add istio gateway and virtual service
Showing
5 changed files
with
208 additions
and
1 deletion.
@@ -0,0 +1,30 @@ | ||
{{- if .Values.ingress.enabled -}} | ||
--- | ||
apiVersion: networking.istio.io/v1alpha3 | ||
kind: Gateway | ||
metadata: | ||
name: {{ include "logprep.fullname" . }} | ||
labels: | ||
{{- include "logprep.labels" . | nindent 4 }} | ||
spec: | ||
selector: | ||
istio: ingressgateway | ||
servers: | ||
- hosts: | ||
- "*" | ||
port: | ||
name: http | ||
number: 80 | ||
protocol: HTTP | ||
tls: | ||
httpsRedirect: true | ||
- hosts: | ||
- "*" | ||
port: | ||
name: https | ||
number: 443 | ||
protocol: HTTPS | ||
tls: | ||
credentialName: {{ .Values.ingress.certificate.name }} | ||
mode: SIMPLE | ||
{{- end}} |
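Review bot: Both `servers` entries match `hosts: - "*"`, so this Gateway claims ports 80 and 443 on the shared `istio: ingressgateway` workload for every hostname and presents the `credentialName` certificate for any SNI, while the VirtualService in this commit only routes `.Values.ingress.domain`. Restricting both entries to `- {{ .Values.ingress.domain | quote }}` keeps the listener scoped to the one host the chart owns and avoids host conflicts with other Gateways bound to the same ingress gateway. The HTTPS server also sets no `minProtocolVersion`; adding `minProtocolVersion: TLSV1_2` under `tls:` would pin the protocol floor instead of relying on the mesh default. Whether `ingress.certificate.name` has a default is not visible on this page; if it does not, wrapping it in `required` would fail the render with a clear message rather than emit an empty `credentialName`.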
@@ -0,0 +1,36 @@ | ||
{{- if .Values.ingress.enabled -}} | ||
{{- if .Values.input -}} | ||
{{- if eq .Values.input.type "http_input" -}} | ||
--- | ||
apiVersion: networking.istio.io/v1alpha3 | ||
kind: VirtualService | ||
metadata: | ||
name: {{ include "logprep.fullname" . }} | ||
labels: | ||
{{- include "logprep.labels" . | nindent 4 }} | ||
spec: | ||
gateways: | ||
- {{ include "logprep.fullname" . }}-gateway | ||
hosts: | ||
- {{ .Values.ingress.domain }} | ||
http: | ||
{{ $logprep_fullname := include "logprep.fullname" .}} | ||
{{ $uvicorn_port := .Values.input.uvicorn_config.port }} | ||
{{ $response_headers := .Values.ingress.response_headers }} | ||
{{ range $key, $value := .Values.input.endpoints }} | ||
- match: | ||
- uri: | ||
regex: {{ $key | quote }} | ||
route: | ||
- destination: | ||
host: {{ $logprep_fullname }}-http-input | ||
port: | ||
number: {{ $uvicorn_port }} | ||
headers: | ||
response: | ||
set: | ||
{{- toYaml $response_headers | nindent 16 }} | ||
{{ end }} | ||
{{- end}} | ||
{{- end}} | ||
{{- end}} |
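Review bot: `spec.gateways` references `{{ include "logprep.fullname" . }}-gateway`, but the Gateway template added in this commit sets `metadata.name` to `{{ include "logprep.fullname" . }}` with no suffix (its test asserts `logprep-logprep`), so the VirtualService appears to bind to a gateway that is never rendered and its routes would not attach to the ingress listener. Either drop the suffix here, `- {{ include "logprep.fullname" . }}`, or rename the Gateway to match. Separately, `hosts` is rendered unquoted and the tests render the chart without setting `ingress.domain`; unless a default exists in values that are not shown on this page, `- {{ required "ingress.domain is required" .Values.ingress.domain | quote }}` would make that dependency explicit.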
@@ -0,0 +1,28 @@ | ||
# pylint: disable=missing-docstring | ||
# pylint: disable=attribute-defined-outside-init | ||
# pylint: disable=protected-access | ||
|
||
|
||
from tests.unit.charts.test_base import TestBaseChartTest | ||
|
||
|
||
class TestIngressGateway(TestBaseChartTest): | ||
|
||
def test_ingress_gateway_is_rendered(self): | ||
logprep_values = {"ingress": {"enabled": True}} | ||
self.manifests = self.render_chart("logprep", logprep_values) | ||
ingress_gateway = self.manifests.by_query( | ||
"kind: Gateway AND apiVersion: networking.istio.io/v1alpha3" | ||
) | ||
assert ingress_gateway | ||
assert len(ingress_gateway) == 1 | ||
ingress_gateway = ingress_gateway[0] | ||
assert ingress_gateway["metadata"]["name"] == "logprep-logprep" | ||
|
||
def test_ingress_gateway_is_not_rendered(self): | ||
logprep_values = {"ingress": {"enabled": False}} | ||
self.manifests = self.render_chart("logprep", logprep_values) | ||
ingress_gateway = self.manifests.by_query( | ||
"kind: Gateway AND apiVersion: networking.istio.io/v1alpha3" | ||
) | ||
assert not ingress_gateway |
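Review bot: `test_ingress_gateway_is_rendered` pins only the resource name, so nothing fails if a later template edit drops `httpsRedirect: true` on the port-80 server or changes the TLS `mode` on 443, which are the security-relevant parts of this manifest. A further test that reads the servers would cover that, for example `assert ingress_gateway["spec"]["servers"][0]["tls"]["httpsRedirect"] is True` and `assert ingress_gateway["spec"]["servers"][1]["tls"]["mode"] == "SIMPLE"`. The nested lookup assumes the manifest object supports it as it does for `["metadata"]["name"]`; the sibling VirtualService test uses the dotted form `["spec.http"]`, so use whichever the helper supports.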
@@ -0,0 +1,78 @@ | ||
# pylint: disable=missing-docstring | ||
# pylint: disable=attribute-defined-outside-init | ||
# pylint: disable=protected-access | ||
|
||
|
||
from logprep.util.configuration import yaml | ||
from tests.unit.charts.test_base import TestBaseChartTest | ||
|
||
http_input_config = { | ||
"type": "http_input", | ||
"message_backlog_size": 150, | ||
"collect_meta": True, | ||
"metafield_name": "@metadata", | ||
"uvicorn_config": { | ||
"host": "0.0.0.0", | ||
"port": 9000, | ||
"workers": 2, | ||
"access_log": True, | ||
"server_header": False, | ||
"date_header": False, | ||
}, | ||
"endpoints": { | ||
"/auth-json": "json", | ||
"/json": "json", | ||
"/lab/123/(ABC|DEF)/pl.*": "plaintext", | ||
"/lab/123/ABC/auditlog": "jsonl", | ||
}, | ||
} | ||
|
||
|
||
class TestIstioVirtualService(TestBaseChartTest): | ||
|
||
def test_virtual_service_is_rendered(self): | ||
logprep_values = {"ingress": {"enabled": True}, "input": http_input_config} | ||
self.manifests = self.render_chart("logprep", logprep_values) | ||
virtual_service = self.manifests.by_query( | ||
"kind: VirtualService AND apiVersion: networking.istio.io/v1alpha3" | ||
) | ||
assert virtual_service | ||
assert len(virtual_service) == 1 | ||
virtual_service = virtual_service[0] | ||
assert virtual_service["metadata"]["name"] == "logprep-logprep" | ||
|
||
def test_virtual_service_has_endpoint_routes(self): | ||
logprep_values = {"ingress": {"enabled": True}, "input": http_input_config} | ||
self.manifests = self.render_chart("logprep", logprep_values) | ||
virtual_service = self.manifests.by_query( | ||
"kind: VirtualService AND apiVersion: networking.istio.io/v1alpha3" | ||
)[0] | ||
defined_routes = [ | ||
route["match"][0]["uri"]["regex"] for route in virtual_service["spec.http"] | ||
] | ||
for endpoint in http_input_config["endpoints"]: | ||
assert endpoint in defined_routes | ||
|
||
def test_virtual_service_routes_have_response_header(self): | ||
logprep_values = {"ingress": {"enabled": True}, "input": http_input_config} | ||
self.manifests = self.render_chart("logprep", logprep_values) | ||
virtual_service = self.manifests.by_query( | ||
"kind: VirtualService AND apiVersion: networking.istio.io/v1alpha3" | ||
)[0] | ||
response_headers_for_routes = [ | ||
route["route"][0]["headers"]["response"]["set"] | ||
for route in virtual_service["spec.http"] | ||
] | ||
expected_headers = { | ||
"Cache-Control": "no-cache", | ||
"Content-Security-Policy": "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; frame-ancestors 'self'; form-action 'self';", | ||
"Cross-Origin-Resource-Policy": "same-site", | ||
"Referrer-Policy": "strict-origin-when-cross-origin", | ||
"Strict-Transport-Security": "max-age=31536000; includeSubdomains", | ||
"Permissions-Policy": "geolocation=(), camera=(), microphone=()", | ||
"X-XSS-Protection": "1; mode=block", | ||
"X-Content-Type-Options": "nosniff", | ||
"X-Frame-Options": "DENY", | ||
} | ||
for headers in response_headers_for_routes: | ||
assert headers == expected_headers |
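Review bot: None of the three tests asserts `spec.gateways` or `spec.hosts`, so the binding between this VirtualService and the rendered Gateway is unchecked; a test that queries both and asserts `virtual_service["spec.gateways"] == [gateway["metadata"]["name"]]` would catch a gateway name that does not resolve. The template's other guards are also uncovered: there is no case for `ingress.enabled: False` or for an input whose `type` is not `http_input`, where `assert not virtual_service` is the expected result. In `test_virtual_service_has_endpoint_routes`, comparing `sorted(defined_routes)` with `sorted(http_input_config["endpoints"])` would additionally reject unexpected extra routes, which the current membership loop lets through.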