istio.io/istio@v0.0.0-20240520182934-d79c90f27776/pkg/config/analysis/analyzers/destinationrule/ca-certificates.go (about)

     1  // Copyright Istio Authors
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package destinationrule
    16  
    17  import (
    18  	"fmt"
    19  
    20  	"istio.io/api/networking/v1alpha3"
    21  	"istio.io/istio/pkg/config"
    22  	"istio.io/istio/pkg/config/analysis"
    23  	"istio.io/istio/pkg/config/analysis/analyzers/util"
    24  	"istio.io/istio/pkg/config/analysis/msg"
    25  	"istio.io/istio/pkg/config/resource"
    26  	"istio.io/istio/pkg/config/schema/gvk"
    27  )
    28  
// CaCertificateAnalyzer flags DestinationRules whose client TLS settings use
// mode SIMPLE or MUTUAL without a caCertificates bundle — configurations in
// which the analyzer cannot show that the upstream server certificate is
// verified against an explicit trust anchor. The type carries no state; its
// zero value is ready to use.
type CaCertificateAnalyzer struct{}

// Compile-time proof that *CaCertificateAnalyzer satisfies analysis.Analyzer.
var _ analysis.Analyzer = (*CaCertificateAnalyzer)(nil)
    33  
// Metadata identifies this analyzer to the framework and declares that it
// consumes DestinationRule resources only.
func (c *CaCertificateAnalyzer) Metadata() analysis.Metadata {
	inputs := []config.GroupVersionKind{gvk.DestinationRule}
	return analysis.Metadata{
		Name:        "destinationrule.CaCertificateAnalyzer",
		Description: "Checks if caCertificates is set when TLS mode is SIMPLE/MUTUAL",
		Inputs:      inputs,
	}
}
    43  
// Analyze runs the CA-certificate check over every DestinationRule visible to
// ctx. The visitor always returns true, so one rule's findings never stop the
// walk over the remaining rules.
func (c *CaCertificateAnalyzer) Analyze(ctx analysis.Context) {
	visit := func(r *resource.Instance) bool {
		c.analyzeDestinationRule(r, ctx)
		return true // keep iterating
	}
	ctx.ForEach(gvk.DestinationRule, visit)
}
    50  
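// analyzeDestinationRule reports a NoServerCertificateVerification message for
// every TLS block in the rule whose mode is SIMPLE or MUTUAL but whose
// caCertificates field is empty. The destination-level trafficPolicy.tls and
// each portLevelSettings[i].tls are inspected independently, so a single rule
// may produce several messages (one destination-level, one per offending port).
//
// Why it matters: in SIMPLE/MUTUAL mode the sidecar originates TLS to the
// upstream, and caCertificates is the trust anchor the server certificate is
// checked against. Without it this analyzer cannot show that server identity
// is verified, which is the precondition for an on-path attacker to
// impersonate the upstream. DISABLE and ISTIO_MUTUAL are never flagged.
//
// NOTE(review): only Mode and CaCertificates are consulted. Whether an empty
// caCertificates means "no verification" or "fall back to a system trust
// store", and whether other ClientTLSSettings fields (insecureSkipVerify /
// credentialName, if this API version has them) change that, is decided by
// the proxy configuration, not here — confirm for the deployed Istio version
// before treating the absence of a report as proof of verification.
//
// Parameters:
//   r   - the DestinationRule instance; r.Message must be *v1alpha3.DestinationRule.
//   ctx - the analysis context that receives reported messages.
func (c *CaCertificateAnalyzer) analyzeDestinationRule(r *resource.Instance, ctx analysis.Context) {
	// Analyze only feeds this function through ForEach(gvk.DestinationRule, …),
	// so the unchecked assertion follows the convention of the other analyzers.
	dr := r.Message.(*v1alpha3.DestinationRule)
	drNs := r.Metadata.FullName.Namespace.String()
	drName := r.Metadata.FullName.String()
	host := dr.GetHost()

	// Destination-level TLS. The protobuf getters are nil-safe, so a rule with
	// no trafficPolicy or no tls yields the zero-value mode, which is neither
	// SIMPLE nor MUTUAL and is therefore skipped.
	if tls := dr.GetTrafficPolicy().GetTls(); lacksCaCertificates(tls) {
		m := msg.NewNoServerCertificateVerificationDestinationLevel(r, drName,
			drNs, tls.GetMode().String(), host)
		// The destination-level JSONPath carries no format verbs, so it is
		// passed as-is; the previous fmt.Sprintf with no arguments was a no-op
		// (and is the kind of call vet's printf check complains about).
		if line, ok := util.ErrorLine(r, util.DestinationRuleTLSCert); ok {
			m.Line = line
		}
		ctx.Report(gvk.DestinationRule, m)
	}

	// Port-level overrides are checked on their own: a port that declares its
	// own tls block must also declare its own CA bundle, regardless of what
	// the destination-level block contains.
	for i, p := range dr.GetTrafficPolicy().GetPortLevelSettings() {
		tls := p.GetTls()
		if !lacksCaCertificates(tls) {
			continue
		}
		m := msg.NewNoServerCertificateVerificationPortLevel(r, drName,
			drNs, tls.GetMode().String(), host, p.GetPort().String())
		// This path does take the port index, so formatting is needed here.
		if line, ok := util.ErrorLine(r, fmt.Sprintf(util.DestinationRuleTLSPortLevelCert, i)); ok {
			m.Line = line
		}
		ctx.Report(gvk.DestinationRule, m)
	}
}

// lacksCaCertificates reports whether tls selects a TLS-originating mode
// (SIMPLE or MUTUAL) without naming a caCertificates bundle. A nil tls is
// handled by the nil-safe getters and is never flagged.
func lacksCaCertificates(tls *v1alpha3.ClientTLSSettings) bool {
	switch tls.GetMode() {
	case v1alpha3.ClientTLSSettings_SIMPLE, v1alpha3.ClientTLSSettings_MUTUAL:
		return tls.GetCaCertificates() == ""
	default:
		return false
	}
}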