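package destinationrules

import (
	"testing"

	"github.com/stretchr/testify/assert"
	networking_v1beta1 "istio.io/client-go/pkg/apis/networking/v1beta1"
	security_v1beta1 "istio.io/client-go/pkg/apis/security/v1beta1"

	"github.com/kiali/kiali/kubernetes"
	"github.com/kiali/kiali/models"
	"github.com/kiali/kiali/tests/data"
	"github.com/kiali/kiali/tests/testutils/validations"
)

// These tests exercise MeshWideMTLSChecker. The scenario that must produce a
// validation is a DestinationRule that applies the test data's mTLS traffic
// policy to the mesh-wide host "*.local" while MTLSDetails carries no mesh
// PeerAuthentication at all: the checker is expected to report an error at
// spec/trafficPolicy/tls/mode with the message key
// "destinationrules.mtls.meshpolicymissing". Every other combination covered
// here (a mesh PeerAuthentication in STRICT or PERMISSIVE mode, a
// namespace-wide host, or a DestinationRule without the mTLS policy) is
// expected to pass clean.

// newMTLSDestinationRule builds a DestinationRule named "dr-mtls" in
// istio-system that applies the test data's mTLS traffic policy to host.
func newMTLSDestinationRule(host string) *networking_v1beta1.DestinationRule {
	return data.AddTrafficPolicyToDestinationRule(
		data.CreateMTLSTrafficPolicyForDestinationRules(),
		data.CreateEmptyDestinationRule("istio-system", "dr-mtls", host),
	)
}

// meshPeerAuthDetails returns MTLSDetails holding a single mesh
// PeerAuthentication named "default" whose mTLS mode is the given string
// (the tests use "STRICT" and "PERMISSIVE").
func meshPeerAuthDetails(mode string) kubernetes.MTLSDetails {
	return kubernetes.MTLSDetails{
		MeshPeerAuthentications: []*security_v1beta1.PeerAuthentication{
			data.CreateEmptyMeshPeerAuthentication("default", data.CreateMTLS(mode)),
		},
	}
}

// emptyMeshPeerAuthDetails returns MTLSDetails with no mesh PeerAuthentication.
func emptyMeshPeerAuthDetails() kubernetes.MTLSDetails {
	return kubernetes.MTLSDetails{
		MeshPeerAuthentications: []*security_v1beta1.PeerAuthentication{},
	}
}

// Context: DestinationRule enables mesh-wide mTLS
// Context: There is no MeshPolicy
// It returns a validation
func TestMTLSMeshWideDREnabledWithNoMeshPolicy(t *testing.T) {
	testReturnsAValidation(t, newMTLSDestinationRule("*.local"), emptyMeshPeerAuthDetails())
}

// Context: DestinationRule enables mesh-wide mTLS
// Context: There is one MeshPolicy in PERMISSIVE mode
// It doesn't return any validation
func TestMTLSMeshWideDREnabledWithMeshPolicyDisabled(t *testing.T) {
	testNoValidationsFound(t, newMTLSDestinationRule("*.local"), meshPeerAuthDetails("PERMISSIVE"))
}

// Context: DestinationRule enables mesh-wide mTLS
// Context: There is one MeshPolicy enabling mTLS in STRICT mode
// It doesn't return any validation
func TestMTLSMeshWideDREnabledWithMeshPolicy(t *testing.T) {
	testNoValidationsFound(t, newMTLSDestinationRule("*.local"), meshPeerAuthDetails("STRICT"))
}

// Context: DestinationRule enables namespace-wide mTLS
// Context: There is one MeshPolicy enabling mTLS in STRICT mode
// It doesn't return any validation
func TestMTLSNamespaceWideDREnabledWithMeshPolicy(t *testing.T) {
	testNoValidationsFound(t, newMTLSDestinationRule("*.istio-system.svc.cluster.local"), meshPeerAuthDetails("STRICT"))
}

// Context: DestinationRule enables namespace-wide mTLS
// Context: There is one MeshPolicy enabling mTLS in PERMISSIVE mode
// It doesn't return any validation
func TestMTLSNamespaceWideDREnabledWithMeshPolicyDisabled(t *testing.T) {
	testNoValidationsFound(t, newMTLSDestinationRule("*.istio-system.svc.cluster.local"), meshPeerAuthDetails("PERMISSIVE"))
}

// Context: DestinationRule not enabling mTLS
// Context: There is one MeshPolicy enabling mTLS
// It doesn't return any validation
func TestMTLSDRDisabledWithMeshPolicy(t *testing.T) {
	destinationRule := data.CreateEmptyDestinationRule("istio-system", "dr-mtls", "*.istio-system.svc.cluster.local")

	testNoValidationsFound(t, destinationRule, meshPeerAuthDetails("STRICT"))
}

// Context: DestinationRule not enabling mTLS
// Context: There is one MeshPolicy not enabling mTLS
// It doesn't return any validation
func TestMTLSDRDisabledWithMeshPolicyDisabled(t *testing.T) {
	destinationRule := data.CreateEmptyDestinationRule("istio-system", "dr-mtls", "*.istio-system.svc.cluster.local")

	testNoValidationsFound(t, destinationRule, meshPeerAuthDetails("PERMISSIVE"))
}

// testReturnsAValidation runs MeshWideMTLSChecker on destinationRule and
// mTLSDetails and asserts that the result is invalid with exactly one
// error-severity validation at spec/trafficPolicy/tls/mode carrying the
// destinationrules.mtls.meshpolicymissing message.
func testReturnsAValidation(t *testing.T, destinationRule *networking_v1beta1.DestinationRule, mTLSDetails kubernetes.MTLSDetails) {
	t.Helper()
	assert := assert.New(t)

	vals, valid := MeshWideMTLSChecker{
		DestinationRule: destinationRule,
		MTLSDetails:     mTLSDetails,
	}.Check()

	assert.False(valid)
	// assert (unlike require) keeps running after a failed check; bail out
	// here so a missing validation is reported as a failure instead of an
	// index-out-of-range panic on vals[0] below.
	if !assert.Len(vals, 1) {
		return
	}

	validation := vals[0]
	if !assert.NotNil(validation) {
		return
	}
	assert.Equal(models.ErrorSeverity, validation.Severity)
	assert.Equal("spec/trafficPolicy/tls/mode", validation.Path)
	assert.NoError(validations.ConfirmIstioCheckMessage("destinationrules.mtls.meshpolicymissing", validation))
}

// testNoValidationsFound runs MeshWideMTLSChecker on destinationRule and
// mTLSDetails and asserts that it reports the object valid with no
// validations at all.
func testNoValidationsFound(t *testing.T, destinationRule *networking_v1beta1.DestinationRule, mTLSDetails kubernetes.MTLSDetails) {
	t.Helper()
	assert := assert.New(t)

	// Named vals (not validations) so the imported validations package is
	// not shadowed inside this helper.
	vals, valid := MeshWideMTLSChecker{
		DestinationRule: destinationRule,
		MTLSDetails:     mTLSDetails,
	}.Check()

	assert.Empty(vals)
	assert.True(valid)
}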