@sig-network @conformance @release-1.19

Feature: Host rules

An Ingress may define routing rules based on the request host. If the HTTP request host matches one of the hosts in the Ingress objects, the traffic is routed to its backend service.

Scenarios
Status Progress

Passed

 100.00%

Failed

 0.00%
Scenario: An Ingress with a host rule should send TLS traffic to the matching backend service

(host foo.bar.com matches request foo.bar.com)

check_circle
Given 0s a new random namespace
check_circle
Given 0s a self-signed TLS secret named conformance-tls for the foo.bar.com hostname
check_circle
Given 10s an Ingress resource +Show Parameter 
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: host-rules
spec:
  tls:
    - hosts:
        - foo.bar.com
      secretName: conformance-tls
  rules:
    - host: "*.foo.com"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: wildcard-foo-com
                port:
                  number: 8080

    - host: foo.bar.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: foo-bar-com
                port:
                  name: http
check_circle
Then 10s The Ingress status shows the IP address or FQDN where it is exposed
check_circle
When 0s I send a GET request to https://foo.bar.com
check_circle
Then 0s the secure connection must verify the foo.bar.com hostname
check_circle
And 0s the response status-code must be 200
check_circle
And 0s the response must be served by the foo-bar-com service
check_circle
And 0s the request host must be foo.bar.com
Duration: 20s query_builder
9
Scenario: An Ingress with a host rule should send traffic to the matching backend service

(host foo.bar.com matches request foo.bar.com)

check_circle
Given 0s a new random namespace
check_circle
Given 0s a self-signed TLS secret named conformance-tls for the foo.bar.com hostname
check_circle
Given 10s an Ingress resource +Show Parameter 
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: host-rules
spec:
  tls:
    - hosts:
        - foo.bar.com
      secretName: conformance-tls
  rules:
    - host: "*.foo.com"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: wildcard-foo-com
                port:
                  number: 8080

    - host: foo.bar.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: foo-bar-com
                port:
                  name: http
check_circle
Then 10s The Ingress status shows the IP address or FQDN where it is exposed
check_circle
When 0s I send a GET request to http://foo.bar.com
check_circle
And 0s the response status-code must be 200
check_circle
And 0s the response must be served by the foo-bar-com service
check_circle
And 0s the request host must be foo.bar.com
Duration: 20s query_builder
8
Scenario: An Ingress with a host rule should not route traffic when hostname does not match

(host foo.bar.com does not match request subdomain.bar.com)

check_circle
Given 0s a new random namespace
check_circle
Given 0s a self-signed TLS secret named conformance-tls for the foo.bar.com hostname
check_circle
Given 10s an Ingress resource +Show Parameter 
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: host-rules
spec:
  tls:
    - hosts:
        - foo.bar.com
      secretName: conformance-tls
  rules:
    - host: "*.foo.com"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: wildcard-foo-com
                port:
                  number: 8080

    - host: foo.bar.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: foo-bar-com
                port:
                  name: http
check_circle
Then 5s The Ingress status shows the IP address or FQDN where it is exposed
check_circle
When 0s I send a GET request to http://subdomain.bar.com
check_circle
Then 0s the response status-code must be 404
Duration: 15s query_builder
6
Scenario: An Ingress with a wildcard host rule should send traffic to the matching backend service

(Matches based on shared suffix)

check_circle
Given 0s a new random namespace
check_circle
Given 0s a self-signed TLS secret named conformance-tls for the foo.bar.com hostname
check_circle
Given 10s an Ingress resource +Show Parameter 
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: host-rules
spec:
  tls:
    - hosts:
        - foo.bar.com
      secretName: conformance-tls
  rules:
    - host: "*.foo.com"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: wildcard-foo-com
                port:
                  number: 8080

    - host: foo.bar.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: foo-bar-com
                port:
                  name: http
check_circle
Then 10s The Ingress status shows the IP address or FQDN where it is exposed
check_circle
When 0s I send a GET request to http://bar.foo.com
check_circle
Then 0s the response status-code must be 200
check_circle
And 0s the response must be served by the wildcard-foo-com service
check_circle
And 0s the request host must be bar.foo.com
Duration: 20s query_builder
8
Scenario: An Ingress with a wildcard host rule should not route traffic matching on more than a single dns label

(No match, wildcard only covers a single DNS label)

check_circle
Given 0s a new random namespace
check_circle
Given 0s a self-signed TLS secret named conformance-tls for the foo.bar.com hostname
check_circle
Given 10s an Ingress resource +Show Parameter 
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: host-rules
spec:
  tls:
    - hosts:
        - foo.bar.com
      secretName: conformance-tls
  rules:
    - host: "*.foo.com"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: wildcard-foo-com
                port:
                  number: 8080

    - host: foo.bar.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: foo-bar-com
                port:
                  name: http
check_circle
Then 10s The Ingress status shows the IP address or FQDN where it is exposed
check_circle
When 0s I send a GET request to http://baz.bar.foo.com
check_circle
Then 0s the response status-code must be 404
Duration: 20s query_builder
6
Scenario: An Ingress with a wildcard host rule should not route traffic matching no dns label

(No match, wildcard only covers a single DNS label)

check_circle
Given 0s a new random namespace
check_circle
Given 0s a self-signed TLS secret named conformance-tls for the foo.bar.com hostname
check_circle
Given 10s an Ingress resource +Show Parameter 
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: host-rules
spec:
  tls:
    - hosts:
        - foo.bar.com
      secretName: conformance-tls
  rules:
    - host: "*.foo.com"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: wildcard-foo-com
                port:
                  number: 8080

    - host: foo.bar.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: foo-bar-com
                port:
                  name: http
check_circle
Then 10s The Ingress status shows the IP address or FQDN where it is exposed
check_circle
When 0s I send a GET request to http://foo.com
check_circle
Then 0s the response status-code must be 404
Duration: 20s query_builder
6

Kubernetes ingress controller conformance