From 49ba53b7b6b6720329d02637b2446721c8acfb7f Mon Sep 17 00:00:00 2001
From: Elvin Efendi
Date: Wed, 11 Dec 2019 13:36:51 -0500
Subject: [PATCH 1/3] regression test for duplicate hsts
---
 test/e2e/framework/deployment.go | 6 ++++++
 test/e2e/settings/tls.go | 12 ++++++++++++
 2 files changed, 18 insertions(+)
diff --git a/test/e2e/framework/deployment.go b/test/e2e/framework/deployment.go
index f9c4aecc12..c1c8c02c08 100644
--- a/test/e2e/framework/deployment.go
+++ b/test/e2e/framework/deployment.go
@@ -127,6 +127,12 @@ Request Body:
 location / {
 lua_need_request_body on;
+ header_filter_by_lua_block {
+ if ngx.var.arg_hsts == "true" then
+ ngx.header["Strict-Transport-Security"] = "max-age=3600; preload"
+ end
+ }
+
 content_by_lua_block {
 ngx.header["Server"] = "echoserver"
diff --git a/test/e2e/settings/tls.go b/test/e2e/settings/tls.go
index ac9930786c..4daa0d544b 100644
--- a/test/e2e/settings/tls.go
+++ b/test/e2e/settings/tls.go
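Review bot: The new `header_filter_by_lua_block` in the echo-server config carries no comment saying why a test fixture emits its own Strict-Transport-Security header, so a later reader may mistake it for a stray copy of the controller's logic. A one-line nginx comment above it, inside the same raw string, would settle that: `# when ?hsts=true, answer with an upstream-set HSTS header so tests can check the controller's value replaces it rather than being sent alongside it`. It is worth adding that `max-age=3600` is chosen to differ from the controller's value so the two can be told apart in assertions. The enclosing `location /` block continues outside the hunk.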
@@ -154,6 +154,18 @@ var _ = framework.IngressNginxDescribe("Settings - TLS)", func() {
 Expect(errs).Should(BeEmpty())
 Expect(resp.StatusCode).Should(Equal(http.StatusOK))
 Expect(resp.Header.Get("Strict-Transport-Security")).Should(Equal("max-age=86400; preload"))
+
+ By("overriding what's set from the upstream")
+
+ // we can not use gorequest here because it flattens the duplicate headers
+ // and specifically in case of Strict-Transport-Security it ignore extra headers
+ // intead of concatenating, rightfully. And I don't know of any API it provides for getting raw headers.
+ curlCmd := fmt.Sprintf("curl -I -k --fail --silent --resolve settings-tls:443:127.0.0.1 https://settings-tls/%v", "?hsts=true")
+ output, err := f.ExecIngressPod(curlCmd)
+ Expect(err).ToNot(HaveOccurred())
+ Expect(output).Should(ContainSubstring("strict-transport-security: max-age=86400; preload"))
+ // this is what the upstream sets
+ Expect(output).ShouldNot(ContainSubstring("strict-transport-security: max-age=3600; preload"))
 })
 It("should not use ports during the HTTP to HTTPS redirection", func() {
From 54918c0ff29aad7c3d10df72e08a6805e838ce6d Mon Sep 17 00:00:00 2001
From: Elvin Efendi
Date: Thu, 12 Dec 2019 13:49:13 -0500
Subject: [PATCH 2/3] fix duplicate hsts bug
---
 rootfs/etc/nginx/lua/lua_ingress.lua | 2 ++
 rootfs/etc/nginx/template/nginx.tmpl | 1 +
 2 files changed, 3 insertions(+)
diff --git a/rootfs/etc/nginx/lua/lua_ingress.lua b/rootfs/etc/nginx/lua/lua_ingress.lua
index 463924792d..f0b8e761c2 100644
--- a/rootfs/etc/nginx/lua/lua_ingress.lua
+++ b/rootfs/etc/nginx/lua/lua_ingress.lua
@@ -142,7 +142,9 @@ function _M.rewrite(location_config)
 ngx_redirect(uri, config.http_redirect_code)
 end
+end
+function _M.header()
 if config.hsts and ngx.var.scheme == "https" and certificate_configured_for_current_request then
 local value = "max-age=" .. config.hsts_max_age
 if config.hsts_include_subdomains then
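Review bot: The two assertions at the end of the hunk show that the upstream's `max-age=3600` value is gone, but not that the header is sent exactly once, which is the regression the patch title names; if the controller's own value were emitted twice the test would still pass. Counting occurrences pins it: `Expect(strings.Count(strings.ToLower(output), "strict-transport-security:")).Should(Equal(1))` next to the existing substring check (adding a `strings` import if the file lacks one). The lowercase `strict-transport-security:` match also silently depends on the header name arriving lowercased, which HTTP/1.1 does not guarantee; matching against `strings.ToLower(output)` removes that dependency. Separately, `fmt.Sprintf("...%v", "?hsts=true")` formats a constant, so the URL reads more directly as a plain literal ending in `https://settings-tls/?hsts=true`. The enclosing It block starts outside the hunk.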
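Review bot: `_M.header` decides whether to send HSTS from `certificate_configured_for_current_request`, which the visible context suggests is an upvalue assigned in `_M.rewrite` rather than per-request state (its declaration is outside the hunk, so please confirm). If that is so, a response whose rewrite phase did not run on this request (an nginx-generated error, a `return` directive) would reach the header filter with the value left by the previous request on the same worker, and HSTS could be sent or withheld on the wrong request; carrying the flag in `ngx.ctx` (set in rewrite, read in header) binds it to the request. The new function also lacks a comment; suggest `-- header runs in header_filter_by_lua so the HSTS value replaces any upstream-sent one instead of being emitted twice`. `_M.rewrite` starts and `_M.header` ends outside the hunk.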
diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index f0a1df16a5..95f72b19a0 100755
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@@ -991,6 +991,7 @@ stream {
 #}
 header_filter_by_lua_block {
+ lua_ingress.header()
 plugins.run()
 }
From 162ecb97e98d3e118caaec4b1b034484e598a602 Mon Sep 17 00:00:00 2001
From: Elvin Efendi
Date: Thu, 12 Dec 2019 13:49:28 -0500
Subject: [PATCH 3/3] misc: improve build scripts
---
 build/dev-env.sh | 3 ++-
 build/run-e2e-suite.sh | 2 ++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/build/dev-env.sh b/build/dev-env.sh
index e535af5c4e..d2e2b41128 100755
--- a/build/dev-env.sh
+++ b/build/dev-env.sh
@@ -36,7 +36,8 @@ DEV_IMAGE=${REGISTRY}/nginx-ingress-controller:${TAG}
 { [ "$(minikube status | grep -c Running)" -ge 2 ] && minikube status | grep -qE ': Configured$|Correctly Configured'; } \
 || minikube start \
 --extra-config=kubelet.sync-frequency=1s \
- --extra-config=apiserver.authorization-mode=RBAC
+ --extra-config=apiserver.authorization-mode=RBAC \
+ --kubernetes-version=v1.15.0
 # shellcheck disable=SC2046
 eval $(minikube docker-env --shell bash)
diff --git a/build/run-e2e-suite.sh b/build/run-e2e-suite.sh
index 4fa19b0f19..3f14d34cda 100755
--- a/build/run-e2e-suite.sh
+++ b/build/run-e2e-suite.sh
@@ -69,6 +69,8 @@ until kubectl get secret | grep -q -e ^ingress-nginx-e2e-token; do \
 sleep 3; \
 done
+echo -e "Starting the e2e test pod"
+
 kubectl run --rm \
 --attach \
 --restart=Never \
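Review bot: The added `lua_ingress.header()` call has no comment explaining why HSTS is now set in the header filter phase, and the reason is not recoverable from the line itself (presumably a header assigned in the rewrite phase ends up next to the one the upstream sends, which is the duplicate the series fixes). Suggest `# set HSTS here, once upstream response headers are in, so the controller's value replaces any upstream-sent one instead of appearing twice`. Its position before `plugins.run()` also means a plugin's header filter can overwrite the controller's HSTS value; if that is intended it deserves a word in the same comment, otherwise swap the two lines. The server block that owns this `header_filter_by_lua_block` starts outside the hunk.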
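Review bot: The new `echo -e "Starting the e2e test pod"` has nothing for `-e` to interpret, since the message contains no escape sequences, and `-e` is not portable across shells (a POSIX `sh` echo may print it literally). A plain `echo "Starting the e2e test pod"` is sufficient. Whether the portability point applies depends on the script's shebang, which is outside the hunk.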