chore: make the auth verify regex more strict #11718
Merged
GitHub Actions / JEST Tests v1.26.15CHROOT
succeeded
Aug 2, 2024 in 0s
426 passed, 0 failed and 4 skipped
✅ report-e2e-test-suite.xml
430 tests were completed in 2816s with 426 passed, 0 failed and 4 skipped.
| Test suite | Passed | Failed | Skipped | Time |
|---|---|---|---|---|
| nginx-ingress-controller e2e suite | 426✅ | 4⚪ | 2816s |
✅ nginx-ingress-controller e2e suite
nginx-ingress-controller e2e suite
✅ [It] [Annotations] cors-* should enable cors
✅ [It] [Annotations] auth-tls-* should pass URL-encoded certificate to upstream
✅ [It] [Annotations] server-snippet drops server snippet if disabled by the administrator
✅ [It] [Setting] gzip should set gzip_disable to msie6
✅ [It] [Annotations] server-snippet add valid directives to server via server snippet
✅ [It] [Setting] [Security] global-auth-url when global external authentication is configured should add auth headers when global-auth-response-headers is configured
✅ [It] [Annotations] cors-* should allow - single origin with required port
✅ [It] [Annotations] connection-proxy-header set connection header to keep-alive
✅ [It] [Annotations] cors-* should not allow - unmatching origin with wildcard origin (2 subdomains)
✅ [It] Configure Opentelemetry should include opentelemetry_trust_incoming_spans on directive when enabled
✅ [It] [Setting] enable-multi-accept should be enabled when set to true
✅ [It] [Setting] stream-snippet should add stream-snippet and drop annotations per admin config
✅ [It] [Setting] log-format-* Check log-format-escape-json and log-format-escape-none should disable the log-format-escape-json
✅ [It] [Annotations] canary-* canary affinity behavior routes traffic to either mainline or canary backend (legacy behavior)
✅ [It] [Annotations] auth-* when external authentication is configured should not create additional upstream block when auth-keepalive is not set
✅ [It] [Setting] Geoip2 should include geoip2 line in config when enabled and db file exists
✅ [It] [Annotations] proxy-* should change the default proxy HTTP version
✅ [It] [Annotations] Bad annotation values [BAD_ANNOTATIONS] should allow an ingress if there is a default blocklist config in place
✅ [It] [Setting] use-forwarded-headers should not trust X-Forwarded headers when setting is false
✅ [It] [Setting] hash size Check the variable hash size should set variables-hash-bucket-size
✅ [It] [Annotations] cors-* should allow - matching origin with wildcard origin (2 subdomains)
✅ [It] [Setting] [Load Balancer] load-balance should apply the configmap load-balance setting
✅ [It] [Annotations] ssl-ciphers should keep ssl ciphers
✅ [It] [Annotations] auth-* with invalid auth-url should deny whole location should add error to the config
✅ [It] [Setting] keep-alive keep-alive-requests Check the upstream keep alive should set keepalive connection to upstream server
✅ [It] [Lua] dynamic configuration when only backends change handles endpoints only changes
✅ [It] [Annotations] canary-* Single canary Ingress should not use canary as a catch-all server
✅ [It] [Annotations] backend-protocol should set backend protocol to grpc:// and use grpc_pass
✅ [It] [Ingress] [PathType] prefix checks should return 404 when prefix /aaa does not match request /aaaccc
✅ [It] [Flag] disable-catch-all should delete Ingress updated to catch-all
✅ [It] [Annotations] affinity session-cookie-name should work with use-regex annotation and session-cookie-path
✅ [It] [Annotations] auth-* when external authentication with caching is configured should deny login for different location on same server
✅ [It] [Annotations] cors-* should not break functionality
✅ [It] [Annotations] canary-* when canaried by weight should route requests only to canary if canary weight is equal to canary weight total
✅ [It] [Annotations] x-forwarded-prefix should set the X-Forwarded-Prefix to the annotation value
✅ [It] [Lua] dynamic certificates given an ingress with TLS correctly configured falls back to using default certificate when secret gets deleted without reloading
✅ [It] single ingress - multiple hosts should set the correct $service_name NGINX variable
✅ [It] [Flag] disable-catch-all should ignore catch all Ingress with backend
✅ [It] [Annotations] affinity session-cookie-name should work with server-alias annotation
✅ [It] [Setting] server-tokens should exists Server header in the response when is enabled
✅ [It] [Annotations] affinity session-cookie-name should set cookie with domain
✅ [It] [Annotations] cors-* should allow headers for cors
✅ [It] [SSL] secret update should not appear references to secret updates not used in ingress rules
✅ [It] [Security] request smuggling should not return body content from error_page
✅ [It] [Setting] use-proxy-protocol should respect proto passed by the PROXY Protocol server port
✅ [It] [Annotations] affinity session-cookie-name should warn user when use-regex is true and session-cookie-path is not set
✅ [It] [Annotations] mirror-* should disable mirror-request-body
✅ [It] [Annotations] proxy-* should setup proxy cookies
✅ [It] [Setting] nginx-configuration start nginx with default configuration
✅ [It] [Annotations] cors-* should allow correct origins - single origin for multiple cors values
✅ [It] [Annotations] affinity session-cookie-name should set sticky cookie without host
✅ [It] [Annotations] auth-* should return status code 401 and cors headers when authentication and cors is configured but Authorization header is not configured
✅ [It] [Lua] dynamic configuration when only backends change handles endpoints only changes (down scaling of replicas)
✅ [It] [Flag] disable-catch-all should allow Ingress with rules
✅ [It] [Annotations] disable-proxy-intercept-errors configures Nginx correctly
✅ [It] [Annotations] annotation-global-rate-limit generates correct configuration
✅ [It] [Service] Type ExternalName should sync ingress on external name service addition/deletion
✅ [It] annotation validations should allow ingress based on their risk on webhooks
✅ [It] [Admission] admission controller should not return an error if the Ingress V1 definition is valid with IngressClass annotation
✅ [It] [Admission] admission controller should return an error if there is an invalid path and wrong pathType is set
✅ [It] [Admission] admission controller should not return an error for an invalid Ingress when it has unknown class
✅ [It] [Admission] admission controller reject ingress with global-rate-limit annotations when memcached is not configured
✅ [It] [Admission] admission controller should not return an error if the Ingress V1 definition is valid with Ingress Class
✅ [It] annotation validations should allow ingress based on their risk on webhooks
✅ [It] [TopologyHints] topology aware routing should return 200 when service has topology hints
✅ [It] [Admission] admission controller should return an error if there is a forbidden value in some annotation
✅ [It] [Flag] watch namespace selector With specific watch-namespace-selector flags should ignore Ingress of namespace without label foo=bar and accept those of namespace with label foo=bar
✅ [It] [Admission] admission controller should return an error if there is an error validating the ingress definition
✅ [It] [Admission] admission controller should allow overlaps of host and paths with canary annotation
✅ [It] [Admission] admission controller should return an error if there is an invalid value in some annotation
✅ [It] [Admission] admission controller should not allow overlaps of host and paths without canary annotations
✅ [It] [Admission] admission controller should block ingress with invalid path
✅ [It] [Admission] admission controller should return an error if the Ingress V1 definition contains invalid annotations
✅ [It] [Setting] [SSL] TLS protocols, ciphers and headers) should configure HSTS policy header setting preload parameter
✅ [It] [Setting] access-log stream-access-log-path use the specified configuration
✅ [It] [Annotations] disable-access-log disable-http-access-log disable-stream-access-log disable-stream-access-log set access_log off
✅ [It] [Flag] custom HTTP and HTTPS ports with a plain HTTP ingress should set X-Forwarded-Port headers accordingly when listening on a non-default HTTP port
✅ [It] [TCP] tcp-services should expose a TCP service
✅ [It] [Service] Type ExternalName should return 200 for service type=ExternalName using FQDN with trailing dot
✅ [It] [Setting] [Security] global-auth-url when global external authentication is configured should return status code 200 when request whitelisted (via no-auth-locations) service and 401 when request protected service
✅ [It] [Setting] proxy-send-timeout should not set invalid proxy send timeouts using configmap values
✅ [It] [Setting] gzip should be enabled with default settings
✅ [It] [Setting] log-format-* Check log-format-upstream with log-format-escape-json and log-format-escape-none log-format-escape-none enabled
✅ [It] [Setting] access-log access-log-path use the specified configuration
✅ [It] [Setting] [Load Balancer] round-robin should evenly distribute requests with round-robin (default algorithm)
✅ [It] [Annotations] proxy-* should set proxy_redirect to hello.com goodbye.com
✅ [It] [Annotations] proxy-ssl-* should set valid proxy-ssl-secret, proxy-ssl-ciphers to HIGH:!AES
✅ [It] [Setting] log-format-* Check log-format-escape-json and log-format-escape-none should enable the log-format-escape-json
✅ [It] [Annotations] backend-protocol - GRPC should return OK for service with backend protocol GRPC
✅ [It] [Service] Type ExternalName works with external name set to incomplete fqdn
✅ [It] [Lua] dynamic configuration configures balancer Lua middleware correctly
✅ [It] [Annotations] cors-* should not allow - single origin with port and origin without port
✅ [It] [Annotations] cors-* should allow - single origin for multiple cors values
✅ [It] [Annotations] canary-* when canary is created should route requests to the correct upstream if mainline ingress is created after the canary ingress
✅ [It] [Lua] dynamic certificates picks up the previously missing secret for a given ingress without reloading
✅ [It] [Annotations] service-upstream when enabling in the configmap should use the Service Cluster IP and Port
✅ [It] [Annotations] permanent-redirect permanent-redirect-code should respond with a custom redirect code
✅ [It] [Setting] log-format-* Check log-format-escape-json and log-format-escape-none should enable the log-format-escape-none
✅ [It] [Annotations] modsecurity owasp should enable modsecurity with snippet
✅ [It] [Annotations] backend-protocol - FastCGI should return OK for service with backend protocol FastCGI
✅ [It] [Annotations] affinity session-cookie-name should not set cookie without domain annotation
✅ [It] [Setting] use-proxy-protocol should enable PROXY Protocol for TCP
✅ [It] [Annotations] rewrite-target use-regex enable-rewrite-log should fail to use longest match for documented warning
✅ [It] [Annotations] canary-* when canaried by header with value and pattern should routes to mainline upstream when the given Regex causes error
✅ [It] [Setting] [Security] global-auth-url when global external authentication is configured should add custom error page when global-auth-signin url is configured
✅ [It] [Setting] gzip should set gzip_comp_level to 4
✅ [It] [Flag] enable-ssl-passthrough With enable-ssl-passthrough enabled should enable ssl-passthrough-proxy-port on a different port
✅ [It] [Setting] reuse-port reuse port should be disabled
✅ [It] [Setting] [Security] global-auth-url cookie set by external authentication server user with global-auth-always-set-cookie key in configmap retains cookie if upstream returns error status code
✅ [It] [Setting] [Security] global-auth-url when global external authentication is configured should return status code 200 when request whitelisted (via ingress annotation) service and 401 when request protected service
✅ [It] [Setting] enable-real-ip should not trust X-Forwarded-For header when setting is false
✅ [It] [Annotations] auth-tls-* should set valid auth-tls-secret, sslVerify to off, and sslVerifyDepth to 2
✅ [It] [Annotations] auth-* should return status code 200 when authentication is configured with a map and Authorization header is sent
✅ [It] [Annotations] affinitymode Balanced affinity mode should balance
✅ [It] [Annotations] canary-* when canaried by weight should route requests split between mainline and canary if canary weight is 100 and weight total is 200
✅ [It] [Setting] [SSL] TLS protocols, ciphers and headers) ports or X-Forwarded-Host check during HTTP tp HTTPS redirection should not use ports during the HTTP to HTTPS redirection
✅ [It] [Setting] aio-write should be disabled when setting is false
✅ [It] [Annotations] satisfy should allow multiple auth with satisfy any
✅ [It] [Annotations] proxy-* should set proxy_redirect to default
✅ [It] [Annotations] upstream-vhost set host to upstreamvhost.bar.com
✅ [It] [Annotations] upstream-hash-by-* should connect to the same subset of pods
✅ [It] [SSL] redirect to HTTPS should redirect from HTTP to HTTPS when secret is missing
✅ [It] [Setting] hash size Check the map hash size should set vmap-hash-bucket-size
✅ [It] [metrics] exported prometheus metrics exclude socket request metrics are present
✅ [It] [Setting] [Security] no-auth-locations should return status code 200 when accessing '/' authentication
✅ [It] [Annotations] modsecurity owasp should enable modsecurity when enable-owasp-modsecurity-crs is set to true
✅ [It] [Annotations] proxy-* should not set invalid proxy timeouts
✅ [It] [Service] Type ExternalName should return 200 for service type=ExternalName without a port defined
✅ [It] [Annotations] auth-* when external authentication is configured should disable set_all_vars when auth-keepalive-share-vars is not set
✅ [It] [Flag] ingress-class With default ingress class config should ignore Ingress with different controller class
✅ [It] [Annotations] rewrite-target use-regex enable-rewrite-log should allow for custom rewrite parameters
✅ [It] [Annotations] auth-* should return status code 401 when authentication is configured with invalid content and Authorization header is sent
✅ [It] [Setting] [Load Balancer] EWMA does not fail requests
✅ [It] [Ingress] [PathType] mix Exact and Prefix paths should choose the correct location
✅ [It] [Setting] gzip should set gzip_types to text/html
✅ [It] [Ingress] DeepInspection should drop whole ingress if one path matches invalid regex
✅ [It] [Annotations] client-body-buffer-size should set client_body_buffer_size to 1M
✅ [It] [Annotations] auth-* should return status code 401 when authentication is configured and Authorization header is sent with invalid credentials
✅ [It] [Annotations] affinity session-cookie-name should set sticky cookie SERVERID
✅ [It] [Annotations] backend-protocol - FastCGI should use fastcgi_pass in the configuration file
✅ [It] [Annotations] cors-* should expose headers for cors
✅ [It] [Annotations] modsecurity owasp should disable modsecurity
✅ [It] [Setting] aio-write should be enabled by default
✅ [It] [Annotations] backend-protocol should set backend protocol to '' and use fastcgi_pass
✅ [It] [Setting] proxy-connect-timeout should set valid proxy timeouts using configmap values
✅ [It] [Annotations] cors-* should not allow - single origin for multiple cors values
✅ [It] [Annotations] client-body-buffer-size should set client_body_buffer_size to 1K
✅ [It] [Flag] disable-service-external-name should ignore services of external-name type
✅ [It] [Annotations] satisfy should configure satisfy directive correctly
✅ [It] [Annotations] Annotation - limit-connections should limit-connections
✅ [It] [Setting] [Security] block-* should block User-Agents defined in the ConfigMap
✅ [It] [SSL] [Flag] default-ssl-certificate uses default ssl certificate for catch-all ingress
✅ [It] [Setting] [Security] block-* should block CIDRs defined in the ConfigMap
✅ [It] Debug CLI should produce valid JSON for /dbg general
✅ [It] [Service] backend status code 503 should return 503 when all backend service endpoints are unavailable
✅ [It] [Annotations] permanent-redirect permanent-redirect-code should respond with a standard redirect code
✅ [It] [Annotations] canary-* when canaried by weight should route requests only to mainline if canary weight is 0
✅ [It] [Setting] log-format-* Check log-format-escape-json and log-format-escape-none should disable the log-format-escape-none
✅ [It] [Annotations] modsecurity owasp should disable modsecurity using 'modsecurity off;'
✅ [It] [Annotations] limit-rate Check limit-rate annotation
✅ [It] [Setting] server-tokens should not exists Server header in the response
✅ [It] [Annotations] enable-access-log enable-rewrite-log set rewrite_log on
✅ [It] [Annotations] backend-protocol - FastCGI should add fastcgi_param in the configuration file
✅ [It] [Setting] [Security] global-auth-url when global external authentication is configured should still return status code 200 after auth backend is deleted using cache
✅ [It] [Lua] dynamic certificates picks up the certificate when we add TLS spec to existing ingress
✅ [It] [Setting] nginx-configuration fails when using root directive
✅ [It] [Setting] Add no tls redirect locations Check no tls redirect locations config
✅ [It] [Ingress] [PathType] prefix checks should test prefix path using simple regex pattern for /id/{int}
✅ [It] [Flag] ingress-class With default ingress class config should serve Ingress when class is added
✅ [It] [Annotations] proxy-* should build proxy next upstream
✅ [It] [Annotations] x-forwarded-prefix should not add X-Forwarded-Prefix if the annotation value is empty
✅ [It] [Service] Nil Service Backend should return 404 when backend service is nil
✅ [It] [Annotations] canary-* when canary is created should return 404 status for requests to the canary if no matching ingress is found
✅ [It] [Annotations] client-body-buffer-size should set client_body_buffer_size to 1k
✅ [It] [Annotations] cors-* should not break functionality with extra domain
✅ [It] [Annotations] canary-* does not crash when canary ingress has multiple paths to the same non-matching backend
✅ [It] [Setting] hash size Check proxy header hash size should set proxy-headers-hash-bucket-size
✅ [It] [Annotations] auth-* when external authentication is configured should not create additional upstream block when auth-keepalive is negative
✅ [It] [Annotations] cors-* should set cors max-age
✅ [It] [Annotations] cors-* should set cors methods to only allow POST, GET
✅ [It] Configure Opentelemetry should exists opentelemetry_operation_name directive when is configured
✅ [It] [Annotations] backend-protocol - GRPC should use grpc_pass in the configuration file
✅ [It] [Annotations] canary-* when canaried by header with value and cookie should route requests to the correct upstream
✅ [It] [Annotations] client-body-buffer-size should set client_body_buffer_size to 1m
✅ [It] [Default Backend] SSL should return a self generated SSL certificate
⚪ [It] [Memory Leak] Dynamic Certificates should not leak memory from ingress SSL certificates or configuration updates
✅ [It] [metrics] exported prometheus metrics exclude socket request metrics are absent
✅ [It] [Annotations] auth-* cookie set by external authentication server user with annotated ingress retains cookie if upstream returns error status code
✅ [It] [Default Backend] custom service uses custom default backend that returns 200 as status code
✅ [It] [Setting] use-forwarded-headers should trust X-Forwarded headers when setting is true
✅ [It] [Ingress] [PathType] prefix checks should test prefix path using regex pattern for /id/{int} ignoring non-digits characters at end of string
✅ [It] [Setting] configmap server-snippet should add global server-snippet and drop annotations per admin config
✅ [It] [Annotations] auth-* when external authentication is configured should overwrite Foo header with auth response
✅ [It] [Annotations] Bad annotation values [BAD_ANNOTATIONS] should drop an ingress if there is a forbidden word in some annotation
✅ [It] [Setting] [Security] modsecurity-snippet should add value of modsecurity-snippet setting to nginx config
✅ [It] [Setting] ssl-ciphers Add ssl ciphers
✅ [It] [Annotations] auth-* should set cache_key when external auth cache is configured
✅ [It] [Shutdown] Grace period shutdown /healthz should return status code 500 during shutdown grace period
✅ [It] [Annotations] auth-* should set snippet "proxy_set_header My-Custom-Header 42;" when external auth is configured
✅ [It] [Setting] [SSL] TLS protocols, ciphers and headers) should configure HSTS policy header setting includeSubDomains parameter
✅ [It] [Annotations] auth-tls-* should reload the nginx config when auth-tls-match-cn is updated
✅ [It] [Annotations] auth-tls-* should return 200 using auth-tls-match-cn with matching CN from client
✅ [It] [Setting] [Security] block-* should block Referers defined in the ConfigMap
✅ [It] [Annotations] proxy-ssl-* proxy-ssl-location-only flag should change the nginx config server part
✅ [It] [Annotations] disable-access-log disable-http-access-log disable-stream-access-log disable-http-access-log set access_log off
✅ [It] [Setting] stream-snippet should add value of stream-snippet to nginx config
✅ [It] [Annotations] auth-tls-* should return 200 using auth-tls-match-cn where atleast one of the regex options matches CN from client
✅ [It] [Setting] Configmap change should reload after an update in the configuration
✅ [It] [Setting] [SSL] TLS protocols, ciphers and headers) ports or X-Forwarded-Host check during HTTP tp HTTPS redirection should not use ports or X-Forwarded-Host during the HTTP to HTTPS redirection
✅ [It] [Setting] use-proxy-protocol should respect port passed by the PROXY Protocol
✅ [It] [Lua] dynamic certificates given an ingress with TLS correctly configured supports requests with domain with trailing dot
✅ [It] [Annotations] auth-* when external authentication with caching is configured should deny login for different servers
✅ [It] [SSL] [Flag] default-ssl-certificate uses default ssl certificate for host based ingress when configured certificate does not match host
✅ [It] [Annotations] mirror-* should set mirror-target to http://localhost/mirror
✅ [It] [Setting] gzip should set gzip_min_length to 100
✅ [It] [Annotations] default-backend when default backend annotation is enabled should use a custom default backend as upstream
✅ [It] [Setting] aio-write should be enabled when setting is true
✅ [It] [Annotations] service-upstream when enabling in the configmap and disabling in the annotations should not use the Service Cluster IP and Port
✅ [It] Dynamic $proxy_host should exist a proxy_host
✅ [It] [Setting] add-headers Add multiple custom headers
✅ [It] [Setting] configmap server-snippet should add value of server-snippet setting to all ingress config
✅ [It] [Annotations] auth-* when external authentication with caching is configured should redirect to signin url when not signed in
✅ [It] [Setting] [Security] global-auth-url when global external authentication is configured should set request-redirect when global-auth-request-redirect is configured
✅ [It] [Annotations] canary-* when canaried by header with value and pattern should route requests to the correct upstream
✅ [It] Configure Opentelemetry should not exists opentelemetry_operation_name directive when is empty
✅ [It] [Setting] [Security] no-auth-locations should return status code 401 when accessing '/' unauthentication
✅ [It] Configure Opentelemetry should not exists opentelemetry directive
✅ [It] [Annotations] canary-* Single canary Ingress should not use canary with domain as a server
✅ [It] [Flag] disable-sync-events should not create sync events
✅ [It] [Annotations] auth-* when external authentication is configured keeps processing new ingresses even if one of the existing ingresses is misconfigured
✅ [It] [Setting] [SSL] TLS protocols, ciphers and headers) should configure TLS protocol setting cipher suite
✅ [It] [SSL] secret update should return the fake SSL certificate if the secret is invalid
✅ [It] [Annotations] modsecurity owasp should enable modsecurity globally and with modsecurity-snippet block requests
✅ [It] [Annotations] http2-push-preload enable the http2-push-preload directive
✅ [It] [Service] Type ExternalName should return 200 for service type=ExternalName with a port defined
✅ [It] [Annotations] cors-* should allow - missing origins (should allow all origins)
✅ [It] [Annotations] cors-* should allow correct origin but not others - cors allow origin annotations contain trailing comma
✅ [It] [Annotations] modsecurity owasp should enable modsecurity with transaction ID and OWASP rules
✅ [It] [Flag] custom HTTP and HTTPS ports with a TLS enabled ingress when external authentication is configured should set the X-Forwarded-Port header to 443
✅ [It] [Flag] ingress-class With default ingress class config should accept both Ingresses with default IngressClassName and IngressClass annotation
✅ [It] [Setting] [SSL] TLS protocols, ciphers and headers) should configure HSTS policy header setting max-age parameter
✅ [It] [Annotations] configuration-snippet set snippet more_set_headers in all locations
✅ [It] [Annotations] canary-* when canary is created should route requests to the correct upstream if mainline ingress is created before the canary ingress
✅ [It] [Annotations] canary-* when canaried by weight should route requests split between mainline and canary if canary weight is 50
✅ [It] [Flag] ingress-class Without IngressClass Cluster scoped Permission should watch Ingress with correct annotation
✅ [It] plugins should exist a x-hello-world header
✅ [It] [Flag] enable-ssl-passthrough With enable-ssl-passthrough enabled should pass unknown traffic to default backend and handle known traffic
✅ [It] [Setting] main-snippet should add value of main-snippet setting to nginx config
✅ [It] [Setting] proxy-next-upstream should build proxy next upstream using configmap values
✅ [It] [Annotations] auth-tls-* should return 403 using auth-tls-match-cn with no matching CN from client
✅ [It] [Annotations] backend-protocol - GRPC authorization metadata should be overwritten by external auth response headers
✅ [It] [Annotations] proxy-* should not set proxy client-max-body-size to incorrect value
✅ [It] [Service] Type ExternalName should return 200 for service type=ExternalName using a port name
✅ [It] [Setting] nginx-configuration fails when using alias directive
✅ [It] [Annotations] auth-* when external authentication is configured with a custom redirect param should redirect to signin url when not signed in
✅ [It] [Flag] ingress-class Without IngressClass Cluster scoped Permission should ignore Ingress with only IngressClassName
✅ [It] [Annotations] modsecurity owasp should enable modsecurity with snippet and block requests
✅ [It] global-options should have worker_rlimit_nofile option and be independent on amount of worker processes
✅ [It] [Annotations] client-body-buffer-size should set client_body_buffer_size to 1000
✅ [It] [Annotations] denylist-source-range only deny explicitly denied IPs, allow all others
✅ [It] [Annotations] canary-* when canaried by cookie respects always and never values
✅ [It] [Ingress] [PathType] prefix checks should test prefix path using fixed path size regex pattern /id/{int}{3}
✅ [It] [Annotations] backend-protocol should set backend protocol to $scheme:// and use proxy_pass
✅ [It] [Annotations] modsecurity owasp should enable modsecurity
✅ [It] [Annotations] canary-* when canaried by header with no value should route requests to the correct upstream
✅ [It] [Setting] [Security] global-auth-url when global external authentication is configured should return status code 401 when request any protected service
✅ [It] [Setting] enable-multi-accept should be disabled when set to false
✅ [It] [Service] backend status code 503 should return 503 when backend service does not exist
✅ [It] [Annotations] auth-tls-* should set sslClientCertificate, sslVerifyClient and sslVerifyDepth with auth-tls-secret
✅ [It] [Setting] [Security] global-auth-url when global external authentication is configured should proxy_method method when global-auth-method is configured
✅ [It] [Annotations] canary-* canary affinity behavior always routes traffic to canary if first request was affinitized to canary (explicit sticky behavior)
✅ [It] [Annotations] auth-* when external authentication with caching is configured should return status code 200 when signed in after auth backend is deleted
✅ [It] [Lua] dynamic configuration when only backends change handles endpoints only changes consistently (down scaling of replicas vs. empty service)
✅ [It] [Annotations] server-alias should return status code 200 for host 'foo' and 'bar'
✅ [It] [Annotations] proxy-* should set proxy_redirect to off
✅ [It] [Annotations] rewrite-target use-regex enable-rewrite-log should use ~* location modifier if regex annotation is present
✅ [It] [Status] status update should update status field after client-go reconnection
✅ [It] [Annotations] from-to-www-redirect should redirect from www HTTPS to HTTPS
✅ [It] [Setting] use-proxy-protocol should enable PROXY Protocol for HTTPS
✅ [It] [Annotations] proxy-* should turn on proxy-buffering
✅ [It] [Annotations] affinity session-cookie-name should set secure in cookie with provided false annotation on https
✅ [It] [Annotations] affinity session-cookie-name should not set affinity across all server locations when using separate ingresses
✅ [It] [Annotations] allowlist-source-range should set valid ip allowlist range
✅ [It] [Setting] keep-alive keep-alive-requests Check the upstream keep alive should set keepalive time to upstream server
✅ [It] [TCP] tcp-services should reload after an update in the configuration
✅ [It] [Ingress] definition without host should set ingress details variables for ingresses without a host
✅ [It] [Setting] hash size Check proxy header hash size should set proxy-headers-hash-max-size
✅ [It] [Annotations] force-ssl-redirect should redirect to https
✅ [It] [Ingress] [PathType] prefix checks should correctly route multi-segment path patterns
✅ [It] [Annotations] auth-* when external authentication is configured should not create additional upstream block when auth-keepalive is set with HTTP/2
✅ [It] [Lua] dynamic certificates given an ingress with TLS correctly configured picks up a non-certificate only change
✅ [It] [Setting] keep-alive keep-alive-requests Check the upstream keep alive should set keep alive connection timeout to upstream server
✅ [It] [Default Backend] change default settings should apply the annotation to the default backend
✅ [It] [Setting] add-headers Add a custom header
✅ [It] [Setting] enable-multi-accept should be enabled by default
✅ [It] [Annotations] backend-protocol - GRPC should return OK for service with backend protocol GRPCS
✅ [It] [Lua] dynamic certificates given an ingress with TLS correctly configured picks up the updated certificate without reloading
⚪ [It] [Setting] Geoip2 should only allow requests from specific countries
✅ [It] [Annotations] mirror-* should set mirror-target to https://test.env.com/$request_uri
✅ [It] [Annotations] backend-protocol should set backend protocol to grpcs:// and use grpc_pass
✅ [It] [Annotations] auth-tls-* should 302 redirect to error page instead of 400 when auth-tls-error-page is set
✅ [It] [Lua] dynamic configuration when only backends change handles an annotation change
✅ [It] [Annotations] auth-* should return status code 200 when no authentication is configured
✅ [It] [Annotations] backend-protocol should set backend protocol to https:// and use proxy_pass with lowercase annotation
✅ [It] [Setting] proxy-read-timeout should set valid proxy read timeouts using configmap values
✅ [It] [Annotations] auth-tls-* should validate auth-tls-verify-client
✅ [It] [Annotations] canary-* when canary is created should route requests to the correct upstream if the mainline ingress is modified
✅ [It] [Annotations] cors-* should not match
✅ [It] [Annotations] affinity session-cookie-name should set cookie with expires
✅ [It] [Annotations] affinity session-cookie-name should change cookie name on ingress definition change
✅ [It] [Setting] settings-global-rate-limit generates correct NGINX configuration
✅ [It] [Annotations] auth-* when external authentication is configured with a custom redirect param keeps processing new ingresses even if one of the existing ingresses is misconfigured
✅ [It] [Flag] ingress-class With watch-ingress-without-class flag should watch Ingress with no class and ignore ingress with a different class
✅ [It] [Annotations] affinity session-cookie-name should set secure in cookie with provided true annotation on http
✅ [It] [Annotations] cors-* should not allow - portless origin with wildcard origin
✅ [It] [Annotations] rewrite-target use-regex enable-rewrite-log should write rewrite logs
✅ [It] [TCP] tcp-services should expose an ExternalName TCP service
✅ [It] [Setting] [Lua] lua-shared-dicts configures lua shared dicts
✅ [It] [Setting] [Security] no-auth-locations should return status code 200 when accessing '/noauth' unauthenticated
✅ [It] [Annotations] proxy-* should turn off proxy-request-buffering
✅ [It] [Flag] ingress-class With default ingress class config should ignore Ingress with a different class annotation
✅ [It] [Annotations] affinity session-cookie-name should set the path to /something on the generated cookie
✅ [It] [Annotations] cors-* should not allow - single origin without port and origin with required port
✅ [It] brotli should only compress responses that meet the `brotli-min-length` condition
✅ [It] [Flag] ingress-class With default ingress class config should delete Ingress when class is removed
✅ [It] [Setting] log-format-* Check log-format-upstream with log-format-escape-json and log-format-escape-none log-format default escape
✅ [It] [Endpointslices] long service name should return 200 when service name has max allowed number of characters 63
✅ [It] [Flag] ingress-class With default ingress class config should serve Ingress when class is updated between annotation and ingressClassName
✅ [It] [Annotations] Bad annotation values [BAD_ANNOTATIONS] should drop an ingress if there is an invalid character in some annotation
✅ [It] [Setting] keep-alive keep-alive-requests Check the keep alive should set keepalive_requests
✅ [It] [Annotations] enable-access-log enable-rewrite-log set access_log off
✅ [It] [Setting] keep-alive keep-alive-requests Check the upstream keep alive should set the request count to upstream server through one keep alive connection
✅ [It] Debug CLI should list the backend servers
✅ [It] [Flag] disable-catch-all should ignore catch all Ingress with backend and rules
✅ [It] [Setting] log-format-* Check log-format-escape-json and log-format-escape-none should not configure log-format escape by default
✅ [It] [Annotations] cors-* should allow origin for cors
✅ [It] [Annotations] from-to-www-redirect should redirect from www HTTP to HTTP
✅ [It] [Annotations] client-body-buffer-size should not set client_body_buffer_size to invalid 1b
✅ [It] [Flag] ingress-class With specific ingress-class flags should ignore Ingress with no class and accept the correctly configured Ingresses
✅ [It] [Ingress] [PathType] exact should choose exact location for /exact
✅ [It] [Annotations] auth-* when external authentication is configured should enable set_all_vars when auth-keepalive-share-vars is true
✅ [It] [Annotations] auth-* when external authentication is configured should redirect to signin url when not signed in
✅ [It] [Annotations] proxy-* should set proxy client-max-body-size to 8m
✅ [It] [Annotations] auth-* when external authentication is configured should return status code 200 when signed in
✅ [It] [Setting] [SSL] TLS protocols, ciphers and headers) should configure HSTS policy header overriding what's set from the upstream
✅ [It] [Annotations] proxy-ssl-* should set valid proxy-ssl-secret, proxy-ssl-protocols
✅ [It] [Annotations] auth-* should set "proxy_set_header 'My-Custom-Header' '42';" when auth-headers are set
✅ [It] [Setting] reuse-port reuse port should be enabled by default
✅ [It] [Annotations] canary-* when canary is created should response with a 200 status from the mainline upstream when requests are made to the mainline ingress
✅ [It] Dynamic $proxy_host should exist a proxy_host using the upstream-vhost annotation value
✅ [It] [Annotations] auth-* cookie set by external authentication server user does not retain cookie if upstream returns error status code
✅ [It] [Setting] hash size Check server names hash size should set server_names_hash_max_size
✅ [It] [Annotations] server-alias should return status code 200 for host 'foo' and 404 for 'bar'
✅ [It] [Service] Type ExternalName should update the external name after a service update
✅ [It] [Annotations] Bad annotation values [BAD_ANNOTATIONS] should drop an ingress if there is a custom blocklist config in place and allow others to pass
✅ [It] Debug CLI should get information for a specific backend server
✅ [It] [Setting] hash size Check the variable hash size should set variables-hash-max-size
✅ [It] [Default Backend] should return 404 sending requests when only a default backend is running
✅ [It] [Annotations] denylist-source-range only allow explicitly allowed IPs, deny all others
✅ [It] [Annotations] custom-http-errors configures Nginx correctly
⚪ [It] [Default Backend] disables access logging for default backend
✅ [It] [Setting] access-log http-access-log-path & stream-access-log-path use the specified configuration
✅ [It] [Annotations] auth-* when external authentication is configured should create additional upstream block when auth-keepalive is set with HTTP/1.x
✅ [It] [Annotations] affinitymode Check persistent affinity mode
✅ [It] [Setting] hash size Check server names hash size should set server_names_hash_bucket_size
✅ [It] [Annotations] affinity session-cookie-name should not set secure in cookie with provided false annotation on http
✅ [It] [Annotations] canary-* canary affinity behavior always routes traffic to canary if first request was affinitized to canary (default behavior)
✅ [It] [Flag] ingress-class With default ingress class config should ignore Ingress without IngressClass configuration
✅ [It] [Setting] log-format-* Check log-format-upstream with log-format-escape-json and log-format-escape-none log-format-escape-json enabled
✅ [It] [Annotations] canary-* when canaried by weight should route requests only to canary if canary weight is 100
✅ [It] [Annotations] backend-protocol - FastCGI should add fastcgi_index in the configuration file
✅ [It] [Annotations] canary-* when canary is created should route requests to the correct upstream if the canary ingress is modified
✅ [It] [Annotations] cors-* should allow - matching origin+port with wildcard origin
✅ [It] [Setting] reuse-port reuse port should be enabled
✅ [It] [Annotations] auth-* should return status code 200 when authentication is configured and Authorization header is sent
✅ [It] [Annotations] proxy-ssl-* should set valid proxy-ssl-secret, proxy-ssl-verify to on, proxy-ssl-verify-depth to 2, and proxy-ssl-server-name to on
✅ [It] [Annotations] proxy-ssl-* should set valid proxy-ssl-secret
✅ [It] [Annotations] preserve-trailing-slash should allow preservation of trailing slashes
✅ [It] [Annotations] upstream-hash-by-* should connect to the same pod
✅ [It] [Setting] proxy-send-timeout should set valid proxy send timeouts using configmap values
✅ [It] [Annotations] auth-* when external authentication is configured should not create additional upstream block when host part of auth-url contains a variable
✅ [It] [Annotations] auth-* should return status code 503 when authentication is configured with an invalid secret
✅ [It] [Annotations] proxy-* should set valid proxy timeouts
✅ [It] [Setting] proxy-read-timeout should not set invalid proxy read timeouts using configmap values
✅ [It] [Setting] keep-alive keep-alive-requests Check the keep alive should set keepalive_timeout
✅ [It] [Setting] [Security] global-auth-url cookie set by external authentication server user retains cookie by default
✅ [It] [Setting] access-log http-access-log-path use the specified configuration
✅ [It] [Setting] Configmap - limit-rate Check limit-rate config
✅ [It] [Annotations] auth-* should not set snippet "proxy_set_header My-Custom-Header 42;" when external auth is not configured
✅ [It] [Flag] disable-sync-events should create sync events (default)
✅ [It] [Setting] [Security] global-auth-url cookie set by external authentication server user does not retain cookie if upstream returns error status code
✅ [It] [Annotations] modsecurity owasp should enable modsecurity through the config map but ignore snippet as disabled by admin
✅ [It] [Annotations] auth-* with invalid auth-url should deny whole location should return 503 (location was denied)
✅ [It] [Annotations] modsecurity owasp should enable modsecurity without using 'modsecurity on;'
✅ [It] [Flag] custom HTTP and HTTPS ports with a TLS enabled ingress should set X-Forwarded-Port header to 443
✅ [It] [Annotations] app-root should redirect to /foo
⚪ [It] [Default Backend] enables access logging for default backend
✅ [It] [Annotations] modsecurity owasp should enable modsecurity through the config map
✅ [It] [Annotations] backend-protocol should set backend protocol to https:// and use proxy_pass
✅ [It] [Annotations] cors-* should disable cors allow credentials
✅ [It] [Annotations] auth-* cookie set by external authentication server user retains cookie by default
✅ [It] global-options should have worker_rlimit_nofile option
✅ [It] [Annotations] affinity session-cookie-name does not set the path to / on the generated cookie if there's more than one rule referring to the same backend
✅ [It] [Annotations] canary-* when canaried by header with value should route requests to the correct upstream
✅ [It] [Annotations] cors-* should not break functionality - without `*`
✅ [It] [Annotations] modsecurity owasp should disable default modsecurity conf setting when modsecurity-snippet is specified
✅ [It] [Setting] proxy-connect-timeout should not set invalid proxy timeouts using configmap values
✅ [It] [Annotations] cors-* should allow correct origins - missing subdomain + origin with wildcard origin and correct origin
✅ [It] [Annotations] disable-access-log disable-http-access-log disable-stream-access-log disable-access-log set access_log off
✅ [It] [Annotations] rewrite-target use-regex enable-rewrite-log should use correct longest path match
✅ [It] Configure Opentelemetry should exists opentelemetry directive when is enabled
✅ [It] [Annotations] canary-* when canaried by header with value and pattern should route requests to the correct upstream
✅ [It] [Setting] OCSP should enable OCSP and contain stapling information in the connection
✅ [It] [Ingress] definition without host should set ingress details variables for ingresses with host without IngressRuleValue, only Backend
✅ [It] [Flag] disable-sync-events should create sync events
✅ [It] [Flag] ingress-class With ingress-class-by-name flag should watch Ingress that uses the class name even if spec is different
✅ [It] [Annotations] ssl-ciphers should change ssl ciphers
✅ [It] [Setting] access-log access-log-path use the default configuration
✅ [It] [Annotations] configuration-snippet drops snippet more_set_header in all locations if disabled by admin
✅ [It] [Annotations] auth-* when external authentication is configured with a custom redirect param should return status code 200 when signed in
✅ [It] [Annotations] auth-* should return status code 401 when authentication is configured but Authorization header is not configured
✅ [It] [Setting] enable-real-ip trusts X-Forwarded-For header only when setting is true
✅ [It] [Service] Type ExternalName should return status 502 for service type=ExternalName with an invalid host
✅ [It] [Annotations] server-alias should return status code 200 for hosts defined in two ingresses, different path with one alias
✅ [It] [Annotations] service-upstream when using the default value (false) and enabling in the annotations should use the Service Cluster IP and Port
✅ [It] [Lua] dynamic certificates given an ingress with TLS correctly configured removes HTTPS configuration when we delete TLS spec
✅ [It] [Setting] configmap stream-snippet should add value of stream-snippet via config map to nginx config
✅ [It] [Shutdown] ingress controller should shutdown in less than 60 secons without pending connections
✅ [It] [Setting] gzip should be disabled by default
✅ [It] [Setting] [Security] global-auth-url when global external authentication is configured should set snippet when global external auth is configured
Loading