package peerauthentications

import (
	networking_v1beta1 "istio.io/client-go/pkg/apis/networking/v1beta1"
	security_v1beta "istio.io/client-go/pkg/apis/security/v1beta1"

	"github.com/kiali/kiali/kubernetes"
	"github.com/kiali/kiali/models"
)

// DisabledNamespaceWideChecker validates a PeerAuthentication whose mTLS mode is
// DISABLE against the DestinationRules paired with it. A DestinationRule that keeps
// enforcing mTLS (ISTIO_MUTUAL or MUTUAL) towards the same namespace, or mesh-wide,
// conflicts with the disabled server-side policy and is reported as a validation error.
type DisabledNamespaceWideChecker struct {
	PeerAuthn        *security_v1beta.PeerAuthentication
	DestinationRules []*networking_v1beta1.DestinationRule
}

// disabledDRMissingCheck builds the IstioCheck reported when no DestinationRule
// disables mTLS to match a PeerAuthentication in DISABLE mode.
func disabledDRMissingCheck() *models.IstioCheck {
	check := models.Build("peerauthentications.mtls.disabledestinationrulemissing", "spec/mtls")
	return &check
}

// Check returns the validations raised for the PeerAuthentication and whether
// the object is considered valid (true when no check is raised).
//
// Rules applied, in order:
//   - a PeerAuthentication whose mode is not DISABLE is out of scope and valid;
//   - a namespace-wide DestinationRule enforcing mTLS is a conflict;
//   - a namespace-wide DestinationRule in DISABLE mode settles the case as valid,
//     regardless of any mesh-wide rule seen before it;
//   - otherwise, a mesh-wide DestinationRule enforcing mTLS is a conflict.
func (c DisabledNamespaceWideChecker) Check() ([]*models.IstioCheck, bool) {
	validations := make([]*models.IstioCheck, 0)

	// Only a PeerAuthentication that turns mTLS off is subject to this checker.
	if _, paMode := kubernetes.PeerAuthnHasMTLSEnabled(c.PeerAuthn); paMode != "DISABLE" {
		return validations, true
	}

	meshEnabledDR := false
	for _, dr := range c.DestinationRules {
		_, nsMode := kubernetes.DestinationRuleHasNamespaceWideMTLSEnabled(c.PeerAuthn.Namespace, dr)
		switch nsMode {
		case "ISTIO_MUTUAL", "MUTUAL":
			// Clients in this namespace would keep initiating mTLS toward a policy
			// that disabled it: report the conflict immediately.
			return append(validations, disabledDRMissingCheck()), false
		case "DISABLE":
			// The namespace-wide rule takes precedence over any mesh-wide rule, so the
			// remaining DestinationRules do not need to be inspected.
			return validations, true
		}

		// Remember a mesh-wide rule enforcing mTLS; it only matters when no
		// namespace-wide DISABLE rule is found in the rest of the list.
		if _, meshMode := kubernetes.DestinationRuleHasMeshWideMTLSEnabled(dr); meshMode == "ISTIO_MUTUAL" || meshMode == "MUTUAL" {
			meshEnabledDR = true
		}
	}

	if meshEnabledDR {
		return append(validations, disabledDRMissingCheck()), false
	}

	return validations, true
}