Skip to content

Controller: Fail annotation parsing fast and report errors. (#11740) #8171

Controller: Fail annotation parsing fast and report errors. (#11740)

Controller: Fail annotation parsing fast and report errors. (#11740) #8171

GitHub Actions / JEST Tests v1.29.10 succeeded Nov 21, 2024 in 0s

438 passed, 0 failed and 4 skipped

Tests passed successfully

✅ report-e2e-test-suite.xml

442 tests were completed in 2936s with 438 passed, 0 failed and 4 skipped.

Test suite Passed Failed Skipped Time
nginx-ingress-controller e2e suite 438✅ 4⚪ 2936s

✅ nginx-ingress-controller e2e suite

nginx-ingress-controller e2e suite
  ✅ [It] [Annotations] auth-tls-* should return 200 using auth-tls-match-cn with matching CN from client
  ✅ [It] [Flag] ingress-class Without IngressClass Cluster scoped Permission should watch Ingress with correct annotation
  ✅ [It] [Annotations] affinity session-cookie-name should set the path to /something on the generated cookie
  ✅ [It] [Service] Type ExternalName should return 200 for service type=ExternalName without a port defined
  ✅ [It] [Annotations] ssl-ciphers should keep ssl ciphers
  ✅ [It] [Annotations] service-upstream when enabling in the configmap and disabling in the annotations should not use the Service Cluster IP and Port
  ✅ [It] [Flag] disable-catch-all should delete Ingress updated to catch-all
  ✅ [It] [Setting] log-format-* Check log-format-escape-json and log-format-escape-none should disable the log-format-escape-json
  ✅ [It] [Setting] OCSP should enable OCSP and contain stapling information in the connection
  ✅ [It] [Annotations] enable-access-log enable-rewrite-log set rewrite_log on
  ✅ [It] [Flag] disable-sync-events should not create sync events
  ✅ [It] [Annotations] affinity session-cookie-name should work with use-regex annotation and session-cookie-path
  ✅ [It] [Annotations] canary-* does not crash when canary ingress has multiple paths to the same non-matching backend
  ✅ [It] [Annotations] auth-* when external authentication is configured should redirect to signin url when not signed in
  ✅ [It] [Setting] gzip should be enabled with default settings
  ✅ [It] [Annotations] auth-* when external authentication with caching is configured should return status code 200 when signed in after auth backend is deleted
  ✅ [It] [Setting] proxy-next-upstream should build proxy next upstream using configmap values
  ✅ [It] [Annotations] backend-protocol should set backend protocol to https:// and use proxy_pass
  ✅ [It] [Flag] ingress-class With default ingress class config should serve Ingress when class is updated between annotation and ingressClassName
  ✅ [It] [Annotations] cors-* should not break functionality - without `*`
  ✅ [It] [Setting] main-snippet should add value of main-snippet setting to nginx config
  ✅ [It] [Annotations] auth-* when external authentication is configured should not create additional upstream block when auth-keepalive is negative
  ✅ [It] single ingress - multiple hosts should set the correct $service_name NGINX variable
  ✅ [It] [Flag] ingress-class With default ingress class config should ignore Ingress with different controller class
  ✅ [It] [Service] Type ExternalName should sync ingress on external name service addition/deletion
  ✅ [It] [Flag] ingress-class With default ingress class config should delete Ingress when class is removed
  ✅ [It] [Setting] use-proxy-protocol should respect proto passed by the PROXY Protocol server port
  ✅ [It] [Annotations] satisfy should allow multiple auth with satisfy any
  ✅ [It] Configure Opentelemetry should exists opentelemetry_operation_name directive when is configured
  ✅ [It] [Annotations] canary-* when canaried by header with value should route requests to the correct upstream
  ✅ [It] [Annotations] permanent-redirect permanent-redirect-code should respond with a custom redirect code
  ✅ [It] [TCP] tcp-services should expose a TCP service
  ✅ [It] [Setting] [Lua] lua-shared-dicts configures lua shared dicts
  ✅ [It] [Annotations] modsecurity owasp should disable default modsecurity conf setting when modsecurity-snippet is specified
  ✅ [It] [Annotations] custom-headers-* should return status code 200 when no custom-headers is configured
  ✅ [It] [Setting] access-log http-access-log-path & stream-access-log-path use the specified configuration
  ✅ [It] [Annotations] auth-* should set cache_key when external auth cache is configured
  ✅ [It] [Annotations] proxy-* should set proxy client-max-body-size to 8m
  ✅ [It] [Annotations] auth-* when external authentication with caching is configured should deny login for different servers
  ✅ [It] [Setting] enable-real-ip trusts X-Forwarded-For header only when setting is true
  ✅ [It] [Setting] reuse-port reuse port should be enabled
  ✅ [It] [Annotations] auth-* with invalid auth-url should deny whole location should return 503 (location was denied)
  ✅ [It] [Setting] nginx-configuration start nginx with default configuration
  ✅ [It] [Annotations] disable-access-log disable-http-access-log disable-stream-access-log disable-access-log set access_log off
  ✅ [It] [Annotations] auth-* when external authentication is configured should not create additional upstream block when host part of auth-url contains a variable
  ✅ [It] [Lua] dynamic configuration when only backends change handles endpoints only changes (down scaling of replicas)
  ✅ [It] [Annotations] server-alias should return status code 200 for host 'foo' and 'bar'
  ✅ [It] [Annotations] client-body-buffer-size should set client_body_buffer_size to 1K
  ✅ [It] [Setting] configmap server-snippet should add value of server-snippet setting to all ingress config
  ✅ [It] [Setting] gzip should set gzip_min_length to 100
  ✅ [It] [Setting] GRPC should set the correct GRPC Buffer Size
  ✅ [It] [Annotations] rewrite-target use-regex enable-rewrite-log should use correct longest path match
  ✅ [It] [Annotations] proxy-* should turn off proxy-request-buffering
  ✅ [It] Debug CLI should list the backend servers
  ✅ [It] [Annotations] satisfy should configure satisfy directive correctly
  ✅ [It] [Setting] [Security] global-auth-url cookie set by external authentication server user retains cookie by default
  ✅ [It] [Setting] proxy-connect-timeout should not set invalid proxy timeouts using configmap values
  ✅ [It] [Annotations] cors-* should set cors max-age
  ✅ [It] [Annotations] x-forwarded-prefix should set the X-Forwarded-Prefix to the annotation value
  ✅ [It] [Annotations] proxy-* should turn on proxy-buffering
  ✅ [It] [Annotations] backend-protocol - GRPC authorization metadata should be overwritten by external auth response headers
  ✅ [It] [Annotations] proxy-* should change the default proxy HTTP version
  ✅ [It] [Flag] watch namespace selector With specific watch-namespace-selector flags should ignore Ingress of namespace without label foo=bar and accept those of namespace with label foo=bar
  ✅ [It] [Admission] admission controller should not return an error for an invalid Ingress when it has unknown class
  ✅ [It] [CGroups] cgroups detects cgroups version v1
  ✅ [It] [Admission] admission controller should return an error if there is a forbidden value in some annotation
  ✅ [It] [Admission] admission controller should block ingress with invalid path
  ✅ [It] [Admission] admission controller should allow overlaps of host and paths with canary annotation
  ✅ [It] [CGroups] cgroups detect cgroups version v2
  ✅ [It] [Admission] admission controller should return an error if there is an error validating the ingress definition
  ✅ [It] [Admission] admission controller should return an error if there is an invalid value in some annotation
  ✅ [It] [Admission] admission controller should not return an error if the Ingress V1 definition is valid with IngressClass annotation
  ✅ [It] [Admission] admission controller should return an error if there is an invalid path and wrong pathType is set
  ✅ [It] [Admission] admission controller should not allow overlaps of host and paths without canary annotations
  ✅ [It] [Admission] admission controller should not return an error if the Ingress V1 definition is valid with Ingress Class
  ✅ [It] [Admission] admission controller should return an error if the Ingress V1 definition contains invalid annotations
  ✅ [It] annotation validations should allow ingress based on their risk on webhooks
  ✅ [It] [TopologyHints] topology aware routing should return 200 when service has topology hints
  ✅ [It] annotation validations should allow ingress based on their risk on webhooks
  ✅ [It] [Annotations] canary-* canary affinity behavior routes traffic to either mainline or canary backend (legacy behavior)
  ✅ [It] [Setting] [Load Balancer] EWMA does not fail requests
  ✅ [It] [Ingress] [PathType] prefix checks should test prefix path using simple regex pattern for /id/{int}
  ✅ [It] [Annotations] auth-* when external authentication is configured should create additional upstream block when auth-keepalive is set with HTTP/1.x
  ✅ [It] [Lua] dynamic configuration configures balancer Lua middleware correctly
  ✅ [It] [Annotations] rewrite-target use-regex enable-rewrite-log should fail to use longest match for documented warning
  ✅ [It] [metrics] exported prometheus metrics exclude socket request metrics are absent
  ✅ [It] [Annotations] auth-* when external authentication is configured should overwrite Foo header with auth response
  ✅ [It] [Annotations] auth-* should set snippet "proxy_set_header My-Custom-Header 42;" when external auth is configured
  ✅ [It] Dynamic $proxy_host should exist a proxy_host using the upstream-vhost annotation value
  ✅ [It] brotli should only compress responses that meet the `brotli-min-length` condition
  ✅ [It] [Annotations] backend-protocol should set backend protocol to https:// and use proxy_pass with lowercase annotation
  ✅ [It] [Flag] ingress-class With default ingress class config should serve Ingress when class is added
  ✅ [It] [Annotations] auth-tls-* should 302 redirect to error page instead of 400 when auth-tls-error-page is set
  ✅ [It] [Annotations] affinity session-cookie-name should set sticky cookie without host
  ✅ [It] [Annotations] modsecurity owasp should enable modsecurity when enable-owasp-modsecurity-crs is set to true
  ✅ [It] [Annotations] auth-* when external authentication is configured should not create additional upstream block when auth-keepalive is not set
  ✅ [It] [Annotations] modsecurity owasp should enable modsecurity through the config map but ignore snippet as disabled by admin
  ✅ [It] [Setting] use-forwarded-headers should trust X-Forwarded headers when setting is true
  ✅ [It] [Annotations] modsecurity owasp should enable modsecurity with transaction ID and OWASP rules
  ✅ [It] [Setting] add-headers Add a custom header
  ✅ [It] [Annotations] server-alias should return status code 200 for hosts defined in two ingresses, different path with one alias
  ✅ [It] [Annotations] backend-protocol - GRPC should return Error when request exceed timeout
  ✅ [It] [Annotations] rewrite-target use-regex enable-rewrite-log should write rewrite logs
  ✅ [It] [Annotations] canary-* when canaried by cookie respects always and never values
  ✅ [It] [Setting] log-format-* Check log-format-escape-json and log-format-escape-none should enable the log-format-escape-none
  ✅ [It] [Ingress] [PathType] prefix checks should test prefix path using regex pattern for /id/{int} ignoring non-digits characters at end of string
  ✅ [It] [Setting] [Security] block-* should block User-Agents defined in the ConfigMap
  ✅ [It] [Annotations] canary-* canary affinity behavior always routes traffic to canary if first request was affinitized to canary (default behavior)
  ✅ [It] [Annotations] proxy-* should set proxy_redirect to off
  ✅ [It] [Service] Type ExternalName should return 200 for service type=ExternalName using FQDN with trailing dot
  ✅ [It] [Setting] [SSL] TLS protocols, ciphers and headers should configure HSTS policy header setting max-age parameter
  ✅ [It] [Annotations] backend-protocol - FastCGI should add fastcgi_index in the configuration file
  ✅ [It] [Setting] gzip should set gzip_disable to msie6
  ✅ [It] [Annotations] canary-* when canaried by weight should route requests only to canary if canary weight is equal to canary weight total
  ✅ [It] [Setting] nginx-configuration fails when using root directive
  ✅ [It] [Setting] enable-multi-accept should be enabled by default
  ✅ [It] [Setting] proxy-send-timeout should not set invalid proxy send timeouts using configmap values
  ✅ [It] [Annotations] backend-protocol should set backend protocol to $scheme:// and use proxy_pass
  ✅ [It] [Annotations] backend-protocol - GRPC should use grpc_pass in the configuration file
  ✅ [It] [Annotations] cors-* should not break functionality
  ✅ [It] [Setting] Add no tls redirect locations Check no tls redirect locations config
  ✅ [It] [Setting] stream-snippet should add stream-snippet and drop annotations per admin config
  ✅ [It] [Annotations] canary-* canary affinity behavior always routes traffic to canary if first request was affinitized to canary (explicit sticky behavior)
  ✅ [It] [Security] request smuggling should not return body content from error_page
  ✅ [It] [Setting] Geoip2 should up and running nginx controller using autoreload flag
  ✅ [It] [Annotations] auth-* when external authentication with caching is configured should redirect to signin url when not signed in
  ✅ [It] [Setting] ssl-ciphers Add ssl ciphers
  ✅ [It] [Annotations] relative-redirects configures Nginx correctly
  ✅ [It] [Lua] dynamic certificates given an ingress with TLS correctly configured picks up the updated certificate without reloading
  ✅ [It] Configure Opentelemetry should include opentelemetry_trust_incoming_spans on directive when enabled
  ✅ [It] [Annotations] custom-http-errors configures Nginx correctly
  ✅ [It] [Setting] enable-multi-accept should be disabled when set to false
  ✅ [It] [Annotations] upstream-hash-by-* should connect to the same pod
  ✅ [It] [TCP] tcp-services should reload after an update in the configuration
  ✅ [It] [Annotations] canary-* when canaried by weight should route requests split between mainline and canary if canary weight is 50
  ✅ [It] [Annotations] disable-proxy-intercept-errors configures Nginx correctly
  ✅ [It] [Annotations] affinity session-cookie-name should set secure in cookie with provided true annotation on http
  ✅ [It] [Lua] dynamic certificates given an ingress with TLS correctly configured falls back to using default certificate when secret gets deleted without reloading
  ✅ [It] [Annotations] backend-protocol - FastCGI should add fastcgi_param in the configuration file
  ✅ [It] [Flag] enable-ssl-passthrough With enable-ssl-passthrough enabled should pass unknown traffic to default backend and handle known traffic
  ✅ [It] [Annotations] cors-* should allow - matching origin with wildcard origin (2 subdomains)
  ✅ [It] [Annotations] Bad annotation values [BAD_ANNOTATIONS] should drop an ingress if there is an invalid character in some annotation
  ✅ [It] [Annotations] proxy-* should build proxy next upstream
  ⚪ [It] [Setting] Geoip2 should only allow requests from specific countries
  ✅ [It] [Annotations] client-body-buffer-size should set client_body_buffer_size to 1000
  ✅ [It] [Annotations] modsecurity owasp should enable modsecurity without using 'modsecurity on;'
  ✅ [It] [Setting] server-tokens should exists Server header in the response when is enabled
  ✅ [It] [Default Backend] custom service uses custom default backend that returns 200 as status code
  ✅ [It] [Annotations] configuration-snippet drops snippet more_set_header in all locations if disabled by admin
  ✅ [It] [Setting] aio-write should be enabled by default
  ✅ [It] [Setting] [Security] no-auth-locations should return status code 401 when accessing '/' unauthentication
  ✅ [It] [Setting] [Load Balancer] round-robin should evenly distribute requests with round-robin (default algorithm)
  ✅ [It] [Annotations] backend-protocol - FastCGI should use fastcgi_pass in the configuration file
  ✅ [It] [Lua] dynamic configuration when only backends change handles endpoints only changes consistently (down scaling of replicas vs. empty service)
  ✅ [It] [Annotations] cors-* should not allow - single origin without port and origin with required port
  ✅ [It] [Annotations] cors-* should allow origin for cors
  ✅ [It] [metrics] exported prometheus metrics request metrics per undefined host are present when flag is set
  ✅ [It] [Service] Type ExternalName should update the external name after a service update
  ✅ [It] [Status] status update should update status field after client-go reconnection
  ✅ [It] [Flag] custom HTTP and HTTPS ports with a plain HTTP ingress should set X-Forwarded-Port headers accordingly when listening on a non-default HTTP port
  ✅ [It] [Annotations] auth-* when external authentication is configured with a custom redirect param keeps processing new ingresses even if one of the existing ingresses is misconfigured
  ✅ [It] [Annotations] client-body-buffer-size should set client_body_buffer_size to 1m
  ✅ [It] [Annotations] preserve-trailing-slash should allow preservation of trailing slashes
  ✅ [It] [Annotations] affinity session-cookie-name should set secure in cookie with provided false annotation on https
  ✅ [It] [Ingress] [PathType] prefix checks should return 404 when prefix /aaa does not match request /aaaccc
  ✅ [It] [Setting] [Security] global-auth-url when global external authentication is configured should add auth headers when global-auth-response-headers is configured
  ✅ [It] [Setting] use-forwarded-headers should not trust X-Forwarded headers when setting is false
  ✅ [It] [Annotations] auth-* should return status code 200 when no authentication is configured
  ⚪ [It] [Default Backend] enables access logging for default backend
  ✅ [It] [Annotations] auth-* should return status code 401 and cors headers when authentication and cors is configured but Authorization header is not configured
  ✅ [It] [Annotations] cors-* should allow - matching origin+port with wildcard origin
  ✅ [It] [Annotations] cors-* should allow - single origin with required port
  ✅ [It] [Annotations] auth-tls-* should pass URL-encoded certificate to upstream
  ✅ [It] [Annotations] upstream-hash-by-* should connect to the same subset of pods
  ✅ [It] [SSL] redirect to HTTPS should redirect from HTTP to HTTPS when secret is missing
  ✅ [It] [Annotations] enable-access-log enable-rewrite-log set access_log off
  ✅ [It] [Setting] access-log access-log-path use the default configuration
  ✅ [It] [Annotations] modsecurity owasp should enable modsecurity
  ✅ [It] [Setting] [Security] global-auth-url when global external authentication is configured should proxy_method method when global-auth-method is configured
  ✅ [It] [Setting] reuse-port reuse port should be disabled
  ✅ [It] [Setting] log-format-* Check log-format-upstream with log-format-escape-json and log-format-escape-none log-format-escape-json enabled
  ✅ [It] [Setting] [Security] block-* should block CIDRs defined in the ConfigMap
  ✅ [It] [Setting] access-log http-access-log-path use the specified configuration
  ✅ [It] [Setting] hash size Check the variable hash size should set variables-hash-max-size
  ✅ [It] [Service] backend status code 503 should return 503 when backend service does not exist
  ✅ [It] [Annotations] service-upstream when using the default value (false) and enabling in the annotations should use the Service Cluster IP and Port
  ✅ [It] [Annotations] auth-* cookie set by external authentication server user does not retain cookie if upstream returns error status code
  ✅ [It] [Annotations] auth-* should set "proxy_set_header 'My-Custom-Header' '42';" when auth-headers are set
  ✅ [It] [Annotations] cors-* should allow - origins with non-http[s] protocols
  ✅ [It] [Setting] gzip should set gzip_comp_level to 4
  ✅ [It] [Annotations] mirror-* should disable mirror-request-body
  ✅ [It] [Annotations] disable-access-log disable-http-access-log disable-stream-access-log disable-stream-access-log set access_log off
  ✅ [It] [Annotations] auth-* when external authentication is configured with a custom redirect param should return status code 200 when signed in
  ✅ [It] [Default Backend] change default settings should apply the annotation to the default backend
  ✅ [It] [Setting] [Security] global-auth-url when global external authentication is configured should add custom error page when global-auth-signin url is configured
  ✅ [It] [Annotations] affinity session-cookie-name should not set cookie without domain annotation
  ✅ [It] [Annotations] auth-* when external authentication is configured with a custom redirect param should redirect to signin url when not signed in
  ✅ [It] [Setting] proxy-read-timeout should set valid proxy read timeouts using configmap values
  ✅ [It] [Annotations] force-ssl-redirect should redirect to https
  ✅ [It] [Setting] log-format-* Check log-format-upstream with log-format-escape-json and log-format-escape-none log-format default escape
  ✅ [It] [Annotations] affinitymode Balanced affinity mode should balance
  ✅ [It] [Shutdown] Grace period shutdown /healthz should return status code 500 during shutdown grace period
  ✅ [It] [Annotations] auth-* when external authentication is configured should return status code 200 when signed in
  ✅ [It] [Setting] gzip should be disabled by default
  ✅ [It] [Lua] dynamic configuration when only backends change handles endpoints only changes
  ✅ [It] [Annotations] backend-protocol - GRPC should return OK when request not exceed timeout
  ✅ [It] [Default Backend] should return 404 sending requests when only a default backend is running
  ✅ [It] [Annotations] upstream-vhost set host to upstreamvhost.bar.com
  ✅ [It] [Annotations] proxy-* should set proxy_redirect to default
  ✅ [It] [Ingress] definition without host should set ingress details variables for ingresses without a host
  ✅ [It] [Setting] [Security] global-auth-url when global external authentication is configured should return status code 200 when request whitelisted (via ingress annotation) service and 401 when request protected service
  ✅ [It] [Setting] [Load Balancer] load-balance should apply the configmap load-balance setting
  ✅ [It] [Flag] custom HTTP and HTTPS ports with a TLS enabled ingress when external authentication is configured should set the X-Forwarded-Port header to 443
  ✅ [It] [Setting] log-format-* Check log-format-escape-json and log-format-escape-none should disable the log-format-escape-none
  ✅ [It] [Annotations] cors-* should not allow - unmatching origin with wildcard origin (2 subdomains)
  ✅ [It] [Flag] ingress-class With default ingress class config should ignore Ingress without IngressClass configuration
  ✅ [It] [Lua] dynamic certificates given an ingress with TLS correctly configured picks up a non-certificate only change
  ✅ [It] [Setting] keep-alive keep-alive-requests Check the upstream keep alive should set keepalive time to upstream server
  ✅ [It] [Annotations] custom-headers-* should set "more_set_headers 'My-Custom-Header' '42';" when custom-headers are set
  ✅ [It] [Setting] hash size Check server names hash size should set server_names_hash_max_size
  ✅ [It] [Annotations] auth-tls-* should return 403 using auth-tls-match-cn with no matching CN from client
  ✅ [It] [Setting] aio-write should be disabled when setting is false
  ✅ [It] [Annotations] affinity session-cookie-name should set cookie with domain
  ✅ [It] [Annotations] client-body-buffer-size should not set client_body_buffer_size to invalid 1b
  ✅ [It] Debug CLI should get information for a specific backend server
  ✅ [It] [Setting] Configmap change should reload after an update in the configuration
  ✅ [It] [Annotations] canary-* when canaried by weight should route requests split between mainline and canary if canary weight is 100 and weight total is 200
  ✅ [It] [Annotations] proxy-ssl-* should set valid proxy-ssl-secret, proxy-ssl-verify to on, proxy-ssl-verify-depth to 2, and proxy-ssl-server-name to on
  ✅ [It] [Lua] dynamic certificates picks up the previously missing secret for a given ingress without reloading
  ✅ [It] [Setting] configmap stream-snippet should add value of stream-snippet via config map to nginx config
  ✅ [It] [Setting] server-tokens should not exists Server header in the response
  ✅ [It] [Flag] ingress-class With default ingress class config should accept both Ingresses with default IngressClassName and IngressClass annotation
  ✅ [It] [Annotations] proxy-ssl-* should set valid proxy-ssl-secret
  ✅ [It] [Setting] log-format-* Check log-format-escape-json and log-format-escape-none should enable the log-format-escape-json
  ✅ [It] [Annotations] auth-* when external authentication is configured should disable set_all_vars when auth-keepalive-share-vars is not set
  ✅ [It] [Annotations] auth-* cookie set by external authentication server user with annotated ingress retains cookie if upstream returns error status code
  ✅ [It] [Setting] Geoip2 should include geoip2 line in config when enabled and db file exists
  ✅ [It] [Annotations] auth-* cookie set by external authentication server user retains cookie by default
  ✅ [It] [Annotations] modsecurity owasp should enable modsecurity through the config map
  ✅ [It] [Annotations] cors-* should allow correct origins - single origin for multiple cors values
  ✅ [It] [Service] Type ExternalName should return status 502 for service type=ExternalName with an invalid host
  ✅ [It] [Setting] gzip should set gzip_types to text/html
  ✅ [It] [Annotations] cors-* should set cors methods to only allow POST, GET
  ✅ [It] [Annotations] auth-* with invalid auth-url should deny whole location should add error to the config
  ✅ [It] [Annotations] modsecurity owasp should enable modsecurity globally and with modsecurity-snippet block requests
  ✅ [It] [Annotations] mirror-* should set mirror-target to https://test.env.com/$request_uri
  ✅ [It] [Setting] [Security] global-auth-url when global external authentication is configured should set request-redirect when global-auth-request-redirect is configured
  ✅ [It] [Annotations] backend-protocol should set backend protocol to grpc:// and use grpc_pass
  ✅ [It] [Annotations] canary-* when canaried by header with value and pattern should route requests to the correct upstream
  ✅ [It] [Ingress] definition without host should set ingress details variables for ingresses with host without IngressRuleValue, only Backend
  ✅ [It] [Annotations] relative-redirects should respond with absolute URL in Location
  ✅ [It] Debug CLI should produce valid JSON for /dbg general
  ✅ [It] [Setting] [Security] global-auth-url cookie set by external authentication server user does not retain cookie if upstream returns error status code
  ✅ [It] [Lua] dynamic certificates given an ingress with TLS correctly configured removes HTTPS configuration when we delete TLS spec
  ✅ [It] [Annotations] auth-* should return status code 401 when authentication is configured with invalid content and Authorization header is sent
  ✅ [It] [Setting] [Security] no-auth-locations should return status code 200 when accessing '/'  authentication
  ✅ [It] [Service] Type ExternalName should return 200 for service type=ExternalName using a port name
  ✅ [It] [Annotations] server-alias should return status code 200 for host 'foo' and 404 for 'bar'
  ✅ [It] [Annotations] Bad annotation values [BAD_ANNOTATIONS] should drop an ingress if there is a forbidden word in some annotation
  ✅ [It] [Annotations] canary-* when canary is created should route requests to the correct upstream if the canary ingress is modified
  ✅ [It] Dynamic $proxy_host should exist a proxy_host
  ✅ [It] [Annotations] modsecurity owasp should disable modsecurity
  ✅ [It] global-options should have worker_rlimit_nofile option and be independent on amount of worker processes
  ✅ [It] [Setting] hash size Check proxy header hash size should set proxy-headers-hash-max-size
  ✅ [It] [Annotations] canary-* Single canary Ingress should not use canary as a catch-all server
  ✅ [It] [Annotations] proxy-ssl-* should set valid proxy-ssl-secret, proxy-ssl-protocols
  ✅ [It] [Annotations] canary-* when canaried by weight should route requests only to canary if canary weight is 100
  ✅ [It] [Setting] configmap server-snippet should add global server-snippet and drop annotations per admin config
  ✅ [It] [Lua] dynamic certificates given an ingress with TLS correctly configured supports requests with domain with trailing dot
  ✅ [It] [Endpointslices] long service name should return 200 when service name has max allowed number of characters 63
  ✅ [It] [Annotations] auth-* when external authentication is configured keeps processing new ingresses even if one of the existing ingresses is misconfigured
  ✅ [It] [Setting] keep-alive keep-alive-requests Check the keep alive should set keepalive_timeout
  ✅ [It] [Annotations] denylist-source-range only deny explicitly denied IPs, allow all others
  ✅ [It] [Setting] [SSL] TLS protocols, ciphers and headers should configure HSTS policy header setting includeSubDomains parameter
  ✅ [It] [Setting] reuse-port reuse port should be enabled by default
  ✅ [It] [Flag] ingress-class Without IngressClass Cluster scoped Permission should ignore Ingress with only IngressClassName
  ✅ [It] [Annotations] auth-* should return status code 401 when authentication is configured and Authorization header is sent with invalid credentials
  ✅ [It] [SSL] secret update should return the fake SSL certificate if the secret is invalid
  ✅ [It] [Setting] proxy-read-timeout should not set invalid proxy read timeouts using configmap values
  ✅ [It] [Annotations] canary-* when canaried by header with value and pattern should route requests to the correct upstream
  ✅ [It] [Annotations] allowlist-source-range should set valid ip allowlist range
  ✅ [It] [Annotations] x-forwarded-prefix should not add X-Forwarded-Prefix if the annotation value is empty
  ✅ [It] [Annotations] cors-* should enable cors
  ✅ [It] [Annotations] affinitymode Check persistent affinity mode
  ✅ [It] [Annotations] cors-* should disable cors allow credentials
  ✅ [It] [TCP] tcp-services should expose an ExternalName TCP service
  ✅ [It] [Flag] disable-sync-events should create sync events (default)
  ✅ [It] [Setting] [SSL] TLS protocols, ciphers and headers ports or X-Forwarded-Host check during HTTP tp HTTPS redirection should not use ports during the HTTP to HTTPS redirection
  ✅ [It] [Setting] hash size Check server names hash size should set server_names_hash_bucket_size
  ✅ [It] [Default Backend] SSL should return a self generated SSL certificate
  ✅ [It] [Setting] use-proxy-protocol should enable PROXY Protocol for HTTPS
  ✅ [It] [Setting] [Security] block-* should block Referers defined in the ConfigMap
  ✅ [It] [Annotations] canary-* when canaried by header with no value should route requests to the correct upstream
  ✅ [It] Configure Opentelemetry should not exists opentelemetry_operation_name directive when is empty
  ✅ [It] [Annotations] backend-protocol - GRPC should return OK for service with backend protocol GRPCS
  ✅ [It] [Annotations] configuration-snippet set snippet more_set_headers in all locations
  ✅ [It] [Setting] aio-write should be enabled when setting is true
  ✅ [It] [Annotations] cors-* should not match
  ✅ [It] [Service] backend status code 503 should return 503 when all backend service endpoints are unavailable
  ✅ [It] [Annotations] cors-* should expose headers for cors
  ✅ [It] [Annotations] cors-* should allow correct origin but not others - cors allow origin annotations contain trailing comma
  ✅ [It] [Setting] [Security] global-auth-url when global external authentication is configured should return status code 401 when request any protected service
  ✅ [It] [Annotations] backend-protocol should set backend protocol to grpcs:// and use grpc_pass
  ✅ [It] [Annotations] auth-* should not set snippet "proxy_set_header My-Custom-Header 42;" when external auth is not configured
  ✅ [It] [Service] Nil Service Backend should return 404 when backend service is nil
  ✅ [It] [Annotations] affinity session-cookie-name should work with server-alias annotation
  ✅ [It] [Setting] keep-alive keep-alive-requests Check the keep alive should set keepalive_requests
  ✅ [It] [SSL] secret update should not appear references to secret updates not used in ingress rules
  ✅ [It] [Annotations] affinity session-cookie-name should set cookie with expires
  ✅ [It] [Ingress] [PathType] prefix checks should test prefix path using fixed path size regex pattern /id/{int}{3}
  ✅ [It] [Flag] custom HTTP and HTTPS ports with a TLS enabled ingress should set X-Forwarded-Port header to 443
  ✅ [It] [Shutdown] ingress controller should shutdown in less than 60 seconds without pending connections
  ⚪ [It] [Default Backend] disables access logging for default backend
  ✅ [It] [Setting] [Security] modsecurity-snippet should add value of modsecurity-snippet setting to nginx config
  ✅ [It] [Setting] add-headers Add multiple custom headers
  ✅ [It] [Annotations] affinity session-cookie-name should not set affinity across all server locations when using separate ingresses
  ✅ [It] [Annotations] affinity session-cookie-name should warn user when use-regex is true and session-cookie-path is not set
  ✅ [It] [Annotations] proxy-* should not set proxy client-max-body-size to incorrect value
  ✅ [It] [Annotations] denylist-source-range only allow explicitly allowed IPs, deny all others
  ✅ [It] [Annotations] auth-* should return status code 200 when authentication is configured with a map and Authorization header is sent
  ✅ [It] [Setting] [Security] no-auth-locations should return status code 200 when accessing '/noauth' unauthenticated
  ✅ [It] [Annotations] Bad annotation values [BAD_ANNOTATIONS] should allow an ingress if there is a default blocklist config in place
  ✅ [It] [Setting] [Security] global-auth-url when global external authentication is configured should return status code 200 when request whitelisted (via no-auth-locations) service and 401 when request protected service
  ✅ [It] [Setting] enable-multi-accept should be enabled when set to true
  ✅ [It] [Annotations] auth-tls-* should validate auth-tls-verify-client
  ✅ [It] [Annotations] proxy-ssl-* should set valid proxy-ssl-secret, proxy-ssl-ciphers to HIGH:!AES
  ✅ [It] [Annotations] relative-redirects should respond with relative URL in Location
  ✅ [It] [Annotations] server-snippet add valid directives to server via server snippet
  ✅ [It] [Annotations] auth-tls-* should return 200 using auth-tls-match-cn where atleast one of the regex options matches CN from client
  ✅ [It] [Setting] use-proxy-protocol should respect port passed by the PROXY Protocol
  ✅ [It] [Setting] access-log access-log-path use the specified configuration
  ✅ [It] [Annotations] Bad annotation values [BAD_ANNOTATIONS] should drop an ingress if there is a custom blocklist config in place and allow others to pass
  ✅ [It] [Annotations] cors-* should not allow - single origin with port and origin without port
  ✅ [It] [Annotations] server-snippet drops server snippet if disabled by the administrator
  ✅ [It] [Setting] Configmap - limit-rate Check limit-rate config
  ✅ [It] [Annotations] canary-* when canaried by weight should route requests only to mainline if canary weight is 0
  ✅ [It] [Flag] disable-catch-all should ignore catch all Ingress with backend
  ✅ [It] [Annotations] cors-* should not allow - portless origin with wildcard origin
  ✅ [It] [Setting] keep-alive keep-alive-requests Check the upstream keep alive should set the request count to upstream server through one keep alive connection
  ✅ [It] [Flag] ingress-class With watch-ingress-without-class flag should watch Ingress with no class and ignore ingress with a different class
  ✅ [It] [Annotations] backend-protocol - GRPC should return OK for service with backend protocol GRPC
  ✅ [It] [Ingress] [PathType] prefix checks should correctly route multi-segment path patterns
  ✅ [It] [Flag] enable-ssl-passthrough With enable-ssl-passthrough enabled should enable ssl-passthrough-proxy-port on a different port
  ✅ [It] [Disable Leader] Routing works when leader election was disabled should create multiple ingress routings rules when leader election has disabled
  ✅ [It] [Setting] keep-alive keep-alive-requests Check the upstream keep alive should set keep alive connection timeout to upstream server
  ✅ [It] [Setting] [Security] global-auth-url when global external authentication is configured should set snippet when global external auth is configured
  ✅ [It] [Flag] ingress-class With specific ingress-class flags should ignore Ingress with no class and accept the correctly configured Ingresses
  ✅ [It] [Setting] [SSL] TLS protocols, ciphers and headers should configure HSTS policy header overriding what's set from the upstream
  ✅ [It] [Setting] log-format-* Check log-format-escape-json and log-format-escape-none should not configure log-format escape by default
  ✅ [It] [Annotations] canary-* when canaried by header with value and cookie should route requests to the correct upstream
  ✅ [It] [Annotations] cors-* should not break functionality with extra domain
  ✅ [It] [Annotations] canary-* Single canary Ingress should not use canary with domain as a server
  ✅ [It] [Setting] hash size Check the variable hash size should set variables-hash-bucket-size
  ✅ [It] [Lua] dynamic configuration when only backends change handles an annotation change
  ✅ [It] [Ingress] [PathType] exact should choose exact location for /exact
  ✅ [It] [Setting] proxy-connect-timeout should set valid proxy timeouts using configmap values
  ✅ [It] [Annotations] canary-* when canary is created should return 404 status for requests to the canary if no matching ingress is found
  ✅ [It] [Annotations] auth-tls-* should set valid auth-tls-secret, sslVerify to off, and sslVerifyDepth to 2
  ✅ [It] [Flag] disable-service-external-name should ignore services of external-name type
  ✅ [It] [Annotations] cors-* should allow headers for cors
  ✅ [It] [Setting] hash size Check proxy header hash size should set proxy-headers-hash-bucket-size
  ✅ [It] [Setting] proxy-send-timeout should set valid proxy send timeouts using configmap values
  ✅ [It] [Setting] [SSL] TLS protocols, ciphers and headers ports or X-Forwarded-Host check during HTTP tp HTTPS redirection should not use ports or X-Forwarded-Host during the HTTP to HTTPS redirection
  ✅ [It] [Annotations] connection-proxy-header set connection header to keep-alive
  ✅ [It] [Annotations] from-to-www-redirect should redirect from www HTTP to HTTP
  ✅ [It] [Annotations] auth-tls-* should reload the nginx config when auth-tls-match-cn is updated
  ✅ [It] [Annotations] affinity session-cookie-name should not set secure in cookie with provided false annotation on http
  ✅ [It] [Annotations] app-root should redirect to /foo
  ✅ [It] [Annotations] affinity session-cookie-name should set sticky cookie SERVERID
  ✅ [It] [Setting] [Security] global-auth-url cookie set by external authentication server user with global-auth-always-set-cookie key in configmap retains cookie if upstream returns error status code
  ✅ [It] [Annotations] canary-* when canary is created should route requests to the correct upstream if mainline ingress is created after the canary ingress
  ✅ [It] [Annotations] cors-* should not allow - single origin for multiple cors values
  ✅ [It] [Annotations] canary-* when canary is created should route requests to the correct upstream if mainline ingress is created before the canary ingress
  ✅ [It] [Annotations] auth-* should return status code 503 when authentication is configured with an invalid secret
  ✅ [It] [Annotations] auth-* when external authentication is configured should enable set_all_vars when auth-keepalive-share-vars is true
  ✅ [It] [Flag] disable-catch-all should ignore catch all Ingress with backend and rules
  ✅ [It] [Annotations] permanent-redirect permanent-redirect-code should respond with a standard redirect code
  ✅ [It] [SSL] [Flag] default-ssl-certificate uses default ssl certificate for host based ingress when configured certificate does not match host
  ✅ [It] [Annotations] rewrite-target use-regex enable-rewrite-log should allow for custom rewrite parameters
  ✅ [It] [Annotations] cors-* should allow correct origins - missing subdomain + origin with wildcard origin and correct origin
  ✅ [It] [Annotations] backend-protocol should set backend protocol to '' and use fastcgi_pass
  ✅ [It] [Annotations] mirror-* should set mirror-target to http://localhost/mirror
  ✅ [It] [Flag] disable-catch-all should allow Ingress with rules
  ✅ [It] [Annotations] canary-* when canary is created should route requests to the correct upstream if the mainline ingress is modified
  ✅ [It] [Annotations] limit-rate Check limit-rate annotation
  ✅ [It] [Annotations] backend-protocol - FastCGI should return OK for service with backend protocol FastCGI
  ✅ [It] [Annotations] canary-* when canary is created should response with a 200 status from the mainline upstream when requests are made to the mainline ingress
  ✅ [It] [Annotations] auth-tls-* should set sslClientCertificate, sslVerifyClient and sslVerifyDepth with auth-tls-secret
  ✅ [It] [Annotations] custom-headers-* should return status code 503 when custom-headers is configured with an invalid secret
  ✅ [It] [Setting] log-format-* Check log-format-upstream with log-format-escape-json and log-format-escape-none log-format-escape-none enabled
  ✅ [It] [Annotations] http2-push-preload enable the http2-push-preload directive
  ✅ [It] [Annotations] canary-* when canaried by header with value and pattern should routes to mainline upstream when the given Regex causes error
  ✅ [It] [Annotations] proxy-ssl-* proxy-ssl-location-only flag should change the nginx config server part
  ✅ [It] [Annotations] modsecurity owasp should disable modsecurity using 'modsecurity off;'
  ✅ [It] [Flag] disable-sync-events should create sync events
  ✅ [It] [Setting] stream-snippet should add value of stream-snippet to nginx config
  ✅ [It] [Annotations] proxy-* should not set invalid proxy timeouts
  ✅ [It] [Setting] enable-real-ip should not trust X-Forwarded-For header when setting is false
  ✅ [It] [Annotations] auth-* should return status code 200 when authentication is configured and Authorization header is sent
  ✅ [It] [Annotations] proxy-* should setup proxy cookies
  ✅ [It] [Ingress] DeepInspection should drop whole ingress if one path matches invalid regex
  ✅ [It] [Annotations] default-backend when default backend annotation is enabled should use a custom default backend as upstream
  ✅ [It] [Annotations] cors-* should allow - single origin for multiple cors values
  ✅ [It] [Annotations] auth-* when external authentication is configured should not create additional upstream block when auth-keepalive is set with HTTP/2
  ✅ [It] [Setting] keep-alive keep-alive-requests Check the upstream keep alive should set keepalive connection to upstream server
  ✅ [It] [Annotations] Annotation - limit-connections should limit-connections
  ✅ [It] [Setting] [SSL] TLS protocols, ciphers and headers should configure TLS protocol setting cipher suite
  ✅ [It] [Annotations] rewrite-target use-regex enable-rewrite-log should use ~* location modifier if regex annotation is present
  ✅ [It] [Annotations] proxy-* should set proxy_redirect to hello.com goodbye.com
  ✅ [It] [Annotations] ssl-ciphers should change ssl ciphers
  ✅ [It] [Annotations] affinity session-cookie-name does not set the path to / on the generated cookie if there's more than one rule referring to the same backend
  ✅ [It] [Annotations] disable-access-log disable-http-access-log disable-stream-access-log disable-http-access-log set access_log off
  ✅ [It] Configure Opentelemetry should exists opentelemetry directive when is enabled
  ✅ [It] [Flag] ingress-class With ingress-class-by-name flag should watch Ingress that uses the class name even if spec is different
  ✅ [It] [Setting] [Security] global-auth-url when global external authentication is configured should still return status code 200 after auth backend is deleted using cache
  ✅ [It] [Service] Type ExternalName should return 200 for service type=ExternalName with a port defined
  ✅ [It] [Flag] ingress-class With default ingress class config should ignore Ingress with a different class annotation
  ✅ [It] [Setting] nginx-configuration fails when using alias directive
  ✅ [It] [Service] Type ExternalName works with external name set to incomplete fqdn
  ✅ [It] Configure Opentelemetry should not exists opentelemetry directive
  ⚪ [It] [Memory Leak] Dynamic Certificates should not leak memory from ingress SSL certificates or configuration updates
  ✅ [It] [Annotations] modsecurity owasp should enable modsecurity with snippet
  ✅ [It] [Annotations] client-body-buffer-size should set client_body_buffer_size to 1M
  ✅ [It] [Annotations] modsecurity owasp should enable modsecurity with snippet and block requests
  ✅ [It] [Annotations] auth-* should return status code 401 when authentication is configured but Authorization header is not configured
  ✅ [It] [metrics] exported prometheus metrics exclude socket request metrics are present
  ✅ [It] [Annotations] proxy-* should set valid proxy timeouts
  ✅ [It] global-options should have worker_rlimit_nofile option
  ✅ [It] [Annotations] client-body-buffer-size should set client_body_buffer_size to 1k
  ✅ [It] [Ingress] [PathType] mix Exact and Prefix paths should choose the correct location
  ✅ [It] [Lua] dynamic certificates picks up the certificate when we add TLS spec to existing ingress
  ✅ [It] [SSL] [Flag] default-ssl-certificate uses default ssl certificate for catch-all ingress
  ✅ [It] [Setting] hash size Check the map hash size should set vmap-hash-bucket-size
  ✅ [It] [Annotations] cors-* should allow - missing origins (should allow all origins)
  ✅ [It] [Annotations] auth-* when external authentication with caching is configured should deny login for different location on same server
  ✅ [It] [Setting] [SSL] TLS protocols, ciphers and headers should configure HSTS policy header setting preload parameter
  ✅ [It] [metrics] exported prometheus metrics request metrics per undefined host are not present when flag is not set
  ✅ [It] [Annotations] service-upstream when enabling in the configmap should use the Service Cluster IP and Port
  ✅ [It] [Annotations] affinity session-cookie-name should change cookie name on ingress definition change
  ✅ [It] [Setting] access-log stream-access-log-path use the specified configuration
  ✅ [It] [Annotations] from-to-www-redirect should redirect from www HTTPS to HTTPS
  ✅ [It] [Setting] use-proxy-protocol should enable PROXY Protocol for TCP