Ingress controller does not allow snippets

Question

I'm trying to add a snippet to an existing Ingress that is attached to an ingress-controller. However, when trying this, i get an error which is:

for: "app-ingress.yml": error when patching "app-ingress.yml": admission webhook "validate.nginx.ingress.kubernetes.io" denied the request: nginx.ingress.kubernetes.io/server-snippet annotation cannot be used. Snippet directives are disabled by the Ingress administrator

the ingress already exists and I'm trying to patch it to add a header. The updated ingress yaml is as follows:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-web-dev
  namespace: application
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/server-snippet: |
      expires 1M;
      add_header Cache-Control "public";

spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - dev.address.nl
    secretName: app-wildcard
  rules:
  - host: dev.address.nl
    http:
      paths:
      - path: /?(.*)
        pathType: Prefix
        backend:
          service:
            name: appwebsvc
            port:
              number: 80

I'm trying to use helm to update my ingress controller to enable snippets, but i can't find the right commands to do this.

Any ideas?

I am trying something like this:

helm upgrade --namespace ingress-nginx --install --set controller.config.server-snippet=true,controller.service.annotations.nginx\.ingress\.kubernetes\.io/allow-snippet-annotations=true --wait ingress-nginx ingress-nginx/ingress-nginx

Answer 1

If your ingress controller was previously installed using helm chart then you can use helm upgrade.

Please note that you should do an upgrade if and only if you have access to the exact chart with the same values file which was used to install nginx ingress earlier. You cannot just use a new chart to try to upgrade an existing installation which will cause all the earlier settings to be lost.

I am assuming your nginx ingress helm chart is

https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx

the allowSnippetAnnotations is the setting which needs to be turned on.

Option 1: set allowSnippetAnnotations=true in values file under the controller

Option 2: try to set setting the value "--set controller.allowSnippetAnnotations=true" in your helm upgrade command.

Please share more details on how your nginx ingress controller was installed if you need more help as my answer is on the assumptions I have mentioned above.

Answer 2

If you need just a temporary solution to patch your ingress, try this:

1. Get the config map related to your ingress controller

   $ kubectl get -A cm | grep ingress | grep controller
     kube-system                   rke2-ingress-nginx-controller      1      377d
   

2. Edit the config map by changing allow-snippet-annotations: "false" to allow-snippet-annotations: "true"

   $ kubectl -n kube-system edit cm rke2-ingress-nginx-controller
   "/tmp/kubectl-edit-1940673600.yaml" 25L, 910C written
   configmap/rke2-ingress-nginx-controller edited
   

3. Retart the controller

   $ k -n kube-system rollout restart ds rke2-ingress-nginx-controller
   daemonset.apps/rke2-ingress-nginx-controller restarted
   

4. If you want to see the rollout, do

   kubectl -n kube-system rollout status ds rke2-ingress-nginx-controller
   Waiting for daemon set "rke2-ingress-nginx-controller" rollout to finish: 0 out 
   of 17 new pods have been updated...
   Waiting for daemon set "rke2-ingress-nginx-controller" rollout to finish: 1 out 
   of 17 new pods have been updated...
   [...]
   daemon set "rke2-ingress-nginx-controller" successfully rolled out
   

After you patch your ingress, I suggest to revert the changes, so you'll not be vulnerable by some bad user by adding something that shouldn't be on ingress by patching it.