package peerauthentications

import (
	security_v1beta "istio.io/client-go/pkg/apis/security/v1beta1"

	"github.com/kiali/kiali/kubernetes"
	"github.com/kiali/kiali/models"
)

// NamespaceMtlsChecker validates a namespace-wide PeerAuthentication against the
// mTLS settings gathered in MTLSDetails (the auto mTLS flag and the DestinationRules).
type NamespaceMtlsChecker struct {
	PeerAuthn   *security_v1beta.PeerAuthentication
	MTLSDetails kubernetes.MTLSDetails
}

// Check verifies that a PeerAuthentication enforcing strict mTLS for its namespace
// is matched by a DestinationRule that also enables mTLS, either for that namespace
// or mesh-wide. It returns the checks produced and true when the resource is valid.
//
// No check is produced (the resource is reported valid) when the PeerAuthentication
// is not in strict mode or when auto mTLS is enabled, because in neither case is a
// DestinationRule required. Otherwise, if no DestinationRule enabling mTLS is found,
// a "peerauthentications.mtls.destinationrulemissing" check on "spec/mtls" is
// returned together with false.
func (t NamespaceMtlsChecker) Check() ([]*models.IstioCheck, bool) {
	checks := make([]*models.IstioCheck, 0)

	switch {
	case !kubernetes.PeerAuthnHasStrictMTLS(t.PeerAuthn):
		// The PeerAuthentication does not enforce mTLS: nothing to validate.
		return checks, true
	case t.MTLSDetails.EnabledAutoMtls:
		// Auto mTLS is on, so the DestinationRules do not need to be inspected.
		return checks, true
	case t.hasMTLSDestinationRule():
		return checks, true
	}

	missing := models.Build("peerauthentications.mtls.destinationrulemissing", "spec/mtls")
	return append(checks, &missing), false
}

// hasMTLSDestinationRule reports whether any DestinationRule in MTLSDetails enables
// mTLS for the PeerAuthentication's namespace or for the whole mesh. Each rule is
// tested for the namespace-wide case first, then for the mesh-wide case.
func (t NamespaceMtlsChecker) hasMTLSDestinationRule() bool {
	for _, rule := range t.MTLSDetails.DestinationRules {
		if nsWide, _ := kubernetes.DestinationRuleHasNamespaceWideMTLSEnabled(t.PeerAuthn.Namespace, rule); nsWide {
			return true
		}
		if meshWide, _ := kubernetes.DestinationRuleHasMeshWideMTLSEnabled(rule); meshWide {
			return true
		}
	}
	return false
}