Can't create server annotation anymore #10543

Closed
SebastienTolron opened this issue Oct 20, 2023 · 6 comments
Labels
needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Comments

@SebastienTolron

What happened:

admission webhook "validate.nginx.ingress.kubernetes.io" denied the request: nginx.ingress.kubernetes.io/server-snippet annotation cannot be used. Snippet directives are disabled by the Ingress administrator

What you expected to happen:

I should be able to add server-snippet

NGINX Ingress controller version:

    NGINX Ingress controller
      Release:       v1.9.3
      Build:         be93503b57a0ba2ea2e0631031541ca07515913a
      Repository:    https://github.com/kubernetes/ingress-nginx
      nginx version: nginx/1.21.6

Kubernetes version (use kubectl version):

v1.28.2

Environment:

k8srouter             Ready    router          7d2h   v1.28.2   192.168.10.60   <none>        Debian GNU/Linux 12 (bookworm)   6.1.0-13-amd64   cri-o://1.28.1

Installed using kubeadm on private cloud (OVH / Proxmox)

How was the ingress-nginx-controller installed:

  • Helm with argocd.
  • Chart Version : 4.8.2

values.yml

    controller:
      allowSnippetAnnotations: true
      podAnnotations:
        prometheus.io/scrape: true
        prometheus.io/port: 10254
      image:
        pullPolicy: Always
      config:
        service-upstream: true
        force-ssl-redirect: true
        allow-snippet-annotations: true
      ingressClass: nginx
      ingressClassResource:
        name: nginx

  • Current state of ingress object, if applicable:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: nextcloud-ingresscustom
      namespace: st350-nextcloud
      annotations:
        nginx.ingress.kubernetes.io/proxy-body-size: 4G
        nginx.ingress.kubernetes.io/server-snippet: |-
          server_tokens off;
          proxy_hide_header X-Powered-By;
          rewrite ^/.well-known/webfinger /index.php/.well-known/webfinger last;
          rewrite ^/.well-known/nodeinfo /index.php/.well-known/nodeinfo last;
          rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
          rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json;
          location = /.well-known/carddav {
            return 301 $scheme://$host/remote.php/dav;
          }
          location = /.well-known/caldav {
            return 301 $scheme://$host/remote.php/dav;
          }
          location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
          }
          location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
            deny all;
          }
          location ~ ^/(?:autotest|occ|issue|indie|db_|console) {
            deny all;
          }
    spec:
      tls:
        - hosts:
            - "nextcloud.***"
          secretName: nextcloud-cert
      ingressClassName: nginx
      rules:
        - host: nextcloud.***
          http:
            paths:
              - path: /
                pathType: Prefix
                backend:
                  service:
                    name: nextcloud-helm
                    port:
                      number: 8080

  • Others:

Configmap seems ok with these values:

    kubectl get cm ingress-nginx-controller -o yaml
    apiVersion: v1
    data:
      allow-snippet-annotations: "true"
      force-ssl-redirect: "true"
      service-upstream: "true"
    kind: ConfigMap
    metadata:
      annotations:
        kubectl.kubernetes.io/last-applied-configuration: |
          {"apiVersion":"v1","data":{"allow-snippet-annotations":"true","force-ssl-redirect":"true","service-upstream":"true"},"kind":"ConfigMap","metadata":{"annotations":{},"labels":{"app.kubernetes.io/component":"controller","app.kubernetes.io/instance":"ingress-nginx","app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"ingress-nginx","app.kubernetes.io/part-of":"ingress-nginx","app.kubernetes.io/version":"1.9.3","helm.sh/chart":"ingress-nginx-4.8.2","tolron/app":"ingress-nginx"},"name":"ingress-nginx-controller","namespace":"st030-routing"}}
      creationTimestamp: "2023-10-14T09:16:54Z"
      labels:
        app.kubernetes.io/component: controller
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: 1.9.3
        helm.sh/chart: ingress-nginx-4.8.2
        tolron/app: ingress-nginx
      name: ingress-nginx-controller
      namespace: st030-routing

I know there was some upgrade on that param on 1.9.0 and I had to set it to true. But it seems that it is not taken into account.

Did I miss something?

Thanks

@SebastienTolron SebastienTolron added the kind/bug Categorizes issue or PR as related to a bug. label Oct 20, 2023
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Oct 20, 2023
@k8s-ci-robot
Contributor

This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@jkeech

jkeech commented Oct 20, 2023

This might be related to the breaking change in 1.9 which disables server snippet annotations by default: #10393

@longwuyuan
Contributor

@k8s-ci-robot k8s-ci-robot added needs-kind Indicates a PR lacks a `kind/foo` label and requires one. and removed kind/bug Categorizes issue or PR as related to a bug. labels Oct 22, 2023
@k8s-ci-robot
Contributor

@longwuyuan: Closing this issue.

In response to this:

https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#allow-snippet-annotations

/remove-kind bug
/close


@SebastienTolron
Author

SebastienTolron commented Oct 22, 2023

Hello,

As you can see, this parameter is already set to true in my values. It is also ok in the configmap, but it is not taken into account. I still get the error message from the webhook.

This is a fresh install of the ingress controller, not an update.

So in the values:

    controller:
      allowSnippetAnnotations: true
      config:
        allow-snippet-annotations: true

(See original post)

What should I do to make it work?

I wouldn't open an issue if this was just a mistake of configuration...

Thanks for your help.

@zadigus

zadigus commented Mar 7, 2024

I tested this morning because I updated my ingress controller to one of the latest versions (4.9.1). I set

    controller:
      allowSnippetAnnotations: true

and the error

admission webhook "validate.nginx.ingress.kubernetes.io" denied the request: nginx.ingress.kubernetes.io/configuration-snippet annotation cannot be used. Snippet directives are disabled by the Ingress administrator

disappeared.
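
Added example, not code from this thread or from the ingress-nginx project: an inventory of which Ingress objects carry snippet annotations and whether admission would accept them for a given controller ConfigMap, useful for reviewing what raw NGINX configuration becomes admissible before turning `allow-snippet-annotations` on. The function names, the sample data and the rule that the webhook matches annotation keys ending in `-snippet` are assumptions.

```python
import json

PREFIX = "nginx.ingress.kubernetes.io/"
SNIPPET_SUFFIX = "-snippet"  # assumption: the webhook matches keys by this suffix

# Constructed sample, shaped like `kubectl get ingress -A -o json` output.
SAMPLE = json.dumps({"items": [
    {"metadata": {
        "namespace": "st350-nextcloud", "name": "nextcloud-ingresscustom",
        "annotations": {
            PREFIX + "proxy-body-size": "4G",
            PREFIX + "server-snippet":
                "server_tokens off;\nlocation = /robots.txt {\n  allow all;\n}",
        }}},
    {"metadata": {"namespace": "demo", "name": "no-annotations"}},
]})


def snippets_enabled(configmap_data):
    """ConfigMap values are strings; a missing key means the 1.9 default (off).
    Assumption: only a case-insensitive "true" counts as enabled."""
    value = configmap_data.get("allow-snippet-annotations", "false")
    return str(value).strip().lower() == "true"


def audit(ingress_list_json, configmap_data):
    """List every snippet annotation and whether admission would accept it."""
    admitted = snippets_enabled(configmap_data)
    findings = []
    for item in json.loads(ingress_list_json).get("items", []):
        meta = item.get("metadata", {})
        for key, value in sorted((meta.get("annotations") or {}).items()):
            if not (key.startswith(PREFIX) and key.endswith(SNIPPET_SUFFIX)):
                continue
            findings.append({
                "ingress": f"{meta.get('namespace')}/{meta.get('name')}",
                "annotation": key,
                "admitted": admitted,
                "lines": len(value.splitlines()),
                "blocks": value.count("{"),  # location/if blocks to review
            })
    return findings


if __name__ == "__main__":
    for cm in ({"allow-snippet-annotations": "true"}, {}):
        for finding in audit(SAMPLE, cm):
            print(finding)
```

To run it against a cluster, pass the output of `kubectl get ingress -A -o json` and the `data` map of the controller's ConfigMap instead of the constructed sample.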
