From a2f1e58b7d8a08448dfdf4bf20032b816e0389db Mon Sep 17 00:00:00 2001
From: "David.Houck"
Date: Thu, 12 Dec 2024 16:56:58 -0500
Subject: [PATCH 1/4] feat: (PSKD-957) ingress-nginx configmap changes for v1.12+
Signed-off-by: David.Houck
---
 roles/baseline/defaults/main.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/roles/baseline/defaults/main.yml b/roles/baseline/defaults/main.yml
index 5df47f33..141e02d7 100644
--- a/roles/baseline/defaults/main.yml
+++ b/roles/baseline/defaults/main.yml
@@ -61,6 +61,8 @@ INGRESS_NGINX_CONFIG:
 use-forwarded-headers: "false"
 hsts-max-age: "63072000"
 hide-headers: Server,X-Powered-By
+ annotations-risk-level: "Critical"
+ strict-validate-path-type: "false"
 tcp: {}
 udp: {}
 lifecycle:
From 226a5da37fc88c4409324ad2d79720fed058090c Mon Sep 17 00:00:00 2001
From: "David.Houck"
Date: Fri, 13 Dec 2024 16:00:14 -0500
Subject: [PATCH 2/4] Set cfgmap values based on cadence and ingress-nginx version
Signed-off-by: David.Houck
---
 roles/baseline/defaults/main.yml | 14 ++++++++++++--
 roles/baseline/tasks/ingress-nginx.yaml | 16 ++++++++++++++++
 2 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/roles/baseline/defaults/main.yml b/roles/baseline/defaults/main.yml
index 141e02d7..8eb971a1 100644
--- a/roles/baseline/defaults/main.yml
+++ b/roles/baseline/defaults/main.yml
@@ -61,8 +61,6 @@ INGRESS_NGINX_CONFIG:
 use-forwarded-headers: "false"
 hsts-max-age: "63072000"
 hide-headers: Server,X-Powered-By
- annotations-risk-level: "Critical"
- strict-validate-path-type: "false"
 tcp: {}
 udp: {}
 lifecycle:
@@ -100,6 +98,18 @@ INGRESS_NGINX_CVE_2021_25742_PATCH:
 large-client-header-buffers: 4 32k
 annotation-value-word-blocklist: load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},\
+# Ingress-nginx - Required for <= 2024.11 with v1.12+
+INGRESS_NGINX_STRICT_VALIDATE_PATH_TYPE:
+ controller:
+ config:
+ strict-validate-path-type: "false"
+
+# Ingress-nginx - Required for 2024.12 or later with v1.12+ but OK for any ingress-nginx version
+INGRESS_NGINX_ANNOTATIONS_RISK_LEVEL:
+ controller:
+ config:
+ annotations-risk-level: "Critical"
+
 ## Nfs-subdir-external-provisioner
 NFS_CLIENT_NAME: nfs-subdir-external-provisioner-sas
 NFS_CLIENT_NAMESPACE: nfs-client
diff --git a/roles/baseline/tasks/ingress-nginx.yaml b/roles/baseline/tasks/ingress-nginx.yaml
index 5530b5ce..1d823e95 100644
--- a/roles/baseline/tasks/ingress-nginx.yaml
+++ b/roles/baseline/tasks/ingress-nginx.yaml
@@ -82,6 +82,22 @@
 - INGRESS_NGINX_CHART_VERSION is version('4.0.10', ">=") or (INGRESS_NGINX_CHART_VERSION is version('3.40.0', ">=") and INGRESS_NGINX_CHART_VERSION is version('4.0.0', "<"))
+- name: Disable strict_validate_path_type in INGRESS_NGINX_CONFIG
+ set_fact:
+ INGRESS_NGINX_CONFIG: "{{ INGRESS_NGINX_CONFIG | combine(INGRESS_NGINX_STRICT_VALIDATE_PATH_TYPE, recursive=True) }}"
+ when: V4_CFG_CADENCE_VERSION is version('2024.11', "<=") and V4_CFG_CADENCE_NAME|lower != "fast"
+ tags:
+ - install
+ - update
+
+- name: Add annotations_risk_level to INGRESS_NGINX_CONFIG
+ set_fact:
+ INGRESS_NGINX_CONFIG: "{{ INGRESS_NGINX_CONFIG | combine(INGRESS_NGINX_ANNOTATIONS_RISK_LEVEL, recursive=True) }}"
+ when: (V4_CFG_CADENCE_VERSION is version('2024.12', ">=") or V4_CFG_CADENCE_NAME|lower == "fast") or INGRESS_NGINX_CHART_VERSION is version('4.12.0', ">=")
+ tags:
+ - install
+ - update
+
 - name: Deploy ingress-nginx
 kubernetes.core.helm:
 name: "{{ INGRESS_NGINX_NAME }}"
From 69e2552f011df3da7bb3372e1973562255c34acd Mon Sep 17 00:00:00 2001
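Review bot: The comments on the two new dicts say when each override is required but not what it relaxes, which matters because both values lower controller-side hardening that, as far as I can tell, became the default in ingress-nginx v1.12, and this same file already carries INGRESS_NGINX_CVE_2021_25742_PATCH for the related annotation-injection concern. For INGRESS_NGINX_ANNOTATIONS_RISK_LEVEL I would write `# Critical admits every annotation the controller classifies as Critical risk (v1.12 defaults to High); the *-snippet annotations this includes are additionally gated by allow-snippet-annotations`. For INGRESS_NGINX_STRICT_VALIDATE_PATH_TYPE: `# "false" stops the controller rejecting Exact/Prefix paths that contain regex characters (v1.12 defaults to true), which is presumably why it is limited to the older cadences`. Only the comments change; the values and the cadence gating stay as they are.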
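Review bot: In both new set_fact tasks the role's dict is the second operand of combine(), so it wins on conflict and silently overwrites an `annotations-risk-level` or `strict-validate-path-type` that an operator deliberately put in their own INGRESS_NGINX_CONFIG, for instance to keep the controller's stricter default. Swapping the operands turns the role's value into a fallback that applies only when the key is absent: `INGRESS_NGINX_CONFIG: "{{ INGRESS_NGINX_STRICT_VALIDATE_PATH_TYPE | combine(INGRESS_NGINX_CONFIG, recursive=True) }}"` and `INGRESS_NGINX_CONFIG: "{{ INGRESS_NGINX_ANNOTATIONS_RISK_LEVEL | combine(INGRESS_NGINX_CONFIG, recursive=True) }}"`. The `when` expressions also assume V4_CFG_CADENCE_VERSION and V4_CFG_CADENCE_NAME are always defined; `V4_CFG_CADENCE_NAME|lower` fails on an undefined variable, so `| default('')` is worth adding if these are optional in some inventories. The later patches in this series only rewrite the conditions, so the combine order persists through them.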
From: "David.Houck"
Date: Fri, 13 Dec 2024 17:08:54 -0500
Subject: [PATCH 3/4] Add ingress-nginx version to strict-validate-path-type use expression
Signed-off-by: David.Houck
---
 roles/baseline/defaults/main.yml | 2 +-
 roles/baseline/tasks/ingress-nginx.yaml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/roles/baseline/defaults/main.yml b/roles/baseline/defaults/main.yml
index 8eb971a1..ec37a676 100644
--- a/roles/baseline/defaults/main.yml
+++ b/roles/baseline/defaults/main.yml
@@ -104,7 +104,7 @@ INGRESS_NGINX_STRICT_VALIDATE_PATH_TYPE:
 config:
 strict-validate-path-type: "false"
-# Ingress-nginx - Required for 2024.12 or later with v1.12+ but OK for any ingress-nginx version
+# Ingress-nginx - Required for ingress-nginx v1.12+
 INGRESS_NGINX_ANNOTATIONS_RISK_LEVEL:
 controller:
 config:
diff --git a/roles/baseline/tasks/ingress-nginx.yaml b/roles/baseline/tasks/ingress-nginx.yaml
index 1d823e95..eddb9237 100644
--- a/roles/baseline/tasks/ingress-nginx.yaml
+++ b/roles/baseline/tasks/ingress-nginx.yaml
@@ -85,7 +85,7 @@
 - name: Disable strict_validate_path_type in INGRESS_NGINX_CONFIG
 set_fact:
 INGRESS_NGINX_CONFIG: "{{ INGRESS_NGINX_CONFIG | combine(INGRESS_NGINX_STRICT_VALIDATE_PATH_TYPE, recursive=True) }}"
- when: V4_CFG_CADENCE_VERSION is version('2024.11', "<=") and V4_CFG_CADENCE_NAME|lower != "fast"
+ when: (V4_CFG_CADENCE_VERSION is version('2024.11', "<=") and V4_CFG_CADENCE_NAME|lower != "fast") and INGRESS_NGINX_CHART_VERSION is version('4.12.0', ">=")
 tags:
 - install
 - update
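Review bot: The rewritten `when` wraps the first two clauses in parentheses that change nothing for a pure `and` chain, and the single-line expression is now long enough that the three requirements are hard to check at a glance. Ansible ANDs the items of a `when` list, so the same condition reads better as one clause per line, which also makes a later change to one clause a one-line diff. The task starts inside the hunk, so this is a drop-in replacement for that one line.
```yaml
- name: Disable strict_validate_path_type in INGRESS_NGINX_CONFIG
  # … unchanged: set_fact …
  when:
    - V4_CFG_CADENCE_VERSION is version('2024.11', "<=")
    - V4_CFG_CADENCE_NAME|lower != "fast"
    - INGRESS_NGINX_CHART_VERSION is version('4.12.0', ">=")
  # … unchanged: tags …
```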
@@ -93,7 +93,7 @@
 - name: Add annotations_risk_level to INGRESS_NGINX_CONFIG
 set_fact:
 INGRESS_NGINX_CONFIG: "{{ INGRESS_NGINX_CONFIG | combine(INGRESS_NGINX_ANNOTATIONS_RISK_LEVEL, recursive=True) }}"
- when: (V4_CFG_CADENCE_VERSION is version('2024.12', ">=") or V4_CFG_CADENCE_NAME|lower == "fast") or INGRESS_NGINX_CHART_VERSION is version('4.12.0', ">=")
+ when: (V4_CFG_CADENCE_VERSION is version('2024.12', ">=") or V4_CFG_CADENCE_NAME|lower == "fast") and INGRESS_NGINX_CHART_VERSION is version('4.12.0', ">=")
 tags:
 - install
 - update
From d52f2a337c36aee59aa64a86e829bcc9d3083b77 Mon Sep 17 00:00:00 2001
From: "David.Houck"
Date: Mon, 16 Dec 2024 14:43:50 -0500
Subject: [PATCH 4/4] annotation-risk-level depends on ingress-nginx version
Signed-off-by: David.Houck
---
 roles/baseline/tasks/ingress-nginx.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/baseline/tasks/ingress-nginx.yaml b/roles/baseline/tasks/ingress-nginx.yaml
index eddb9237..45a51f80 100644
--- a/roles/baseline/tasks/ingress-nginx.yaml
+++ b/roles/baseline/tasks/ingress-nginx.yaml
@@ -93,7 +93,7 @@
 - name: Add annotations_risk_level to INGRESS_NGINX_CONFIG
 set_fact:
 INGRESS_NGINX_CONFIG: "{{ INGRESS_NGINX_CONFIG | combine(INGRESS_NGINX_ANNOTATIONS_RISK_LEVEL, recursive=True) }}"
- when: (V4_CFG_CADENCE_VERSION is version('2024.12', ">=") or V4_CFG_CADENCE_NAME|lower == "fast") and INGRESS_NGINX_CHART_VERSION is version('4.12.0', ">=")
+ when: INGRESS_NGINX_CHART_VERSION is version('4.12.0', ">=")
 tags:
 - install
 - update
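Review bot: With the cadence clauses removed, `annotations-risk-level: "Critical"` is now pushed to every deployment on chart 4.12.0 or newer, yet neither this task nor INGRESS_NGINX_ANNOTATIONS_RISK_LEVEL records which annotations in the deployed manifests actually need the Critical tier, so nobody can later tell whether the relaxation is still required. I would put that above the task: `# ingress-nginx v1.12 defaults annotations-risk-level to High; Critical is only needed for annotations the controller classifies as Critical (list them here so this can be tightened again).` followed by `# Operators whose Ingress objects do not use such annotations can override INGRESS_NGINX_ANNOTATIONS_RISK_LEVEL with a stricter level.` The task name `Add annotations_risk_level to INGRESS_NGINX_CONFIG` also understates that this widens what a namespace-scoped Ingress author can pass to the shared controller; naming it as a relaxation makes the play output honest about it.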