Merge remote-tracking branch 'upstream/release-1.6' into MAISTRA-1898

twghu · Nov 23, 2020 · c6ce92b · c6ce92b
2 parents 78d6a2c + 3ddc57b
commit c6ce92b
Show file tree

Hide file tree

Showing 164 changed files with 3,391 additions and 4,549 deletions.
diff --git a/Makefile.core.mk b/Makefile.core.mk
@@ -22,7 +22,7 @@ SHELL := /bin/bash -o pipefail
 VERSION ?= 1.6-dev
 
 # Base version of Istio image to use
-BASE_VERSION ?= 1.6-dev.5
+BASE_VERSION ?= 1.6-dev.12
 
 export GO111MODULE ?= on
 export GOPROXY ?= https://proxy.golang.org

diff --git a/common/.commonfiles.sha b/common/.commonfiles.sha
@@ -1 +1 @@
-ea4c40d055ee4388a5697abd2bc0dafec5f4bb08
+758a07d2c3884ec331764d34a5c4f7ab8afbae5c
diff --git a/common/scripts/gobuild.sh b/common/scripts/gobuild.sh
@@ -86,6 +86,6 @@ fi
 time GOOS=${BUILD_GOOS} GOARCH=${BUILD_GOARCH} ${GOBINARY} build \
         ${V} "${GOBUILDFLAGS_ARRAY[@]}" ${GCFLAGS:+-gcflags "${GCFLAGS}"} \
         -o "${OUT}" \
-        ${OPTIMIZATION_FLAGS} \
+        "${OPTIMIZATION_FLAGS}" \
         -pkgdir="${GOPKG}/${BUILD_GOOS}_${BUILD_GOARCH}" \
         -ldflags "${LDFLAGS} ${LD_EXTRAFLAGS}" "${@}"
diff --git a/common/scripts/setup_env.sh b/common/scripts/setup_env.sh
@@ -59,7 +59,7 @@ fi
 
 # Build image to use
 if [[ "${IMAGE_VERSION:-}" == "" ]]; then
-  export IMAGE_VERSION=release-1.6-2020-05-08T22-06-04
+  export IMAGE_VERSION=release-1.6-2020-11-13T15-30-50
 fi
 if [[ "${IMAGE_NAME:-}" == "" ]]; then
   export IMAGE_NAME=build-tools
@@ -69,7 +69,7 @@ export UID
 DOCKER_GID=$(grep '^docker:' /etc/group | cut -f3 -d:)
 export DOCKER_GID
 
-TIMEZONE=$(readlink $readlink_flags /etc/localtime | sed -e 's/^.*zoneinfo\///')
+TIMEZONE=$(readlink "$readlink_flags" /etc/localtime | sed -e 's/^.*zoneinfo\///')
 export TIMEZONE
 
 export TARGET_OUT="${TARGET_OUT:-$(pwd)/out/${TARGET_OS}_${TARGET_ARCH}}"

diff --git a/galley/pkg/config/analysis/analyzers/all.go b/galley/pkg/config/analysis/analyzers/all.go
@@ -20,6 +20,7 @@ import (
 	"istio.io/istio/galley/pkg/config/analysis/analyzers/auth"
 	"istio.io/istio/galley/pkg/config/analysis/analyzers/deployment"
 	"istio.io/istio/galley/pkg/config/analysis/analyzers/deprecation"
+	"istio.io/istio/galley/pkg/config/analysis/analyzers/destinationrule"
 	"istio.io/istio/galley/pkg/config/analysis/analyzers/gateway"
 	"istio.io/istio/galley/pkg/config/analysis/analyzers/injection"
 	"istio.io/istio/galley/pkg/config/analysis/analyzers/multicluster"
@@ -51,6 +52,7 @@ func All() []analysis.Analyzer {
 		&virtualservice.DestinationRuleAnalyzer{},
 		&virtualservice.GatewayAnalyzer{},
 		&virtualservice.RegexAnalyzer{},
+		&destinationrule.CaCertificateAnalyzer{},
 	}
 
 	analyzers = append(analyzers, schema.AllValidationAnalyzers()...)

diff --git a/galley/pkg/config/analysis/analyzers/analyzers_test.go b/galley/pkg/config/analysis/analyzers/analyzers_test.go
@@ -22,6 +22,8 @@ import (
 	"testing"
 	"time"
 
+	"istio.io/istio/galley/pkg/config/analysis/analyzers/destinationrule"
+
 	. "github.com/onsi/gomega"
 
 	"istio.io/pkg/log"
@@ -315,6 +317,76 @@ var testGrid = []testCase{
 			{msg.UnknownMeshNetworksServiceRegistry, "MeshNetworks meshnetworks.istio-system"},
 		},
 	},
+	{
+		name: "destinationrule with no cacert, simple at destinationlevel",
+		inputFiles: []string{
+			"testdata/destinationrule-simple-destination.yaml",
+		},
+		analyzer: &destinationrule.CaCertificateAnalyzer{},
+		expected: []message{
+			{msg.NoServerCertificateVerificationDestinationLevel, "DestinationRule db-tls"},
+		},
+	},
+	{
+		name: "destinationrule with no cacert, mutual at destinationlevel",
+		inputFiles: []string{
+			"testdata/destinationrule-mutual-destination.yaml",
+		},
+		analyzer: &destinationrule.CaCertificateAnalyzer{},
+		expected: []message{
+			{msg.NoServerCertificateVerificationDestinationLevel, "DestinationRule db-mtls"},
+		},
+	},
+	{
+		name: "destinationrule with no cacert, simple at portlevel",
+		inputFiles: []string{
+			"testdata/destinationrule-simple-port.yaml",
+		},
+		analyzer: &destinationrule.CaCertificateAnalyzer{},
+		expected: []message{
+			{msg.NoServerCertificateVerificationPortLevel, "DestinationRule db-tls"},
+		},
+	},
+	{
+		name: "destinationrule with no cacert, mutual at portlevel",
+		inputFiles: []string{
+			"testdata/destinationrule-mutual-port.yaml",
+		},
+		analyzer: &destinationrule.CaCertificateAnalyzer{},
+		expected: []message{
+			{msg.NoServerCertificateVerificationPortLevel, "DestinationRule db-mtls"},
+		},
+	},
+	{
+		name: "destinationrule with no cacert, mutual at destinationlevel and simple at port level",
+		inputFiles: []string{
+			"testdata/destinationrule-compound-simple-mutual.yaml",
+		},
+		analyzer: &destinationrule.CaCertificateAnalyzer{},
+		expected: []message{
+			{msg.NoServerCertificateVerificationDestinationLevel, "DestinationRule db-mtls"},
+			{msg.NoServerCertificateVerificationPortLevel, "DestinationRule db-mtls"},
+		},
+	},
+	{
+		name: "destinationrule with no cacert, simple at destinationlevel and mutual at port level",
+		inputFiles: []string{
+			"testdata/destinationrule-compound-mutual-simple.yaml",
+		},
+		analyzer: &destinationrule.CaCertificateAnalyzer{},
+		expected: []message{
+			{msg.NoServerCertificateVerificationPortLevel, "DestinationRule db-mtls"},
+			{msg.NoServerCertificateVerificationDestinationLevel, "DestinationRule db-mtls"},
+		},
+	},
+	{
+		name: "destinationrule with both cacerts",
+		inputFiles: []string{
+			"testdata/destinationrule-with-ca.yaml",
+		},
+		analyzer: &destinationrule.CaCertificateAnalyzer{},
+		expected: []message{},
+	},
 }
 
 // regex patterns for analyzer names that should be explicitly ignored for testing

diff --git a/galley/pkg/config/analysis/analyzers/destinationrule/ca-certificates.go b/galley/pkg/config/analysis/analyzers/destinationrule/ca-certificates.go
@@ -0,0 +1,72 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package destinationrule
+
+import (
+	"istio.io/api/networking/v1alpha3"
+
+	"istio.io/istio/galley/pkg/config/analysis"
+	"istio.io/istio/galley/pkg/config/analysis/msg"
+	"istio.io/istio/pkg/config/resource"
+	"istio.io/istio/pkg/config/schema/collection"
+	"istio.io/istio/pkg/config/schema/collections"
+)
+
+// CaCertificateAnalyzer checks if CaCertificate is set in case mode is SIMPLE/MUTUAL
+type CaCertificateAnalyzer struct{}
+
+var _ analysis.Analyzer = &CaCertificateAnalyzer{}
+
+func (c *CaCertificateAnalyzer) Metadata() analysis.Metadata {
+	return analysis.Metadata{
+		Name:        "destinationrule.CaCertificateAnalyzer",
+		Description: "Checks if caCertificates is set when TLS mode is SIMPLE/MUTUAL",
+		Inputs: collection.Names{
+			collections.IstioNetworkingV1Alpha3Destinationrules.Name(),
+		},
+	}
+}
+
+func (c *CaCertificateAnalyzer) Analyze(ctx analysis.Context) {
+	ctx.ForEach(collections.IstioNetworkingV1Alpha3Destinationrules.Name(), func(r *resource.Instance) bool {
+		c.analyzeDestinationRule(r, ctx)
+		return true
+	})
+}
+
+func (c *CaCertificateAnalyzer) analyzeDestinationRule(r *resource.Instance, ctx analysis.Context) {
+	dr := r.Message.(*v1alpha3.DestinationRule)
+	drNs := r.Metadata.FullName.Namespace
+	drName := r.Metadata.FullName.String()
+	mode := dr.GetTrafficPolicy().GetTls().GetMode()
+
+	if mode == v1alpha3.ClientTLSSettings_SIMPLE || mode == v1alpha3.ClientTLSSettings_MUTUAL {
+		if dr.GetTrafficPolicy().GetTls().GetCaCertificates() == "" {
+			ctx.Report(collections.IstioNetworkingV1Alpha3Destinationrules.Name(), msg.NewNoServerCertificateVerificationDestinationLevel(r, drName,
+				drNs.String(), mode.String(), dr.GetHost()))
+		}
+	}
+	portSettings := dr.TrafficPolicy.GetPortLevelSettings()
+
+	for _, p := range portSettings {
+		mode = p.GetTls().GetMode()
+		if mode == v1alpha3.ClientTLSSettings_SIMPLE || mode == v1alpha3.ClientTLSSettings_MUTUAL {
+			if p.GetTls().GetCaCertificates() == "" {
+				ctx.Report(collections.IstioNetworkingV1Alpha3Destinationrules.Name(), msg.NewNoServerCertificateVerificationPortLevel(r, drName,
+					drNs.String(), mode.String(), dr.GetHost(), p.GetPort().String()))
+			}
+		}
+	}
+}
diff --git a/galley/pkg/config/analysis/analyzers/testdata/destinationrule-compound-mutual-simple.yaml b/galley/pkg/config/analysis/analyzers/testdata/destinationrule-compound-mutual-simple.yaml
@@ -0,0 +1,21 @@
+
+# No caCertificates when mode is simple at destination level and MUTUAL at port level
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: db-mtls
+spec:
+  host: mydbserver.prod.svc.cluster.local
+  trafficPolicy:
+    tls:
+      mode: SIMPLE
+      clientCertificate: /etc/certs/myclientcert.pem
+      privateKey: /etc/certs/client_private_key.pem
+    portLevelSettings:
+      - port:
+          number: 443
+        tls:
+          mode: MUTUAL
+          clientCertificate: /etc/certs/myclientcert.pem
+          privateKey: /etc/certs/client_private_key.pem
+          sni: my-nginx.mesh-external.svc.cluster.local
diff --git a/galley/pkg/config/analysis/analyzers/testdata/destinationrule-compound-simple-mutual.yaml b/galley/pkg/config/analysis/analyzers/testdata/destinationrule-compound-simple-mutual.yaml
@@ -0,0 +1,20 @@
+# No caCertificates when mode is simple at destination level
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: db-mtls
+spec:
+  host: mydbserver.prod.svc.cluster.local
+  trafficPolicy:
+    tls:
+      mode: MUTUAL
+      clientCertificate: /etc/certs/myclientcert.pem
+      privateKey: /etc/certs/client_private_key.pem
+    portLevelSettings:
+      - port:
+          number: 443
+        tls:
+          mode: SIMPLE
+          clientCertificate: /etc/certs/myclientcert.pem
+          privateKey: /etc/certs/client_private_key.pem
+          sni: my-nginx.mesh-external.svc.cluster.local
diff --git a/galley/pkg/config/analysis/analyzers/testdata/destinationrule-mutual-destination.yaml b/galley/pkg/config/analysis/analyzers/testdata/destinationrule-mutual-destination.yaml
@@ -0,0 +1,12 @@
+# No caCertificates when mode is mutual at destination level
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: db-mtls
+spec:
+  host: mydbserver.prod.svc.cluster.local
+  trafficPolicy:
+    tls:
+      mode: MUTUAL
+      clientCertificate: /etc/certs/myclientcert.pem
+      privateKey: /etc/certs/client_private_key.pem
diff --git a/galley/pkg/config/analysis/analyzers/testdata/destinationrule-mutual-port.yaml b/galley/pkg/config/analysis/analyzers/testdata/destinationrule-mutual-port.yaml
@@ -0,0 +1,16 @@
+# No caCertificates when mode is mutual at port level
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: db-mtls
+spec:
+  host: mydbserver.prod.svc.cluster.local
+  trafficPolicy:
+    portLevelSettings:
+      - port:
+          number: 443
+        tls:
+          mode: MUTUAL
+          clientCertificate: /etc/certs/myclientcert.pem
+          privateKey: /etc/certs/client_private_key.pem
+          sni: my-nginx.mesh-external.svc.cluster.local
diff --git a/galley/pkg/config/analysis/analyzers/testdata/destinationrule-simple-destination.yaml b/galley/pkg/config/analysis/analyzers/testdata/destinationrule-simple-destination.yaml
@@ -0,0 +1,12 @@
+# No caCertificates when mode is simple at destination level
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: db-tls
+spec:
+  host: mydbserver.prod.svc.cluster.local
+  trafficPolicy:
+    tls:
+      mode: SIMPLE
+      clientCertificate: /etc/certs/myclientcert.pem
+      privateKey: /etc/certs/client_private_key.pem
diff --git a/galley/pkg/config/analysis/analyzers/testdata/destinationrule-simple-port.yaml b/galley/pkg/config/analysis/analyzers/testdata/destinationrule-simple-port.yaml
@@ -0,0 +1,16 @@
+# No caCertificates when mode is simple at port level
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: db-tls
+spec:
+  host: mydbserver.prod.svc.cluster.local
+  trafficPolicy:
+    portLevelSettings:
+      - port:
+          number: 443
+        tls:
+          mode: SIMPLE
+          clientCertificate: /etc/certs/myclientcert.pem
+          privateKey: /etc/certs/client_private_key.pem
+          sni: my-nginx.mesh-external.svc.cluster.local
diff --git a/galley/pkg/config/analysis/analyzers/testdata/destinationrule-with-ca.yaml b/galley/pkg/config/analysis/analyzers/testdata/destinationrule-with-ca.yaml
@@ -0,0 +1,22 @@
+#  caCertificates when mode is mutual at destination level and simple at port level
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: db-mtls
+spec:
+  host: mydbserver.prod.svc.cluster.local
+  trafficPolicy:
+    tls:
+      mode: MUTUAL
+      clientCertificate: /etc/certs/myclientcert.pem
+      privateKey: /etc/certs/client_private_key.pem
+      caCertificates: /etc/certs/root.pem
+    portLevelSettings:
+      - port:
+          number: 443
+        tls:
+          mode: SIMPLE
+          clientCertificate: /etc/certs/myclientcert.pem
+          privateKey: /etc/certs/client_private_key.pem
+          caCertificates: /etc/certs/root.pem
+          sni: my-nginx.mesh-external.svc.cluster.local
diff --git a/galley/pkg/config/analysis/msg/messages.gen.go b/galley/pkg/config/analysis/msg/messages.gen.go
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		ea4c40d055ee4388a5697abd2bc0dafec5f4bb08
		758a07d2c3884ec331764d34a5c4f7ab8afbae5c