~ | kubectl | 1.19.9
+~ | kubectl | 1.20 - 1.22
 ~ | AWS IAM Authenticator | 1.18.9/2020-11-02
 ~ | Helm | 3
 pip3 | ansible | 2.10.7

diff --git a/roles/baseline/defaults/main.yml b/roles/baseline/defaults/main.yml
@@ -54,9 +54,6 @@ INGRESS_NGINX_CONFIG:
 
     config:
       use-forwarded-headers: "true"
-      allow-snippet-annotations: "true"
-      large-client-header-buffers: "4 32k"
-      annotation-value-word-blocklist: "load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},\\"
     tcp: {}
     udp: {}
     lifecycle:
@@ -65,6 +62,15 @@ INGRESS_NGINX_CONFIG:
           command: ["/bin/sh", "-c", "sleep 5; /usr/local/nginx/sbin/nginx -c /etc/nginx/nginx.conf -s quit; while pgrep -x nginx; do sleep 1; done"]
     terminationGracePeriodSeconds: 600
 
+# Ingress-nginx - CVE-2021-25742 Mitigation
+INGRESS_NGINX_CVE_2021_25742_PATCH:
+  controller:
+    config:
+      allow-snippet-annotations: "true"
+      large-client-header-buffers: "4 32k"
+      use-forwarded-headers: "true"
+      annotation-value-word-blocklist: "load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},\\"
+
 ## Nfs-subdir-external-provisioner
 NFS_CLIENT_NAME: nfs-subdir-external-provisioner
 NFS_CLIENT_NAMESPACE: nfs-client

diff --git a/roles/baseline/tasks/ingress-nginx.yaml b/roles/baseline/tasks/ingress-nginx.yaml
@@ -28,6 +28,23 @@
     - install
     - update
 
+- name: Apply Mitigation for CVE-2021-25742
+  block:
+    - name: Retreive K8s cluster information
+      community.kubernetes.k8s_cluster_info:
+        kubeconfig: "{{ KUBECONFIG }}"
+      register: cluster_info
+    - name: Update INGRESS_NGINX_CONFIG
+      set_fact:
+        INGRESS_NGINX_CONFIG: "{{ INGRESS_NGINX_CONFIG|combine(INGRESS_NGINX_CVE_2021_25742_PATCH, recursive=True)}}"
+      when:
+        - cluster_info.version.server.kubernetes.minor is version(ingressVersions.k8sMinorVersionFloor.value, 'ge')
+        - INGRESS_NGINX_CHART_VERSION is version('4.0.10', ">=") or
+          (INGRESS_NGINX_CHART_VERSION is version('3.40.0', ">=") and INGRESS_NGINX_CHART_VERSION is version('4.0.0', "<"))
+  tags:
+    - install
+    - update
+
 - name: Deploy ingress-nginx
   community.kubernetes.helm:
     name: "{{ INGRESS_NGINX_NAME }}"