def test_scenario27(kiali_client, openshift_client, browser): """ PeerAuthentication is PERMISSIVE in mesh level, Grafana UNSET but DISABLE in port level """ tests = ValidationsTest(kiali_client=kiali_client, openshift_client=openshift_client, browser=browser, objects_path=istio_objects_mtls_path.strpath) tests.test_istio_objects( SCENARIO_27, config_validation_objects=[ ConfigValidationObject('DestinationRule', 'enable-mesh-mtls', namespace=BOOKINFO, error_messages=[]), ConfigValidationObject('PeerAuthentication', 'permissive-mesh-mtls', namespace=ISTIO_SYSTEM, error_messages=[]), ConfigValidationObject('PeerAuthentication', 'grafana-unset-ports-mtls-disabled', namespace=ISTIO_SYSTEM, error_messages=[]) ], tls_type=MeshWideTLSType.PARTLY_ENABLED, namespace_tls_objects=[ NamespaceTLSObject('bookinfo', MeshWideTLSType.DISABLED), NamespaceTLSObject('istio-system', MeshWideTLSType.DISABLED), NamespaceTLSObject('default', MeshWideTLSType.DISABLED) ])
def test_scenario21(kiali_client, openshift_client, browser): """ PeerAuthentication is DISABLE DestinationRule is DISABLE """ tests = ValidationsTest(kiali_client=kiali_client, openshift_client=openshift_client, browser=browser, objects_path=istio_objects_mtls_path.strpath) tests.test_istio_objects(SCENARIO_21, namespace=BOOKINFO, config_validation_objects=[ ConfigValidationObject('DestinationRule', 'disable-mtls', namespace=BOOKINFO, error_messages=[]), ConfigValidationObject('PeerAuthentication', 'default', namespace=BOOKINFO, error_messages=[]) ], tls_type=MeshWideTLSType.DISABLED, namespace_tls_objects=[ NamespaceTLSObject('bookinfo', MeshWideTLSType.DISABLED), NamespaceTLSObject('istio-system', MeshWideTLSType.DISABLED), NamespaceTLSObject('default', MeshWideTLSType.DISABLED) ])
def test_scenario29(kiali_client, openshift_client, browser): """ Enable mtls at mesh-level (PeerAuthn + DR) Disable mtls at ns-level (PA + DR) No validations for DR/PA at NS-level """ tests = ValidationsTest(kiali_client=kiali_client, openshift_client=openshift_client, browser=browser, objects_path=istio_objects_mtls_path.strpath) tests.test_istio_objects( SCENARIO_29, config_validation_objects=[ ConfigValidationObject('DestinationRule', 'enable-mesh-mtls', namespace=ISTIO_SYSTEM, error_messages=[]), ConfigValidationObject('DestinationRule', 'bookinfo-disable-mtls', namespace=BOOKINFO, error_messages=[]), ConfigValidationObject('PeerAuthentication', 'disable-mtls-bookinfo', namespace=BOOKINFO, error_messages=[]), ConfigValidationObject('PeerAuthentication', 'mtls-mesh', namespace=ISTIO_SYSTEM, error_messages=[]) ], tls_type=MeshWideTLSType.ENABLED, namespace_tls_objects=[ NamespaceTLSObject('bookinfo', MeshWideTLSType.DISABLED), NamespaceTLSObject('istio-system', MeshWideTLSType.ENABLED) ])
def test_scenario17(kiali_client, openshift_client, browser): """ Destination Rule valid: it doesn't define any mTLS setting PeerAuth: STRICT """ tests = ValidationsTest(kiali_client=kiali_client, openshift_client=openshift_client, browser=browser, objects_path=istio_objects_mtls_path.strpath) tests.test_istio_objects( SCENARIO_17, namespace=BOOKINFO, config_validation_objects=[ ConfigValidationObject('DestinationRule', 'reviews', namespace=BOOKINFO, error_messages=[]), ConfigValidationObject('PeerAuthentication', 'default', namespace=BOOKINFO, error_messages=[KIA0501]) ], tls_type=MeshWideTLSType.DISABLED, namespace_tls_objects=[ NamespaceTLSObject('bookinfo', (MeshWideTLSType.PARTLY_ENABLED if not openshift_client.is_auto_mtls() else MeshWideTLSType.ENABLED)), NamespaceTLSObject('istio-system', MeshWideTLSType.DISABLED), NamespaceTLSObject('default', MeshWideTLSType.DISABLED) ])
def test_vs_duplicate_gateway(kiali_client, openshift_client): """ KIA1106 More than one Virtual Service for same host """ tests = ValidationsTest( kiali_client=kiali_client, openshift_client=openshift_client, objects_path=istio_objects_validation_path.strpath) tests.test_istio_objects( scenario=SCENARIO_25, namespace=BOOKINFO, config_validation_objects=[ ConfigValidationObject( object_type='VirtualService', object_name='admin-vs-2', namespace=BOOKINFO, error_messages=[]), ConfigValidationObject( object_type='VirtualService', object_name='admin-vs', namespace=BOOKINFO, error_messages=[]), ConfigValidationObject( object_type='VirtualService', object_name='user-vs-2', namespace=BOOKINFO, error_messages=[]), ConfigValidationObject( object_type='VirtualService', object_name='user-vs', namespace=BOOKINFO, error_messages=[]) ])
def test_scenario20(kiali_client, openshift_client, browser): """ Destination Rule valid: ISTIO_MUTUAL PeerAuth: DISABLE """ tests = ValidationsTest(kiali_client=kiali_client, openshift_client=openshift_client, browser=browser, objects_path=istio_objects_mtls_path.strpath) tests.test_istio_objects( SCENARIO_20, namespace=ISTIO_SYSTEM, config_validation_objects=[ ConfigValidationObject('DestinationRule', 'default', namespace=ISTIO_SYSTEM, error_messages=[]), ConfigValidationObject('PeerAuthentication', 'default', namespace=ISTIO_SYSTEM, error_messages=[]) ], tls_type=(MeshWideTLSType.PARTLY_ENABLED if not openshift_client.is_auto_mtls() else MeshWideTLSType.DISABLED), namespace_tls_objects=[ NamespaceTLSObject('bookinfo', MeshWideTLSType.PARTLY_ENABLED), NamespaceTLSObject('istio-system', MeshWideTLSType.DISABLED), NamespaceTLSObject('default', MeshWideTLSType.DISABLED) ])
def test_scenario24(kiali_client, openshift_client, browser): """ DestinationRule: DISABLED at mesh-level """ tests = ValidationsTest(kiali_client=kiali_client, openshift_client=openshift_client, browser=browser, objects_path=istio_objects_mtls_path.strpath) tests.test_istio_objects( SCENARIO_24, config_validation_objects=[ ConfigValidationObject('DestinationRule', 'disable-mesh-mtls', namespace=BOOKINFO, error_messages=[KIA0208]), ConfigValidationObject('PeerAuthentication', 'disable-mesh-mtls', namespace=ISTIO_SYSTEM, error_messages=[KIA0401]) ], tls_type=MeshWideTLSType.PARTLY_ENABLED, namespace_tls_objects=[ NamespaceTLSObject('bookinfo', MeshWideTLSType.DISABLED), NamespaceTLSObject('istio-system', MeshWideTLSType.DISABLED), NamespaceTLSObject('default', MeshWideTLSType.DISABLED) ])
def test_duplicate_sidecar_errors(kiali_client, openshift_client): """ More than one selector-less Sidecar in the same namespace """ tests = ValidationsTest( kiali_client=kiali_client, openshift_client=openshift_client, objects_path=istio_objects_validation_path.strpath) tests.test_istio_objects( scenario=SCENARIO_18, namespace=BOOKINFO, config_validation_objects=[ ConfigValidationObject( object_type='Sidecar', object_name='dupliacate-sidecar1-auto', namespace=BOOKINFO, error_messages=[KIA0002, KIA1004, KIA1004]), ConfigValidationObject( object_type='Sidecar', object_name='dupliacate-sidecar2-auto', namespace=BOOKINFO, error_messages=[KIA0002, KIA1004, KIA1004]) ])
def test_scenario2(kiali_client, openshift_client, browser): """ PeerAuthentication explicitly asks for mTLS connections but DestinationRule disables workload mtls connections """ tests = ValidationsTest(kiali_client=kiali_client, openshift_client=openshift_client, browser=browser, objects_path=istio_objects_mtls_path.strpath) tests.test_istio_objects( SCENARIO_2, namespace=BOOKINFO, config_validation_objects=[ ConfigValidationObject('DestinationRule', 'disable-mtls', namespace=BOOKINFO, error_messages=[KIA0207]), ConfigValidationObject('PeerAuthentication', 'default', namespace=BOOKINFO, error_messages=[KIA0501]) ], tls_type=MeshWideTLSType.DISABLED, namespace_tls_objects=[ NamespaceTLSObject('bookinfo', MeshWideTLSType.PARTLY_ENABLED), NamespaceTLSObject('istio-system', MeshWideTLSType.DISABLED), NamespaceTLSObject('default', MeshWideTLSType.DISABLED) ])
def test_scenario11(kiali_client, openshift_client, browser): """ STRICT mode allow only mTLS connections to services """ tests = ValidationsTest(kiali_client=kiali_client, openshift_client=openshift_client, browser=browser, objects_path=istio_objects_mtls_path.strpath) tests.test_istio_objects(SCENARIO_11, namespace=None, config_validation_objects=[ ConfigValidationObject('DestinationRule', 'enable-mtls', namespace=BOOKINFO, error_messages=[]), ConfigValidationObject('PeerAuthentication', 'default', namespace=BOOKINFO, error_messages=[]) ])
def test_scenario12(kiali_client, openshift_client, browser): """ PERMISSIVE mode allow mTLS connections to services to the whole mesh """ tests = ValidationsTest(kiali_client=kiali_client, openshift_client=openshift_client, browser=browser, objects_path=istio_objects_mtls_path.strpath) tests.test_istio_objects(SCENARIO_12, namespace=None, config_validation_objects=[ ConfigValidationObject('DestinationRule', 'enable-mtls', namespace=BOOKINFO, error_messages=[]), ConfigValidationObject( 'PeerAuthentication', 'default', namespace='istio-system', error_messages=[]) ])
def test_mtls_settings_overridden(kiali_client, openshift_client): """ mTLS settings of a non-local Destination Rule are overridden """ tests = ValidationsTest( kiali_client=kiali_client, openshift_client=openshift_client, objects_path=istio_objects_validation_path.strpath) tests.test_istio_objects( scenario=SCENARIO_7, namespace=None, config_validation_objects=[ ConfigValidationObject( object_type='DestinationRule', object_name='default', namespace=ISTIO_SYSTEM, error_messages=[KIA0205]), ConfigValidationObject( object_type='DestinationRule', object_name='reviews-overridden-auto', namespace=BOOKINFO, error_messages=[KIA0204]) ])
def test_two_gateways_different_selectors(kiali_client, openshift_client): """ More than one Gateway for the same host port combination referring to different selectors """ tests = ValidationsTest( kiali_client=kiali_client, openshift_client=openshift_client, objects_path=istio_objects_validation_path.strpath) tests.test_istio_objects( scenario=SCENARIO_28, namespace=ISTIO_SYSTEM, config_validation_objects=[ ConfigValidationObject( object_type='Gateway', object_name='istio-gateway-prv', namespace=ISTIO_SYSTEM, error_messages=[KIA0302]), ConfigValidationObject( object_type='Gateway', object_name='istio-gateway-pub', namespace=ISTIO_SYSTEM, error_messages=[KIA0302]) ], ignore_common_errors=False)
def test_more_drs_same_host_port(kiali_client, openshift_client): """ More than one DestinationRules for the same host subset combination """ tests = ValidationsTest( kiali_client=kiali_client, openshift_client=openshift_client, objects_path=istio_objects_validation_path.strpath) tests.test_istio_objects( scenario=SCENARIO_3, namespace=BOOKINFO, config_validation_objects=[ ConfigValidationObject( object_type='DestinationRule', object_name='reviews-dr1-auto', namespace=BOOKINFO, error_messages=[KIA0201]), ConfigValidationObject( object_type='DestinationRule', object_name='reviews-dr2-auto', namespace=BOOKINFO, error_messages=[KIA0201]) ], ignore_common_errors=False)
def test_meshpolicy_disabled_ok(kiali_client, openshift_client): """ PeerAuthentication disabling mtls for the whole namespace (mode = DISABLE) Destination Rule disabling mTLS for a whole namespace (mode = DISABLE) """ tests = ValidationsTest( kiali_client=kiali_client, openshift_client=openshift_client, objects_path=istio_objects_validation_path.strpath) tests.test_istio_objects( scenario=SCENARIO_21, namespace=None, config_validation_objects=[ ConfigValidationObject( object_type='DestinationRule', object_name='disable-mtls', namespace=BOOKINFO, error_messages=[]), ConfigValidationObject( object_type='PeerAuthentication', object_name='default', namespace=BOOKINFO, error_messages=[]) ])
def test_meshpolicy_mtls_enable_ok(kiali_client, openshift_client): """ PeerAuthentication enabling mTLS found, permissive policy is needed: DestinatonRule to enable mTLS instead of disabling it (change the mode to ISTIO_MUTUAL) """ tests = ValidationsTest( kiali_client=kiali_client, openshift_client=openshift_client, objects_path=istio_objects_validation_path.strpath) tests.test_istio_objects( scenario=SCENARIO_9, namespace=None, config_validation_objects=[ ConfigValidationObject( object_type='DestinationRule', object_name='default', namespace=BOOKINFO, error_messages=[]), ConfigValidationObject( object_type='PeerAuthentication', object_name='default', namespace=ISTIO_SYSTEM, error_messages=[KIA0401]) ])
def test_meshpolicy_permissive_ok(kiali_client, openshift_client): """ PeerAuthentication enabling mTLS found, permissive policy is needed: PeerAuthentication to enable PERMISSIVE mode to all the workloads in the mesh """ tests = ValidationsTest( kiali_client=kiali_client, openshift_client=openshift_client, objects_path=istio_objects_validation_path.strpath) tests.test_istio_objects( scenario=SCENARIO_8, namespace=None, config_validation_objects=[ ConfigValidationObject( object_type='DestinationRule', object_name='default', namespace=BOOKINFO, error_messages=[]), ConfigValidationObject( object_type='PeerAuthentication', object_name='default', namespace=ISTIO_SYSTEM, error_messages=[]) ])
def test_two_gateways_same_host(kiali_client, openshift_client): """ More than one Gateway for the same host port combination """ tests = ValidationsTest( kiali_client=kiali_client, openshift_client=openshift_client, objects_path=istio_objects_validation_path.strpath) tests.test_istio_objects( scenario=SCENARIO_1, namespace=None, config_validation_objects=[ ConfigValidationObject( object_type='Gateway', object_name='bookinfo-gateway-auto-host', namespace=BOOKINFO, error_messages=[KIA0301]), ConfigValidationObject( object_type='Gateway', object_name='bookinfo-gateway-auto-host-copy', namespace=BOOKINFO2, error_messages=[KIA0301]) ], ignore_common_errors=False)
def test_scenario15(kiali_client, openshift_client, browser): """ PeerAuthentication in STRICT mode + DestinationRule enabling mTLS mesh-wide (classic scenario) PeerAuthentication ns-level in PERMISSIVE mode + DR disabling mTLS ns-wide. """ tests = ValidationsTest(kiali_client=kiali_client, openshift_client=openshift_client, browser=browser, objects_path=istio_objects_mtls_path.strpath) tests.test_istio_objects(SCENARIO_15, namespace=None, config_validation_objects=[ ConfigValidationObject('DestinationRule', 'default', namespace=BOOKINFO, error_messages=[]), ConfigValidationObject('PeerAuthentication', 'default', namespace=BOOKINFO, error_messages=[]) ])
def test_scenario13(kiali_client, openshift_client, browser): """ STRICT mode allow only mTLS connections to services to the whole service mesh """ tests = ValidationsTest(kiali_client=kiali_client, openshift_client=openshift_client, browser=browser, objects_path=istio_objects_mtls_path.strpath) tests.test_istio_objects( SCENARIO_13, namespace=None, config_validation_objects=[ ConfigValidationObject('DestinationRule', 'enable-mtls', namespace=BOOKINFO, error_messages=[]), ConfigValidationObject('PeerAuthentication', 'default', namespace='istio-system', error_messages=[KIA0401]) ], tls_type=(MeshWideTLSType.PARTLY_ENABLED if not openshift_client.is_auto_mtls() else MeshWideTLSType.ENABLED))
def test_scenario8(kiali_client, openshift_client, browser): """ DR mesh-wide enables clients start mTLS connections """ tests = ValidationsTest(kiali_client=kiali_client, openshift_client=openshift_client, browser=browser, objects_path=istio_objects_mtls_path.strpath) tests.test_istio_objects( SCENARIO_8, namespace=BOOKINFO, config_validation_objects=[ ConfigValidationObject('DestinationRule', 'enable-mtls', namespace=BOOKINFO, error_messages=[KIA0205]), ConfigValidationObject('PeerAuthentication', 'default', namespace=BOOKINFO, error_messages=[]) ], tls_type=(MeshWideTLSType.PARTLY_ENABLED if not openshift_client.is_auto_mtls() else MeshWideTLSType.ENABLED))
def test_gateway_no_matching_workload(kiali_client, openshift_client): """ No matching workload found for gateway selector in this namespace """ tests = ValidationsTest( kiali_client=kiali_client, openshift_client=openshift_client, objects_path=istio_objects_validation_path.strpath) tests.test_istio_objects( scenario=SCENARIO_2, namespace=None, config_validation_objects=[ ConfigValidationObject( object_type='Gateway', object_name='bookinfo-gateway-auto-not-match', namespace=BOOKINFO, error_messages=[KIA0302]) ])
def test_scenario28(kiali_client, openshift_client, browser): """ PeerAuthentication is set to STRICT at the workload level, but set to PERMISSIVE at the mesh and namespace level KIA0105 should not be displayed """ tests = ValidationsTest(kiali_client=kiali_client, openshift_client=openshift_client, browser=browser, objects_path=istio_objects_mtls_path.strpath) tests.test_istio_objects( SCENARIO_28, config_validation_objects=[ ConfigValidationObject('DestinationRule', 'details-mtls', namespace=BOOKINFO, error_messages=[]), ConfigValidationObject('DestinationRule', 'ratings-mtls', namespace=BOOKINFO, error_messages=[]), ConfigValidationObject('PeerAuthentication', 'default', namespace=ISTIO_SYSTEM, error_messages=[]), ConfigValidationObject('PeerAuthentication', 'default-policy', namespace=BOOKINFO, error_messages=[]), ConfigValidationObject('PeerAuthentication', 'details-policy', namespace=BOOKINFO, error_messages=[]), ConfigValidationObject('PeerAuthentication', 'ratings-policy', namespace=BOOKINFO, error_messages=[]), ConfigValidationObject('AuthorizationPolicy', 'ratings', namespace=BOOKINFO, error_messages=[]) ], tls_type=MeshWideTLSType.DISABLED, namespace_tls_objects=[ NamespaceTLSObject('bookinfo', (MeshWideTLSType.PARTLY_ENABLED if not openshift_client.is_auto_mtls() else MeshWideTLSType.DISABLED)), NamespaceTLSObject('istio-system', MeshWideTLSType.DISABLED) ])
def test_mesh_policy_not_found(kiali_client, openshift_client): """ PeerAuthentication enabling mTLS is missing """ tests = ValidationsTest( kiali_client=kiali_client, openshift_client=openshift_client, objects_path=istio_objects_validation_path.strpath) tests.test_istio_objects( scenario=SCENARIO_6, namespace=ISTIO_SYSTEM, config_validation_objects=[ ConfigValidationObject( object_type='DestinationRule', object_name='default', namespace=ISTIO_SYSTEM, error_messages=[KIA0205]) ])
def test_vs_to_non_existing_gateway(kiali_client, openshift_client): """ VirtualService is pointing to a non-existent gateway """ tests = ValidationsTest( kiali_client=kiali_client, openshift_client=openshift_client, objects_path=istio_objects_validation_path.strpath) tests.test_istio_objects( scenario=SCENARIO_10, namespace=BOOKINFO, config_validation_objects=[ ConfigValidationObject( object_type='VirtualService', object_name='details-vs-non-existing-gateway-auto', namespace=BOOKINFO, error_messages=[KIA1102]) ])
def test_dr_fqdn_not_exist(kiali_client, openshift_client): """ Host in DR is given in FQDN which does not exist """ tests = ValidationsTest( kiali_client=kiali_client, openshift_client=openshift_client, objects_path=istio_objects_validation_path.strpath) tests.test_istio_objects( scenario=SCENARIO_13, namespace=None, config_validation_objects=[ ConfigValidationObject( object_type='DestinationRule', object_name='reviews-dr-wrong-fqdn-auto', namespace=BOOKINFO, error_messages=[KIA0202]) ])
def test_vs_less_than_100_weight(kiali_client, openshift_client): """ VirtualService has only weight < 100 """ tests = ValidationsTest( kiali_client=kiali_client, openshift_client=openshift_client, objects_path=istio_objects_validation_path.strpath) tests.test_istio_objects( scenario=SCENARIO_16, namespace=BOOKINFO, config_validation_objects=[ ConfigValidationObject( object_type='VirtualService', object_name='virtual-service-less-100-weight-auto', namespace=BOOKINFO, error_messages=[KIA1104]) ])
def test_default_workload_sidecar(kiali_client, openshift_client): """ Global default sidecar should not have workloadSelector """ tests = ValidationsTest( kiali_client=kiali_client, openshift_client=openshift_client, objects_path=istio_objects_validation_path.strpath) tests.test_istio_objects( scenario=SCENARIO_20, namespace=ISTIO_SYSTEM, config_validation_objects=[ ConfigValidationObject( object_type='Sidecar', object_name='default-sidecar-workload-auto', namespace=ISTIO_SYSTEM, error_messages=[KIA1006, KIA0004]) ])
def test_vs_subset_validations_no_service_entry(kiali_client, openshift_client): """ KIA1107 Subset not found as ServiceEntry missing """ tests = ValidationsTest( kiali_client=kiali_client, openshift_client=openshift_client, objects_path=istio_objects_validation_path.strpath) tests.test_istio_objects( scenario=SCENARIO_24, namespace=BOOKINFO, config_validation_objects=[ ConfigValidationObject( object_type='VirtualService', object_name='orahub-vs-no-dr', namespace=BOOKINFO, error_messages=[KIA1104, KIA1104, KIA1107, KIA1107]) ])
def test_subset_no_label(kiali_client, openshift_client): """ This subset have not label """ tests = ValidationsTest( kiali_client=kiali_client, openshift_client=openshift_client, objects_path=istio_objects_validation_path.strpath) tests.test_istio_objects( scenario=SCENARIO_29, namespace=BOOKINFO, config_validation_objects=[ ConfigValidationObject( object_type='DestinationRule', object_name='reviews-subset-not-label-auto', namespace=BOOKINFO, error_messages=[KIA0209]) ])