Example #1
def test_scenario29(kiali_client, openshift_client, browser):
    """Mesh-wide mTLS is enabled, then switched off again for one namespace.

    Mesh level: PeerAuthentication + DestinationRule enable mTLS.
    Namespace level (bookinfo): PeerAuthentication + DestinationRule
    disable it.

    None of the four objects is expected to carry a validation message.
    The opt-out is visible only in the TLS state: the mesh and
    istio-system are expected to report ENABLED while bookinfo reports
    DISABLED, so a clean validation result alone does not show that the
    namespace is excluded from mTLS.
    """
    runner = ValidationsTest(kiali_client=kiali_client,
                             openshift_client=openshift_client,
                             browser=browser,
                             objects_path=istio_objects_mtls_path.strpath)

    # (kind, name, namespace) of each object that must validate cleanly.
    clean_objects = (
        ('DestinationRule', 'enable-mesh-mtls', ISTIO_SYSTEM),
        ('DestinationRule', 'bookinfo-disable-mtls', BOOKINFO),
        ('PeerAuthentication', 'disable-mtls-bookinfo', BOOKINFO),
        ('PeerAuthentication', 'mtls-mesh', ISTIO_SYSTEM),
    )
    expected_validations = [
        ConfigValidationObject(kind, name, namespace=ns, error_messages=[])
        for kind, name, ns in clean_objects
    ]

    # Per-namespace TLS state expected once the objects are applied.
    expected_namespace_tls = [
        NamespaceTLSObject(ns, state)
        for ns, state in (
            ('bookinfo', MeshWideTLSType.DISABLED),
            ('istio-system', MeshWideTLSType.ENABLED),
        )
    ]

    runner.test_istio_objects(SCENARIO_29,
                              config_validation_objects=expected_validations,
                              tls_type=MeshWideTLSType.ENABLED,
                              namespace_tls_objects=expected_namespace_tls)
Example #2
def test_scenario27(kiali_client, openshift_client, browser):
    """Mesh-level PeerAuthentication is PERMISSIVE; Grafana is UNSET with
    mTLS set to DISABLE at port level.

    All three objects are expected to validate without messages. The
    mesh-wide state is expected to be PARTLY_ENABLED and every listed
    namespace DISABLED.
    """
    runner = ValidationsTest(kiali_client=kiali_client,
                             openshift_client=openshift_client,
                             browser=browser,
                             objects_path=istio_objects_mtls_path.strpath)

    # (kind, name, namespace) of each object that must validate cleanly.
    clean_objects = (
        ('DestinationRule', 'enable-mesh-mtls', BOOKINFO),
        ('PeerAuthentication', 'permissive-mesh-mtls', ISTIO_SYSTEM),
        ('PeerAuthentication', 'grafana-unset-ports-mtls-disabled',
         ISTIO_SYSTEM),
    )
    expected_validations = [
        ConfigValidationObject(kind, name, namespace=ns, error_messages=[])
        for kind, name, ns in clean_objects
    ]

    # Every namespace in this scenario is expected to show DISABLED.
    expected_namespace_tls = [
        NamespaceTLSObject(ns, MeshWideTLSType.DISABLED)
        for ns in ('bookinfo', 'istio-system', 'default')
    ]

    runner.test_istio_objects(SCENARIO_27,
                              config_validation_objects=expected_validations,
                              tls_type=MeshWideTLSType.PARTLY_ENABLED,
                              namespace_tls_objects=expected_namespace_tls)
Example #3
def test_scenario24(kiali_client, openshift_client, browser):
    """DestinationRule disables mTLS at mesh level.

    The DestinationRule is expected to be flagged with KIA0208 and the
    mesh PeerAuthentication with KIA0401. The mesh-wide state is expected
    to be PARTLY_ENABLED, with every listed namespace DISABLED.
    """
    runner = ValidationsTest(kiali_client=kiali_client,
                             openshift_client=openshift_client,
                             browser=browser,
                             objects_path=istio_objects_mtls_path.strpath)

    # Both objects share a name but live in different namespaces and
    # are expected to carry different validation codes.
    destination_rule = ConfigValidationObject('DestinationRule',
                                              'disable-mesh-mtls',
                                              namespace=BOOKINFO,
                                              error_messages=[KIA0208])
    peer_authentication = ConfigValidationObject('PeerAuthentication',
                                                 'disable-mesh-mtls',
                                                 namespace=ISTIO_SYSTEM,
                                                 error_messages=[KIA0401])

    expected_namespace_tls = [
        NamespaceTLSObject(ns, MeshWideTLSType.DISABLED)
        for ns in ('bookinfo', 'istio-system', 'default')
    ]

    runner.test_istio_objects(
        SCENARIO_24,
        config_validation_objects=[destination_rule, peer_authentication],
        tls_type=MeshWideTLSType.PARTLY_ENABLED,
        namespace_tls_objects=expected_namespace_tls)
Example #4
def test_scenario2(kiali_client, openshift_client, browser):
    """PeerAuthentication requires mTLS, DestinationRule turns it off.

    The PeerAuthentication explicitly asks for mTLS connections while the
    DestinationRule disables mTLS for workload connections. Both objects
    are expected to be flagged: KIA0207 on the DestinationRule and
    KIA0501 on the PeerAuthentication. The mesh is expected to report
    DISABLED and bookinfo PARTLY_ENABLED.
    """
    runner = ValidationsTest(kiali_client=kiali_client,
                             openshift_client=openshift_client,
                             browser=browser,
                             objects_path=istio_objects_mtls_path.strpath)

    # The two conflicting bookinfo objects and the code expected on each.
    destination_rule = ConfigValidationObject('DestinationRule',
                                              'disable-mtls',
                                              namespace=BOOKINFO,
                                              error_messages=[KIA0207])
    peer_authentication = ConfigValidationObject('PeerAuthentication',
                                                 'default',
                                                 namespace=BOOKINFO,
                                                 error_messages=[KIA0501])

    expected_namespace_tls = [
        NamespaceTLSObject(ns, state)
        for ns, state in (
            ('bookinfo', MeshWideTLSType.PARTLY_ENABLED),
            ('istio-system', MeshWideTLSType.DISABLED),
            ('default', MeshWideTLSType.DISABLED),
        )
    ]

    runner.test_istio_objects(
        SCENARIO_2,
        namespace=BOOKINFO,
        config_validation_objects=[destination_rule, peer_authentication],
        tls_type=MeshWideTLSType.DISABLED,
        namespace_tls_objects=expected_namespace_tls)
Example #5
def test_scenario21(kiali_client, openshift_client, browser):
    """PeerAuthentication and DestinationRule are both set to DISABLE.

    Both sides agree, so neither object is expected to carry a validation
    message. The mesh and every listed namespace are expected to report
    DISABLED; the absence of validation errors here reflects consistent
    configuration, not protected traffic.
    """
    runner = ValidationsTest(kiali_client=kiali_client,
                             openshift_client=openshift_client,
                             browser=browser,
                             objects_path=istio_objects_mtls_path.strpath)

    # (kind, name) of the bookinfo objects that must validate cleanly.
    expected_validations = [
        ConfigValidationObject(kind, name,
                               namespace=BOOKINFO,
                               error_messages=[])
        for kind, name in (
            ('DestinationRule', 'disable-mtls'),
            ('PeerAuthentication', 'default'),
        )
    ]

    expected_namespace_tls = [
        NamespaceTLSObject(ns, MeshWideTLSType.DISABLED)
        for ns in ('bookinfo', 'istio-system', 'default')
    ]

    runner.test_istio_objects(
        SCENARIO_21,
        namespace=BOOKINFO,
        config_validation_objects=expected_validations,
        tls_type=MeshWideTLSType.DISABLED,
        namespace_tls_objects=expected_namespace_tls)
Example #6
def test_scenario20(kiali_client, openshift_client, browser):
    """DestinationRule is valid (ISTIO_MUTUAL); PeerAuthentication is DISABLE.

    Neither istio-system object is expected to carry a validation
    message. The expected mesh-wide state depends on whether the cluster
    reports auto mTLS: DISABLED when it does, PARTLY_ENABLED otherwise.
    """
    runner = ValidationsTest(kiali_client=kiali_client,
                             openshift_client=openshift_client,
                             browser=browser,
                             objects_path=istio_objects_mtls_path.strpath)

    # Both objects are named 'default' and live in istio-system.
    expected_validations = [
        ConfigValidationObject(kind, 'default',
                               namespace=ISTIO_SYSTEM,
                               error_messages=[])
        for kind in ('DestinationRule', 'PeerAuthentication')
    ]

    # The mesh-wide expectation is conditional on auto mTLS.
    if openshift_client.is_auto_mtls():
        expected_mesh_tls = MeshWideTLSType.DISABLED
    else:
        expected_mesh_tls = MeshWideTLSType.PARTLY_ENABLED

    expected_namespace_tls = [
        NamespaceTLSObject(ns, state)
        for ns, state in (
            ('bookinfo', MeshWideTLSType.PARTLY_ENABLED),
            ('istio-system', MeshWideTLSType.DISABLED),
            ('default', MeshWideTLSType.DISABLED),
        )
    ]

    runner.test_istio_objects(
        SCENARIO_20,
        namespace=ISTIO_SYSTEM,
        config_validation_objects=expected_validations,
        tls_type=expected_mesh_tls,
        namespace_tls_objects=expected_namespace_tls)
Example #7
def test_scenario17(kiali_client, openshift_client, browser):
    """DestinationRule without any mTLS setting; PeerAuthentication is STRICT.

    The DestinationRule is valid and expected to carry no message, while
    the STRICT PeerAuthentication is expected to be flagged with KIA0501.
    The expected bookinfo state depends on whether the cluster reports
    auto mTLS: ENABLED when it does, PARTLY_ENABLED otherwise.
    """
    runner = ValidationsTest(kiali_client=kiali_client,
                             openshift_client=openshift_client,
                             browser=browser,
                             objects_path=istio_objects_mtls_path.strpath)

    destination_rule = ConfigValidationObject('DestinationRule',
                                              'reviews',
                                              namespace=BOOKINFO,
                                              error_messages=[])
    peer_authentication = ConfigValidationObject('PeerAuthentication',
                                                 'default',
                                                 namespace=BOOKINFO,
                                                 error_messages=[KIA0501])

    # Only the bookinfo expectation is conditional on auto mTLS.
    if openshift_client.is_auto_mtls():
        bookinfo_tls = MeshWideTLSType.ENABLED
    else:
        bookinfo_tls = MeshWideTLSType.PARTLY_ENABLED

    expected_namespace_tls = [
        NamespaceTLSObject(ns, state)
        for ns, state in (
            ('bookinfo', bookinfo_tls),
            ('istio-system', MeshWideTLSType.DISABLED),
            ('default', MeshWideTLSType.DISABLED),
        )
    ]

    runner.test_istio_objects(
        SCENARIO_17,
        namespace=BOOKINFO,
        config_validation_objects=[destination_rule, peer_authentication],
        tls_type=MeshWideTLSType.DISABLED,
        namespace_tls_objects=expected_namespace_tls)
Example #8
def test_scenario28(kiali_client, openshift_client, browser):
    """Workload-level STRICT under PERMISSIVE mesh and namespace policies.

    PeerAuthentication is STRICT at the workload level but PERMISSIVE at
    the mesh and namespace level. KIA0105 should not be displayed: every
    object, including the 'ratings' AuthorizationPolicy, is expected to
    validate without messages. The expected bookinfo state depends on
    whether the cluster reports auto mTLS: DISABLED when it does,
    PARTLY_ENABLED otherwise.
    """
    runner = ValidationsTest(kiali_client=kiali_client,
                             openshift_client=openshift_client,
                             browser=browser,
                             objects_path=istio_objects_mtls_path.strpath)

    # (kind, name, namespace) of each object that must validate cleanly.
    clean_objects = (
        ('DestinationRule', 'details-mtls', BOOKINFO),
        ('DestinationRule', 'ratings-mtls', BOOKINFO),
        ('PeerAuthentication', 'default', ISTIO_SYSTEM),
        ('PeerAuthentication', 'default-policy', BOOKINFO),
        ('PeerAuthentication', 'details-policy', BOOKINFO),
        ('PeerAuthentication', 'ratings-policy', BOOKINFO),
        ('AuthorizationPolicy', 'ratings', BOOKINFO),
    )
    expected_validations = [
        ConfigValidationObject(kind, name, namespace=ns, error_messages=[])
        for kind, name, ns in clean_objects
    ]

    # Only the bookinfo expectation is conditional on auto mTLS.
    if openshift_client.is_auto_mtls():
        bookinfo_tls = MeshWideTLSType.DISABLED
    else:
        bookinfo_tls = MeshWideTLSType.PARTLY_ENABLED

    expected_namespace_tls = [
        NamespaceTLSObject('bookinfo', bookinfo_tls),
        NamespaceTLSObject('istio-system', MeshWideTLSType.DISABLED),
    ]

    runner.test_istio_objects(SCENARIO_28,
                              config_validation_objects=expected_validations,
                              tls_type=MeshWideTLSType.DISABLED,
                              namespace_tls_objects=expected_namespace_tls)
Example #9
def test_scenario16(kiali_client, openshift_client, browser):
    """PeerAuthentication is OK.

    No individual objects are checked for validation messages; the test
    only expects the mesh and each listed namespace to report ENABLED.
    """
    runner = ValidationsTest(kiali_client=kiali_client,
                             openshift_client=openshift_client,
                             browser=browser,
                             objects_path=istio_objects_mtls_path.strpath)

    # Every namespace in this scenario is expected to show ENABLED.
    expected_namespace_tls = [
        NamespaceTLSObject(ns, MeshWideTLSType.ENABLED)
        for ns in ('bookinfo', 'istio-system', 'default')
    ]

    runner.test_istio_objects(
        SCENARIO_16,
        namespace=None,
        config_validation_objects=[],
        tls_type=MeshWideTLSType.ENABLED,
        namespace_tls_objects=expected_namespace_tls)
Example #10
def test_scenario5(kiali_client, openshift_client, browser):
    """No PeerAuthentication defines any mTLS settings.

    The only object checked is the bookinfo DestinationRule that disables
    mTLS, and it is expected to carry no validation message. The mesh is
    expected to report DISABLED and bookinfo PARTLY_ENABLED.
    """
    runner = ValidationsTest(kiali_client=kiali_client,
                             openshift_client=openshift_client,
                             browser=browser,
                             objects_path=istio_objects_mtls_path.strpath)

    destination_rule = ConfigValidationObject('DestinationRule',
                                              'disable-mtls',
                                              namespace=BOOKINFO,
                                              error_messages=[])

    expected_namespace_tls = [
        NamespaceTLSObject(ns, state)
        for ns, state in (
            ('bookinfo', MeshWideTLSType.PARTLY_ENABLED),
            ('istio-system', MeshWideTLSType.DISABLED),
            ('default', MeshWideTLSType.DISABLED),
        )
    ]

    runner.test_istio_objects(
        SCENARIO_5,
        namespace=None,
        config_validation_objects=[destination_rule],
        tls_type=MeshWideTLSType.DISABLED,
        namespace_tls_objects=expected_namespace_tls)