e2e-tests.md

e2e test suite for Ingress NGINX Controller

Geoip2

• should include geoip2 line in config when enabled and db file exists
• should only allow requests from specific countries

[Security] global-auth-url

• should return status code 401 when request any protected service
• should return status code 200 when request whitelisted (via no-auth-locations) service and 401 when request protected service
• should return status code 200 when request whitelisted (via ingress annotation) service and 401 when request protected service
• should still return status code 200 after auth backend is deleted using cache
• should proxy_method method when global-auth-method is configured
• should add custom error page when global-auth-signin url is configured
• should add auth headers when global-auth-response-headers is configured
• should set request-redirect when global-auth-request-redirect is configured
• should set snippet when global external auth is configured
• user retains cookie by default
• user does not retain cookie if upstream returns error status code
• user with global-auth-always-set-cookie key in configmap retains cookie if upstream returns error status code

[Security] Pod Security Policies

• should be running with a Pod Security Policy

log-format-*

• should disable the log-format-escape-json by default
• should enable the log-format-escape-json
• should disable the log-format-escape-json
• log-format-escape-json enabled
• log-format-escape-json disabled

server-tokens

• should not exists Server header in the response
• should exists Server header in the response when is enabled

proxy-connect-timeout

• should set valid proxy timeouts using configmap values
• should not set invalid proxy timeouts using configmap values

ssl-ciphers

• Add ssl ciphers

use-proxy-protocol

• should respect port passed by the PROXY Protocol
• should respect proto passed by the PROXY Protocol server port
• should enable PROXY Protocol for HTTPS
• should enable PROXY Protocol for TCP

plugins

• should exist a x-hello-world header

configmap server-snippet

• should add value of server-snippet setting to all ingress config
• should add global server-snippet and drop annotations per admin config

[Flag] disable-catch-all

• should ignore catch all Ingress with backend
• should ignore catch all Ingress with backend and rules
• should delete Ingress updated to catch-all
• should allow Ingress with rules

enable-real-ip

• trusts X-Forwarded-For header only when setting is true
• should not trust X-Forwarded-For header when setting is false

keep-alive keep-alive-requests

• should set keepalive_timeout
• should set keepalive_requests
• should set keepalive connection to upstream server
• should set keep alive connection timeout to upstream server
• should set the request count to upstream server through one keep alive connection

enable-multi-accept

• should be enabled by default
• should be enabled when set to true
• should be disabled when set to false

[Flag] watch namespace selector

• should ingore Ingress of namespace without label foo=bar and accept those of namespace with label foo=bar

[Flag] disable-service-external-name

• should ignore services of external-name type

Configure OpenTracing

• should not exists opentracing directive
• should exists opentracing directive when is enabled
• should include opentracing_trust_incoming_span off directive when disabled
• should not exists opentracing_operation_name directive when is empty
• should exists opentracing_operation_name directive when is configured
• should not exists opentracing_location_operation_name directive when is empty
• should exists opentracing_location_operation_name directive when is configured
• should enable opentracing using zipkin
• should enable opentracing using jaeger
• should enable opentracing using jaeger with sampler host
• should propagate the w3c header when configured with jaeger
• should enable opentracing using jaeger with an HTTP endpoint
• should enable opentracing using datadog

Configmap change

• should reload after an update in the configuration

Configmap - limit-rate

• Check limit-rate config

access-log

• use the default configuration
• use the specified configuration
• use the specified configuration
• use the specified configuration
• use the specified configuration

global-options

• should have worker_rlimit_nofile option
• should have worker_rlimit_nofile option and be independent on amount of worker processes

[Flag] ingress-class

• should ignore Ingress with a different class annotation
• should ignore Ingress with different controller class
• should accept both Ingresses with default IngressClassName and IngressClass annotation
• should ignore Ingress without IngressClass configuration
• should delete Ingress when class is removed
• should serve Ingress when class is added
• should serve Ingress when class is updated between annotation and ingressClassName
• should ignore Ingress with no class and accept the correctly configured Ingresses
• should watch Ingress with no class and ignore ingress with a different class
• should watch Ingress that uses the class name even if spec is different
• should watch Ingress with correct annotation
• should ignore Ingress with only IngressClassName

reuse-port

• reuse port should be enabled by default
• reuse port should be disabled
• reuse port should be enabled

proxy-send-timeout

• should set valid proxy send timeouts using configmap values
• should not set invalid proxy send timeouts using configmap values

[SSL] [Flag] default-ssl-certificate

• uses default ssl certificate for catch-all ingress
• uses default ssl certificate for host based ingress when configured certificate does not match host

brotli

• condition

[Security] Pod Security Policies with volumes

• should be running with a Pod Security Policy

Dynamic $proxy_host

• should exist a proxy_host
• should exist a proxy_host using the upstream-vhost annotation value

[Security] block-*

• should block CIDRs defined in the ConfigMap
• should block User-Agents defined in the ConfigMap
• should block Referers defined in the ConfigMap

settings-global-rate-limit

• generates correct NGINX configuration

Add no tls redirect locations

• Check no tls redirect locations config

main-snippet

• should add value of main-snippet setting to nginx config

[Lua] lua-shared-dicts

• configures lua shared dicts

Bad annotation values

• [BAD_ANNOTATIONS] should drop an ingress if there is an invalid character in some annotation
• [BAD_ANNOTATIONS] should drop an ingress if there is a forbidden word in some annotation
• [BAD_ANNOTATIONS] should allow an ingress if there is a default blocklist config in place
• [BAD_ANNOTATIONS] should drop an ingress if there is a custom blocklist config in place and allow others to pass

[SSL] TLS protocols, ciphers and headers)

• setting cipher suite
• enforcing TLS v1.0
• setting max-age parameter
• setting includeSubDomains parameter
• setting preload parameter
• overriding what's set from the upstream
• should not use ports during the HTTP to HTTPS redirection
• should not use ports or X-Forwarded-Host during the HTTP to HTTPS redirection

[Security] modsecurity-snippet

• should add value of modsecurity-snippet setting to nginx config

OCSP

• should enable OCSP and contain stapling information in the connection

configmap stream-snippet

• should add value of stream-snippet via config map to nginx config

proxy-read-timeout

• should set valid proxy read timeouts using configmap values
• should not set invalid proxy read timeouts using configmap values

proxy-next-upstream

• should build proxy next upstream using configmap values

hash size

• should set server_names_hash_bucket_size
• should set server_names_hash_max_size
• should set proxy-headers-hash-bucket-size
• should set proxy-headers-hash-max-size
• should set variables-hash-bucket-size
• should set variables-hash-max-size
• should set vmap-hash-bucket-size

[Security] no-auth-locations

• should return status code 401 when accessing '/' unauthentication
• should return status code 200 when accessing '/' authentication
• should return status code 200 when accessing '/noauth' unauthenticated

[Flag] custom HTTP and HTTPS ports

• should set X-Forwarded-Port headers accordingly when listening on a non-default HTTP port
• should set X-Forwarded-Port header to 443
• should set the X-Forwarded-Port header to 443

use-forwarded-headers

• should trust X-Forwarded headers when setting is true
• should not trust X-Forwarded headers when setting is false

add-headers

• Add a custom header
• Add multiple custom headers

[Load Balancer] round-robin

• should evenly distribute requests with round-robin (default algorithm)

[Load Balancer] EWMA

• does not fail requests

[Load Balancer] load-balance

• should apply the configmap load-balance setting

[SSL] redirect to HTTPS

• should redirect from HTTP to HTTPS when secret is missing

[SSL] secret update

• should not appear references to secret updates not used in ingress rules
• should return the fake SSL certificate if the secret is invalid

[Service] Type ExternalName

• works with external name set to incomplete fqdn
• should return 200 for service type=ExternalName without a port defined
• should return 200 for service type=ExternalName with a port defined
• should return status 502 for service type=ExternalName with an invalid host
• should return 200 for service type=ExternalName using a port name
• should return 200 for service type=ExternalName using FQDN with trailing dot
• should update the external name after a service update
• should sync ingress on external name service addition/deletion

[Service] Nil Service Backend

• should return 404 when backend service is nil

[Service] backend status code 503

• should return 503 when backend service does not exist
• should return 503 when all backend service endpoints are unavailable