e2e-tests.md

e2e test suite for NGINX Ingress Controller

[Default Backend] change default settings

• should apply the annotation to the default backend

[Default Backend]

• should return 404 sending requests when only a default backend is running
• enables access logging for default backend
• disables access logging for default backend

[Default Backend] custom service

• uses custom default backend that returns 200 as status code

[Default Backend] SSL

• should return a self generated SSL certificate

[TCP] tcp-services

• should expose a TCP service
• should expose an ExternalName TCP service

auth-*

• should return status code 200 when no authentication is configured
• should return status code 503 when authentication is configured with an invalid secret
• should return status code 401 when authentication is configured but Authorization header is not configured
• should return status code 401 when authentication is configured and Authorization header is sent with invalid credentials
• should return status code 200 when authentication is configured and Authorization header is sent
• should return status code 200 when authentication is configured with a map and Authorization header is sent
• should return status code 401 when authentication is configured with invalid content and Authorization header is sent
• proxy_set_header My-Custom-Header 42;
• proxy_set_header My-Custom-Header 42;
• proxy_set_header 'My-Custom-Header' '42';
• retains cookie set by external authentication server
• should return status code 200 when signed in
• should redirect to signin url when not signed in
• keeps processing new ingresses even if one of the existing ingresses is misconfigured
• should return status code 200 when signed in after auth backend is deleted
• should deny login for different location on same server
• should deny login for different servers
• should redirect to signin url when not signed in

affinitymode

• Balanced affinity mode should balance
• Check persistent affinity mode

proxy-*

• should set proxy_redirect to off
• should set proxy_redirect to default
• should set proxy_redirect to hello.com goodbye.com
• should set proxy client-max-body-size to 8m
• should not set proxy client-max-body-size to incorrect value
• should set valid proxy timeouts
• should not set invalid proxy timeouts
• should turn on proxy-buffering
• should turn off proxy-request-buffering
• should build proxy next upstream
• should setup proxy cookies
• should change the default proxy HTTP version

affinity session-cookie-name

• should set sticky cookie SERVERID
• should change cookie name on ingress definition change
• should set the path to /something on the generated cookie
• does not set the path to / on the generated cookie if there's more than one rule referring to the same backend
• should set cookie with expires
• should work with use-regex annotation and session-cookie-path
• should warn user when use-regex is true and session-cookie-path is not set
• should not set affinity across all server locations when using separate ingresses
• should set sticky cookie without host

mirror-*

• should set mirror-target to http://localhost/mirror
• should set mirror-target to https://test.env.com/$request_uri
• should disable mirror-request-body

canary-*

• should response with a 200 status from the mainline upstream when requests are made to the mainline ingress
• should return 404 status for requests to the canary if no matching ingress is found
• should return the correct status codes when endpoints are unavailable
• should route requests to the correct upstream if mainline ingress is created before the canary ingress
• should route requests to the correct upstream if mainline ingress is created after the canary ingress
• should route requests to the correct upstream if the mainline ingress is modified
• should route requests to the correct upstream if the canary ingress is modified
• should route requests to the correct upstream
• should route requests to the correct upstream
• should route requests to the correct upstream
• should route requests to the correct upstream
• should routes to mainline upstream when the given Regex causes error
• should route requests to the correct upstream
• should route requests to the correct upstream
• should route requests to the correct upstream
• should not use canary as a catch-all server
• should not use canary with domain as a server
• does not crash when canary ingress has multiple paths to the same non-matching backend

limit-rate

• Check limit-rate annotation

force-ssl-redirect

• should redirect to https

http2-push-preload

• enable the http2-push-preload directive

proxy-ssl-*

• should set valid proxy-ssl-secret
• should set valid proxy-ssl-secret, proxy-ssl-verify to on, proxy-ssl-verify-depth to 2, and proxy-ssl-server-name to on
• should set valid proxy-ssl-secret, proxy-ssl-ciphers to HIGH:!AES
• should set valid proxy-ssl-secret, proxy-ssl-protocols
• proxy-ssl-location-only flag should change the nginx config server part

modsecurity owasp

• should enable modsecurity
• should enable modsecurity with transaction ID and OWASP rules
• should disable modsecurity
• should enable modsecurity with snippet
• should enable modsecurity without using 'modsecurity on;'
• should disable modsecurity using 'modsecurity off;'
• should enable modsecurity with snippet and block requests
• should enable modsecurity globally and with modsecurity-snippet block requests

backend-protocol - GRPC

• should use grpc_pass in the configuration file
• should return OK for service with backend protocol GRPC
• should return OK for service with backend protocol GRPCS

cors-*

• should enable cors
• should set cors methods to only allow POST, GET
• should set cors max-age
• should disable cors allow credentials
• should allow origin for cors
• should allow headers for cors
• should expose headers for cors

influxdb-*

• should send the request metric to the influxdb server

Annotation - limit-connections

• should limit-connections

client-body-buffer-size

• should set client_body_buffer_size to 1000
• should set client_body_buffer_size to 1K
• should set client_body_buffer_size to 1k
• should set client_body_buffer_size to 1m
• should set client_body_buffer_size to 1M
• should not set client_body_buffer_size to invalid 1b

default-backend

• should use a custom default backend as upstream

connection-proxy-header

• set connection header to keep-alive

upstream-vhost

• set host to upstreamvhost.bar.com

custom-http-errors

• configures Nginx correctly

disable-access-log disable-http-access-log disable-stream-access-log

• disable-access-log set access_log off
• disable-http-access-log set access_log off
• disable-stream-access-log set access_log off

server-snippet

rewrite-target use-regex enable-rewrite-log

• should write rewrite logs
• should use correct longest path match
• should use ~* location modifier if regex annotation is present
• should fail to use longest match for documented warning
• should allow for custom rewrite parameters

app-root

• should redirect to /foo

whitelist-source-range

• should set valid ip whitelist range

enable-access-log enable-rewrite-log

• set access_log off
• set rewrite_log on

x-forwarded-prefix

• should set the X-Forwarded-Prefix to the annotation value
• should not add X-Forwarded-Prefix if the annotation value is empty

configuration-snippet

• in all locations

backend-protocol - FastCGI

• should use fastcgi_pass in the configuration file
• should add fastcgi_index in the configuration file
• should add fastcgi_param in the configuration file
• should return OK for service with backend protocol FastCGI

from-to-www-redirect

• should redirect from www HTTP to HTTP
• should redirect from www HTTPS to HTTPS

permanent-redirect permanent-redirect-code

• should respond with a standard redirect code
• should respond with a custom redirect code

upstream-hash-by-*

• should connect to the same pod
• should connect to the same subset of pods

backend-protocol

• should set backend protocol to https:// and use proxy_pass
• should set backend protocol to grpc:// and use grpc_pass
• should set backend protocol to grpcs:// and use grpc_pass
• should set backend protocol to '' and use fastcgi_pass
• should set backend protocol to '' and use ajp_pass

satisfy

• should configure satisfy directive correctly
• should allow multiple auth with satisfy any

server-alias

• should return status code 200 for host 'foo' and 404 for 'bar'
• should return status code 200 for host 'foo' and 'bar'
• should return status code 200 for hosts defined in two ingresses, different path with one alias

ssl-ciphers

• should change ssl ciphers

auth-tls-*

• should set valid auth-tls-secret
• should set valid auth-tls-secret, sslVerify to off, and sslVerifyDepth to 2
• should set valid auth-tls-secret, pass certificate to upstream, and error page
• should validate auth-tls-verify-client

[Status] status update

• should update status field after client-go reconnection

Debug CLI

• should list the backend servers
• should get information for a specific backend server
• should produce valid JSON for /dbg general

[Memory Leak] Dynamic Certificates

• should not leak memory from ingress SSL certificates or configuration updates

single ingress - multiple hosts

• should set the correct $service_name NGINX variable

[Ingress] [PathType] exact

• should choose exact location for /exact

[Security] request smuggling

• should not return body content from error_page

[SSL] [Flag] default-ssl-certificate

• uses default ssl certificate for catch-all ingress
• uses default ssl certificate for host based ingress when configured certificate does not match host

enable-real-ip

• trusts X-Forwarded-For header only when setting is true
• should not trust X-Forwarded-For header when setting is false

access-log

• use the default configuration
• use the specified configuration
• use the specified configuration
• use the specified configuration
• use the specified configuration

[Lua] lua-shared-dicts

• configures lua shared dicts

server-tokens

• should not exists Server header in the response
• should exists Server header in the response when is enabled

use-proxy-protocol

• should respect port passed by the PROXY Protocol
• should respect proto passed by the PROXY Protocol server port
• should enable PROXY Protocol for HTTPS
• should enable PROXY Protocol for TCP

[Flag] custom HTTP and HTTPS ports

• should set X-Forwarded-Port headers accordingly when listening on a non-default HTTP port
• should set X-Forwarded-Port header to 443
• should set the X-Forwarded-Port header to 443

[Security] no-auth-locations

• should return status code 401 when accessing '/' unauthentication
• should return status code 200 when accessing '/' authentication
• should return status code 200 when accessing '/noauth' unauthenticated

Dynamic $proxy_host

• should exist a proxy_host
• should exist a proxy_host using the upstream-vhost annotation value

proxy-connect-timeout

• should set valid proxy timeouts using configmap values
• should not set invalid proxy timeouts using configmap values

[Security] Pod Security Policies

• should be running with a Pod Security Policy

Geoip2

• should only allow requests from specific countries

[Security] Pod Security Policies with volumes

• should be running with a Pod Security Policy

enable-multi-accept

• should be enabled by default
• should be enabled when set to true
• should be disabled when set to false

log-format-*

• should disable the log-format-escape-json by default
• should enable the log-format-escape-json
• should disable the log-format-escape-json
• log-format-escape-json enabled
• log-format-escape-json disabled

[Flag] ingress-class

• should ignore Ingress with class
• should ignore Ingress with no class
• should delete Ingress when class is removed
• check scenarios for IngressClass and ingress.class annotation

ssl-ciphers

• Add ssl ciphers

proxy-next-upstream

• should build proxy next upstream using configmap values

[Security] global-auth-url

• should return status code 401 when request any protected service
• should return status code 200 when request whitelisted (via no-auth-locations) service and 401 when request protected service
• should return status code 200 when request whitelisted (via ingress annotation) service and 401 when request protected service
• should still return status code 200 after auth backend is deleted using cache

[Security] block-*

• should block CIDRs defined in the ConfigMap
• should block User-Agents defined in the ConfigMap
• should block Referers defined in the ConfigMap

plugins

• should exist a x-hello-world header

Configmap - limit-rate

• Check limit-rate config

Configure OpenTracing

• should not exists opentracing directive
• should exists opentracing directive when is enabled
• should not exists opentracing_operation_name directive when is empty
• should exists opentracing_operation_name directive when is configured
• should not exists opentracing_location_operation_name directive when is empty
• should exists opentracing_location_operation_name directive when is configured
• should enable opentracing using zipkin
• should enable opentracing using jaeger
• should enable opentracing using jaeger with sampler host
• should enable opentracing using datadog

use-forwarded-headers

• should trust X-Forwarded headers when setting is true
• should not trust X-Forwarded headers when setting is false

proxy-send-timeout

• should set valid proxy send timeouts using configmap values
• should not set invalid proxy send timeouts using configmap values

Add no tls redirect locations

• Check no tls redirect locations config

add-headers

• Add a custom header
• Add multiple custom headers

hash size

• should set server_names_hash_bucket_size
• should set server_names_hash_max_size
• should set proxy-headers-hash-bucket-size
• should set proxy-headers-hash-max-size
• should set variables-hash-bucket-size
• should set variables-hash-max-size
• should set vmap-hash-bucket-size

keep-alive keep-alive-requests

• should set keepalive_timeout
• should set keepalive_requests
• should set keepalive connection to upstream server
• should set keep alive connection timeout to upstream server
• should set the request count to upstream server through one keep alive connection

[Flag] disable-catch-all

• should ignore catch all Ingress
• should delete Ingress updated to catch-all
• should allow Ingress with both a default backend and rules

main-snippet

• should add value of main-snippet setting to nginx config

[SSL] TLS protocols, ciphers and headers)

• setting cipher suite
• enforcing TLS v1.0
• setting max-age parameter
• setting includeSubDomains parameter
• setting preload parameter
• overriding what's set from the upstream
• should not use ports during the HTTP to HTTPS redirection
• should not use ports or X-Forwarded-Host during the HTTP to HTTPS redirection

Configmap change

• should reload after an update in the configuration

proxy-read-timeout

• should set valid proxy read timeouts using configmap values
• should not set invalid proxy read timeouts using configmap values

[Security] modsecurity-snippet

• should add value of modsecurity-snippet setting to nginx config

OCSP

• should enable OCSP and contain stapling information in the connection

reuse-port

• reuse port should be enabled by default
• reuse port should be disabled
• reuse port should be enabled

[Shutdown] Graceful shutdown with pending request

• should let slow requests finish before shutting down

[Shutdown] ingress controller

• should shutdown in less than 60 secons without pending connections
• should shutdown after waiting 60 seconds for pending connections to be closed
• should shutdown after waiting 150 seconds for pending connections to be closed

[Service] backend status code 503

• should return 503 when backend service does not exist
• should return 503 when all backend service endpoints are unavailable

[Service] Type ExternalName

• works with external name set to incomplete fqdn
• should return 200 for service type=ExternalName without a port defined
• should return 200 for service type=ExternalName with a port defined
• should return status 502 for service type=ExternalName with an invalid host
• should return 200 for service type=ExternalName using a port name
• should update the external name after a service update