def test_scenario29(kiali_client, openshift_client, browser):
    """
    Mesh-wide mTLS is enabled (PeerAuthentication + DestinationRule) while the
    bookinfo namespace opts out (PeerAuthentication + DestinationRule).

    Expected: none of the four objects carries a validation message, the
    mesh-wide status is ENABLED, and bookinfo is reported as DISABLED.
    """
    validations = ValidationsTest(
        kiali_client=kiali_client,
        openshift_client=openshift_client,
        browser=browser,
        objects_path=istio_objects_mtls_path.strpath)

    # (kind, name, namespace) of every object that must validate cleanly.
    clean_objects = [
        ('DestinationRule', 'enable-mesh-mtls', ISTIO_SYSTEM),
        ('DestinationRule', 'bookinfo-disable-mtls', BOOKINFO),
        ('PeerAuthentication', 'disable-mtls-bookinfo', BOOKINFO),
        ('PeerAuthentication', 'mtls-mesh', ISTIO_SYSTEM),
    ]
    expected_validations = [
        ConfigValidationObject(kind, name, namespace=ns, error_messages=[])
        for kind, name, ns in clean_objects
    ]
    mesh_status = MeshWideTLSType.ENABLED

    # No validation message is expected for the namespace-level opt-out, so the
    # per-namespace TLS status is the only assertion here that reflects it.
    expected_namespace_status = [
        NamespaceTLSObject('bookinfo', MeshWideTLSType.DISABLED),
        NamespaceTLSObject('istio-system', MeshWideTLSType.ENABLED),
    ]

    validations.test_istio_objects(
        SCENARIO_29,
        config_validation_objects=expected_validations,
        tls_type=mesh_status,
        namespace_tls_objects=expected_namespace_status)
def test_scenario27(kiali_client, openshift_client, browser):
    """
    Mesh-level PeerAuthentication is PERMISSIVE; the Grafana PeerAuthentication
    leaves the mode UNSET but uses DISABLE at port level.

    Expected: no validation messages on the three objects, mesh-wide status
    PARTLY_ENABLED, and every listed namespace reported as DISABLED.
    """
    validations = ValidationsTest(
        kiali_client=kiali_client,
        openshift_client=openshift_client,
        browser=browser,
        objects_path=istio_objects_mtls_path.strpath)

    mesh_destination_rule = ConfigValidationObject(
        'DestinationRule', 'enable-mesh-mtls',
        namespace=BOOKINFO, error_messages=[])
    permissive_mesh_policy = ConfigValidationObject(
        'PeerAuthentication', 'permissive-mesh-mtls',
        namespace=ISTIO_SYSTEM, error_messages=[])
    grafana_port_policy = ConfigValidationObject(
        'PeerAuthentication', 'grafana-unset-ports-mtls-disabled',
        namespace=ISTIO_SYSTEM, error_messages=[])
    expected_validations = [
        mesh_destination_rule,
        permissive_mesh_policy,
        grafana_port_policy,
    ]

    mesh_status = MeshWideTLSType.PARTLY_ENABLED
    expected_namespace_status = [
        NamespaceTLSObject(ns_name, MeshWideTLSType.DISABLED)
        for ns_name in ('bookinfo', 'istio-system', 'default')
    ]

    validations.test_istio_objects(
        SCENARIO_27,
        config_validation_objects=expected_validations,
        tls_type=mesh_status,
        namespace_tls_objects=expected_namespace_status)
def test_scenario24(kiali_client, openshift_client, browser):
    """
    DestinationRule: DISABLED at mesh-level.

    Expected: KIA0208 on the DestinationRule, KIA0401 on the
    PeerAuthentication, mesh-wide status PARTLY_ENABLED, and every listed
    namespace reported as DISABLED.
    """
    validations = ValidationsTest(
        kiali_client=kiali_client,
        openshift_client=openshift_client,
        browser=browser,
        objects_path=istio_objects_mtls_path.strpath)

    # Both objects share the name 'disable-mesh-mtls' but live in different
    # namespaces and are expected to carry different messages.
    flagged_destination_rule = ConfigValidationObject(
        'DestinationRule', 'disable-mesh-mtls',
        namespace=BOOKINFO, error_messages=[KIA0208])
    flagged_peer_authn = ConfigValidationObject(
        'PeerAuthentication', 'disable-mesh-mtls',
        namespace=ISTIO_SYSTEM, error_messages=[KIA0401])
    expected_validations = [flagged_destination_rule, flagged_peer_authn]

    mesh_status = MeshWideTLSType.PARTLY_ENABLED
    expected_namespace_status = [
        NamespaceTLSObject(ns_name, MeshWideTLSType.DISABLED)
        for ns_name in ('bookinfo', 'istio-system', 'default')
    ]

    validations.test_istio_objects(
        SCENARIO_24,
        config_validation_objects=expected_validations,
        tls_type=mesh_status,
        namespace_tls_objects=expected_namespace_status)
def test_scenario2(kiali_client, openshift_client, browser):
    """
    PeerAuthentication explicitly requires mTLS connections while the
    DestinationRule disables mTLS for the workload.

    Expected: both sides of the conflict are flagged (KIA0207 on the
    DestinationRule, KIA0501 on the PeerAuthentication), mesh-wide status is
    DISABLED, and bookinfo is reported as PARTLY_ENABLED.
    """
    validations = ValidationsTest(
        kiali_client=kiali_client,
        openshift_client=openshift_client,
        browser=browser,
        objects_path=istio_objects_mtls_path.strpath)

    # A server-side policy demanding mTLS and a client-side rule turning it
    # off contradict each other, so neither object may validate cleanly.
    flagged_destination_rule = ConfigValidationObject(
        'DestinationRule', 'disable-mtls',
        namespace=BOOKINFO, error_messages=[KIA0207])
    flagged_peer_authn = ConfigValidationObject(
        'PeerAuthentication', 'default',
        namespace=BOOKINFO, error_messages=[KIA0501])
    expected_validations = [flagged_destination_rule, flagged_peer_authn]

    mesh_status = MeshWideTLSType.DISABLED
    expected_namespace_status = [
        NamespaceTLSObject('bookinfo', MeshWideTLSType.PARTLY_ENABLED),
        NamespaceTLSObject('istio-system', MeshWideTLSType.DISABLED),
        NamespaceTLSObject('default', MeshWideTLSType.DISABLED),
    ]

    validations.test_istio_objects(
        SCENARIO_2,
        namespace=BOOKINFO,
        config_validation_objects=expected_validations,
        tls_type=mesh_status,
        namespace_tls_objects=expected_namespace_status)
def test_scenario21(kiali_client, openshift_client, browser):
    """
    PeerAuthentication is DISABLE and DestinationRule is DISABLE.

    Expected: the two objects agree, so neither carries a validation message;
    mesh-wide status and every listed namespace are reported as DISABLED.
    """
    validations = ValidationsTest(
        kiali_client=kiali_client,
        openshift_client=openshift_client,
        browser=browser,
        objects_path=istio_objects_mtls_path.strpath)

    expected_validations = [
        ConfigValidationObject(kind, name, namespace=BOOKINFO,
                               error_messages=[])
        for kind, name in (('DestinationRule', 'disable-mtls'),
                           ('PeerAuthentication', 'default'))
    ]
    mesh_status = MeshWideTLSType.DISABLED
    expected_namespace_status = [
        NamespaceTLSObject(ns_name, MeshWideTLSType.DISABLED)
        for ns_name in ('bookinfo', 'istio-system', 'default')
    ]

    validations.test_istio_objects(
        SCENARIO_21,
        namespace=BOOKINFO,
        config_validation_objects=expected_validations,
        tls_type=mesh_status,
        namespace_tls_objects=expected_namespace_status)
def test_scenario20(kiali_client, openshift_client, browser):
    """
    DestinationRule is valid (ISTIO_MUTUAL) while PeerAuthentication is
    DISABLE.

    Expected: no validation messages on either object. The mesh-wide status
    depends on the cluster: PARTLY_ENABLED when auto-mTLS is off, DISABLED
    when it is on. bookinfo is reported as PARTLY_ENABLED.
    """
    validations = ValidationsTest(
        kiali_client=kiali_client,
        openshift_client=openshift_client,
        browser=browser,
        objects_path=istio_objects_mtls_path.strpath)

    expected_validations = [
        ConfigValidationObject(kind, 'default', namespace=ISTIO_SYSTEM,
                               error_messages=[])
        for kind in ('DestinationRule', 'PeerAuthentication')
    ]

    # The expected mesh-wide indicator is cluster-dependent; ask the cluster
    # rather than hard-coding one value.
    if openshift_client.is_auto_mtls():
        mesh_status = MeshWideTLSType.DISABLED
    else:
        mesh_status = MeshWideTLSType.PARTLY_ENABLED

    expected_namespace_status = [
        NamespaceTLSObject('bookinfo', MeshWideTLSType.PARTLY_ENABLED),
        NamespaceTLSObject('istio-system', MeshWideTLSType.DISABLED),
        NamespaceTLSObject('default', MeshWideTLSType.DISABLED),
    ]

    validations.test_istio_objects(
        SCENARIO_20,
        namespace=ISTIO_SYSTEM,
        config_validation_objects=expected_validations,
        tls_type=mesh_status,
        namespace_tls_objects=expected_namespace_status)
def test_scenario17(kiali_client, openshift_client, browser):
    """
    DestinationRule is valid and defines no mTLS setting; PeerAuthentication
    is STRICT.

    Expected: the DestinationRule validates cleanly, the PeerAuthentication
    carries KIA0501, and the mesh-wide status is DISABLED. The bookinfo
    status depends on the cluster: PARTLY_ENABLED when auto-mTLS is off,
    ENABLED when it is on.
    """
    validations = ValidationsTest(
        kiali_client=kiali_client,
        openshift_client=openshift_client,
        browser=browser,
        objects_path=istio_objects_mtls_path.strpath)

    clean_destination_rule = ConfigValidationObject(
        'DestinationRule', 'reviews',
        namespace=BOOKINFO, error_messages=[])
    flagged_peer_authn = ConfigValidationObject(
        'PeerAuthentication', 'default',
        namespace=BOOKINFO, error_messages=[KIA0501])
    expected_validations = [clean_destination_rule, flagged_peer_authn]

    mesh_status = MeshWideTLSType.DISABLED

    # The expected bookinfo indicator is cluster-dependent; ask the cluster
    # rather than hard-coding one value.
    if openshift_client.is_auto_mtls():
        bookinfo_status = MeshWideTLSType.ENABLED
    else:
        bookinfo_status = MeshWideTLSType.PARTLY_ENABLED

    expected_namespace_status = [
        NamespaceTLSObject('bookinfo', bookinfo_status),
        NamespaceTLSObject('istio-system', MeshWideTLSType.DISABLED),
        NamespaceTLSObject('default', MeshWideTLSType.DISABLED),
    ]

    validations.test_istio_objects(
        SCENARIO_17,
        namespace=BOOKINFO,
        config_validation_objects=expected_validations,
        tls_type=mesh_status,
        namespace_tls_objects=expected_namespace_status)
def test_scenario28(kiali_client, openshift_client, browser):
    """
    PeerAuthentication is STRICT at the workload level but PERMISSIVE at the
    mesh and namespace level. KIA0105 should not be displayed.

    Expected: all seven objects validate without messages and the mesh-wide
    status is DISABLED. The bookinfo status depends on the cluster:
    PARTLY_ENABLED when auto-mTLS is off, DISABLED when it is on.
    """
    validations = ValidationsTest(
        kiali_client=kiali_client,
        openshift_client=openshift_client,
        browser=browser,
        objects_path=istio_objects_mtls_path.strpath)

    # (kind, name, namespace) of every object that must validate cleanly;
    # the AuthorizationPolicy is included so a KIA0105 on it would fail here.
    clean_objects = [
        ('DestinationRule', 'details-mtls', BOOKINFO),
        ('DestinationRule', 'ratings-mtls', BOOKINFO),
        ('PeerAuthentication', 'default', ISTIO_SYSTEM),
        ('PeerAuthentication', 'default-policy', BOOKINFO),
        ('PeerAuthentication', 'details-policy', BOOKINFO),
        ('PeerAuthentication', 'ratings-policy', BOOKINFO),
        ('AuthorizationPolicy', 'ratings', BOOKINFO),
    ]
    expected_validations = [
        ConfigValidationObject(kind, name, namespace=ns, error_messages=[])
        for kind, name, ns in clean_objects
    ]

    mesh_status = MeshWideTLSType.DISABLED

    # The expected bookinfo indicator is cluster-dependent; ask the cluster
    # rather than hard-coding one value.
    if openshift_client.is_auto_mtls():
        bookinfo_status = MeshWideTLSType.DISABLED
    else:
        bookinfo_status = MeshWideTLSType.PARTLY_ENABLED

    expected_namespace_status = [
        NamespaceTLSObject('bookinfo', bookinfo_status),
        NamespaceTLSObject('istio-system', MeshWideTLSType.DISABLED),
    ]

    validations.test_istio_objects(
        SCENARIO_28,
        config_validation_objects=expected_validations,
        tls_type=mesh_status,
        namespace_tls_objects=expected_namespace_status)
def test_scenario16(kiali_client, openshift_client, browser):
    """
    PeerAuthentication OK.

    Expected: no per-object validations are checked, the mesh-wide status is
    ENABLED, and every listed namespace is reported as ENABLED.
    """
    validations = ValidationsTest(
        kiali_client=kiali_client,
        openshift_client=openshift_client,
        browser=browser,
        objects_path=istio_objects_mtls_path.strpath)

    # Nothing to validate object by object; only the TLS indicators matter.
    expected_validations = []
    mesh_status = MeshWideTLSType.ENABLED
    expected_namespace_status = [
        NamespaceTLSObject(ns_name, MeshWideTLSType.ENABLED)
        for ns_name in ('bookinfo', 'istio-system', 'default')
    ]

    validations.test_istio_objects(
        SCENARIO_16,
        namespace=None,
        config_validation_objects=expected_validations,
        tls_type=mesh_status,
        namespace_tls_objects=expected_namespace_status)
def test_scenario5(kiali_client, openshift_client, browser):
    """
    No PeerAuthentication defines any mTLS settings.

    Expected: the 'disable-mtls' DestinationRule validates without messages,
    the mesh-wide status is DISABLED, and bookinfo is reported as
    PARTLY_ENABLED.
    """
    validations = ValidationsTest(
        kiali_client=kiali_client,
        openshift_client=openshift_client,
        browser=browser,
        objects_path=istio_objects_mtls_path.strpath)

    lone_destination_rule = ConfigValidationObject(
        'DestinationRule', 'disable-mtls',
        namespace=BOOKINFO, error_messages=[])
    expected_validations = [lone_destination_rule]

    mesh_status = MeshWideTLSType.DISABLED
    expected_namespace_status = [
        NamespaceTLSObject('bookinfo', MeshWideTLSType.PARTLY_ENABLED),
        NamespaceTLSObject('istio-system', MeshWideTLSType.DISABLED),
        NamespaceTLSObject('default', MeshWideTLSType.DISABLED),
    ]

    validations.test_istio_objects(
        SCENARIO_5,
        namespace=None,
        config_validation_objects=expected_validations,
        tls_type=mesh_status,
        namespace_tls_objects=expected_namespace_status)