// Source: github.com/kiali/kiali@v1.84.0/business/checkers/peerauthentications/mesh_mtls_checker.go

package peerauthentications

import (
	security_v1beta "istio.io/client-go/pkg/apis/security/v1beta1"

	"github.com/kiali/kiali/kubernetes"
	"github.com/kiali/kiali/models"
)

// MeshMtlsChecker carries the inputs for the mesh-wide mTLS validation.
// It is meant to be run against MeshPolicy resources; here that resource is
// represented by a PeerAuthentication object.
type MeshMtlsChecker struct {
	// MeshPolicy is the PeerAuthentication whose mTLS mode is inspected.
	MeshPolicy *security_v1beta.PeerAuthentication
	// MTLSDetails supplies the auto-mTLS flag and the DestinationRules that
	// Check consults.
	MTLSDetails kubernetes.MTLSDetails
	// IsServiceMesh is not read by Check in this file.
	IsServiceMesh bool
}

// Check reports whether the mesh-wide mTLS configuration is consistent.
//
// It returns an empty (non-nil) slice and true when any of the following
// holds, tested in this order:
//   - MeshPolicy does not have mTLS in strict mode,
//   - auto mTLS is enabled in MTLSDetails,
//   - at least one DestinationRule enables mTLS mesh-wide.
//
// Otherwise it returns a single "peerauthentication.mtls.destinationrulemissing"
// check on path "spec/mtls" together with false.
//
// NOTE(review): the finding presumably exists because, with strict server-side
// mTLS and no auto mTLS, clients need a DestinationRule to originate mTLS —
// confirm against the Istio documentation for the deployed version.
func (c MeshMtlsChecker) Check() ([]*models.IstioCheck, bool) {
	checks := []*models.IstioCheck{}

	switch {
	case !kubernetes.PeerAuthnHasStrictMTLS(c.MeshPolicy):
		// Not strict: nothing to validate, so no finding is produced.
		// How a nil MeshPolicy is treated depends on the helper, which is
		// not visible here.
		return checks, true
	case c.MTLSDetails.EnabledAutoMtls:
		// Auto mTLS makes the DestinationRule lookup unnecessary.
		return checks, true
	}

	// Strict mode without auto mTLS: look for a DestinationRule that turns
	// mTLS on for the whole mesh.
	for _, rule := range c.MTLSDetails.DestinationRules {
		// The helper's second return value is discarded, as in the original;
		// its meaning is not visible in this file.
		meshWide, _ := kubernetes.DestinationRuleHasMeshWideMTLSEnabled(rule)
		if meshWide {
			return checks, true
		}
	}

	// No matching DestinationRule was found: report it against spec/mtls.
	missing := models.Build("peerauthentication.mtls.destinationrulemissing", "spec/mtls")
	return append(checks, &missing), false
}