Validate `--default-inbound-policy` values (#9195)

Closes #9148

With this change, the value of `--default-inbound-policy` is verified to be one
of the accepted values.

When the value is not an accepted value we now error:

```shell
$ linkerd install --default-inbound-policy=everybody
Error: --default-inbound-policy must be one of: all-authenticated, all-unauthenticated, cluster-authenticated, cluster-unauthenticated, deny (got everybody)
Usage:
  linkerd install [flags]
...
```

A unit test has also been added.

Signed-off-by: Kevin Leimkuhler <kleimkuhler@icloud.com>
Kevin Leimkuhler 2022-08-17 19:42:01 -06:00 committed by GitHub
parent 695f843914
commit ddc214acdf
2 changed files with 32 additions and 0 deletions


@ -576,6 +576,23 @@ func TestValidate(t *testing.T) {
}
}
})
t.Run("Rejects invalid default-inbound-policy", func(t *testing.T) {
values, err := testInstallOptions()
if err != nil {
t.Fatalf("Unexpected error: %v\n", err)
}
values.PolicyController.DefaultAllowPolicy = "everybody"
expected := "--default-inbound-policy must be one of: all-authenticated, all-unauthenticated, cluster-authenticated, cluster-unauthenticated, deny (got everybody)"
err = validateValues(context.Background(), nil, values)
if err == nil {
t.Fatal("Expected error, got nothing")
}
if err.Error() != expected {
t.Fatalf("Expected error string \"%s\", got \"%s\"", expected, err)
}
})
}
func fakeHeartbeatSchedule() string {
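Review bot: The new subtest in TestValidate covers only the rejection path, so a typo in one of the five allowlisted names would not fail any test and would make the CLI refuse a legitimate inbound policy. A companion subtest that passes each accepted name through `validatePolicy` would pin the allowlist; this assumes both files are in the same package, as the test's call to the unexported `validateValues` suggests. The trailing `\n` in `t.Fatalf("Unexpected error: %v\n", err)` is also unnecessary. TestValidate's body starts outside this hunk.

```go
// … unchanged: "Rejects invalid default-inbound-policy" subtest …
t.Run("Accepts valid default-inbound-policy", func(t *testing.T) {
	accepted := []string{"all-authenticated", "all-unauthenticated", "cluster-authenticated", "cluster-unauthenticated", "deny"}
	for _, policy := range accepted {
		if err := validatePolicy(policy); err != nil {
			t.Fatalf("Unexpected error for %q: %v", policy, err)
		}
	}
})
```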


@ -545,6 +545,11 @@ func validateValues(ctx context.Context, k *k8s.KubernetesAPI, values *l5dcharts
}
}
err = validatePolicy(values.PolicyController.DefaultAllowPolicy)
if err != nil {
return err
}
return nil
}
@ -622,6 +627,16 @@ func validateProxyValues(values *l5dcharts.Values) error {
return nil
}
func validatePolicy(policy string) error {
validPolicies := []string{"all-authenticated", "all-unauthenticated", "cluster-authenticated", "cluster-unauthenticated", "deny"}
for _, p := range validPolicies {
if p == policy {
return nil
}
}
return fmt.Errorf("--default-inbound-policy must be one of: %s (got %s)", strings.Join(validPolicies, ", "), policy)
}
// initializeIssuerCredentials populates the identity issuer TLS credentials.
// If we are using an externally managed issuer secret, all we need to do here
// is copy the trust root from the issuer secret. Otherwise, if no credentials
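Review bot: In `validatePolicy` the rejected value is formatted with `%s`, so an empty or whitespace-padded policy is reported as `(got )` and is hard to diagnose; `%q` would make it visible: `return fmt.Errorf("--default-inbound-policy must be one of: %s (got %q)", strings.Join(validPolicies, ", "), policy)`. That changes the message, so the expected string in the new TestValidate subtest would need the quotes as well. The allowlist is a literal local to the function; if the same five names are defined elsewhere for the policy controller or chart (not visible here), a shared package-level list would keep this check from drifting from what is actually enforced. The function also has no doc comment; something like `// validatePolicy returns an error unless policy is one of the accepted default inbound policy names.` would do.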