e2e test suite for NGINX Ingress Controller ¶
[Default Backend] change default settings ¶
[Default Backend] ¶
- should return 404 sending requests when only a default backend is running
- enables access logging for default backend
- disables access logging for default backend
[Default Backend] custom service ¶
[Default Backend] SSL ¶
[TCP] tcp-services ¶
auth-* ¶
- should return status code 200 when no authentication is configured
- should return status code 503 when authentication is configured with an invalid secret
- should return status code 401 when authentication is configured but Authorization header is not configured
- should return status code 401 when authentication is configured and Authorization header is sent with invalid credentials
- should return status code 200 when authentication is configured and Authorization header is sent
- should return status code 200 when authentication is configured with a map and Authorization header is sent
- should return status code 401 when authentication is configured with invalid content and Authorization header is sent
- proxy_set_header My-Custom-Header 42;
- proxy_set_header My-Custom-Header 42;
- proxy_set_header 'My-Custom-Header' '42';
- retains cookie set by external authentication server
- should return status code 200 when signed in
- should redirect to signin url when not signed in
- keeps processing new ingresses even if one of the existing ingresses is misconfigured
- should return status code 200 when signed in
- should redirect to signin url when not signed in
- keeps processing new ingresses even if one of the existing ingresses is misconfigured
- should return status code 200 when signed in after auth backend is deleted
- should deny login for different location on same server
- should deny login for different servers
- should redirect to signin url when not signed in
affinitymode ¶
proxy-* ¶
- should set proxy_redirect to off
- should set proxy_redirect to default
- should set proxy_redirect to hello.com goodbye.com
- should set proxy client-max-body-size to 8m
- should not set proxy client-max-body-size to incorrect value
- should set valid proxy timeouts
- should not set invalid proxy timeouts
- should turn on proxy-buffering
- should turn off proxy-request-buffering
- should build proxy next upstream
- should setup proxy cookies
- should change the default proxy HTTP version
affinity session-cookie-name ¶
- should set sticky cookie SERVERID
- should change cookie name on ingress definition change
- should set the path to /something on the generated cookie
- does not set the path to / on the generated cookie if there's more than one rule referring to the same backend
- should set cookie with expires
- should work with use-regex annotation and session-cookie-path
- should warn user when use-regex is true and session-cookie-path is not set
- should not set affinity across all server locations when using separate ingresses
- should set sticky cookie without host
- should work with server-alias annotation
mirror-* ¶
- should set mirror-target to http://localhost/mirror
- should set mirror-target to https://test.env.com/$request_uri
- should disable mirror-request-body
canary-* ¶
- should response with a 200 status from the mainline upstream when requests are made to the mainline ingress
- should return 404 status for requests to the canary if no matching ingress is found
- should return the correct status codes when endpoints are unavailable
- should route requests to the correct upstream if mainline ingress is created before the canary ingress
- should route requests to the correct upstream if mainline ingress is created after the canary ingress
- should route requests to the correct upstream if the mainline ingress is modified
- should route requests to the correct upstream if the canary ingress is modified
- should route requests to the correct upstream
- should route requests to the correct upstream
- should route requests to the correct upstream
- should route requests to the correct upstream
- should routes to mainline upstream when the given Regex causes error
- should route requests to the correct upstream
- should route requests to the correct upstream
- should route requests to the correct upstream
- should not use canary as a catch-all server
- should not use canary with domain as a server
- does not crash when canary ingress has multiple paths to the same non-matching backend
limit-rate ¶
force-ssl-redirect ¶
http2-push-preload ¶
proxy-ssl-* ¶
- should set valid proxy-ssl-secret
- should set valid proxy-ssl-secret, proxy-ssl-verify to on, proxy-ssl-verify-depth to 2, and proxy-ssl-server-name to on
- should set valid proxy-ssl-secret, proxy-ssl-ciphers to HIGH:!AES
- should set valid proxy-ssl-secret, proxy-ssl-protocols
- proxy-ssl-location-only flag should change the nginx config server part
modsecurity owasp ¶
- should enable modsecurity
- should enable modsecurity with transaction ID and OWASP rules
- should disable modsecurity
- should enable modsecurity with snippet
- should enable modsecurity without using 'modsecurity on;'
- should disable modsecurity using 'modsecurity off;'
- should enable modsecurity with snippet and block requests
- should enable modsecurity globally and with modsecurity-snippet block requests
backend-protocol - GRPC ¶
- should use grpc_pass in the configuration file
- should return OK for service with backend protocol GRPC
- should return OK for service with backend protocol GRPCS
cors-* ¶
- should enable cors
- should set cors methods to only allow POST, GET
- should set cors max-age
- should disable cors allow credentials
- should allow origin for cors
- should allow headers for cors
- should expose headers for cors
influxdb-* ¶
Annotation - limit-connections ¶
client-body-buffer-size ¶
- should set client_body_buffer_size to 1000
- should set client_body_buffer_size to 1K
- should set client_body_buffer_size to 1k
- should set client_body_buffer_size to 1m
- should set client_body_buffer_size to 1M
- should not set client_body_buffer_size to invalid 1b
default-backend ¶
connection-proxy-header ¶
upstream-vhost ¶
custom-http-errors ¶
disable-access-log disable-http-access-log disable-stream-access-log ¶
server-snippet ¶
rewrite-target use-regex enable-rewrite-log ¶
- should write rewrite logs
- should use correct longest path match
- should use ~* location modifier if regex annotation is present
- should fail to use longest match for documented warning
- should allow for custom rewrite parameters
app-root ¶
whitelist-source-range ¶
enable-access-log enable-rewrite-log ¶
x-forwarded-prefix ¶
- should set the X-Forwarded-Prefix to the annotation value
- should not add X-Forwarded-Prefix if the annotation value is empty
configuration-snippet ¶
backend-protocol - FastCGI ¶
- should use fastcgi_pass in the configuration file
- should add fastcgi_index in the configuration file
- should add fastcgi_param in the configuration file
- should return OK for service with backend protocol FastCGI
from-to-www-redirect ¶
permanent-redirect permanent-redirect-code ¶
upstream-hash-by-* ¶
annotation-global-rate-limit ¶
backend-protocol ¶
- should set backend protocol to https:// and use proxy_pass
- should set backend protocol to grpc:// and use grpc_pass
- should set backend protocol to grpcs:// and use grpc_pass
- should set backend protocol to '' and use fastcgi_pass
- should set backend protocol to '' and use ajp_pass
satisfy ¶
server-alias ¶
- should return status code 200 for host 'foo' and 404 for 'bar'
- should return status code 200 for host 'foo' and 'bar'
- should return status code 200 for hosts defined in two ingresses, different path with one alias
ssl-ciphers ¶
auth-tls-* ¶
- should set valid auth-tls-secret
- should set valid auth-tls-secret, sslVerify to off, and sslVerifyDepth to 2
- should set valid auth-tls-secret, pass certificate to upstream, and error page
- should validate auth-tls-verify-client
[Status] status update ¶
Debug CLI ¶
- should list the backend servers
- should get information for a specific backend server
- should produce valid JSON for /dbg general
[Memory Leak] Dynamic Certificates ¶
[Ingress] [PathType] mix Exact and Prefix paths ¶
[Ingress] definition without host ¶
- should set ingress details variables for ingresses without a host
- should set ingress details variables for ingresses with host without IngressRuleValue, only Backend
single ingress - multiple hosts ¶
[Ingress] [PathType] exact ¶
[Ingress] [PathType] prefix checks ¶
[Security] request smuggling ¶
[SSL] [Flag] default-ssl-certificate ¶
- uses default ssl certificate for catch-all ingress
- uses default ssl certificate for host based ingress when configured certificate does not match host
enable-real-ip ¶
- trusts X-Forwarded-For header only when setting is true
- should not trust X-Forwarded-For header when setting is false
access-log ¶
- use the default configuration
- use the specified configuration
- use the specified configuration
- use the specified configuration
- use the specified configuration
[Lua] lua-shared-dicts ¶
server-tokens ¶
- should not exists Server header in the response
- should exists Server header in the response when is enabled
use-proxy-protocol ¶
- should respect port passed by the PROXY Protocol
- should respect proto passed by the PROXY Protocol server port
- should enable PROXY Protocol for HTTPS
- should enable PROXY Protocol for TCP
[Flag] custom HTTP and HTTPS ports ¶
- should set X-Forwarded-Port headers accordingly when listening on a non-default HTTP port
- should set X-Forwarded-Port header to 443
- should set the X-Forwarded-Port header to 443
[Security] no-auth-locations ¶
- should return status code 401 when accessing '/' unauthentication
- should return status code 200 when accessing '/' authentication
- should return status code 200 when accessing '/noauth' unauthenticated
Dynamic $proxy_host ¶
proxy-connect-timeout ¶
- should set valid proxy timeouts using configmap values
- should not set invalid proxy timeouts using configmap values
[Security] Pod Security Policies ¶
Geoip2 ¶
[Security] Pod Security Policies with volumes ¶
enable-multi-accept ¶
- should be enabled by default
- should be enabled when set to true
- should be disabled when set to false
log-format-* ¶
- should disable the log-format-escape-json by default
- should enable the log-format-escape-json
- should disable the log-format-escape-json
- log-format-escape-json enabled
- log-format-escape-json disabled
[Flag] ingress-class ¶
- should ignore Ingress with class
- should ignore Ingress with no class
- should delete Ingress when class is removed
- check scenarios for IngressClass and ingress.class annotation
ssl-ciphers ¶
proxy-next-upstream ¶
[Security] global-auth-url ¶
- should return status code 401 when request any protected service
- should return status code 200 when request whitelisted (via no-auth-locations) service and 401 when request protected service
- should return status code 200 when request whitelisted (via ingress annotation) service and 401 when request protected service
- should still return status code 200 after auth backend is deleted using cache
[Security] block-* ¶
- should block CIDRs defined in the ConfigMap
- should block User-Agents defined in the ConfigMap
- should block Referers defined in the ConfigMap
plugins ¶
Configmap - limit-rate ¶
Configure OpenTracing ¶
- should not exists opentracing directive
- should exists opentracing directive when is enabled
- should not exists opentracing_operation_name directive when is empty
- should exists opentracing_operation_name directive when is configured
- should not exists opentracing_location_operation_name directive when is empty
- should exists opentracing_location_operation_name directive when is configured
- should enable opentracing using zipkin
- should enable opentracing using jaeger
- should enable opentracing using jaeger with sampler host
- should enable opentracing using datadog
use-forwarded-headers ¶
- should trust X-Forwarded headers when setting is true
- should not trust X-Forwarded headers when setting is false
proxy-send-timeout ¶
- should set valid proxy send timeouts using configmap values
- should not set invalid proxy send timeouts using configmap values
Add no tls redirect locations ¶
settings-global-rate-limit ¶
add-headers ¶
hash size ¶
- should set server_names_hash_bucket_size
- should set server_names_hash_max_size
- should set proxy-headers-hash-bucket-size
- should set proxy-headers-hash-max-size
- should set variables-hash-bucket-size
- should set variables-hash-max-size
- should set vmap-hash-bucket-size
keep-alive keep-alive-requests ¶
- should set keepalive_timeout
- should set keepalive_requests
- should set keepalive connection to upstream server
- should set keep alive connection timeout to upstream server
- should set the request count to upstream server through one keep alive connection
[Flag] disable-catch-all ¶
- should ignore catch all Ingress
- should delete Ingress updated to catch-all
- should allow Ingress with both a default backend and rules
main-snippet ¶
[SSL] TLS protocols, ciphers and headers) ¶
- setting cipher suite
- enforcing TLS v1.0
- setting max-age parameter
- setting includeSubDomains parameter
- setting preload parameter
- overriding what's set from the upstream
- should not use ports during the HTTP to HTTPS redirection
- should not use ports or X-Forwarded-Host during the HTTP to HTTPS redirection
Configmap change ¶
proxy-read-timeout ¶
- should set valid proxy read timeouts using configmap values
- should not set invalid proxy read timeouts using configmap values
[Security] modsecurity-snippet ¶
OCSP ¶
reuse-port ¶
[Shutdown] Graceful shutdown with pending request ¶
[Shutdown] ingress controller ¶
- should shutdown in less than 60 secons without pending connections
- should shutdown after waiting 60 seconds for pending connections to be closed
- should shutdown after waiting 150 seconds for pending connections to be closed
[Service] backend status code 503 ¶
- should return 503 when backend service does not exist
- should return 503 when all backend service endpoints are unavailable
[Service] Type ExternalName ¶
- works with external name set to incomplete fqdn
- should return 200 for service type=ExternalName without a port defined
- should return 200 for service type=ExternalName with a port defined
- should return status 502 for service type=ExternalName with an invalid host
- should return 200 for service type=ExternalName using a port name
- should return 200 for service type=ExternalName using FQDN with trailing dot
- should update the external name after a service update