1614027cd4
* clarify link * Add section headers * console blocks * grpc example json was not valid * multi-tls update text The preceding point 1 related to4f2cb51ef8/ingress/controllers/nginx/examples/ingress.yamland the deployments referenced in4f2cb51ef8/ingress/controllers/nginx/examples/README.mdThey are not relevant to the current instructions. * add whitespace around parens * grammar setup would be a proper noun, but it is not the intended concept, which is a state * grammar * is-only * via * Use bullets for choices * ingress-controller nginx is a distinct brand. generally this repo talks about ingress-controller, although it is quite inconsistent about how... * drop stray paren * OAuth is a brand and needs an article here also GitHub is a brand * Indent text under numbered lists * use e.g. * Document that customer header config maps changes do not trigger updates This should be removed if https://github.com/kubernetes/ingress-nginx/issues/5238 is fixed. * article * period * infinitive verb + period * clarify that the gRPC server is responsible for listening for TCP traffic and not some other part of the backend application * avoid using ; and reword * whitespace * brand: gRPC * only-does is the right form `for` adds nothing here * spelling: GitHub * punctuation `;` is generally not the right punctuation... * drop stray `to` * sentence * backticks * fix link * Improve readability of compare/vs * Renumber list * punctuation * Favor Ingress-NGINX and Ingress NGINX * Simplify custom header restart text * Undo typo damage Co-authored-by: Josh Soref <jsoref@users.noreply.github.com>
53 KiB
53 KiB
e2e test suite for Ingress NGINX Controller
[Default Backend] change default settings
[Default Backend]
- should return 404 sending requests when only a default backend is running
- enables access logging for default backend
- disables access logging for default backend
[Default Backend] custom service
[Default Backend] SSL
[TCP] tcp-services
auth-*
- should return status code 200 when no authentication is configured
- should return status code 503 when authentication is configured with an invalid secret
- should return status code 401 when authentication is configured but Authorization header is not configured
- should return status code 401 when authentication is configured and Authorization header is sent with invalid credentials
- should return status code 200 when authentication is configured and Authorization header is sent
- should return status code 200 when authentication is configured with a map and Authorization header is sent
- should return status code 401 when authentication is configured with invalid content and Authorization header is sent
- proxy_set_header My-Custom-Header 42;
- proxy_set_header My-Custom-Header 42;
- proxy_set_header 'My-Custom-Header' '42';
- retains cookie set by external authentication server
- should return status code 200 when signed in
- should redirect to signin url when not signed in
- keeps processing new ingresses even if one of the existing ingresses is misconfigured
- should return status code 200 when signed in
- should redirect to signin url when not signed in
- keeps processing new ingresses even if one of the existing ingresses is misconfigured
- should return status code 200 when signed in after auth backend is deleted
- should deny login for different location on same server
- should deny login for different servers
- should redirect to signin url when not signed in
affinitymode
proxy-*
- should set proxy_redirect to off
- should set proxy_redirect to default
- should set proxy_redirect to hello.com goodbye.com
- should set proxy client-max-body-size to 8m
- should not set proxy client-max-body-size to incorrect value
- should set valid proxy timeouts
- should not set invalid proxy timeouts
- should turn on proxy-buffering
- should turn off proxy-request-buffering
- should build proxy next upstream
- should setup proxy cookies
- should change the default proxy HTTP version
affinity session-cookie-name
- should set sticky cookie SERVERID
- should change cookie name on ingress definition change
- should set the path to /something on the generated cookie
- does not set the path to / on the generated cookie if there's more than one rule referring to the same backend
- should set cookie with expires
- should work with use-regex annotation and session-cookie-path
- should warn user when use-regex is true and session-cookie-path is not set
- should not set affinity across all server locations when using separate ingresses
- should set sticky cookie without host
- should work with server-alias annotation
mirror-*
- should set mirror-target to http://localhost/mirror
- should set mirror-target to https://test.env.com/$request_uri
- should disable mirror-request-body
canary-*
- should response with a 200 status from the mainline upstream when requests are made to the mainline ingress
- should return 404 status for requests to the canary if no matching ingress is found
- should return the correct status codes when endpoints are unavailable
- should route requests to the correct upstream if mainline ingress is created before the canary ingress
- should route requests to the correct upstream if mainline ingress is created after the canary ingress
- should route requests to the correct upstream if the mainline ingress is modified
- should route requests to the correct upstream if the canary ingress is modified
- should route requests to the correct upstream
- should route requests to the correct upstream
- should route requests to the correct upstream
- should route requests to the correct upstream
- should routes to mainline upstream when the given Regex causes error
- should route requests to the correct upstream
- should route requests to the correct upstream
- should route requests to the correct upstream
- should not use canary as a catch-all server
- should not use canary with domain as a server
- does not crash when canary ingress has multiple paths to the same non-matching backend
limit-rate
force-ssl-redirect
http2-push-preload
proxy-ssl-*
- should set valid proxy-ssl-secret
- should set valid proxy-ssl-secret, proxy-ssl-verify to on, proxy-ssl-verify-depth to 2, and proxy-ssl-server-name to on
- should set valid proxy-ssl-secret, proxy-ssl-ciphers to HIGH:!AES
- should set valid proxy-ssl-secret, proxy-ssl-protocols
- proxy-ssl-location-only flag should change the nginx config server part
modsecurity owasp
- should enable modsecurity
- should enable modsecurity with transaction ID and OWASP rules
- should disable modsecurity
- should enable modsecurity with snippet
- should enable modsecurity without using 'modsecurity on;'
- should disable modsecurity using 'modsecurity off;'
- should enable modsecurity with snippet and block requests
- should enable modsecurity globally and with modsecurity-snippet block requests
backend-protocol - GRPC
- should use grpc_pass in the configuration file
- should return OK for service with backend protocol GRPC
- should return OK for service with backend protocol GRPCS
cors-*
- should enable cors
- should set cors methods to only allow POST, GET
- should set cors max-age
- should disable cors allow credentials
- should allow origin for cors
- should allow headers for cors
- should expose headers for cors
influxdb-*
Annotation - limit-connections
client-body-buffer-size
- should set client_body_buffer_size to 1000
- should set client_body_buffer_size to 1K
- should set client_body_buffer_size to 1k
- should set client_body_buffer_size to 1m
- should set client_body_buffer_size to 1M
- should not set client_body_buffer_size to invalid 1b
default-backend
connection-proxy-header
upstream-vhost
custom-http-errors
disable-access-log disable-http-access-log disable-stream-access-log
server-snippet
rewrite-target use-regex enable-rewrite-log
- should write rewrite logs
- should use correct longest path match
- should use ~* location modifier if regex annotation is present
- should fail to use longest match for documented warning
- should allow for custom rewrite parameters
app-root
whitelist-source-range
enable-access-log enable-rewrite-log
x-forwarded-prefix
- should set the X-Forwarded-Prefix to the annotation value
- should not add X-Forwarded-Prefix if the annotation value is empty
configuration-snippet
backend-protocol - FastCGI
- should use fastcgi_pass in the configuration file
- should add fastcgi_index in the configuration file
- should add fastcgi_param in the configuration file
- should return OK for service with backend protocol FastCGI
from-to-www-redirect
permanent-redirect permanent-redirect-code
upstream-hash-by-*
annotation-global-rate-limit
backend-protocol
- should set backend protocol to https:// and use proxy_pass
- should set backend protocol to grpc:// and use grpc_pass
- should set backend protocol to grpcs:// and use grpc_pass
- should set backend protocol to '' and use fastcgi_pass
- should set backend protocol to '' and use ajp_pass
satisfy
server-alias
- should return status code 200 for host 'foo' and 404 for 'bar'
- should return status code 200 for host 'foo' and 'bar'
- should return status code 200 for hosts defined in two ingresses, different path with one alias
ssl-ciphers
auth-tls-*
- should set valid auth-tls-secret
- should set valid auth-tls-secret, sslVerify to off, and sslVerifyDepth to 2
- should set valid auth-tls-secret, pass certificate to upstream, and error page
- should validate auth-tls-verify-client
[Status] status update
Debug CLI
- should list the backend servers
- should get information for a specific backend server
- should produce valid JSON for /dbg general
[Memory Leak] Dynamic Certificates
[Ingress] [PathType] mix Exact and Prefix paths
[Ingress] definition without host
- should set ingress details variables for ingresses without a host
- should set ingress details variables for ingresses with host without IngressRuleValue, only Backend
single ingress - multiple hosts
[Ingress] [PathType] exact
[Ingress] [PathType] prefix checks
[Security] request smuggling
[SSL] [Flag] default-ssl-certificate
- uses default ssl certificate for catch-all ingress
- uses default ssl certificate for host based ingress when configured certificate does not match host
enable-real-ip
- trusts X-Forwarded-For header only when setting is true
- should not trust X-Forwarded-For header when setting is false
access-log
- use the default configuration
- use the specified configuration
- use the specified configuration
- use the specified configuration
- use the specified configuration
[Lua] lua-shared-dicts
server-tokens
- should not exists Server header in the response
- should exists Server header in the response when is enabled
use-proxy-protocol
- should respect port passed by the PROXY Protocol
- should respect proto passed by the PROXY Protocol server port
- should enable PROXY Protocol for HTTPS
- should enable PROXY Protocol for TCP
[Flag] custom HTTP and HTTPS ports
- should set X-Forwarded-Port headers accordingly when listening on a non-default HTTP port
- should set X-Forwarded-Port header to 443
- should set the X-Forwarded-Port header to 443
[Security] no-auth-locations
- should return status code 401 when accessing '/' unauthentication
- should return status code 200 when accessing '/' authentication
- should return status code 200 when accessing '/noauth' unauthenticated
Dynamic $proxy_host
proxy-connect-timeout
- should set valid proxy timeouts using configmap values
- should not set invalid proxy timeouts using configmap values
[Security] Pod Security Policies
Geoip2
[Security] Pod Security Policies with volumes
enable-multi-accept
- should be enabled by default
- should be enabled when set to true
- should be disabled when set to false
log-format-*
- should disable the log-format-escape-json by default
- should enable the log-format-escape-json
- should disable the log-format-escape-json
- log-format-escape-json enabled
- log-format-escape-json disabled
[Flag] ingress-class
- should ignore Ingress with class
- should ignore Ingress with no class
- should delete Ingress when class is removed
- check scenarios for IngressClass and ingress.class annotation
ssl-ciphers
proxy-next-upstream
[Security] global-auth-url
- should return status code 401 when request any protected service
- should return status code 200 when request whitelisted (via no-auth-locations) service and 401 when request protected service
- should return status code 200 when request whitelisted (via ingress annotation) service and 401 when request protected service
- should still return status code 200 after auth backend is deleted using cache
[Security] block-*
- should block CIDRs defined in the ConfigMap
- should block User-Agents defined in the ConfigMap
- should block Referers defined in the ConfigMap
plugins
Configmap - limit-rate
Configure OpenTracing
- should not exists opentracing directive
- should exists opentracing directive when is enabled
- should not exists opentracing_operation_name directive when is empty
- should exists opentracing_operation_name directive when is configured
- should not exists opentracing_location_operation_name directive when is empty
- should exists opentracing_location_operation_name directive when is configured
- should enable opentracing using zipkin
- should enable opentracing using jaeger
- should enable opentracing using jaeger with sampler host
- should propagate the w3c header when configured with jaeger
- should enable opentracing using datadog
use-forwarded-headers
- should trust X-Forwarded headers when setting is true
- should not trust X-Forwarded headers when setting is false
proxy-send-timeout
- should set valid proxy send timeouts using configmap values
- should not set invalid proxy send timeouts using configmap values
Add no tls redirect locations
settings-global-rate-limit
add-headers
hash size
- should set server_names_hash_bucket_size
- should set server_names_hash_max_size
- should set proxy-headers-hash-bucket-size
- should set proxy-headers-hash-max-size
- should set variables-hash-bucket-size
- should set variables-hash-max-size
- should set vmap-hash-bucket-size
keep-alive keep-alive-requests
- should set keepalive_timeout
- should set keepalive_requests
- should set keepalive connection to upstream server
- should set keep alive connection timeout to upstream server
- should set the request count to upstream server through one keep alive connection
[Flag] disable-catch-all
- should ignore catch all Ingress
- should delete Ingress updated to catch-all
- should allow Ingress with both a default backend and rules
main-snippet
[SSL] TLS protocols, ciphers and headers)
- setting cipher suite
- enforcing TLS v1.0
- setting max-age parameter
- setting includeSubDomains parameter
- setting preload parameter
- overriding what's set from the upstream
- should not use ports during the HTTP to HTTPS redirection
- should not use ports or X-Forwarded-Host during the HTTP to HTTPS redirection
Configmap change
proxy-read-timeout
- should set valid proxy read timeouts using configmap values
- should not set invalid proxy read timeouts using configmap values
[Security] modsecurity-snippet
OCSP
reuse-port
[Shutdown] Graceful shutdown with pending request
[Shutdown] ingress controller
- should shutdown in less than 60 secons without pending connections
- should shutdown after waiting 60 seconds for pending connections to be closed
- should shutdown after waiting 150 seconds for pending connections to be closed
[Service] backend status code 503
- should return 503 when backend service does not exist
- should return 503 when all backend service endpoints are unavailable
[Service] Type ExternalName
- works with external name set to incomplete fqdn
- should return 200 for service type=ExternalName without a port defined
- should return 200 for service type=ExternalName with a port defined
- should return status 502 for service type=ExternalName with an invalid host
- should return 200 for service type=ExternalName using a port name
- should return 200 for service type=ExternalName using FQDN with trailing dot
- should update the external name after a service update