istio.io/istio@v0.0.0-20240520182934-d79c90f27776/pkg/config/analysis/analyzers/gateway/secret.go

istio.io/istio@v0.0.0-20240520182934-d79c90f27776/pkg/config/analysis/analyzers/gateway/secret.go (about)

     1  // Copyright Istio Authors
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package gateway
    16  
    17  import (
    18  	"fmt"
    19  
    20  	corev1 "k8s.io/api/core/v1"
    21  	"k8s.io/apimachinery/pkg/labels"
    22  
    23  	"istio.io/api/networking/v1alpha3"
    24  	"istio.io/istio/pilot/pkg/credentials/kube"
    25  	"istio.io/istio/pilot/pkg/xds"
    26  	"istio.io/istio/pkg/config"
    27  	"istio.io/istio/pkg/config/analysis"
    28  	"istio.io/istio/pkg/config/analysis/analyzers/util"
    29  	"istio.io/istio/pkg/config/analysis/msg"
    30  	"istio.io/istio/pkg/config/resource"
    31  	"istio.io/istio/pkg/config/schema/gvk"
    32  )
    33  
    34  // SecretAnalyzer checks a gateway's referenced secrets for correctness
    35  type SecretAnalyzer struct{}
    36  
    37  var _ analysis.Analyzer = &SecretAnalyzer{}
    38  
    39  // Metadata implements analysis.Analyzer
    40  func (a *SecretAnalyzer) Metadata() analysis.Metadata {
    41  	return analysis.Metadata{
    42  		Name:        "gateway.SecretAnalyzer",
    43  		Description: "Checks a gateway's referenced secrets for correctness",
    44  		Inputs: []config.GroupVersionKind{
    45  			gvk.Gateway,
    46  			gvk.Pod,
    47  			gvk.Secret,
    48  		},
    49  	}
    50  }
    51  
    52  // Analyze implements analysis.Analyzer
    53  func (a *SecretAnalyzer) Analyze(ctx analysis.Context) {
    54  	ctx.ForEach(gvk.Gateway, func(r *resource.Instance) bool {
    55  		gw := r.Message.(*v1alpha3.Gateway)
    56  
    57  		gwNs := getGatewayNamespace(ctx, gw)
    58  
    59  		// If we can't find a namespace for the gateway, it's because there's no matching selector. Exit early with a different message.
    60  		if gwNs == "" {
    61  
    62  			gwSelector := labels.SelectorFromSet(gw.Selector)
    63  			m := msg.NewReferencedResourceNotFound(r, "selector", labels.SelectorFromSet(gw.Selector).String())
    64  
    65  			label := util.ExtractLabelFromSelectorString(gwSelector.String())
    66  			if line, ok := util.ErrorLine(r, fmt.Sprintf(util.GatewaySelector, label)); ok {
    67  				m.Line = line
    68  			}
    69  
    70  			ctx.Report(gvk.Gateway, m)
    71  			return true
    72  		}
    73  
    74  		for i, srv := range gw.GetServers() {
    75  			tls := srv.GetTls()
    76  			if tls == nil {
    77  				continue
    78  			}
    79  
    80  			cn := tls.GetCredentialName()
    81  			if cn == "" {
    82  				continue
    83  			}
    84  
    85  			secret := ctx.Find(gvk.Secret, resource.NewShortOrFullName(gwNs, cn))
    86  			if secret == nil {
    87  				m := msg.NewReferencedResourceNotFound(r, "credentialName", cn)
    88  
    89  				if line, ok := util.ErrorLine(r, fmt.Sprintf(util.CredentialName, i)); ok {
    90  					m.Line = line
    91  				}
    92  
    93  				ctx.Report(gvk.Gateway, m)
    94  				continue
    95  			}
    96  			if !isValidSecret(secret) {
    97  				m := msg.NewInvalidGatewayCredential(r, r.Metadata.FullName.Name.String(), gwNs.String())
    98  
    99  				if line, ok := util.ErrorLine(r, fmt.Sprintf(util.CredentialName, i)); ok {
   100  					m.Line = line
   101  				}
   102  
   103  				ctx.Report(gvk.Secret, m)
   104  			}
   105  		}
   106  		return true
   107  	})
   108  }
   109  
   110  func isValidSecret(secret *resource.Instance) bool {
   111  	s, ok := secret.Message.(*corev1.Secret)
   112  	if !ok {
   113  		return false
   114  	}
   115  	certs, err := kube.ExtractCertInfo(s)
   116  	if err != nil {
   117  		return false
   118  	}
   119  	if err = xds.ValidateCertificate(certs.Cert); err != nil {
   120  		return false
   121  	}
   122  	return true
   123  }
   124  
   125  // Gets the namespace for the gateway (in terms of the actual workload selected by the gateway, NOT the namespace of the Gateway CRD)
   126  // Assumes that all selected workloads are in the same namespace, if this is not the case which one's namespace gets returned is undefined.
   127  func getGatewayNamespace(ctx analysis.Context, gw *v1alpha3.Gateway) resource.Namespace {
   128  	var ns resource.Namespace
   129  
   130  	gwSelector := labels.SelectorFromSet(gw.Selector)
   131  	ctx.ForEach(gvk.Pod, func(rPod *resource.Instance) bool {
   132  		if gwSelector.Matches(labels.Set(rPod.Metadata.Labels)) {
   133  			ns = rPod.Metadata.FullName.Namespace
   134  			return false
   135  		}
   136  		return true
   137  	})
   138  
   139  	return ns
   140  }