github.com/kiali/kiali@v1.84.0/business/tls.go (about) 1 package business 2 3 import ( 4 "context" 5 6 security_v1beta1 "istio.io/client-go/pkg/apis/security/v1beta1" 7 8 "github.com/kiali/kiali/config" 9 "github.com/kiali/kiali/kubernetes" 10 "github.com/kiali/kiali/kubernetes/cache" 11 "github.com/kiali/kiali/log" 12 "github.com/kiali/kiali/models" 13 "github.com/kiali/kiali/observability" 14 "github.com/kiali/kiali/util/mtls" 15 ) 16 17 type TLSService struct { 18 userClients map[string]kubernetes.ClientInterface 19 kialiCache cache.KialiCache 20 businessLayer *Layer 21 enabledAutoMtls *bool 22 } 23 24 const ( 25 MTLSEnabled = "MTLS_ENABLED" 26 MTLSPartiallyEnabled = "MTLS_PARTIALLY_ENABLED" 27 MTLSNotEnabled = "MTLS_NOT_ENABLED" 28 MTLSDisabled = "MTLS_DISABLED" 29 ) 30 31 func (in *TLSService) MeshWidemTLSStatus(ctx context.Context, namespaces []string, cluster string) (models.MTLSStatus, error) { 32 var end observability.EndFunc 33 ctx, end = observability.StartSpan(ctx, "MeshWidemTLSStatus", 34 observability.Attribute("package", "business"), 35 observability.Attribute("namespaces", namespaces), 36 observability.Attribute("cluster", cluster), 37 ) 38 defer end() 39 40 criteria := IstioConfigCriteria{ 41 IncludeDestinationRules: true, 42 IncludePeerAuthentications: true, 43 } 44 conf := config.Get() 45 46 istioConfigList, err := in.businessLayer.IstioConfig.GetIstioConfigList(ctx, cluster, criteria) 47 if err != nil { 48 return models.MTLSStatus{}, err 49 } 50 51 pas := kubernetes.FilterByNamespace(istioConfigList.PeerAuthentications, conf.ExternalServices.Istio.RootNamespace) 52 drs := kubernetes.FilterByNamespaces(istioConfigList.DestinationRules, namespaces) 53 54 mtlsStatus := mtls.MtlsStatus{ 55 PeerAuthentications: pas, 56 DestinationRules: drs, 57 AutoMtlsEnabled: in.hasAutoMTLSEnabled(cluster), 58 AllowPermissive: false, 59 } 60 61 minTLS, err := in.businessLayer.IstioCerts.GetTlsMinVersion() 62 if err != nil { 63 log.Errorf("Error getting TLS min version: %s ", err) 64 } 65 66 return models.MTLSStatus{ 67 Status: mtlsStatus.MeshMtlsStatus().OverallStatus, 68 AutoMTLSEnabled: mtlsStatus.AutoMtlsEnabled, 69 MinTLS: minTLS, 70 }, nil 71 } 72 73 func (in *TLSService) NamespaceWidemTLSStatus(ctx context.Context, namespace, cluster string) (models.MTLSStatus, error) { 74 var end observability.EndFunc 75 ctx, end = observability.StartSpan(ctx, "NamespaceWidemTLSStatus", 76 observability.Attribute("package", "business"), 77 observability.Attribute("cluster", cluster), 78 observability.Attribute("namespace", namespace), 79 ) 80 defer end() 81 82 nss, err := in.getNamespaces(ctx, cluster) 83 if err != nil { 84 return models.MTLSStatus{}, nil 85 } 86 87 criteria := IstioConfigCriteria{ 88 IncludeDestinationRules: true, 89 IncludePeerAuthentications: true, 90 } 91 92 istioConfigList, err := in.businessLayer.IstioConfig.GetIstioConfigList(ctx, cluster, criteria) 93 if err != nil { 94 return models.MTLSStatus{}, err 95 } 96 97 pas := kubernetes.FilterByNamespace(istioConfigList.PeerAuthentications, namespace) 98 if config.IsRootNamespace(namespace) { 99 pas = []*security_v1beta1.PeerAuthentication{} 100 } 101 drs := kubernetes.FilterByNamespaces(istioConfigList.DestinationRules, nss) 102 103 mtlsStatus := mtls.MtlsStatus{ 104 PeerAuthentications: pas, 105 DestinationRules: drs, 106 AutoMtlsEnabled: in.hasAutoMTLSEnabled(cluster), 107 AllowPermissive: false, 108 } 109 110 return models.MTLSStatus{ 111 Status: mtlsStatus.NamespaceMtlsStatus(namespace).OverallStatus, 112 AutoMTLSEnabled: mtlsStatus.AutoMtlsEnabled, 113 Cluster: cluster, 114 Namespace: namespace, 115 }, nil 116 } 117 118 func (in *TLSService) ClusterWideNSmTLSStatus(ctx context.Context, nss []string, cluster string) ([]models.MTLSStatus, error) { 119 var end observability.EndFunc 120 ctx, end = observability.StartSpan(ctx, "ClusterWideNSmTLSStatus", 121 observability.Attribute("package", "business"), 122 observability.Attribute("cluster", cluster), 123 ) 124 defer end() 125 126 result := []models.MTLSStatus{} 127 128 allNamespaces, err := in.getNamespaces(ctx, cluster) 129 if err != nil { 130 return result, nil 131 } 132 133 criteria := IstioConfigCriteria{ 134 IncludeDestinationRules: true, 135 IncludePeerAuthentications: true, 136 } 137 138 istioConfigList, err := in.businessLayer.IstioConfig.GetIstioConfigList(ctx, cluster, criteria) 139 if err != nil { 140 return result, err 141 } 142 143 drs := kubernetes.FilterByNamespaces(istioConfigList.DestinationRules, allNamespaces) 144 for _, namespace := range nss { 145 pas := kubernetes.FilterByNamespace(istioConfigList.PeerAuthentications, namespace) 146 if config.IsRootNamespace(namespace) { 147 pas = []*security_v1beta1.PeerAuthentication{} 148 } 149 150 mtlsStatus := mtls.MtlsStatus{ 151 PeerAuthentications: pas, 152 DestinationRules: drs, 153 AutoMtlsEnabled: in.hasAutoMTLSEnabled(cluster), 154 AllowPermissive: false, 155 } 156 157 result = append(result, models.MTLSStatus{ 158 Status: mtlsStatus.NamespaceMtlsStatus(namespace).OverallStatus, 159 AutoMTLSEnabled: mtlsStatus.AutoMtlsEnabled, 160 Cluster: cluster, 161 Namespace: namespace, 162 }) 163 } 164 165 return result, nil 166 } 167 168 func (in *TLSService) getNamespaces(ctx context.Context, cluster string) ([]string, error) { 169 nss, nssErr := in.businessLayer.Namespace.GetClusterNamespaces(ctx, cluster) 170 if nssErr != nil { 171 return nil, nssErr 172 } 173 174 nsNames := make([]string, 0) 175 for _, ns := range nss { 176 nsNames = append(nsNames, ns.Name) 177 } 178 return nsNames, nil 179 } 180 181 func (in *TLSService) hasAutoMTLSEnabled(cluster string) bool { 182 if in.enabledAutoMtls != nil { 183 return *in.enabledAutoMtls 184 } 185 186 kubeCache := in.kialiCache.GetKubeCaches()[cluster] 187 if kubeCache == nil { 188 return true 189 } 190 191 cfg := config.Get() 192 istioConfig, err := kubeCache.GetConfigMap(cfg.IstioNamespace, IstioConfigMapName(*cfg, "")) 193 if err != nil { 194 return true 195 } 196 197 mc, err := kubernetes.GetIstioConfigMap(istioConfig) 198 if err != nil { 199 return true 200 } 201 autoMtls := mc.GetEnableAutoMtls() 202 in.enabledAutoMtls = &autoMtls 203 return autoMtls 204 }