Implement annotation validation #9673
Merged
GitHub Actions / JEST Tests v1.27.1
succeeded
Jul 20, 2023 in 0s
JEST Tests v1.27.1 ✔️
✔️ report-e2e-test-suite.xml
430 tests were completed in 2689s with 424 passed, 0 failed and 6 skipped.
| Test suite | Passed | Failed | Skipped | Time |
|---|---|---|---|---|
| nginx-ingress-controller e2e suite | 424✔️ | 6✖️ | 2689s |
✔️ nginx-ingress-controller e2e suite
nginx-ingress-controller e2e suite
✔️ [It] [Setting] hash size Check server names hash size should set server_names_hash_bucket_size
✔️ [It] [Setting] [SSL] TLS protocols, ciphers and headers) should configure TLS protocol setting cipher suite
✔️ [It] [Flag] disable-sync-events should not create sync events
✔️ [It] [Annotations] backend-protocol - GRPC should return OK for service with backend protocol GRPCS
✔️ [It] [Annotations] canary-* when canary is created should route requests to the correct upstream if the canary ingress is modified
✔️ [It] [Annotations] client-body-buffer-size should set client_body_buffer_size to 1k
✔️ [It] [Service] Type ExternalName should sync ingress on external name service addition/deletion
✔️ [It] [Flag] ingress-class With default ingress class config should serve Ingress when class is added
✔️ [It] [Setting] [Security] global-auth-url when global external authentication is configured should set snippet when global external auth is configured
✔️ [It] [Annotations] Annotation - limit-connections should limit-connections
✔️ [It] [Annotations] cors-* should allow - matching origin with wildcard origin (2 subdomains)
✔️ [It] [Annotations] affinity session-cookie-name should set cookie with domain
✔️ [It] [Annotations] auth-* when external authentication is configured with a custom redirect param should return status code 200 when signed in
✔️ [It] [Annotations] canary-* when canaried by header with value and pattern should routes to mainline upstream when the given Regex causes error
✔️ [It] [Flag] ingress-class With default ingress class config should ignore Ingress without IngressClass configuration
✔️ [It] [Annotations] proxy-ssl-* should set valid proxy-ssl-secret
✔️ [It] [Service] Type ExternalName should return status 502 for service type=ExternalName with an invalid host
✔️ [It] [Annotations] modsecurity owasp should enable modsecurity through the config map but ignore snippet as disabled by admin
✔️ [It] [Annotations] affinity session-cookie-name should set the path to /something on the generated cookie
✔️ [It] [Annotations] cors-* should set cors methods to only allow POST, GET
✔️ [It] [Annotations] auth-* when external authentication is configured should not create additional upstream block when auth-keepalive is not set
✔️ [It] [Annotations] auth-* should not set snippet "proxy_set_header My-Custom-Header 42;" when external auth is not configured
✔️ [It] [Setting] [Security] global-auth-url when global external authentication is configured should return status code 401 when request any protected service
✔️ [It] [Annotations] cors-* should allow - missing origins (should allow all origins)
✔️ [It] [Annotations] proxy-* should set valid proxy timeouts
✔️ [It] [Setting] access-log access-log-path use the default configuration
✔️ [It] Configure Opentelemetry should not exists opentelemetry directive
✔️ [It] [Setting] use-proxy-protocol should enable PROXY Protocol for HTTPS
✔️ [It] [Lua] dynamic configuration when only backends change handles an annotation change
✔️ [It] [Annotations] canary-* when canaried by weight should route requests split between mainline and canary if canary weight is 100 and weight total is 200
✔️ [It] [Setting] stream-snippet should add stream-snippet and drop annotations per admin config
✔️ [It] [TCP] tcp-services should expose an ExternalName TCP service
✔️ [It] [Annotations] auth-tls-* should validate auth-tls-verify-client
✔️ [It] [Annotations] affinity session-cookie-name should set sticky cookie SERVERID
✔️ [It] [Status] status update should update status field after client-go reconnection
✔️ [It] [Lua] dynamic certificates picks up the previously missing secret for a given ingress without reloading
✔️ [It] [Annotations] modsecurity owasp should enable modsecurity
✔️ [It] [Annotations] proxy-ssl-* should set valid proxy-ssl-secret, proxy-ssl-verify to on, proxy-ssl-verify-depth to 2, and proxy-ssl-server-name to on
✔️ [It] [Setting] gzip should set gzip_comp_level to 4
✔️ [It] [Shutdown] ingress controller should shutdown in less than 60 secons without pending connections
✔️ [It] [Annotations] configuration-snippet set snippet more_set_headers in all locations
✔️ [It] [Annotations] upstream-hash-by-* should connect to the same subset of pods
✔️ [It] [Setting] enable-multi-accept should be enabled by default
✔️ [It] [Annotations] cors-* should not break functionality with extra domain
✔️ [It] [Annotations] cors-* should allow correct origins - single origin for multiple cors values
✔️ [It] [Setting] [Security] global-auth-url when global external authentication is configured should proxy_method method when global-auth-method is configured
✔️ [It] [Annotations] affinity session-cookie-name should not set secure in cookie with provided false annotation on http
✔️ [It] [Annotations] auth-tls-* should return 403 using auth-tls-match-cn with no matching CN from client
✔️ [It] [Annotations] auth-* when external authentication is configured with a custom redirect param should redirect to signin url when not signed in
✔️ [It] [Annotations] auth-* when external authentication is configured should not create additional upstream block when auth-keepalive is negative
✔️ [It] [Annotations] affinity session-cookie-name does not set the path to / on the generated cookie if there's more than one rule referring to the same backend
✔️ [It] [Annotations] disable-access-log disable-http-access-log disable-stream-access-log disable-http-access-log set access_log off
✔️ [It] [Setting] [Security] global-auth-url cookie set by external authentication server user with global-auth-always-set-cookie key in configmap retains cookie if upstream returns error status code
✔️ [It] [Annotations] modsecurity owasp should enable modsecurity globally and with modsecurity-snippet block requests
✔️ [It] [Lua] dynamic configuration when only backends change handles endpoints only changes (down scaling of replicas)
✔️ [It] [Admission] admission controller reject ingress with global-rate-limit annotations when memcached is not configured
✔️ [It] [Admission] admission controller should not return an error if the Ingress V1 definition is valid with IngressClass annotation
✔️ [It] [Admission] admission controller should not return an error for an invalid Ingress when it has unknown class
✔️ [It] [Admission] admission controller should return an error if there is an invalid value in some annotation
✔️ [It] [Admission] admission controller should not allow overlaps of host and paths without canary annotations
✔️ [It] [Flag] watch namespace selector With specific watch-namespace-selector flags should ingore Ingress of namespace without label foo=bar and accept those of namespace with label foo=bar
✔️ [It] [Admission] admission controller should return an error if there is an invalid path and wrong pathType is set
✔️ [It] [Admission] admission controller should allow overlaps of host and paths with canary annotation
✔️ [It] [Admission] admission controller should return an error if there is an error validating the ingress definition
✔️ [It] annotation validations should allow ingress based on their risk on webhooks
✔️ [It] annotation validations should allow ingress based on their risk on webhooks
✔️ [It] [TopologyHints] topology aware routing should return 200 when service has topology hints
✔️ [It] [Admission] admission controller should block ingress with invalid path
✔️ [It] [Admission] admission controller should return an error if the Ingress V1 definition contains invalid annotations
✔️ [It] [Admission] admission controller should not return an error if the Ingress V1 definition is valid with Ingress Class
✔️ [It] [Admission] admission controller should return an error if there is a forbidden value in some annotation
✔️ [It] [Annotations] canary-* when canaried by weight should route requests only to canary if canary weight is 100
✔️ [It] [Annotations] server-snippet drops server snippet if disabled by the administrator
✔️ [It] [Annotations] canary-* canary affinity behavior routes traffic to either mainline or canary backend (legacy behavior)
✔️ [It] [Flag] enable-ssl-passthrough With enable-ssl-passthrough enabled should pass unknown traffic to default backend and handle known traffic
✔️ [It] [Annotations] backend-protocol should set backend protocol to '' and use fastcgi_pass
✔️ [It] Configure OpenTracing should exists opentracing_operation_name directive when is configured
✔️ [It] [Setting] reuse-port reuse port should be enabled by default
✔️ [It] [Annotations] auth-* when external authentication is configured should return status code 200 when signed in
✔️ [It] [Annotations] affinity session-cookie-name should set secure in cookie with provided true annotation on http
✔️ [It] [Annotations] proxy-* should setup proxy cookies
✔️ [It] [Flag] ingress-class With default ingress class config should ignore Ingress with a different class annotation
✔️ [It] [Setting] keep-alive keep-alive-requests Check the upstream keep alive should set keep alive connection timeout to upstream server
✔️ [It] [Annotations] server-alias should return status code 200 for host 'foo' and 'bar'
✔️ [It] [Annotations] cors-* should allow headers for cors
✔️ [It] [Lua] dynamic certificates given an ingress with TLS correctly configured removes HTTPS configuration when we delete TLS spec
✔️ [It] [Annotations] proxy-ssl-* should set valid proxy-ssl-secret, proxy-ssl-protocols
✔️ [It] [Annotations] auth-tls-* should return 200 using auth-tls-match-cn where atleast one of the regex options matches CN from client
✔️ [It] [Annotations] affinity session-cookie-name should work with server-alias annotation
✔️ [It] [Setting] [Load Balancer] round-robin should evenly distribute requests with round-robin (default algorithm)
✔️ [It] Dynamic $proxy_host should exist a proxy_host
✔️ [It] [Security] request smuggling should not return body content from error_page
✔️ [It] [Annotations] cors-* should set cors max-age
✔️ [It] [Setting] use-forwarded-headers should trust X-Forwarded headers when setting is true
✔️ [It] [Annotations] canary-* when canaried by header with value and pattern should route requests to the correct upstream
✔️ [It] [Annotations] canary-* when canaried by header with value and pattern should route requests to the correct upstream
✔️ [It] [Setting] log-format-* Check log-format-escape-json and log-format-escape-none should enable the log-format-escape-json
✔️ [It] [Annotations] backend-protocol should set backend protocol to $scheme:// and use proxy_pass
✔️ [It] Configure OpenTracing should exists opentracing directive when is enabled
✔️ [It] [Annotations] client-body-buffer-size should set client_body_buffer_size to 1m
✔️ [It] [Annotations] proxy-* should set proxy_redirect to hello.com goodbye.com
✔️ [It] [Setting] gzip should be enabled with default settings
✔️ [It] plugins should exist a x-hello-world header
✔️ [It] [Flag] disable-catch-all should allow Ingress with rules
✔️ [It] Configure OpenTracing should not exists opentracing_operation_name directive when is empty
✔️ [It] [Annotations] cors-* should allow correct origins - missing subdomain + origin with wildcard origin and correct origin
✔️ [It] [Annotations] proxy-* should set proxy_redirect to default
✔️ [It] [Annotations] auth-tls-* should 302 redirect to error page instead of 400 when auth-tls-error-page is set
✔️ [It] [Setting] enable-multi-accept should be enabled when set to true
✔️ [It] [Lua] dynamic certificates given an ingress with TLS correctly configured picks up a non-certificate only change
✔️ [It] Configure OpenTracing should include opentracing_trust_incoming_span off directive when disabled
✔️ [It] [Annotations] permanent-redirect permanent-redirect-code should respond with a standard redirect code
✔️ [It] Configure OpenTracing should not exists opentracing directive
✔️ [It] [Service] backend status code 503 should return 503 when backend service does not exist
✔️ [It] [Annotations] preserve-trailing-slash should allow preservation of trailing slashes
✔️ [It] [Annotations] auth-* when external authentication with caching is configured should deny login for different servers
✔️ [It] [Setting] gzip should set gzip_disable to msie6
✔️ [It] [Annotations] upstream-hash-by-* should connect to the same pod
✔️ [It] [Setting] access-log stream-access-log-path use the specified configuration
✔️ [It] [Annotations] backend-protocol - GRPC should use grpc_pass in the configuration file
✔️ [It] [Setting] [Security] global-auth-url when global external authentication is configured should add auth headers when global-auth-response-headers is configured
✔️ [It] [Annotations] cors-* should not allow - single origin without port and origin with required port
✔️ [It] [Annotations] auth-tls-* should pass URL-encoded certificate to upstream
✔️ [It] [Setting] enable-real-ip trusts X-Forwarded-For header only when setting is true
✔️ [It] [Annotations] rewrite-target use-regex enable-rewrite-log should write rewrite logs
✔️ [It] [Setting] log-format-* Check log-format-upstream with log-format-escape-json and log-format-escape-none log-format default escape
✔️ [It] brotli should only compress responses that meet the `brotli-min-length` condition
✔️ [It] [Annotations] canary-* Single canary Ingress should not use canary as a catch-all server
✔️ [It] [Setting] [Security] block-* should block CIDRs defined in the ConfigMap
✔️ [It] [Default Backend] SSL should return a self generated SSL certificate
✔️ [It] [Flag] disable-sync-events should create sync events (default)
✔️ [It] [Setting] [Security] global-auth-url when global external authentication is configured should return status code 200 when request whitelisted (via no-auth-locations) service and 401 when request protected service
✔️ [It] single ingress - multiple hosts should set the correct $service_name NGINX variable
✔️ [It] [Setting] keep-alive keep-alive-requests Check the keep alive should set keepalive_timeout
✔️ [It] [Setting] hash size Check proxy header hash size should set proxy-headers-hash-bucket-size
✔️ [It] [Setting] log-format-* Check log-format-escape-json and log-format-escape-none should disable the log-format-escape-json
✔️ [It] [Flag] ingress-class With specific ingress-class flags should ignore Ingress with no class and accept the correctly configured Ingresses
✔️ [It] [Default Backend] change default settings should apply the annotation to the default backend
✖️ [It] [Default Backend] disables access logging for default backend
✔️ [It] [Setting] main-snippet should add value of main-snippet setting to nginx config
✔️ [It] [Annotations] auth-* cookie set by external authentication server user does not retain cookie if upstream returns error status code
✔️ [It] [Setting] configmap server-snippet should add value of server-snippet setting to all ingress config
✔️ [It] [Setting] log-format-* Check log-format-escape-json and log-format-escape-none should not configure log-format escape by default
✔️ [It] [Setting] OCSP should enable OCSP and contain stapling information in the connection
✔️ [It] [Annotations] client-body-buffer-size should set client_body_buffer_size to 1K
✔️ [It] [Ingress] DeepInspection should drop whole ingress if one path matches invalid regex
✔️ [It] [Setting] enable-multi-accept should be disabled when set to false
✔️ [It] Configure Opentelemetry should not exists opentelemetry_operation_name directive when is empty
✔️ [It] [Setting] [SSL] TLS protocols, ciphers and headers) should configure HSTS policy header setting max-age parameter
✔️ [It] [Setting] reuse-port reuse port should be disabled
✔️ [It] [Annotations] auth-* when external authentication is configured should redirect to signin url when not signed in
✔️ [It] [Annotations] Bad annotation values [BAD_ANNOTATIONS] should drop an ingress if there is an invalid character in some annotation
✔️ [It] [Annotations] connection-proxy-header set connection header to keep-alive
✔️ [It] [Setting] gzip should set gzip_types to application/javascript
✔️ [It] [metrics] exported prometheus metrics exclude socket request metrics are absent
✔️ [It] [Flag] ingress-class With ingress-class-by-name flag should watch Ingress that uses the class name even if spec is different
✔️ [It] [Setting] Add no tls redirect locations Check no tls redirect locations config
✔️ [It] [Annotations] proxy-* should not set invalid proxy timeouts
✔️ [It] [Setting] add-headers Add a custom header
✔️ [It] [Annotations] auth-* should return status code 200 when authentication is configured and Authorization header is sent
✔️ [It] [Annotations] client-body-buffer-size should set client_body_buffer_size to 1M
✔️ [It] [Annotations] auth-tls-* should set sslClientCertificate, sslVerifyClient and sslVerifyDepth with auth-tls-secret
✔️ [It] Configure Opentelemetry should exists opentelemetry_operation_name directive when is configured
✔️ [It] [Ingress] definition without host should set ingress details variables for ingresses without a host
✔️ [It] [Annotations] rewrite-target use-regex enable-rewrite-log should use ~* location modifier if regex annotation is present
✔️ [It] [Setting] proxy-connect-timeout should set valid proxy timeouts using configmap values
✔️ [It] [Annotations] Bad annotation values [BAD_ANNOTATIONS] should drop an ingress if there is a forbidden word in some annotation
✔️ [It] [Annotations] allowlist-source-range should set valid ip allowlist range
✔️ [It] [Annotations] default-backend when default backend annotation is enabled should use a custom default backend as upstream
✔️ [It] Configure Opentelemetry should exists opentelemetry directive when is enabled
✔️ [It] [Annotations] client-body-buffer-size should set client_body_buffer_size to 1000
✔️ [It] [Flag] custom HTTP and HTTPS ports with a TLS enabled ingress when external authentication is configured should set the X-Forwarded-Port header to 443
✔️ [It] [Setting] use-proxy-protocol should respect proto passed by the PROXY Protocol server port
✔️ [It] [Annotations] auth-* should return status code 401 when authentication is configured but Authorization header is not configured
✔️ [It] [Annotations] backend-protocol should set backend protocol to grpcs:// and use grpc_pass
✔️ [It] global-options should have worker_rlimit_nofile option
✔️ [It] [Annotations] auth-* should return status code 200 when no authentication is configured
✔️ [It] [Annotations] affinity session-cookie-name should not set affinity across all server locations when using separate ingresses
✔️ [It] [Annotations] denylist-source-range only deny explicitly denied IPs, allow all others
✔️ [It] [Annotations] service-upstream when using the default value (false) and enabling in the annotations should use the Service Cluster IP and Port
✔️ [It] [Setting] [Load Balancer] load-balance should apply the configmap load-balance setting
✔️ [It] Configure OpenTracing should enable opentracing using zipkin
✔️ [It] [Annotations] affinity session-cookie-name should warn user when use-regex is true and session-cookie-path is not set
✔️ [It] [Annotations] backend-protocol should set backend protocol to https:// and use proxy_pass
✔️ [It] [Setting] [Security] global-auth-url cookie set by external authentication server user does not retain cookie if upstream returns error status code
✔️ [It] global-options should have worker_rlimit_nofile option and be independent on amount of worker processes
✔️ [It] [Setting] [Security] no-auth-locations should return status code 401 when accessing '/' unauthentication
✔️ [It] [Annotations] cors-* should not break functionality
✔️ [It] [Setting] use-proxy-protocol should respect port passed by the PROXY Protocol
✔️ [It] [Setting] access-log access-log-path use the specified configuration
✔️ [It] [Annotations] cors-* should not allow - single origin for multiple cors values
✔️ [It] [Annotations] service-upstream when enabling in the configmap and disabling in the annotations should not use the Service Cluster IP and Port
✔️ [It] [Flag] disable-catch-all should ignore catch all Ingress with backend and rules
✔️ [It] [Annotations] mirror-* should set mirror-target to https://test.env.com/$request_uri
✔️ [It] [Annotations] canary-* when canary is created should route requests to the correct upstream if mainline ingress is created after the canary ingress
✔️ [It] [Annotations] auth-* with invalid auth-url should deny whole location should add error to the config
✔️ [It] [Annotations] annotation-global-rate-limit generates correct configuration
✔️ [It] [Annotations] ssl-ciphers should change ssl ciphers
✔️ [It] [Service] Type ExternalName should update the external name after a service update
✔️ [It] [Annotations] auth-* should return status code 401 when authentication is configured and Authorization header is sent with invalid credentials
✔️ [It] [Annotations] app-root should redirect to /foo
✖️ [It] [Memory Leak] Dynamic Certificates should not leak memory from ingress SSL certificates or configuration updates
✔️ [It] [Lua] dynamic certificates given an ingress with TLS correctly configured picks up the updated certificate without reloading
✔️ [It] [Setting] add-headers Add multiple custom headers
✔️ [It] [Annotations] cors-* should allow origin for cors
✔️ [It] [Setting] reuse-port reuse port should be enabled
✔️ [It] [Annotations] server-alias should return status code 200 for hosts defined in two ingresses, different path with one alias
✔️ [It] [Setting] proxy-next-upstream should build proxy next upstream using configmap values
✔️ [It] [Annotations] auth-* when external authentication is configured keeps processing new ingresses even if one of the existing ingresses is misconfigured
✔️ [It] [Lua] dynamic certificates picks up the certificate when we add TLS spec to existing ingress
✔️ [It] [Annotations] auth-* should set snippet "proxy_set_header My-Custom-Header 42;" when external auth is configured
✔️ [It] [Default Backend] should return 404 sending requests when only a default backend is running
✔️ [It] [Annotations] auth-* should return status code 401 when authentication is configured with invalid content and Authorization header is sent
✔️ [It] [Annotations] Bad annotation values [BAD_ANNOTATIONS] should drop an ingress if there is a custom blocklist config in place and allow others to pass
✔️ [It] [Setting] keep-alive keep-alive-requests Check the keep alive should set keepalive_requests
✔️ [It] [Setting] stream-snippet should add value of stream-snippet to nginx config
✔️ [It] [Annotations] canary-* when canaried by weight should route requests only to mainline if canary weight is 0
✔️ [It] [Annotations] mirror-* should disable mirror-request-body
✔️ [It] [Annotations] proxy-ssl-* should set valid proxy-ssl-secret, proxy-ssl-ciphers to HIGH:!AES
✔️ [It] [Annotations] affinitymode Check persistent affinity mode
✔️ [It] [Annotations] disable-access-log disable-http-access-log disable-stream-access-log disable-access-log set access_log off
✔️ [It] [Annotations] auth-* when external authentication is configured should not create additional upstream block when host part of auth-url contains a variable
✔️ [It] [Annotations] affinitymode Balanced affinity mode should balance
✔️ [It] [Annotations] canary-* when canary is created should return 404 status for requests to the canary if no matching ingress is found
✔️ [It] [Setting] Configmap change should reload after an update in the configuration
✔️ [It] [Annotations] affinity session-cookie-name should set secure in cookie with provided false annotation on https
✔️ [It] [Setting] [SSL] TLS protocols, ciphers and headers) should configure HSTS policy header setting preload parameter
✔️ [It] [Setting] [Security] global-auth-url when global external authentication is configured should return status code 200 when request whitelisted (via ingress annotation) service and 401 when request protected service
✔️ [It] [Annotations] auth-* should set cache_key when external auth cache is configured
✔️ [It] [Annotations] service-upstream when enabling in the configmap should use the Service Cluster IP and Port
✔️ [It] [Annotations] upstream-vhost set host to upstreamvhost.bar.com
✔️ [It] [Endpointslices] long service name should return 200 when service name has max allowed number of characters 63
✔️ [It] [Setting] proxy-read-timeout should not set invalid proxy read timeouts using configmap values
✔️ [It] [Annotations] cors-* should allow - single origin for multiple cors values
✔️ [It] [Annotations] auth-* when external authentication with caching is configured should return status code 200 when signed in after auth backend is deleted
✔️ [It] [Setting] proxy-read-timeout should set valid proxy read timeouts using configmap values
✔️ [It] [Annotations] proxy-ssl-* proxy-ssl-location-only flag should change the nginx config server part
✔️ [It] [Setting] log-format-* Check log-format-upstream with log-format-escape-json and log-format-escape-none log-format-escape-json enabled
✔️ [It] [Annotations] client-body-buffer-size should not set client_body_buffer_size to invalid 1b
✔️ [It] [Setting] hash size Check the variable hash size should set variables-hash-max-size
✔️ [It] [metrics] exported prometheus metrics exclude socket request metrics are present
✔️ [It] Configure OpenTracing should enable opentracing using datadog
✔️ [It] [Flag] custom HTTP and HTTPS ports with a plain HTTP ingress should set X-Forwarded-Port headers accordingly when listening on a non-default HTTP port
✔️ [It] [Annotations] affinity session-cookie-name should change cookie name on ingress definition change
✔️ [It] [Annotations] cors-* should not break functionality - without `*`
✔️ [It] [Annotations] cors-* should allow - matching origin+port with wildcard origin
✔️ [It] [Ingress] [PathType] exact should choose exact location for /exact
✔️ [It] [Flag] ingress-class With watch-ingress-without-class flag should watch Ingress with no class and ignore ingress with a different class
✔️ [It] [Annotations] cors-* should enable cors
✔️ [It] [Setting] [Security] block-* should block Referers defined in the ConfigMap
✔️ [It] [Annotations] auth-* should return status code 200 when authentication is configured with a map and Authorization header is sent
✔️ [It] [Annotations] satisfy should allow multiple auth with satisfy any
✔️ [It] [Annotations] proxy-* should set proxy_redirect to off
✔️ [It] [Setting] proxy-send-timeout should not set invalid proxy send timeouts using configmap values
✔️ [It] Configure OpenTracing should exists opentracing_location_operation_name directive when is configured
✔️ [It] [Annotations] cors-* should not allow - portless origin with wildcard origin
✔️ [It] [Setting] server-tokens should exists Server header in the response when is enabled
✔️ [It] [Setting] keep-alive keep-alive-requests Check the upstream keep alive should set keepalive connection to upstream server
✔️ [It] [SSL] [Flag] default-ssl-certificate uses default ssl certificate for host based ingress when configured certificate does not match host
✔️ [It] [Setting] use-forwarded-headers should not trust X-Forwarded headers when setting is false
✔️ [It] [Annotations] rewrite-target use-regex enable-rewrite-log should use correct longest path match
✔️ [It] [Lua] dynamic configuration configures balancer Lua middleware correctly
✔️ [It] [Annotations] modsecurity owasp should enable modsecurity when enable-owasp-modsecurity-crs is set to true
✔️ [It] [Service] Type ExternalName should return 200 for service type=ExternalName using FQDN with trailing dot
✔️ [It] [Flag] disable-catch-all should delete Ingress updated to catch-all
✔️ [It] [Setting] nginx-configuration start nginx with default configuration
✔️ [It] [Lua] dynamic certificates given an ingress with TLS correctly configured falls back to using default certificate when secret gets deleted without reloading
✔️ [It] [Annotations] auth-* cookie set by external authentication server user with annotated ingress retains cookie if upstream returns error status code
✔️ [It] [Annotations] auth-* when external authentication is configured should create additional upstream block when auth-keepalive is set with HTTP/1.x
✔️ [It] [Annotations] auth-* when external authentication with caching is configured should deny login for different location on same server
✔️ [It] [Setting] enable-real-ip should not trust X-Forwarded-For header when setting is false
✔️ [It] [Annotations] auth-* when external authentication is configured should overwrite Foo header with auth response
✔️ [It] [Annotations] Bad annotation values [BAD_ANNOTATIONS] should allow an ingress if there is a default blocklist config in place
✔️ [It] [Lua] dynamic configuration when only backends change handles endpoints only changes
✔️ [It] [Setting] hash size Check proxy header hash size should set proxy-headers-hash-max-size
✔️ [It] [Annotations] modsecurity owasp should enable modsecurity with transaction ID and OWASP rules
✔️ [It] Debug CLI should list the backend servers
✔️ [It] [Setting] [Security] global-auth-url when global external authentication is configured should set request-redirect when global-auth-request-redirect is configured
✔️ [It] [Annotations] auth-* should set "proxy_set_header 'My-Custom-Header' '42';" when auth-headers are set
✔️ [It] [Annotations] proxy-* should turn off proxy-request-buffering
✔️ [It] [Setting] proxy-send-timeout should set valid proxy send timeouts using configmap values
✔️ [It] [Annotations] affinity session-cookie-name should set sticky cookie without host
✔️ [It] [Setting] [Load Balancer] EWMA does not fail requests
✔️ [It] [Annotations] backend-protocol - FastCGI should use fastcgi_pass in the configuration file
✔️ [It] [Setting] [SSL] TLS protocols, ciphers and headers) ports or X-Forwarded-Host check during HTTP tp HTTPS redirection should not use ports during the HTTP to HTTPS redirection
✔️ [It] [Annotations] auth-* with invalid auth-url should deny whole location should return 503 (location was denied)
✔️ [It] Configure Opentelemetry should include opentelemetry_trust_incoming_spans on directive when enabled
✔️ [It] [Flag] ingress-class With default ingress class config should delete Ingress when class is removed
✔️ [It] [Setting] keep-alive keep-alive-requests Check the upstream keep alive should set the request count to upstream server through one keep alive connection
✔️ [It] [Annotations] configuration-snippet drops snippet more_set_header in all locations if disabled by admin
✔️ [It] [Annotations] modsecurity owasp should enable modsecurity with snippet and block requests
✔️ [It] [SSL] secret update should return the fake SSL certificate if the secret is invalid
✔️ [It] [Setting] use-proxy-protocol should enable PROXY Protocol for TCP
✔️ [It] [Setting] [Security] no-auth-locations should return status code 200 when accessing '/noauth' unauthenticated
✔️ [It] [Setting] [SSL] TLS protocols, ciphers and headers) should configure HSTS policy header setting includeSubDomains parameter
✔️ [It] [Setting] settings-global-rate-limit generates correct NGINX configuration
✔️ [It] [Annotations] cors-* should expose headers for cors
✔️ [It] [Annotations] cors-* should not allow - single origin with port and origin without port
✔️ [It] [Annotations] auth-* should return status code 401 and cors headers when authentication and cors is configured but Authorization header is not configured
✔️ [It] [Lua] dynamic configuration when only backends change handles endpoints only changes consistently (down scaling of replicas vs. empty service)
✔️ [It] [Annotations] canary-* when canary is created should route requests to the correct upstream if the mainline ingress is modified
✔️ [It] [Flag] ingress-class With default ingress class config should accept both Ingresses with default IngressClassName and IngressClass annotation
✔️ [It] [Annotations] backend-protocol - FastCGI should return OK for service with backend protocol FastCGI
✔️ [It] [Annotations] cors-* should not allow - unmatching origin with wildcard origin (2 subdomains)
✔️ [It] [Setting] gzip should be disabled by default
✔️ [It] [Annotations] canary-* when canary is created should route requests to the correct upstream if mainline ingress is created before the canary ingress
✔️ [It] [TCP] tcp-services should expose a TCP service
✔️ [It] [Service] Nil Service Backend should return 404 when backend service is nil
✔️ [It] [Annotations] server-snippet add valid directives to server via server snippet
✖️ [It] [Security] Pod Security Policies should be running with a Pod Security Policy
✔️ [It] [Annotations] proxy-* should set proxy client-max-body-size to 8m
✔️ [It] [Annotations] canary-* when canaried by header with no value should route requests to the correct upstream
✔️ [It] [Annotations] modsecurity owasp should enable modsecurity with snippet
✔️ [It] [Annotations] disable-access-log disable-http-access-log disable-stream-access-log disable-stream-access-log set access_log off
✔️ [It] [Setting] keep-alive keep-alive-requests Check the upstream keep alive should set keepalive time to upstream server
✔️ [It] [Annotations] denylist-source-range only allow explicitly allowed IPs, deny all others
✔️ [It] [Setting] [Security] global-auth-url cookie set by external authentication server user retains cookie by default
✔️ [It] [SSL] secret update should not appear references to secret updates not used in ingress rules
✔️ [It] [Setting] [Security] global-auth-url when global external authentication is configured should add custom error page when global-auth-signin url is configured
✔️ [It] [Flag] ingress-class Without IngressClass Cluster scoped Permission should watch Ingress with correct annotation
✔️ [It] [SSL] redirect to HTTPS should redirect from HTTP to HTTPS when secret is missing
✔️ [It] [Setting] log-format-* Check log-format-upstream with log-format-escape-json and log-format-escape-none log-format-escape-none enabled
✔️ [It] [Annotations] canary-* when canaried by header with value and cookie should route requests to the correct upstream
✔️ [It] [Annotations] cors-* should not match
✔️ [It] [Setting] configmap server-snippet should add global server-snippet and drop annotations per admin config
✔️ [It] [Annotations] backend-protocol - GRPC authorization metadata should be overwritten by external auth response headers
✔️ [It] [Annotations] enable-access-log enable-rewrite-log set access_log off
✔️ [It] [Annotations] canary-* when canaried by cookie respects always and never values
✔️ [It] [Setting] hash size Check the map hash size should set vmap-hash-bucket-size
✔️ [It] [Annotations] cors-* should allow - single origin with required port
✔️ [It] [Annotations] auth-* cookie set by external authentication server user retains cookie by default
✔️ [It] [Ingress] [PathType] prefix checks should return 404 when prefix /aaa does not match request /aaaccc
✔️ [It] [Service] backend status code 503 should return 503 when all backend service endpoints are unavailable
✔️ [It] [Annotations] auth-tls-* should set valid auth-tls-secret, sslVerify to off, and sslVerifyDepth to 2
✔️ [It] [Setting] [Security] block-* should block User-Agents defined in the ConfigMap
✔️ [It] Configure OpenTracing should enable opentracing using jaeger
✔️ [It] [Annotations] canary-* Single canary Ingress should not use canary with domain as a server
✔️ [It] Debug CLI should get information for a specific backend server
✔️ [It] [Annotations] proxy-* should not set proxy client-max-body-size to incorrect value
✔️ [It] [Annotations] proxy-* should build proxy next upstream
✔️ [It] [Flag] enable-ssl-passthrough With enable-ssl-passthrough enabled should enable ssl-passthrough-proxy-port on a different port
✔️ [It] [Annotations] server-alias should return status code 200 for host 'foo' and 404 for 'bar'
✔️ [It] [Annotations] backend-protocol - GRPC should return OK for service with backend protocol GRPC
✔️ [It] [Annotations] enable-access-log enable-rewrite-log set rewrite_log on
✔️ [It] [Annotations] auth-* should return status code 503 when authentication is configured with an invalid secret
✔️ [It] [Service] Type ExternalName should return 200 for service type=ExternalName without a port defined
✔️ [It] [Setting] [Security] no-auth-locations should return status code 200 when accessing '/' authentication
✔️ [It] [Service] Type ExternalName should return 200 for service type=ExternalName with a port defined
✔️ [It] [Setting] gzip should set gzip_min_length to 100
✔️ [It] [Annotations] rewrite-target use-regex enable-rewrite-log should fail to use longest match for documented warning
✔️ [It] [Annotations] x-forwarded-prefix should set the X-Forwarded-Prefix to the annotation value
✔️ [It] [Annotations] satisfy should configure satisfy directive correctly
✔️ [It] [Ingress] [PathType] mix Exact and Prefix paths should choose the correct location
✔️ [It] [Annotations] canary-* does not crash when canary ingress has multiple paths to the same non-matching backend
✔️ [It] [Setting] hash size Check server names hash size should set server_names_hash_max_size
✔️ [It] [Annotations] backend-protocol - FastCGI should add fastcgi_param in the configuration file
✔️ [It] Dynamic $proxy_host should exist a proxy_host using the upstream-vhost annotation value
✖️ [It] [Security] Pod Security Policies with volumes should be running with a Pod Security Policy
✔️ [It] [TCP] tcp-services should reload after an update in the configuration
✔️ [It] [Annotations] custom-http-errors configures Nginx correctly
✔️ [It] [Annotations] auth-* when external authentication with caching is configured should redirect to signin url when not signed in
✔️ [It] [Setting] ssl-ciphers Add ssl ciphers
✔️ [It] [Default Backend] custom service uses custom default backend that returns 200 as status code
✔️ [It] [Annotations] backend-protocol - FastCGI should add fastcgi_index in the configuration file
✔️ [It] [Setting] [SSL] TLS protocols, ciphers and headers) should configure HSTS policy header overriding what's set from the upstream
✔️ [It] [Flag] disable-sync-events should create sync events
✔️ [It] [Annotations] http2-push-preload enable the http2-push-preload directive
✔️ [It] [Service] Type ExternalName should return 200 for service type=ExternalName using a port name
✔️ [It] [Setting] [Security] global-auth-url when global external authentication is configured should still return status code 200 after auth backend is deleted using cache
✔️ [It] Debug CLI should produce valid JSON for /dbg general
✔️ [It] [Annotations] affinity session-cookie-name should set cookie with expires
✔️ [It] [Ingress] definition without host should set ingress details variables for ingresses with host without IngressRuleValue, only Backend
✔️ [It] [Setting] log-format-* Check log-format-escape-json and log-format-escape-none should disable the log-format-escape-none
✔️ [It] [Annotations] force-ssl-redirect should redirect to https
✔️ [It] [Annotations] proxy-* should turn on proxy-buffering
✔️ [It] [Flag] custom HTTP and HTTPS ports with a TLS enabled ingress should set X-Forwarded-Port header to 443
✖️ [It] [Default Backend] enables access logging for default backend
✔️ [It] [Setting] [Security] modsecurity-snippet should add value of modsecurity-snippet setting to nginx config
✔️ [It] [Setting] configmap stream-snippet should add value of stream-snippet via config map to nginx config
✔️ [It] [Annotations] canary-* when canary is created should response with a 200 status from the mainline upstream when requests are made to the mainline ingress
✔️ [It] [Setting] access-log http-access-log-path use the specified configuration
✔️ [It] [Annotations] modsecurity owasp should disable modsecurity using 'modsecurity off;'
✔️ [It] [Setting] nginx-configuration fails when using alias directive
✔️ [It] [Annotations] canary-* canary affinity behavior always routes traffic to canary if first request was affinitized to canary (default behavior)
✔️ [It] [Flag] ingress-class With default ingress class config should serve Ingress when class is updated between annotation and ingressClassName
✔️ [It] [Setting] [SSL] TLS protocols, ciphers and headers) ports or X-Forwarded-Host check during HTTP tp HTTPS redirection should not use ports or X-Forwarded-Host during the HTTP to HTTPS redirection
✔️ [It] Configure OpenTracing should enable opentracing using jaeger with sampler host
✔️ [It] [Annotations] modsecurity owasp should enable modsecurity through the config map
✔️ [It] [Annotations] canary-* when canaried by weight should route requests only to canary if canary weight is equal to canary weight total
✖️ [It] [Setting] Geoip2 should only allow requests from specific countries
✔️ [It] [Flag] disable-catch-all should ignore catch all Ingress with backend
✔️ [It] [Setting] log-format-* Check log-format-escape-json and log-format-escape-none should enable the log-format-escape-none
✔️ [It] Configure OpenTracing should propagate the w3c header when configured with jaeger
✔️ [It] [Lua] dynamic certificates given an ingress with TLS correctly configured supports requests with domain with trailing dot
✔️ [It] [SSL] [Flag] default-ssl-certificate uses default ssl certificate for catch-all ingress
✔️ [It] [Annotations] cors-* should disable cors allow credentials
✔️ [It] [Annotations] auth-* when external authentication is configured with a custom redirect param keeps processing new ingresses even if one of the existing ingresses is misconfigured
✔️ [It] [Setting] access-log http-access-log-path & stream-access-log-path use the specified configuration
✔️ [It] [Annotations] modsecurity owasp should disable modsecurity
✔️ [It] [Setting] hash size Check the variable hash size should set variables-hash-bucket-size
✔️ [It] [Annotations] mirror-* should set mirror-target to http://localhost/mirror
✔️ [It] [Flag] ingress-class Without IngressClass Cluster scoped Permission should ignore Ingress with only IngressClassName
✔️ [It] [Setting] Configmap - limit-rate Check limit-rate config
✔️ [It] [Service] Type ExternalName works with external name set to incomplete fqdn
✔️ [It] [Annotations] from-to-www-redirect should redirect from www HTTPS to HTTPS
✔️ [It] [Annotations] affinity session-cookie-name should work with use-regex annotation and session-cookie-path
✔️ [It] [Setting] nginx-configuration fails when using root directive
✔️ [It] [Annotations] modsecurity owasp should disable default modsecurity conf setting when modsecurity-snippet is specified
✔️ [It] [Annotations] x-forwarded-prefix should not add X-Forwarded-Prefix if the annotation value is empty
✔️ [It] [Setting] [Lua] lua-shared-dicts configures lua shared dicts
✔️ [It] [Annotations] auth-* when external authentication is configured should not create additional upstream block when auth-keepalive is set with HTTP/2
✔️ [It] [Annotations] rewrite-target use-regex enable-rewrite-log should allow for custom rewrite parameters
✔️ [It] [Flag] ingress-class With default ingress class config should ignore Ingress with different controller class
✔️ [It] [Annotations] from-to-www-redirect should redirect from www HTTP to HTTP
✔️ [It] [Annotations] affinity session-cookie-name should not set cookie without domain annotation
✔️ [It] [Annotations] proxy-* should change the default proxy HTTP version
✔️ [It] [Shutdown] Grace period shutdown /healthz should return status code 500 during shutdown grace period
✔️ [It] [Annotations] backend-protocol should set backend protocol to grpc:// and use grpc_pass
✔️ [It] [Setting] server-tokens should not exists Server header in the response
✔️ [It] [Setting] Geoip2 should include geoip2 line in config when enabled and db file exists
✔️ [It] [Annotations] limit-rate Check limit-rate annotation
✔️ [It] [Annotations] permanent-redirect permanent-redirect-code should respond with a custom redirect code
✔️ [It] [Flag] disable-service-external-name should ignore services of external-name type
✔️ [It] [Annotations] canary-* canary affinity behavior always routes traffic to canary if first request was affinitized to canary (explicit sticky behavior)
✔️ [It] [Setting] proxy-connect-timeout should not set invalid proxy timeouts using configmap values
✔️ [It] [Annotations] canary-* when canaried by header with value should route requests to the correct upstream
✔️ [It] [Annotations] canary-* when canaried by weight should route requests split between mainline and canary if canary weight is 50
✔️ [It] Configure OpenTracing should not exists opentracing_location_operation_name directive when is empty
✔️ [It] [Annotations] modsecurity owasp should enable modsecurity without using 'modsecurity on;'
✔️ [It] [Annotations] auth-tls-* should return 200 using auth-tls-match-cn with matching CN from client
Loading