support HTTPRoute resources in authcheck CLI command (#9)

Signed-off-by: aatarasoff <[email protected]>
aatarasoff · Sep 12, 2022 · 7c85c6d · 7c85c6d
1 parent 2519b6d
commit 7c85c6d
Show file tree

Hide file tree

Showing 2 changed files with 83 additions and 7 deletions.
diff --git a/cmd/authcheck.go b/cmd/authcheck.go
@@ -99,21 +99,38 @@ func easyAuthCategory(resources *K8sResources) *healthcheck.Category {
 
 						if selector.Matches(labels.Set(server.GetLabels())) {
 							founded = true
+							break
 						}
 
 						if serverAuthorization.Spec.Server.Name == server.GetName() {
 							founded = true
+							break
 						}
 					}
 
-					for _, policy := range resources.AuthorizationPolicies {
-						// namespaced policies applies on each server
-						if policy.Spec.TargetRef.Kind == "Namespace" {
-							founded = true
-						}
+					if !founded {
+						for _, policy := range resources.AuthorizationPolicies {
+							// namespaced policies applies on each server
+							if policy.Spec.TargetRef.Kind == "Namespace" && policy.GetNamespace() == server.Namespace {
+								founded = true
+								break
+							}
 
-						if string(policy.Spec.TargetRef.Name) == server.GetName() {
-							founded = true
+							if policy.Spec.TargetRef.Kind == k8s.ServerKind && string(policy.Spec.TargetRef.Name) == server.GetName() {
+								founded = true
+								break
+							}
+
+							if policy.Spec.TargetRef.Kind == k8s.HTTPRouteKind {
+								for _, httpRoute := range resources.HTTPRoutes {
+									for _, targetRef := range httpRoute.Spec.ParentRefs {
+										if *targetRef.Kind == k8s.ServerKind && string(targetRef.Name) == server.GetName() && string(policy.Spec.TargetRef.Name) == httpRoute.GetName() {
+											founded = true
+											break
+										}
+									}
+								}
+							}
 						}
 					}
 
@@ -166,6 +183,20 @@ func easyAuthCategory(resources *K8sResources) *healthcheck.Category {
 						for _, server := range resources.Servers {
 							if policy.Spec.TargetRef.Kind == k8s.ServerKind && (string(policy.Spec.TargetRef.Name) == server.GetName()) {
 								founded = true
+								break
+							}
+						}
+
+						for _, httpRoute := range resources.HTTPRoutes {
+							if policy.Spec.TargetRef.Kind == k8s.HTTPRouteKind {
+								for _, server := range resources.Servers {
+									for _, targetRef := range httpRoute.Spec.ParentRefs {
+										if *targetRef.Kind == k8s.ServerKind && string(targetRef.Name) == server.GetName() && string(policy.Spec.TargetRef.Name) == httpRoute.GetName() {
+											founded = true
+											break
+										}
+									}
+								}
 							}
 						}
 					}
@@ -181,6 +212,43 @@ func easyAuthCategory(resources *K8sResources) *healthcheck.Category {
 				return fmt.Errorf("Obsolete ServerAuthorizations:\n\t%s", strings.Join(serverAuthorizationsWOServer, "\n\t"))
 			}))
 
+	checkers = append(checkers,
+		*healthcheck.NewChecker("linkerd-easyauth no obsolete HTTPRoutes").
+			Warning().
+			WithCheck(func(ctx context.Context) error {
+				httpRoutesWithObsoleteTargetRef := []string{}
+
+				for _, httpRoute := range resources.HTTPRoutes {
+					for _, targetRef := range httpRoute.Spec.ParentRefs {
+						founded := false
+
+						if *targetRef.Kind == k8s.ServerKind {
+							for _, server := range resources.Servers {
+								if string(targetRef.Name) == server.GetName() {
+									founded = true
+									break
+								}
+							}
+						}
+
+						if !founded {
+							httpRoutesWithObsoleteTargetRef = append(
+								httpRoutesWithObsoleteTargetRef,
+								fmt.Sprintf("TargetRef %s in HTTPPolicy %s is obsolete (eg. doesn't apply to any Server",
+									string(targetRef.Name),
+									httpRoute.GetName(),
+								),
+							)
+						}
+					}
+				}
+
+				if len(httpRoutesWithObsoleteTargetRef) == 0 {
+					return nil
+				}
+				return fmt.Errorf("Some HTTPRoutes have obsolete targetRef:\n\t%s", strings.Join(httpRoutesWithObsoleteTargetRef, "\n\t"))
+			}))
+
 	checkers = append(checkers,
 		*healthcheck.NewChecker("linkerd-easyauth no ports without Server").
 			Warning().

diff --git a/cmd/k8s.go b/cmd/k8s.go
@@ -23,6 +23,7 @@ type K8sResources struct {
 	Servers               []*server.Server
 	ServerAuthorizations  []*saz.ServerAuthorization
 	AuthorizationPolicies []*policy.AuthorizationPolicy
+	HTTPRoutes            []*policy.HTTPRoute
 }
 
 func FetchK8sResources(ctx context.Context, namespace string) (*K8sResources, error) {
@@ -58,12 +59,18 @@ func FetchK8sResources(ctx context.Context, namespace string) (*K8sResources, er
 		return nil, err
 	}
 
+	httpRoutes, err := lr5dAPI.Policy().V1alpha1().HTTPRoutes().Lister().HTTPRoutes(namespace).List(labels.NewSelector())
+	if err != nil {
+		return nil, err
+	}
+
 	return &K8sResources{
 		Pods:                  pods,
 		Services:              services,
 		Servers:               servers,
 		ServerAuthorizations:  serverAuthorizations,
 		AuthorizationPolicies: authorizationPolicies,
+		HTTPRoutes:            httpRoutes,
 	}, nil
 }
 
@@ -88,6 +95,7 @@ func initServerAPI(kubeconfigPath string) l5dcrdinformer.SharedInformerFactory {
 	go lr5dAPI.Policy().V1alpha1().AuthorizationPolicies().Informer().Run(stopCh)
 	go lr5dAPI.Policy().V1alpha1().MeshTLSAuthentications().Informer().Run(stopCh)
 	go lr5dAPI.Policy().V1alpha1().NetworkAuthentications().Informer().Run(stopCh)
+	go lr5dAPI.Policy().V1alpha1().HTTPRoutes().Informer().Run(stopCh)
 
 	ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
 	defer cancel()