add istio gateway and virtual service

charts/logprep/templates/gateway.yaml

@@ -0,0 +1,30 @@
+{{- if .Values.ingress.enabled -}}
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+  name: {{ include "logprep.fullname" . }}
+  labels:
+    {{- include "logprep.labels" . | nindent 4 }}
+spec:
+  selector:
+    istio: ingressgateway
+  servers:
+    - hosts:
+        - "*"
+      port:
+        name: http
+        number: 80
+        protocol: HTTP
+      tls:
+        httpsRedirect: true
+    - hosts:
+        - "*"
+      port:
+        name: https
+        number: 443
+        protocol: HTTPS
+      tls:
+        credentialName: {{ .Values.ingress.certificate.name }}
+        mode: SIMPLE
+{{- end}}

charts/logprep/templates/virtual-service.yaml

@@ -0,0 +1,36 @@
+{{- if .Values.ingress.enabled -}}
+{{- if .Values.input -}}
+{{- if eq .Values.input.type "http_input" -}}
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: {{ include "logprep.fullname" . }}
+  labels:
+    {{- include "logprep.labels" . | nindent 4 }}
+spec:
+  gateways:
+    - {{ include "logprep.fullname" . }}-gateway
+  hosts:
+    - {{ .Values.ingress.domain }}
+  http:
+  {{ $logprep_fullname := include "logprep.fullname" .}}
+  {{ $uvicorn_port := .Values.input.uvicorn_config.port }}
+  {{ $response_headers := .Values.ingress.response_headers }}
+  {{ range $key, $value := .Values.input.endpoints }}
+    - match:
+        - uri:
+            regex: {{ $key | quote }}
+      route:
+        - destination:
+            host: {{ $logprep_fullname }}-http-input
+            port:
+              number: {{ $uvicorn_port }}
+          headers:
+            response:
+              set:
+                {{- toYaml $response_headers | nindent 16 }}
+  {{ end }}
+{{- end}}
+{{- end}}
+{{- end}}

charts/logprep/values.yaml

@@ -106,7 +106,23 @@ logger:
 # Note:
 # For the `http_input` endpoints you have to add the endpoint `/health: plaintext` to ensure
 # readiness probes are working.
-input: {}
+input:
+  type: http_input
+  message_backlog_size: 150
+  collect_meta: True
+  metafield_name: "@metadata"
+  uvicorn_config:
+    host: 0.0.0.0
+    port: 9000
+    workers: 2
+    access_log: true
+    server_header: false
+    date_header: false
+  endpoints:
+    /auth-json: json
+    /json: json
+    /lab/123/(ABC|DEF)/pl.*: plaintext
+    /lab/123/ABC/auditlog: jsonl
 
 # The logprep output connector configuration
 # Note: This is only the default output. Additional outputs can be configured in
@@ -151,3 +167,22 @@ configurations:
 #       admin
 #       admin2
 artifacts: []
+
+# The ingress configuration
+# If enabled, an istio based ingress will be deployed. This option is only useful
+# if the logprep configuration has a http_input configured.
+ingress:
+  enabled: true
+  domain: "localhost"
+  certificate:
+    name: "istio-gateway-certificate"
+  response_headers:
+    Cache-Control: no-cache
+    Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; frame-ancestors 'self'; form-action 'self';
+    Cross-Origin-Resource-Policy: same-site
+    Referrer-Policy: strict-origin-when-cross-origin
+    Strict-Transport-Security: max-age=31536000; includeSubdomains
+    Permissions-Policy: geolocation=(), camera=(), microphone=()
+    X-XSS-Protection: 1; mode=block
+    X-Content-Type-Options: nosniff
+    X-Frame-Options: DENY

tests/unit/charts/test_ingress_gateway.py

@@ -0,0 +1,28 @@
+# pylint: disable=missing-docstring
+# pylint: disable=attribute-defined-outside-init
+# pylint: disable=protected-access
+
+
+from tests.unit.charts.test_base import TestBaseChartTest
+
+
+class TestIngressGateway(TestBaseChartTest):
+
+    def test_ingress_gateway_is_rendered(self):
+        logprep_values = {"ingress": {"enabled": True}}
+        self.manifests = self.render_chart("logprep", logprep_values)
+        ingress_gateway = self.manifests.by_query(
+            "kind: Gateway AND apiVersion: networking.istio.io/v1alpha3"
+        )
+        assert ingress_gateway
+        assert len(ingress_gateway) == 1
+        ingress_gateway = ingress_gateway[0]
+        assert ingress_gateway["metadata"]["name"] == "logprep-logprep"
+
+    def test_ingress_gateway_is_not_rendered(self):
+        logprep_values = {"ingress": {"enabled": False}}
+        self.manifests = self.render_chart("logprep", logprep_values)
+        ingress_gateway = self.manifests.by_query(
+            "kind: Gateway AND apiVersion: networking.istio.io/v1alpha3"
+        )
+        assert not ingress_gateway

tests/unit/charts/test_virtual_service.py

@@ -0,0 +1,78 @@
+# pylint: disable=missing-docstring
+# pylint: disable=attribute-defined-outside-init
+# pylint: disable=protected-access
+
+
+from logprep.util.configuration import yaml
+from tests.unit.charts.test_base import TestBaseChartTest
+
+http_input_config = {
+    "type": "http_input",
+    "message_backlog_size": 150,
+    "collect_meta": True,
+    "metafield_name": "@metadata",
+    "uvicorn_config": {
+        "host": "0.0.0.0",
+        "port": 9000,
+        "workers": 2,
+        "access_log": True,
+        "server_header": False,
+        "date_header": False,
+    },
+    "endpoints": {
+        "/auth-json": "json",
+        "/json": "json",
+        "/lab/123/(ABC|DEF)/pl.*": "plaintext",
+        "/lab/123/ABC/auditlog": "jsonl",
+    },
+}
+
+
+class TestIstioVirtualService(TestBaseChartTest):
+
+    def test_virtual_service_is_rendered(self):
+        logprep_values = {"ingress": {"enabled": True}, "input": http_input_config}
+        self.manifests = self.render_chart("logprep", logprep_values)
+        virtual_service = self.manifests.by_query(
+            "kind: VirtualService AND apiVersion: networking.istio.io/v1alpha3"
+        )
+        assert virtual_service
+        assert len(virtual_service) == 1
+        virtual_service = virtual_service[0]
+        assert virtual_service["metadata"]["name"] == "logprep-logprep"
+
+    def test_virtual_service_has_endpoint_routes(self):
+        logprep_values = {"ingress": {"enabled": True}, "input": http_input_config}
+        self.manifests = self.render_chart("logprep", logprep_values)
+        virtual_service = self.manifests.by_query(
+            "kind: VirtualService AND apiVersion: networking.istio.io/v1alpha3"
+        )[0]
+        defined_routes = [
+            route["match"][0]["uri"]["regex"] for route in virtual_service["spec.http"]
+        ]
+        for endpoint in http_input_config["endpoints"]:
+            assert endpoint in defined_routes
+
+    def test_virtual_service_routes_have_response_header(self):
+        logprep_values = {"ingress": {"enabled": True}, "input": http_input_config}
+        self.manifests = self.render_chart("logprep", logprep_values)
+        virtual_service = self.manifests.by_query(
+            "kind: VirtualService AND apiVersion: networking.istio.io/v1alpha3"
+        )[0]
+        response_headers_for_routes = [
+            route["route"][0]["headers"]["response"]["set"]
+            for route in virtual_service["spec.http"]
+        ]
+        expected_headers = {
+            "Cache-Control": "no-cache",
+            "Content-Security-Policy": "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; frame-ancestors 'self'; form-action 'self';",
+            "Cross-Origin-Resource-Policy": "same-site",
+            "Referrer-Policy": "strict-origin-when-cross-origin",
+            "Strict-Transport-Security": "max-age=31536000; includeSubdomains",
+            "Permissions-Policy": "geolocation=(), camera=(), microphone=()",
+            "X-XSS-Protection": "1; mode=block",
+            "X-Content-Type-Options": "nosniff",
+            "X-Frame-Options": "DENY",
+        }
+        for headers in response_headers_for_routes:
+            assert headers == expected_headers