def test_scenario27(kiali_client, openshift_client, browser):
""" PeerAuthentication is PERMISSIVE in mesh level, Grafana UNSET but DISABLE in port level
"""
tests = ValidationsTest(kiali_client=kiali_client,
openshift_client=openshift_client,
browser=browser,
objects_path=istio_objects_mtls_path.strpath)
tests.test_istio_objects(
SCENARIO_27,
config_validation_objects=[
ConfigValidationObject('DestinationRule',
'enable-mesh-mtls',
namespace=BOOKINFO,
error_messages=[]),
ConfigValidationObject('PeerAuthentication',
'permissive-mesh-mtls',
namespace=ISTIO_SYSTEM,
error_messages=[]),
ConfigValidationObject('PeerAuthentication',
'grafana-unset-ports-mtls-disabled',
namespace=ISTIO_SYSTEM,
error_messages=[])
],
tls_type=MeshWideTLSType.PARTLY_ENABLED,
namespace_tls_objects=[
NamespaceTLSObject('bookinfo', MeshWideTLSType.DISABLED),
NamespaceTLSObject('istio-system', MeshWideTLSType.DISABLED),
NamespaceTLSObject('default', MeshWideTLSType.DISABLED)
])
def test_scenario21(kiali_client, openshift_client, browser):
""" PeerAuthentication is DISABLE
DestinationRule is DISABLE
"""
tests = ValidationsTest(kiali_client=kiali_client,
openshift_client=openshift_client,
browser=browser,
objects_path=istio_objects_mtls_path.strpath)
tests.test_istio_objects(SCENARIO_21,
namespace=BOOKINFO,
config_validation_objects=[
ConfigValidationObject('DestinationRule',
'disable-mtls',
namespace=BOOKINFO,
error_messages=[]),
ConfigValidationObject('PeerAuthentication',
'default',
namespace=BOOKINFO,
error_messages=[])
],
tls_type=MeshWideTLSType.DISABLED,
namespace_tls_objects=[
NamespaceTLSObject('bookinfo',
MeshWideTLSType.DISABLED),
NamespaceTLSObject('istio-system',
MeshWideTLSType.DISABLED),
NamespaceTLSObject('default',
MeshWideTLSType.DISABLED)
])
def test_scenario29(kiali_client, openshift_client, browser):
""" Enable mtls at mesh-level (PeerAuthn + DR)
Disable mtls at ns-level (PA + DR)
No validations for DR/PA at NS-level
"""
tests = ValidationsTest(kiali_client=kiali_client,
openshift_client=openshift_client,
browser=browser,
objects_path=istio_objects_mtls_path.strpath)
tests.test_istio_objects(
SCENARIO_29,
config_validation_objects=[
ConfigValidationObject('DestinationRule',
'enable-mesh-mtls',
namespace=ISTIO_SYSTEM,
error_messages=[]),
ConfigValidationObject('DestinationRule',
'bookinfo-disable-mtls',
namespace=BOOKINFO,
error_messages=[]),
ConfigValidationObject('PeerAuthentication',
'disable-mtls-bookinfo',
namespace=BOOKINFO,
error_messages=[]),
ConfigValidationObject('PeerAuthentication',
'mtls-mesh',
namespace=ISTIO_SYSTEM,
error_messages=[])
],
tls_type=MeshWideTLSType.ENABLED,
namespace_tls_objects=[
NamespaceTLSObject('bookinfo', MeshWideTLSType.DISABLED),
NamespaceTLSObject('istio-system', MeshWideTLSType.ENABLED)
])
def test_scenario17(kiali_client, openshift_client, browser):
""" Destination Rule valid: it doesn't define any mTLS setting
PeerAuth: STRICT
"""
tests = ValidationsTest(kiali_client=kiali_client,
openshift_client=openshift_client,
browser=browser,
objects_path=istio_objects_mtls_path.strpath)
tests.test_istio_objects(
SCENARIO_17,
namespace=BOOKINFO,
config_validation_objects=[
ConfigValidationObject('DestinationRule',
'reviews',
namespace=BOOKINFO,
error_messages=[]),
ConfigValidationObject('PeerAuthentication',
'default',
namespace=BOOKINFO,
error_messages=[KIA0501])
],
tls_type=MeshWideTLSType.DISABLED,
namespace_tls_objects=[
NamespaceTLSObject('bookinfo',
(MeshWideTLSType.PARTLY_ENABLED
if not openshift_client.is_auto_mtls() else
MeshWideTLSType.ENABLED)),
NamespaceTLSObject('istio-system', MeshWideTLSType.DISABLED),
NamespaceTLSObject('default', MeshWideTLSType.DISABLED)
])
def test_vs_duplicate_gateway(kiali_client, openshift_client):
""" KIA1106 More than one Virtual Service for same host
"""
tests = ValidationsTest(
kiali_client=kiali_client,
openshift_client=openshift_client,
objects_path=istio_objects_validation_path.strpath)
tests.test_istio_objects(
scenario=SCENARIO_25, namespace=BOOKINFO,
config_validation_objects=[
ConfigValidationObject(
object_type='VirtualService',
object_name='admin-vs-2',
namespace=BOOKINFO,
error_messages=[]),
ConfigValidationObject(
object_type='VirtualService',
object_name='admin-vs',
namespace=BOOKINFO,
error_messages=[]),
ConfigValidationObject(
object_type='VirtualService',
object_name='user-vs-2',
namespace=BOOKINFO,
error_messages=[]),
ConfigValidationObject(
object_type='VirtualService',
object_name='user-vs',
namespace=BOOKINFO,
error_messages=[])
])
def test_scenario20(kiali_client, openshift_client, browser):
""" Destination Rule valid: ISTIO_MUTUAL
PeerAuth: DISABLE
"""
tests = ValidationsTest(kiali_client=kiali_client,
openshift_client=openshift_client,
browser=browser,
objects_path=istio_objects_mtls_path.strpath)
tests.test_istio_objects(
SCENARIO_20,
namespace=ISTIO_SYSTEM,
config_validation_objects=[
ConfigValidationObject('DestinationRule',
'default',
namespace=ISTIO_SYSTEM,
error_messages=[]),
ConfigValidationObject('PeerAuthentication',
'default',
namespace=ISTIO_SYSTEM,
error_messages=[])
],
tls_type=(MeshWideTLSType.PARTLY_ENABLED
if not openshift_client.is_auto_mtls() else
MeshWideTLSType.DISABLED),
namespace_tls_objects=[
NamespaceTLSObject('bookinfo', MeshWideTLSType.PARTLY_ENABLED),
NamespaceTLSObject('istio-system', MeshWideTLSType.DISABLED),
NamespaceTLSObject('default', MeshWideTLSType.DISABLED)
])
def test_scenario24(kiali_client, openshift_client, browser):
""" DestinationRule: DISABLED at mesh-level
"""
tests = ValidationsTest(kiali_client=kiali_client,
openshift_client=openshift_client,
browser=browser,
objects_path=istio_objects_mtls_path.strpath)
tests.test_istio_objects(
SCENARIO_24,
config_validation_objects=[
ConfigValidationObject('DestinationRule',
'disable-mesh-mtls',
namespace=BOOKINFO,
error_messages=[KIA0208]),
ConfigValidationObject('PeerAuthentication',
'disable-mesh-mtls',
namespace=ISTIO_SYSTEM,
error_messages=[KIA0401])
],
tls_type=MeshWideTLSType.PARTLY_ENABLED,
namespace_tls_objects=[
NamespaceTLSObject('bookinfo', MeshWideTLSType.DISABLED),
NamespaceTLSObject('istio-system', MeshWideTLSType.DISABLED),
NamespaceTLSObject('default', MeshWideTLSType.DISABLED)
])
def test_duplicate_sidecar_errors(kiali_client, openshift_client):
""" More than one selector-less Sidecar in the same namespace
"""
tests = ValidationsTest(
kiali_client=kiali_client,
openshift_client=openshift_client,
objects_path=istio_objects_validation_path.strpath)
tests.test_istio_objects(
scenario=SCENARIO_18, namespace=BOOKINFO,
config_validation_objects=[
ConfigValidationObject(
object_type='Sidecar',
object_name='dupliacate-sidecar1-auto',
namespace=BOOKINFO,
error_messages=[KIA0002,
KIA1004,
KIA1004]),
ConfigValidationObject(
object_type='Sidecar',
object_name='dupliacate-sidecar2-auto',
namespace=BOOKINFO,
error_messages=[KIA0002,
KIA1004,
KIA1004])
])
def test_scenario2(kiali_client, openshift_client, browser):
""" PeerAuthentication explicitly asks for mTLS connections
but DestinationRule disables workload mtls connections
"""
tests = ValidationsTest(kiali_client=kiali_client,
openshift_client=openshift_client,
browser=browser,
objects_path=istio_objects_mtls_path.strpath)
tests.test_istio_objects(
SCENARIO_2,
namespace=BOOKINFO,
config_validation_objects=[
ConfigValidationObject('DestinationRule',
'disable-mtls',
namespace=BOOKINFO,
error_messages=[KIA0207]),
ConfigValidationObject('PeerAuthentication',
'default',
namespace=BOOKINFO,
error_messages=[KIA0501])
],
tls_type=MeshWideTLSType.DISABLED,
namespace_tls_objects=[
NamespaceTLSObject('bookinfo', MeshWideTLSType.PARTLY_ENABLED),
NamespaceTLSObject('istio-system', MeshWideTLSType.DISABLED),
NamespaceTLSObject('default', MeshWideTLSType.DISABLED)
])
def test_scenario11(kiali_client, openshift_client, browser):
""" STRICT mode allow only mTLS connections to services
"""
tests = ValidationsTest(kiali_client=kiali_client,
openshift_client=openshift_client,
browser=browser,
objects_path=istio_objects_mtls_path.strpath)
tests.test_istio_objects(SCENARIO_11,
namespace=None,
config_validation_objects=[
ConfigValidationObject('DestinationRule',
'enable-mtls',
namespace=BOOKINFO,
error_messages=[]),
ConfigValidationObject('PeerAuthentication',
'default',
namespace=BOOKINFO,
error_messages=[])
])
def test_scenario12(kiali_client, openshift_client, browser):
""" PERMISSIVE mode allow mTLS connections to services to the whole mesh
"""
tests = ValidationsTest(kiali_client=kiali_client,
openshift_client=openshift_client,
browser=browser,
objects_path=istio_objects_mtls_path.strpath)
tests.test_istio_objects(SCENARIO_12,
namespace=None,
config_validation_objects=[
ConfigValidationObject('DestinationRule',
'enable-mtls',
namespace=BOOKINFO,
error_messages=[]),
ConfigValidationObject(
'PeerAuthentication',
'default',
namespace='istio-system',
error_messages=[])
])
def test_mtls_settings_overridden(kiali_client, openshift_client):
""" mTLS settings of a non-local Destination Rule are overridden
"""
tests = ValidationsTest(
kiali_client=kiali_client,
openshift_client=openshift_client,
objects_path=istio_objects_validation_path.strpath)
tests.test_istio_objects(
scenario=SCENARIO_7, namespace=None,
config_validation_objects=[
ConfigValidationObject(
object_type='DestinationRule',
object_name='default',
namespace=ISTIO_SYSTEM,
error_messages=[KIA0205]),
ConfigValidationObject(
object_type='DestinationRule',
object_name='reviews-overridden-auto',
namespace=BOOKINFO,
error_messages=[KIA0204])
])
def test_two_gateways_different_selectors(kiali_client, openshift_client):
""" More than one Gateway for the same host port combination referring to different selectors
"""
tests = ValidationsTest(
kiali_client=kiali_client,
openshift_client=openshift_client,
objects_path=istio_objects_validation_path.strpath)
tests.test_istio_objects(
scenario=SCENARIO_28, namespace=ISTIO_SYSTEM,
config_validation_objects=[
ConfigValidationObject(
object_type='Gateway',
object_name='istio-gateway-prv',
namespace=ISTIO_SYSTEM,
error_messages=[KIA0302]),
ConfigValidationObject(
object_type='Gateway',
object_name='istio-gateway-pub',
namespace=ISTIO_SYSTEM,
error_messages=[KIA0302])
],
ignore_common_errors=False)
def test_more_drs_same_host_port(kiali_client, openshift_client):
""" More than one DestinationRules for the same host subset combination
"""
tests = ValidationsTest(
kiali_client=kiali_client,
openshift_client=openshift_client,
objects_path=istio_objects_validation_path.strpath)
tests.test_istio_objects(
scenario=SCENARIO_3, namespace=BOOKINFO,
config_validation_objects=[
ConfigValidationObject(
object_type='DestinationRule',
object_name='reviews-dr1-auto',
namespace=BOOKINFO,
error_messages=[KIA0201]),
ConfigValidationObject(
object_type='DestinationRule',
object_name='reviews-dr2-auto',
namespace=BOOKINFO,
error_messages=[KIA0201])
],
ignore_common_errors=False)
def test_meshpolicy_disabled_ok(kiali_client, openshift_client):
""" PeerAuthentication disabling mtls for the whole namespace (mode = DISABLE)
Destination Rule disabling mTLS for a whole namespace (mode = DISABLE)
"""
tests = ValidationsTest(
kiali_client=kiali_client,
openshift_client=openshift_client,
objects_path=istio_objects_validation_path.strpath)
tests.test_istio_objects(
scenario=SCENARIO_21, namespace=None,
config_validation_objects=[
ConfigValidationObject(
object_type='DestinationRule',
object_name='disable-mtls',
namespace=BOOKINFO,
error_messages=[]),
ConfigValidationObject(
object_type='PeerAuthentication',
object_name='default',
namespace=BOOKINFO,
error_messages=[])
])
def test_meshpolicy_mtls_enable_ok(kiali_client, openshift_client):
""" PeerAuthentication enabling mTLS found, permissive policy is needed:
DestinatonRule to enable mTLS instead of disabling it (change the mode to ISTIO_MUTUAL)
"""
tests = ValidationsTest(
kiali_client=kiali_client,
openshift_client=openshift_client,
objects_path=istio_objects_validation_path.strpath)
tests.test_istio_objects(
scenario=SCENARIO_9, namespace=None,
config_validation_objects=[
ConfigValidationObject(
object_type='DestinationRule',
object_name='default',
namespace=BOOKINFO,
error_messages=[]),
ConfigValidationObject(
object_type='PeerAuthentication',
object_name='default',
namespace=ISTIO_SYSTEM,
error_messages=[KIA0401])
])
def test_meshpolicy_permissive_ok(kiali_client, openshift_client):
""" PeerAuthentication enabling mTLS found, permissive policy is needed:
PeerAuthentication to enable PERMISSIVE mode to all the workloads in the mesh
"""
tests = ValidationsTest(
kiali_client=kiali_client,
openshift_client=openshift_client,
objects_path=istio_objects_validation_path.strpath)
tests.test_istio_objects(
scenario=SCENARIO_8, namespace=None,
config_validation_objects=[
ConfigValidationObject(
object_type='DestinationRule',
object_name='default',
namespace=BOOKINFO,
error_messages=[]),
ConfigValidationObject(
object_type='PeerAuthentication',
object_name='default',
namespace=ISTIO_SYSTEM,
error_messages=[])
])
def test_two_gateways_same_host(kiali_client, openshift_client):
""" More than one Gateway for the same host port combination
"""
tests = ValidationsTest(
kiali_client=kiali_client,
openshift_client=openshift_client,
objects_path=istio_objects_validation_path.strpath)
tests.test_istio_objects(
scenario=SCENARIO_1, namespace=None,
config_validation_objects=[
ConfigValidationObject(
object_type='Gateway',
object_name='bookinfo-gateway-auto-host',
namespace=BOOKINFO,
error_messages=[KIA0301]),
ConfigValidationObject(
object_type='Gateway',
object_name='bookinfo-gateway-auto-host-copy',
namespace=BOOKINFO2,
error_messages=[KIA0301])
],
ignore_common_errors=False)
def test_scenario15(kiali_client, openshift_client, browser):
""" PeerAuthentication in STRICT mode + DestinationRule enabling mTLS mesh-wide (classic scenario)
PeerAuthentication ns-level in PERMISSIVE mode + DR disabling mTLS ns-wide.
"""
tests = ValidationsTest(kiali_client=kiali_client,
openshift_client=openshift_client,
browser=browser,
objects_path=istio_objects_mtls_path.strpath)
tests.test_istio_objects(SCENARIO_15,
namespace=None,
config_validation_objects=[
ConfigValidationObject('DestinationRule',
'default',
namespace=BOOKINFO,
error_messages=[]),
ConfigValidationObject('PeerAuthentication',
'default',
namespace=BOOKINFO,
error_messages=[])
])
def test_scenario13(kiali_client, openshift_client, browser):
""" STRICT mode allow only mTLS connections to services to the whole service mesh
"""
tests = ValidationsTest(kiali_client=kiali_client,
openshift_client=openshift_client,
browser=browser,
objects_path=istio_objects_mtls_path.strpath)
tests.test_istio_objects(
SCENARIO_13,
namespace=None,
config_validation_objects=[
ConfigValidationObject('DestinationRule',
'enable-mtls',
namespace=BOOKINFO,
error_messages=[]),
ConfigValidationObject('PeerAuthentication',
'default',
namespace='istio-system',
error_messages=[KIA0401])
],
tls_type=(MeshWideTLSType.PARTLY_ENABLED
if not openshift_client.is_auto_mtls() else
MeshWideTLSType.ENABLED))
def test_scenario8(kiali_client, openshift_client, browser):
""" DR mesh-wide enables clients start mTLS connections
"""
tests = ValidationsTest(kiali_client=kiali_client,
openshift_client=openshift_client,
browser=browser,
objects_path=istio_objects_mtls_path.strpath)
tests.test_istio_objects(
SCENARIO_8,
namespace=BOOKINFO,
config_validation_objects=[
ConfigValidationObject('DestinationRule',
'enable-mtls',
namespace=BOOKINFO,
error_messages=[KIA0205]),
ConfigValidationObject('PeerAuthentication',
'default',
namespace=BOOKINFO,
error_messages=[])
],
tls_type=(MeshWideTLSType.PARTLY_ENABLED
if not openshift_client.is_auto_mtls() else
MeshWideTLSType.ENABLED))
def test_gateway_no_matching_workload(kiali_client, openshift_client):
""" No matching workload found for gateway selector in this namespace
"""
tests = ValidationsTest(
kiali_client=kiali_client,
openshift_client=openshift_client,
objects_path=istio_objects_validation_path.strpath)
tests.test_istio_objects(
scenario=SCENARIO_2, namespace=None,
config_validation_objects=[
ConfigValidationObject(
object_type='Gateway',
object_name='bookinfo-gateway-auto-not-match',
namespace=BOOKINFO,
error_messages=[KIA0302])
])
def test_scenario28(kiali_client, openshift_client, browser):
""" PeerAuthentication is set to STRICT at the workload level,
but set to PERMISSIVE at the mesh and namespace level
KIA0105 should not be displayed
"""
tests = ValidationsTest(kiali_client=kiali_client,
openshift_client=openshift_client,
browser=browser,
objects_path=istio_objects_mtls_path.strpath)
tests.test_istio_objects(
SCENARIO_28,
config_validation_objects=[
ConfigValidationObject('DestinationRule',
'details-mtls',
namespace=BOOKINFO,
error_messages=[]),
ConfigValidationObject('DestinationRule',
'ratings-mtls',
namespace=BOOKINFO,
error_messages=[]),
ConfigValidationObject('PeerAuthentication',
'default',
namespace=ISTIO_SYSTEM,
error_messages=[]),
ConfigValidationObject('PeerAuthentication',
'default-policy',
namespace=BOOKINFO,
error_messages=[]),
ConfigValidationObject('PeerAuthentication',
'details-policy',
namespace=BOOKINFO,
error_messages=[]),
ConfigValidationObject('PeerAuthentication',
'ratings-policy',
namespace=BOOKINFO,
error_messages=[]),
ConfigValidationObject('AuthorizationPolicy',
'ratings',
namespace=BOOKINFO,
error_messages=[])
],
tls_type=MeshWideTLSType.DISABLED,
namespace_tls_objects=[
NamespaceTLSObject('bookinfo',
(MeshWideTLSType.PARTLY_ENABLED
if not openshift_client.is_auto_mtls() else
MeshWideTLSType.DISABLED)),
NamespaceTLSObject('istio-system', MeshWideTLSType.DISABLED)
])
def test_mesh_policy_not_found(kiali_client, openshift_client):
""" PeerAuthentication enabling mTLS is missing
"""
tests = ValidationsTest(
kiali_client=kiali_client,
openshift_client=openshift_client,
objects_path=istio_objects_validation_path.strpath)
tests.test_istio_objects(
scenario=SCENARIO_6, namespace=ISTIO_SYSTEM,
config_validation_objects=[
ConfigValidationObject(
object_type='DestinationRule',
object_name='default',
namespace=ISTIO_SYSTEM,
error_messages=[KIA0205])
])
def test_vs_to_non_existing_gateway(kiali_client, openshift_client):
""" VirtualService is pointing to a non-existent gateway
"""
tests = ValidationsTest(
kiali_client=kiali_client,
openshift_client=openshift_client,
objects_path=istio_objects_validation_path.strpath)
tests.test_istio_objects(
scenario=SCENARIO_10, namespace=BOOKINFO,
config_validation_objects=[
ConfigValidationObject(
object_type='VirtualService',
object_name='details-vs-non-existing-gateway-auto',
namespace=BOOKINFO,
error_messages=[KIA1102])
])
def test_dr_fqdn_not_exist(kiali_client, openshift_client):
""" Host in DR is given in FQDN which does not exist
"""
tests = ValidationsTest(
kiali_client=kiali_client,
openshift_client=openshift_client,
objects_path=istio_objects_validation_path.strpath)
tests.test_istio_objects(
scenario=SCENARIO_13, namespace=None,
config_validation_objects=[
ConfigValidationObject(
object_type='DestinationRule',
object_name='reviews-dr-wrong-fqdn-auto',
namespace=BOOKINFO,
error_messages=[KIA0202])
])
def test_vs_less_than_100_weight(kiali_client, openshift_client):
""" VirtualService has only weight < 100
"""
tests = ValidationsTest(
kiali_client=kiali_client,
openshift_client=openshift_client,
objects_path=istio_objects_validation_path.strpath)
tests.test_istio_objects(
scenario=SCENARIO_16, namespace=BOOKINFO,
config_validation_objects=[
ConfigValidationObject(
object_type='VirtualService',
object_name='virtual-service-less-100-weight-auto',
namespace=BOOKINFO,
error_messages=[KIA1104])
])
def test_default_workload_sidecar(kiali_client, openshift_client):
""" Global default sidecar should not have workloadSelector
"""
tests = ValidationsTest(
kiali_client=kiali_client,
openshift_client=openshift_client,
objects_path=istio_objects_validation_path.strpath)
tests.test_istio_objects(
scenario=SCENARIO_20, namespace=ISTIO_SYSTEM,
config_validation_objects=[
ConfigValidationObject(
object_type='Sidecar',
object_name='default-sidecar-workload-auto',
namespace=ISTIO_SYSTEM,
error_messages=[KIA1006, KIA0004])
])
def test_vs_subset_validations_no_service_entry(kiali_client, openshift_client):
""" KIA1107 Subset not found as ServiceEntry missing
"""
tests = ValidationsTest(
kiali_client=kiali_client,
openshift_client=openshift_client,
objects_path=istio_objects_validation_path.strpath)
tests.test_istio_objects(
scenario=SCENARIO_24, namespace=BOOKINFO,
config_validation_objects=[
ConfigValidationObject(
object_type='VirtualService',
object_name='orahub-vs-no-dr',
namespace=BOOKINFO,
error_messages=[KIA1104, KIA1104, KIA1107, KIA1107])
])
def test_subset_no_label(kiali_client, openshift_client):
""" This subset have not label
"""
tests = ValidationsTest(
kiali_client=kiali_client,
openshift_client=openshift_client,
objects_path=istio_objects_validation_path.strpath)
tests.test_istio_objects(
scenario=SCENARIO_29, namespace=BOOKINFO,
config_validation_objects=[
ConfigValidationObject(
object_type='DestinationRule',
object_name='reviews-subset-not-label-auto',
namespace=BOOKINFO,
error_messages=[KIA0209])
])
