Skip to content

Annotations: Quote CertificateAuth.MatchCN. #11886

Annotations: Quote CertificateAuth.MatchCN.

Annotations: Quote CertificateAuth.MatchCN. #11886

GitHub Actions / JEST Tests v1.31.4 succeeded Jan 14, 2025 in 0s

435 passed, 0 failed and 4 skipped

Tests passed successfully

βœ…Β report-e2e-test-suite.xml

439 tests were completed in 2582s with 435 passed, 0 failed and 4 skipped.

Test suite Passed Failed Skipped Time
nginx-ingress-controller e2e suite 435βœ… 4βšͺ 2582s

βœ…Β nginx-ingress-controller e2e suite

nginx-ingress-controller e2e suite
  βœ… [It] [Annotations] cors-* should not allow - single origin with port and origin without port
  βœ… [It] [Annotations] auth-tls-* should return 200 using auth-tls-match-cn where atleast one of the regex options matches CN from client
  βœ… [It] [Setting] access-log access-log-path use the specified configuration
  βœ… [It] [Service] Type ExternalName should return 200 for service type=ExternalName using a port name
  βœ… [It] [Annotations] proxy-* should build proxy next upstream
  βœ… [It] [Annotations] service-upstream when using the default value (false) and enabling in the annotations should use the Service Cluster IP and Port
  βœ… [It] [Setting] [SSL] TLS protocols, ciphers and headers should configure HSTS policy header setting max-age parameter
  βœ… [It] [Annotations] client-body-buffer-size should set client_body_buffer_size to 1M
  βœ… [It] [Annotations] auth-* cookie set by external authentication server user retains cookie by default
  βœ… [It] [Annotations] canary-* when canaried by weight should route requests only to canary if canary weight is equal to canary weight total
  βœ… [It] [Annotations] modsecurity owasp should enable modsecurity globally and with modsecurity-snippet block requests
  βœ… [It] [Annotations] canary-* when canary is created should response with a 200 status from the mainline upstream when requests are made to the mainline ingress
  βœ… [It] [Annotations] denylist-source-range only allow explicitly allowed IPs, deny all others
  βœ… [It] [Annotations] cors-* should not allow - single origin without port and origin with required port
  βœ… [It] [Annotations] Annotation - limit-connections should limit-connections
  βœ… [It] [Setting] keep-alive keep-alive-requests Check the upstream keep alive should set keep alive connection timeout to upstream server
  βœ… [It] [Setting] enable-multi-accept should be enabled by default
  βœ… [It] [Flag] disable-catch-all should allow Ingress with rules
  βœ… [It] [Disable Leader] Routing works when leader election was disabled should create multiple ingress routings rules when leader election has disabled
  βœ… [It] [Flag] ingress-class With default ingress class config should ignore Ingress with different controller class
  βœ… [It] [Annotations] proxy-* should set proxy_redirect to hello.com goodbye.com
  βœ… [It] [Annotations] denylist-source-range only deny explicitly denied IPs, allow all others
  βœ… [It] [Annotations] disable-access-log disable-http-access-log disable-stream-access-log disable-http-access-log set access_log off
  βœ… [It] [Lua] dynamic certificates given an ingress with TLS correctly configured supports requests with domain with trailing dot
  βœ… [It] [Ingress] [PathType] prefix checks should correctly route multi-segment path patterns
  βœ… [It] [Annotations] auth-tls-* should return 200 using auth-tls-match-cn with matching CN from client
  βœ… [It] [Annotations] auth-* should return status code 401 and cors headers when authentication and cors is configured but Authorization header is not configured
  βœ… [It] [Annotations] auth-tls-* should validate auth-tls-verify-client
  βœ… [It] [Setting] Add no tls redirect locations Check no tls redirect locations config
  βœ… [It] [Annotations] canary-* when canaried by header with value and pattern should route requests to the correct upstream
  βœ… [It] [Annotations] ssl-ciphers should keep ssl ciphers
  βœ… [It] [Setting] [Security] global-auth-url cookie set by external authentication server user retains cookie by default
  βœ… [It] [Setting] [Security] modsecurity-snippet should add value of modsecurity-snippet setting to nginx config
  βœ… [It] [Setting] use-forwarded-headers should not trust X-Forwarded headers when setting is false
  βœ… [It] [metrics] exported prometheus metrics request metrics per undefined host are present when flag is set
  βœ… [It] [Annotations] canary-* when canaried by weight should route requests split between mainline and canary if canary weight is 50
  βœ… [It] Debug CLI should produce valid JSON for /dbg general
  βœ… [It] [Annotations] preserve-trailing-slash should allow preservation of trailing slashes
  βœ… [It] [Annotations] rewrite-target use-regex enable-rewrite-log should use ~* location modifier if regex annotation is present
  βœ… [It] [Annotations] modsecurity owasp should enable modsecurity
  βœ… [It] [Flag] disable-catch-all should delete Ingress updated to catch-all
  βœ… [It] Dynamic $proxy_host should exist a proxy_host using the upstream-vhost annotation value
  βœ… [It] [Setting] log-format-* Check log-format-escape-json and log-format-escape-none should not configure log-format escape by default
  βœ… [It] [Annotations] satisfy should allow multiple auth with satisfy any
  βœ… [It] [Flag] disable-sync-events should create sync events (default)
  βœ… [It] [Setting] proxy-next-upstream should build proxy next upstream using configmap values
  βœ… [It] [Annotations] backend-protocol should set backend protocol to https:// and use proxy_pass with lowercase annotation
  βœ… [It] [Annotations] cors-* should set cors methods to only allow POST, GET
  βœ… [It] [Setting] proxy-read-timeout should set valid proxy read timeouts using configmap values
  βœ… [It] [Annotations] ssl-ciphers should change ssl ciphers
  βœ… [It] [Annotations] auth-* should return status code 200 when no authentication is configured
  βœ… [It] [Annotations] mirror-* should set mirror-target to https://test.env.com/$request_uri
  βœ… [It] [Setting] nginx-configuration fails when using alias directive
  βœ… [It] [Flag] ingress-class Without IngressClass Cluster scoped Permission should watch Ingress with correct annotation
  βœ… [It] [Setting] proxy-connect-timeout should set valid proxy timeouts using configmap values
  βœ… [It] [Annotations] auth-* should return status code 401 when authentication is configured with invalid content and Authorization header is sent
  βœ… [It] [Lua] dynamic certificates given an ingress with TLS correctly configured picks up a non-certificate only change
  βœ… [It] [Service] Type ExternalName should return status 502 for service type=ExternalName with an invalid host
  βœ… [It] [Flag] custom HTTP and HTTPS ports with a TLS enabled ingress should set X-Forwarded-Port header to 443
  βœ… [It] [Annotations] affinitymode Balanced affinity mode should balance
  βœ… [It] [Annotations] allowlist-source-range should set valid ip allowlist range
  βœ… [It] [Annotations] canary-* when canaried by weight should route requests only to canary if canary weight is 100
  βœ… [It] [Security] request smuggling should not return body content from error_page
  βœ… [It] [Setting] [Security] no-auth-locations should return status code 401 when accessing '/' unauthentication
  βœ… [It] [Annotations] auth-* when external authentication is configured should disable set_all_vars when auth-keepalive-share-vars is not set
  βœ… [It] [Annotations] canary-* when canaried by header with value and pattern should route requests to the correct upstream
  βœ… [It] [Annotations] affinity session-cookie-name should change cookie name on ingress definition change
  βœ… [It] [Annotations] cors-* should allow correct origin but not others - cors allow origin annotations contain trailing comma
  βœ… [It] [Annotations] proxy-* should turn on proxy-buffering
  βœ… [It] [Admission] admission controller should not allow overlaps of host and paths without canary annotations [Serial]
  βœ… [It] [Admission] admission controller should return an error if there is an invalid value in some annotation [Serial]
  βœ… [It] [Admission] admission controller should return an error if the Ingress V1 definition contains invalid annotations [Serial]
  βœ… [It] [Admission] admission controller should return an error if there is an invalid path and wrong pathType is set [Serial]
  βœ… [It] [TopologyHints] topology aware routing should return 200 when service has topology hints [Serial]
  βœ… [It] [Admission] admission controller should return an error if there is an error validating the ingress definition [Serial]
  βœ… [It] annotation validations should allow ingress based on their risk on webhooks [Serial]
  βœ… [It] [Admission] admission controller should allow overlaps of host and paths with canary annotation [Serial]
  βœ… [It] [Admission] admission controller should not return an error for an invalid Ingress when it has unknown class [Serial]
  βœ… [It] [CGroups] cgroups detect cgroups version v2 [Serial]
  βœ… [It] [Admission] admission controller should not return an error if the Ingress V1 definition is valid with IngressClass annotation [Serial]
  βœ… [It] [Flag] watch namespace selector With specific watch-namespace-selector flags should ignore Ingress of namespace without label foo=bar and accept those of namespace with label foo=bar [Serial]
  βœ… [It] [Admission] admission controller should not return an error if the Ingress V1 definition is valid with Ingress Class [Serial]
  βœ… [It] annotation validations should allow ingress based on their risk on webhooks [Serial]
  βœ… [It] [CGroups] cgroups detects cgroups version v1 [Serial]
  βœ… [It] [Admission] admission controller should block ingress with invalid path [Serial]
  βœ… [It] [Admission] admission controller should return an error if there is a forbidden value in some annotation [Serial]
  βœ… [It] [Annotations] cors-* should not match
  βœ… [It] [Setting] keep-alive keep-alive-requests Check the upstream keep alive should set keepalive time to upstream server
  βœ… [It] [Annotations] backend-protocol - FastCGI should add fastcgi_param in the configuration file
  βœ… [It] [Setting] log-format-* Check log-format-escape-json and log-format-escape-none should disable the log-format-escape-json
  βœ… [It] [Setting] Configmap change should reload after an update in the configuration
  βœ… [It] [metrics] exported prometheus metrics request metrics per undefined host are not present when flag is not set
  βœ… [It] [Annotations] affinity session-cookie-name should work with server-alias annotation
  βœ… [It] [Annotations] upstream-hash-by-* should connect to the same subset of pods
  βœ… [It] [Annotations] upstream-hash-by-* should connect to the same pod
  βœ… [It] [Annotations] auth-* when external authentication with caching is configured should return status code 200 when signed in after auth backend is deleted
  βœ… [It] [Annotations] proxy-* should set proxy client-max-body-size to 8m
  βœ… [It] [Shutdown] ingress controller should shutdown in less than 60 seconds without pending connections
  βœ… [It] [Setting] [Security] global-auth-url cookie set by external authentication server user with global-auth-always-set-cookie key in configmap retains cookie if upstream returns error status code
  βœ… [It] [Setting] [SSL] TLS protocols, ciphers and headers ports or X-Forwarded-Host check during HTTP tp HTTPS redirection should not use ports during the HTTP to HTTPS redirection
  βœ… [It] [Setting] gzip should set gzip_types to text/html
  βœ… [It] [Annotations] modsecurity owasp should enable modsecurity through the config map
  βœ… [It] [Annotations] configuration-snippet set snippet more_set_headers in all locations
  βœ… [It] [Annotations] cors-* should not break functionality - without `*`
  βœ… [It] [Flag] enable-ssl-passthrough With enable-ssl-passthrough enabled should enable ssl-passthrough-proxy-port on a different port
  βœ… [It] [Annotations] auth-* should set cache_key when external auth cache is configured
  βœ… [It] [Annotations] mirror-* should disable mirror-request-body
  βœ… [It] [Setting] [Security] global-auth-url when global external authentication is configured should still return status code 200 after auth backend is deleted using cache
  βœ… [It] [Setting] add-headers Add a custom header
  βœ… [It] [Flag] disable-sync-events should not create sync events
  βœ… [It] [Setting] proxy-read-timeout should not set invalid proxy read timeouts using configmap values
  βœ… [It] [Service] Type ExternalName should sync ingress on external name service addition/deletion
  βœ… [It] [Annotations] rewrite-target use-regex enable-rewrite-log should fail to use longest match for documented warning
  βšͺ [It] [Default Backend] disables access logging for default backend
  βœ… [It] [Annotations] proxy-* should turn off proxy-request-buffering
  βœ… [It] [Setting] [Security] global-auth-url when global external authentication is configured should return status code 200 when request whitelisted (via ingress annotation) service and 401 when request protected service
  βœ… [It] [Lua] dynamic configuration when only backends change handles endpoints only changes
  βœ… [It] [Annotations] canary-* when canaried by header with value and pattern should routes to mainline upstream when the given Regex causes error
  βœ… [It] [Annotations] backend-protocol should set backend protocol to https:// and use proxy_pass
  βœ… [It] [Setting] [SSL] TLS protocols, ciphers and headers should configure HSTS policy header overriding what's set from the upstream
  βœ… [It] [Setting] nginx-configuration fails when using root directive
  βœ… [It] [Setting] nginx-configuration start nginx with default configuration
  βœ… [It] [Annotations] proxy-* should setup proxy cookies
  βœ… [It] [Annotations] proxy-ssl-* should set valid proxy-ssl-secret, proxy-ssl-ciphers to HIGH:!AES
  βœ… [It] [Annotations] canary-* when canaried by header with no value should route requests to the correct upstream
  βœ… [It] [Annotations] auth-* when external authentication is configured should not create additional upstream block when auth-keepalive is negative
  βœ… [It] [Annotations] server-alias should return status code 200 for host 'foo' and 'bar'
  βœ… [It] [metrics] exported prometheus metrics exclude socket request metrics are present
  βœ… [It] [Setting] [SSL] TLS protocols, ciphers and headers ports or X-Forwarded-Host check during HTTP tp HTTPS redirection should not use ports or X-Forwarded-Host during the HTTP to HTTPS redirection
  βœ… [It] [Setting] hash size Check proxy header hash size should set proxy-headers-hash-bucket-size
  βœ… [It] [Ingress] [PathType] prefix checks should test prefix path using simple regex pattern for /id/{int}
  βœ… [It] [Annotations] Bad annotation values [BAD_ANNOTATIONS] should drop an ingress if there is an invalid character in some annotation
  βœ… [It] [Annotations] server-snippet add valid directives to server via server snippet
  βœ… [It] [Setting] main-snippet should add value of main-snippet setting to nginx config
  βœ… [It] [Annotations] auth-* with invalid auth-url should deny whole location should add error to the config
  βšͺ [It] [Default Backend] enables access logging for default backend
  βœ… [It] [Annotations] enable-access-log enable-rewrite-log set access_log off
  βœ… [It] [Lua] dynamic certificates picks up the certificate when we add TLS spec to existing ingress
  βœ… [It] [Annotations] affinity session-cookie-name should set the path to /something on the generated cookie
  βœ… [It] [Annotations] cors-* should not break functionality
  βœ… [It] [Lua] dynamic configuration configures balancer Lua middleware correctly
  βœ… [It] [Flag] ingress-class With watch-ingress-without-class flag should watch Ingress with no class and ignore ingress with a different class
  βœ… [It] [Annotations] canary-* canary affinity behavior always routes traffic to canary if first request was affinitized to canary (default behavior)
  βœ… [It] [Annotations] modsecurity owasp should disable modsecurity
  βœ… [It] [Setting] [Security] global-auth-url when global external authentication is configured should add custom error page when global-auth-signin url is configured
  βœ… [It] [Setting] use-proxy-protocol should enable PROXY Protocol for HTTPS
  βœ… [It] [TCP] tcp-services should expose a TCP service
  βœ… [It] [Annotations] mirror-* should set mirror-target to http://localhost/mirror
  βœ… [It] [Annotations] backend-protocol - GRPC should return OK when request not exceed timeout
  βœ… [It] Configure Opentelemetry should include opentelemetry_trust_incoming_spans on directive when enabled
  βœ… [It] [Annotations] auth-* when external authentication with caching is configured should redirect to signin url when not signed in
  βœ… [It] [Annotations] disable-proxy-intercept-errors configures Nginx correctly
  βœ… [It] [Setting] [Security] global-auth-url when global external authentication is configured should set snippet when global external auth is configured
  βœ… [It] [Endpointslices] long service name should return 200 when service name has max allowed number of characters 63
  βœ… [It] [Service] Type ExternalName should return 200 for service type=ExternalName without a port defined
  βœ… [It] [Annotations] auth-* when external authentication with caching is configured should deny login for different location on same server
  βœ… [It] [Annotations] proxy-* should set proxy_redirect to default
  βœ… [It] [Annotations] modsecurity owasp should enable modsecurity with transaction ID and OWASP rules
  βœ… [It] [Setting] proxy-send-timeout should set valid proxy send timeouts using configmap values
  βœ… [It] [Annotations] auth-* should return status code 503 when authentication is configured with an invalid secret
  βœ… [It] [Setting] [Load Balancer] round-robin should evenly distribute requests with round-robin (default algorithm)
  βœ… [It] [Setting] gzip should set gzip_comp_level to 4
  βœ… [It] [Annotations] modsecurity owasp should enable modsecurity through the config map but ignore snippet as disabled by admin
  βœ… [It] [SSL] [Flag] default-ssl-certificate uses default ssl certificate for host based ingress when configured certificate does not match host
  βœ… [It] [Annotations] canary-* when canaried by cookie respects always and never values
  βœ… [It] [Annotations] backend-protocol should set backend protocol to grpcs:// and use grpc_pass
  βœ… [It] [Setting] log-format-* Check log-format-escape-json and log-format-escape-none should disable the log-format-escape-none
  βœ… [It] [Setting] [Load Balancer] load-balance should apply the configmap load-balance setting
  βœ… [It] [Setting] gzip should set gzip_disable to msie6
  βœ… [It] [Annotations] auth-* cookie set by external authentication server user does not retain cookie if upstream returns error status code
  βœ… [It] Dynamic $proxy_host should exist a proxy_host
  βœ… [It] [Annotations] proxy-* should set valid proxy timeouts
  βœ… [It] [Setting] enable-multi-accept should be disabled when set to false
  βœ… [It] [Annotations] modsecurity owasp should enable modsecurity with snippet
  βœ… [It] [Annotations] from-to-www-redirect should redirect from www HTTP to HTTP
  βœ… [It] [Annotations] cors-* should enable cors
  βœ… [It] [Setting] [SSL] TLS protocols, ciphers and headers should configure HSTS policy header setting preload parameter
  βœ… [It] [Annotations] canary-* when canaried by weight should route requests only to mainline if canary weight is 0
  βœ… [It] [Setting] [Security] no-auth-locations should return status code 200 when accessing '/'  authentication
  βœ… [It] [Flag] disable-catch-all should ignore catch all Ingress with backend
  βœ… [It] [Ingress] [PathType] mix Exact and Prefix paths should choose the correct location
  βœ… [It] [Setting] [Security] block-* should block CIDRs defined in the ConfigMap
  βœ… [It] [Setting] [Security] global-auth-url cookie set by external authentication server user does not retain cookie if upstream returns error status code
  βœ… [It] [Annotations] canary-* when canary is created should route requests to the correct upstream if mainline ingress is created after the canary ingress
  βœ… [It] [Shutdown] Grace period shutdown /healthz should return status code 500 during shutdown grace period
  βœ… [It] [Setting] reuse-port reuse port should be enabled by default
  βœ… [It] [Annotations] affinity session-cookie-name should set cookie with domain
  βœ… [It] [Service] Type ExternalName should return 200 for service type=ExternalName using FQDN with trailing dot
  βœ… [It] [Annotations] auth-* when external authentication is configured should not create additional upstream block when host part of auth-url contains a variable
  βœ… [It] [Flag] ingress-class With ingress-class-by-name flag should watch Ingress that uses the class name even if spec is different
  βœ… [It] [Default Backend] change default settings should apply the annotation to the default backend
  βœ… [It] [Annotations] permanent-redirect permanent-redirect-code should respond with a custom redirect code
  βœ… [It] [Ingress] definition without host should set ingress details variables for ingresses without a host
  βœ… [It] [Annotations] auth-* should return status code 401 when authentication is configured but Authorization header is not configured
  βœ… [It] [Setting] enable-real-ip should not trust X-Forwarded-For header when setting is false
  βœ… [It] [Annotations] auth-* when external authentication is configured keeps processing new ingresses even if one of the existing ingresses is misconfigured
  βœ… [It] [Annotations] auth-* when external authentication is configured should return status code 200 when signed in
  βœ… [It] [Annotations] backend-protocol - GRPC authorization metadata should be overwritten by external auth response headers
  βœ… [It] [Setting] keep-alive keep-alive-requests Check the upstream keep alive should set the request count to upstream server through one keep alive connection
  βœ… [It] [Annotations] server-alias should return status code 200 for host 'foo' and 404 for 'bar'
  βœ… [It] [Setting] add-headers Add multiple custom headers
  βœ… [It] [Setting] aio-write should be enabled by default
  βœ… [It] [Annotations] proxy-ssl-* should set valid proxy-ssl-secret
  βœ… [It] [Flag] enable-ssl-passthrough With enable-ssl-passthrough enabled should pass unknown traffic to default backend and handle known traffic
  βœ… [It] [Setting] proxy-connect-timeout should not set invalid proxy timeouts using configmap values
  βœ… [It] [Flag] ingress-class With default ingress class config should serve Ingress when class is added
  βœ… [It] [Annotations] proxy-ssl-* proxy-ssl-location-only flag should change the nginx config server part
  βœ… [It] [Service] backend status code 503 should return 503 when all backend service endpoints are unavailable
  βœ… [It] [Setting] hash size Check server names hash size should set server_names_hash_max_size
  βœ… [It] [Setting] log-format-* Check log-format-escape-json and log-format-escape-none should enable the log-format-escape-json
  βœ… [It] [Annotations] canary-* Single canary Ingress should not use canary with domain as a server
  βœ… [It] [Annotations] permanent-redirect permanent-redirect-code should respond with a standard redirect code
  βœ… [It] [Annotations] proxy-* should set proxy_redirect to off
  βœ… [It] [Setting] [Security] global-auth-url when global external authentication is configured should add auth headers when global-auth-response-headers is configured
  βœ… [It] [Ingress] DeepInspection should drop whole ingress if one path matches invalid regex
  βœ… [It] [Annotations] auth-tls-* should set sslClientCertificate, sslVerifyClient and sslVerifyDepth with auth-tls-secret
  βœ… [It] [Annotations] canary-* when canary is created should route requests to the correct upstream if the canary ingress is modified
  βœ… [It] [Setting] [SSL] TLS protocols, ciphers and headers should configure TLS protocol setting cipher suite
  βœ… [It] [Annotations] proxy-ssl-* should set valid proxy-ssl-secret, proxy-ssl-protocols
  βœ… [It] [Annotations] configuration-snippet drops snippet more_set_header in all locations if disabled by admin
  βœ… [It] [Annotations] affinity session-cookie-name should set secure in cookie with provided false annotation on https
  βœ… [It] [Annotations] x-forwarded-prefix should set the X-Forwarded-Prefix to the annotation value
  βœ… [It] [SSL] secret update should not appear references to secret updates not used in ingress rules
  βœ… [It] [Annotations] affinity session-cookie-name should warn user when use-regex is true and session-cookie-path is not set
  βœ… [It] [metrics] exported prometheus metrics exclude socket request metrics are absent
  βœ… [It] [Setting] [Security] no-auth-locations should return status code 200 when accessing '/noauth' unauthenticated
  βœ… [It] [Annotations] service-upstream when enabling in the configmap and disabling in the annotations should not use the Service Cluster IP and Port
  βœ… [It] Configure Opentelemetry should exists opentelemetry directive when is enabled
  βœ… [It] [Setting] server-tokens should exists Server header in the response when is enabled
  βœ… [It] [Annotations] backend-protocol - GRPC should return OK for service with backend protocol GRPCS
  βœ… [It] [Annotations] cors-* should not allow - single origin for multiple cors values
  βœ… [It] [Annotations] auth-* should set snippet "proxy_set_header My-Custom-Header 42;" when external auth is configured
  βœ… [It] [Annotations] modsecurity owasp should enable modsecurity when enable-owasp-modsecurity-crs is set to true
  βœ… [It] [Setting] [SSL] TLS protocols, ciphers and headers should configure HSTS policy header setting includeSubDomains parameter
  βœ… [It] [Annotations] default-backend when default backend annotation is enabled should use a custom default backend as upstream
  βœ… [It] [Annotations] auth-tls-* should reload the nginx config when auth-tls-match-cn is updated
  βœ… [It] Configure Opentelemetry should not exists opentelemetry_operation_name directive when is empty
  βœ… [It] [Annotations] auth-tls-* should set valid auth-tls-secret, sslVerify to off, and sslVerifyDepth to 2
  βœ… [It] [Setting] stream-snippet should add stream-snippet and drop annotations per admin config
  βœ… [It] [Flag] custom HTTP and HTTPS ports with a plain HTTP ingress should set X-Forwarded-Port headers accordingly when listening on a non-default HTTP port
  βœ… [It] [Lua] dynamic configuration when only backends change handles endpoints only changes consistently (down scaling of replicas vs. empty service)
  βœ… [It] [Annotations] limit-rate Check limit-rate annotation
  βœ… [It] [Annotations] canary-* canary affinity behavior routes traffic to either mainline or canary backend (legacy behavior)
  βœ… [It] [Annotations] custom-headers-* should return status code 200 when no custom-headers is configured
  βœ… [It] [Annotations] canary-* when canaried by header with value and cookie should route requests to the correct upstream
  βœ… [It] [Annotations] canary-* canary affinity behavior always routes traffic to canary if first request was affinitized to canary (explicit sticky behavior)
  βœ… [It] [Annotations] rewrite-target use-regex enable-rewrite-log should use correct longest path match
  βœ… [It] [Annotations] client-body-buffer-size should not set client_body_buffer_size to invalid 1b
  βœ… [It] [Annotations] proxy-* should not set proxy client-max-body-size to incorrect value
  βœ… [It] [Annotations] rewrite-target use-regex enable-rewrite-log should write rewrite logs
  βœ… [It] [Annotations] affinity session-cookie-name should set secure in cookie with provided true annotation on http
  βœ… [It] [Setting] [Security] global-auth-url when global external authentication is configured should return status code 200 when request whitelisted (via no-auth-locations) service and 401 when request protected service
  βœ… [It] [Annotations] auth-* should set "proxy_set_header 'My-Custom-Header' '42';" when auth-headers are set
  βœ… [It] [Annotations] auth-tls-* should return 403 using auth-tls-match-cn with no matching CN from client
  βœ… [It] [Service] Nil Service Backend should return 404 when backend service is nil
  βœ… [It] [Annotations] disable-access-log disable-http-access-log disable-stream-access-log disable-stream-access-log set access_log off
  βœ… [It] [Annotations] modsecurity owasp should enable modsecurity with snippet and block requests
  βœ… [It] [Annotations] canary-* when canaried by weight should route requests split between mainline and canary if canary weight is 100 and weight total is 200
  βœ… [It] [Flag] ingress-class With default ingress class config should serve Ingress when class is updated between annotation and ingressClassName
  βœ… [It] [Service] Type ExternalName should update the external name after a service update
  βœ… [It] [Setting] log-format-* Check log-format-upstream with log-format-escape-json and log-format-escape-none log-format-escape-json enabled
  βœ… [It] [Lua] dynamic certificates given an ingress with TLS correctly configured removes HTTPS configuration when we delete TLS spec
  βœ… [It] [Annotations] cors-* should set cors max-age
  βœ… [It] [SSL] redirect to HTTPS should redirect from HTTP to HTTPS when secret is missing
  βœ… [It] [Setting] hash size Check server names hash size should set server_names_hash_bucket_size
  βœ… [It] [Setting] Configmap - limit-rate Check limit-rate config
  βœ… [It] [Annotations] cors-* should not allow - unmatching origin with wildcard origin (2 subdomains)
  βœ… [It] [Annotations] satisfy should configure satisfy directive correctly
  βœ… [It] [Annotations] auth-tls-* should pass URL-encoded certificate to upstream
  βœ… [It] [Annotations] modsecurity owasp should enable modsecurity without using 'modsecurity on;'
  βœ… [It] [Annotations] auth-* should return status code 401 when authentication is configured and Authorization header is sent with invalid credentials
  βœ… [It] [Setting] hash size Check proxy header hash size should set proxy-headers-hash-max-size
  βœ… [It] [Ingress] [PathType] prefix checks should test prefix path using fixed path size regex pattern /id/{int}{3}
  βœ… [It] [Annotations] auth-* when external authentication is configured should not create additional upstream block when auth-keepalive is set with HTTP/2
  βœ… [It] single ingress - multiple hosts should set the correct $service_name NGINX variable
  βœ… [It] [Annotations] backend-protocol - FastCGI should add fastcgi_index in the configuration file
  βœ… [It] [Annotations] auth-* when external authentication is configured should create additional upstream block when auth-keepalive is set with HTTP/1.x
  βœ… [It] [Annotations] from-to-www-redirect should redirect from www HTTPS to HTTPS
  βœ… [It] [Annotations] backend-protocol - GRPC should return Error when request exceed timeout
  βœ… [It] [Setting] log-format-* Check log-format-escape-json and log-format-escape-none should enable the log-format-escape-none
  βœ… [It] [Ingress] [PathType] prefix checks should return 404 when prefix /aaa does not match request /aaaccc
  βœ… [It] [Annotations] Bad annotation values [BAD_ANNOTATIONS] should drop an ingress if there is a custom blocklist config in place and allow others to pass
  βœ… [It] [Annotations] client-body-buffer-size should set client_body_buffer_size to 1K
  βœ… [It] Debug CLI should list the backend servers
  βœ… [It] [Annotations] cors-* should allow correct origins - missing subdomain + origin with wildcard origin and correct origin
  βœ… [It] [Setting] ssl-ciphers Add ssl ciphers
  βœ… [It] [Annotations] cors-* should disable cors allow credentials
  βœ… [It] [Flag] ingress-class Without IngressClass Cluster scoped Permission should ignore Ingress with only IngressClassName
  βœ… [It] [Annotations] canary-* does not crash when canary ingress has multiple paths to the same non-matching backend
  βœ… [It] [Annotations] force-ssl-redirect should redirect to https
  βœ… [It] [Annotations] auth-* with invalid auth-url should deny whole location should return 503 (location was denied)
  βœ… [It] [Annotations] custom-headers-* should set "more_set_headers 'My-Custom-Header' '42';" when custom-headers are set
  βœ… [It] [Annotations] Bad annotation values [BAD_ANNOTATIONS] should drop an ingress if there is a forbidden word in some annotation
  βœ… [It] [Setting] log-format-* Check log-format-upstream with log-format-escape-json and log-format-escape-none log-format default escape
  βœ… [It] [Default Backend] custom service uses custom default backend that returns 200 as status code
  βœ… [It] [Setting] enable-multi-accept should be enabled when set to true
  βœ… [It] [Annotations] auth-* should return status code 200 when authentication is configured with a map and Authorization header is sent
  βœ… [It] [Annotations] auth-* should return status code 200 when authentication is configured and Authorization header is sent
  βœ… [It] [Setting] [Security] global-auth-url when global external authentication is configured should return status code 401 when request any protected service
  βœ… [It] [Setting] aio-write should be enabled when setting is true
  βœ… [It] Configure Opentelemetry should not exists opentelemetry directive
  βœ… [It] [Flag] disable-catch-all should ignore catch all Ingress with backend and rules
  βœ… [It] [Annotations] cors-* should allow - missing origins (should allow all origins)
  βœ… [It] [Setting] [Load Balancer] EWMA does not fail requests
  βœ… [It] [Service] backend status code 503 should return 503 when backend service does not exist
  βœ… [It] [Annotations] cors-* should allow - single origin with required port
  βœ… [It] [Setting] stream-snippet should add value of stream-snippet to nginx config
  βœ… [It] [Setting] reuse-port reuse port should be enabled
  βœ… [It] [Setting] access-log stream-access-log-path use the specified configuration
  βœ… [It] [Annotations] backend-protocol should set backend protocol to '' and use fastcgi_pass
  βœ… [It] [Annotations] enable-access-log enable-rewrite-log set rewrite_log on
  βœ… [It] [Annotations] affinity session-cookie-name should not set secure in cookie with provided false annotation on http
  βœ… [It] [Setting] server-tokens should not exists Server header in the response
  βœ… [It] [Setting] [Lua] lua-shared-dicts configures lua shared dicts
  βœ… [It] [Annotations] backend-protocol should set backend protocol to grpc:// and use grpc_pass
  βœ… [It] [Annotations] modsecurity owasp should disable default modsecurity conf setting when modsecurity-snippet is specified
  βœ… [It] [Annotations] affinity session-cookie-name should set sticky cookie without host
  βœ… [It] [Annotations] canary-* when canary is created should return 404 status for requests to the canary if no matching ingress is found
  βœ… [It] [Annotations] custom-http-errors configures Nginx correctly
  βœ… [It] [Annotations] proxy-* should change the default proxy HTTP version
  βœ… [It] [Setting] configmap stream-snippet should add value of stream-snippet via config map to nginx config
  βœ… [It] [Setting] reuse-port reuse port should be disabled
  βœ… [It] [Flag] custom HTTP and HTTPS ports with a TLS enabled ingress when external authentication is configured should set the X-Forwarded-Port header to 443
  βœ… [It] [SSL] [Flag] default-ssl-certificate uses default ssl certificate for catch-all ingress
  βœ… [It] Configure Opentelemetry should exists opentelemetry_operation_name directive when is configured
  βœ… [It] [Annotations] cors-* should expose headers for cors
  βœ… [It] [Annotations] affinitymode Check persistent affinity mode
  βœ… [It] [Flag] disable-service-external-name should ignore services of external-name type
  βœ… [It] [Annotations] canary-* when canary is created should route requests to the correct upstream if mainline ingress is created before the canary ingress
  βœ… [It] [Setting] use-proxy-protocol should respect proto passed by the PROXY Protocol server port
  βœ… [It] [Annotations] affinity session-cookie-name should set cookie with expires
  βœ… [It] [Annotations] affinity session-cookie-name should work with use-regex annotation and session-cookie-path
  βœ… [It] [Setting] OCSP should enable OCSP and contain stapling information in the connection
  βœ… [It] [Flag] ingress-class With default ingress class config should delete Ingress when class is removed
  βœ… [It] [Annotations] backend-protocol - FastCGI should return OK for service with backend protocol FastCGI
  βœ… [It] [Annotations] cors-* should allow origin for cors
  βœ… [It] [Setting] gzip should set gzip_min_length to 100
  βœ… [It] [Annotations] x-forwarded-prefix should not add X-Forwarded-Prefix if the annotation value is empty
  βœ… [It] [Annotations] custom-headers-* should return status code 503 when custom-headers is configured with an invalid secret
  βœ… [It] [Annotations] cors-* should not break functionality with extra domain
  βœ… [It] [Ingress] definition without host should set ingress details variables for ingresses with host without IngressRuleValue, only Backend
  βœ… [It] [Annotations] affinity session-cookie-name should set sticky cookie SERVERID
  βœ… [It] [Annotations] auth-* should not set snippet "proxy_set_header My-Custom-Header 42;" when external auth is not configured
  βœ… [It] [Annotations] auth-* when external authentication with caching is configured should deny login for different servers
  βœ… [It] [Annotations] backend-protocol should set backend protocol to $scheme:// and use proxy_pass
  βœ… [It] [Setting] Geoip2 should include geoip2 line in config when enabled and db file exists
  βœ… [It] [Annotations] backend-protocol - FastCGI should use fastcgi_pass in the configuration file
  βœ… [It] [Setting] hash size Check the variable hash size should set variables-hash-bucket-size
  βœ… [It] [Annotations] cors-* should allow correct origins - single origin for multiple cors values
  βœ… [It] [Setting] use-forwarded-headers should trust X-Forwarded headers when setting is true
  βœ… [It] [Annotations] modsecurity owasp should disable modsecurity using 'modsecurity off;'
  βœ… [It] [Setting] keep-alive keep-alive-requests Check the upstream keep alive should set keepalive connection to upstream server
  βšͺ [It] [Memory Leak] Dynamic Certificates should not leak memory from ingress SSL certificates or configuration updates
  βœ… [It] [Setting] proxy-send-timeout should not set invalid proxy send timeouts using configmap values
  βœ… [It] [Setting] gzip should be enabled with default settings
  βœ… [It] [Annotations] client-body-buffer-size should set client_body_buffer_size to 1k
  βœ… [It] [Setting] access-log http-access-log-path & stream-access-log-path use the specified configuration
  βœ… [It] [Setting] gzip should be disabled by default
  βœ… [It] [Annotations] affinity session-cookie-name does not set the path to / on the generated cookie if there's more than one rule referring to the same backend
  βœ… [It] [Annotations] server-snippet drops server snippet if disabled by the administrator
  βœ… [It] [Annotations] affinity session-cookie-name should not set cookie without domain annotation
  βœ… [It] [Service] Type ExternalName works with external name set to incomplete fqdn
  βœ… [It] [Setting] enable-real-ip trusts X-Forwarded-For header only when setting is true
  βœ… [It] [Annotations] affinity session-cookie-name should not set affinity across all server locations when using separate ingresses
  βœ… [It] global-options should have worker_rlimit_nofile option
  βœ… [It] [Service] Type ExternalName should return 200 for service type=ExternalName with a port defined
  βœ… [It] [Annotations] client-body-buffer-size should set client_body_buffer_size to 1000
  βœ… [It] [Flag] ingress-class With default ingress class config should accept both Ingresses with default IngressClassName and IngressClass annotation
  βœ… [It] [Default Backend] should return 404 sending requests when only a default backend is running
  βœ… [It] [Annotations] rewrite-target use-regex enable-rewrite-log should allow for custom rewrite parameters
  βœ… [It] [Annotations] auth-* when external authentication is configured with a custom redirect param keeps processing new ingresses even if one of the existing ingresses is misconfigured
  βœ… [It] [Flag] ingress-class With specific ingress-class flags should ignore Ingress with no class and accept the correctly configured Ingresses
  βœ… [It] [Annotations] proxy-* should not set invalid proxy timeouts
  βœ… [It] [TCP] tcp-services should reload after an update in the configuration
  βœ… [It] [Setting] aio-write should be disabled when setting is false
  βœ… [It] [Ingress] [PathType] exact should choose exact location for /exact
  βœ… [It] [Annotations] auth-tls-* should 302 redirect to error page instead of 400 when auth-tls-error-page is set
  βœ… [It] [Annotations] client-body-buffer-size should set client_body_buffer_size to 1m
  βœ… [It] [TCP] tcp-services should expose an ExternalName TCP service
  βœ… [It] [Flag] disable-sync-events should create sync events
  βœ… [It] [Status] status update should update status field after client-go reconnection
  βœ… [It] [Setting] [Security] global-auth-url when global external authentication is configured should set request-redirect when global-auth-request-redirect is configured
  βœ… [It] [Lua] dynamic configuration when only backends change handles endpoints only changes (down scaling of replicas)
  βœ… [It] [Annotations] server-alias should return status code 200 for hosts defined in two ingresses, different path with one alias
  βœ… [It] [Annotations] auth-* when external authentication is configured should enable set_all_vars when auth-keepalive-share-vars is true
  βœ… [It] [Annotations] auth-* when external authentication is configured should overwrite Foo header with auth response
  βœ… [It] [Annotations] canary-* when canary is created should route requests to the correct upstream if the mainline ingress is modified
  βœ… [It] [Annotations] upstream-vhost set host to upstreamvhost.bar.com
  βœ… [It] [Ingress] [PathType] prefix checks should test prefix path using regex pattern for /id/{int} ignoring non-digits characters at end of string
  βœ… [It] [Setting] log-format-* Check log-format-upstream with log-format-escape-json and log-format-escape-none log-format-escape-none enabled
  βœ… [It] [Setting] Geoip2 should up and running nginx controller using autoreload flag
  βœ… [It] [Annotations] auth-* when external authentication is configured with a custom redirect param should return status code 200 when signed in
  βœ… [It] [Setting] [Security] block-* should block Referers defined in the ConfigMap
  βœ… [It] [Setting] hash size Check the map hash size should set vmap-hash-bucket-size
  βœ… [It] [Setting] keep-alive keep-alive-requests Check the keep alive should set keepalive_timeout
  βœ… [It] [Annotations] cors-* should allow - matching origin with wildcard origin (2 subdomains)
  βšͺ [It] [Setting] Geoip2 should only allow requests from specific countries
  βœ… [It] brotli should only compress responses that meet the `brotli-min-length` condition
  βœ… [It] [Flag] ingress-class With default ingress class config should ignore Ingress without IngressClass configuration
  βœ… [It] [Setting] hash size Check the variable hash size should set variables-hash-max-size
  βœ… [It] [Annotations] disable-access-log disable-http-access-log disable-stream-access-log disable-access-log set access_log off
  βœ… [It] [Annotations] canary-* when canaried by header with value should route requests to the correct upstream
  βœ… [It] [Annotations] app-root should redirect to /foo
  βœ… [It] [Annotations] auth-* cookie set by external authentication server user with annotated ingress retains cookie if upstream returns error status code
  βœ… [It] [Annotations] auth-* when external authentication is configured should not create additional upstream block when auth-keepalive is not set
  βœ… [It] [Setting] access-log access-log-path use the default configuration
  βœ… [It] [Annotations] cors-* should not allow - portless origin with wildcard origin
  βœ… [It] [Flag] ingress-class With default ingress class config should ignore Ingress with a different class annotation
  βœ… [It] [Setting] [Security] global-auth-url when global external authentication is configured should proxy_method method when global-auth-method is configured
  βœ… [It] [Annotations] backend-protocol - GRPC should use grpc_pass in the configuration file
  βœ… [It] [Setting] configmap server-snippet should add global server-snippet and drop annotations per admin config
  βœ… [It] [Annotations] cors-* should allow - matching origin+port with wildcard origin
  βœ… [It] [Annotations] proxy-ssl-* should set valid proxy-ssl-secret, proxy-ssl-verify to on, proxy-ssl-verify-depth to 2, and proxy-ssl-server-name to on
  βœ… [It] Debug CLI should get information for a specific backend server
  βœ… [It] [Setting] GRPC should set the correct GRPC Buffer Size
  βœ… [It] [Default Backend] SSL should return a self generated SSL certificate
  βœ… [It] [Annotations] backend-protocol - GRPC should return OK for service with backend protocol GRPC
  βœ… [It] [Lua] dynamic certificates given an ingress with TLS correctly configured falls back to using default certificate when secret gets deleted without reloading
  βœ… [It] global-options should have worker_rlimit_nofile option and be independent on amount of worker processes
  βœ… [It] [Setting] configmap server-snippet should add value of server-snippet setting to all ingress config
  βœ… [It] [Annotations] service-upstream when enabling in the configmap should use the Service Cluster IP and Port
  βœ… [It] [Annotations] http2-push-preload enable the http2-push-preload directive
  βœ… [It] [Annotations] canary-* Single canary Ingress should not use canary as a catch-all server
  βœ… [It] [Annotations] Bad annotation values [BAD_ANNOTATIONS] should allow an ingress if there is a default blocklist config in place
  βœ… [It] [Lua] dynamic certificates given an ingress with TLS correctly configured picks up the updated certificate without reloading
  βœ… [It] [Setting] keep-alive keep-alive-requests Check the keep alive should set keepalive_requests
  βœ… [It] [Annotations] cors-* should allow - origins with non-http[s] protocols
  βœ… [It] [Annotations] auth-* when external authentication is configured should redirect to signin url when not signed in
  βœ… [It] [Annotations] cors-* should allow headers for cors
  βœ… [It] [SSL] secret update should return the fake SSL certificate if the secret is invalid
  βœ… [It] [Setting] [Security] block-* should block User-Agents defined in the ConfigMap
  βœ… [It] [Annotations] auth-* when external authentication is configured with a custom redirect param should redirect to signin url when not signed in
  βœ… [It] [Annotations] cors-* should allow - single origin for multiple cors values
  βœ… [It] [Lua] dynamic certificates picks up the previously missing secret for a given ingress without reloading
  βœ… [It] [Setting] access-log http-access-log-path use the specified configuration
  βœ… [It] [Setting] use-proxy-protocol should enable PROXY Protocol for TCP
  βœ… [It] [Lua] dynamic configuration when only backends change handles an annotation change
  βœ… [It] [Annotations] connection-proxy-header set connection header to keep-alive
  βœ… [It] [Setting] use-proxy-protocol should respect port passed by the PROXY Protocol