func istioPolicies()

in appconfigmgrv2/controllers/istio_policies.go [64:131]


// istioPolicies renders one Istio authentication Policy (kind taken from
// istioPolicyGVK) per service declared in t and returns them as unstructured
// objects, in service order. When the template carries no JWT auth section it
// returns (nil, nil) and no Policy is generated.
//
// Each Policy targets the service by its serviceName, requires mutual TLS from
// peers, and adds a JWT origin method using the issuer and JWKS URI obtained
// once from resolveJWTIssuerJWKS. The request principal is bound to the JWT
// origin (PrincipalBinding_USE_ORIGIN).
//
// A service with DisableAuth set still gets a Policy, but its JWT method
// carries a trigger rule whose ExcludedPaths covers the prefix "/". Under
// Istio's trigger-rule semantics that rule never matches a request, so the
// JWT check is skipped for every path of that service; the mTLS peer
// requirement stays in force. Reviewers should treat DisableAuth as
// "reachable without a token" for that service.
//
// Errors from issuer/JWKS resolution and from the proto to unstructured
// conversion are returned with context; no partial list is returned.
func istioPolicies(t *appconfig.AppEnvConfigTemplateV2) ([]*unstructured.Unstructured, error) {
	auth := t.Spec.Auth
	if auth == nil || auth.JWT == nil {
		// Nothing to enforce: the template configures no JWT auth.
		return nil, nil
	}

	// Resolve issuer/JWKS once; every generated Policy shares them.
	issuer, jwksUri, err := resolveJWTIssuerJWKS(auth.JWT)
	if err != nil {
		return nil, fmt.Errorf("resolving jwt config: %v", err)
	}

	gvk := istioPolicyGVK()
	policies := make([]*unstructured.Unstructured, 0, len(t.Spec.Services))

	for i, svc := range t.Spec.Services {
		// nil means "no trigger rules": the JWT is demanded on every path.
		// DisableAuth is expressed as a single rule excluding the "/" prefix,
		// i.e. every path, so the JWT requirement never fires for this service.
		var triggerRules []*istioauth.Jwt_TriggerRule
		if svc.DisableAuth {
			allPaths := &istioauth.StringMatch{
				MatchType: &istioauth.StringMatch_Prefix{Prefix: "/"},
			}
			triggerRules = []*istioauth.Jwt_TriggerRule{
				{ExcludedPaths: []*istioauth.StringMatch{allPaths}},
			}
		}

		meta := map[string]interface{}{
			"name":      istioPolicyName(t, i),
			"namespace": t.Namespace,
		}

		// Peer side: mTLS is always required, independent of DisableAuth.
		mtlsPeer := &istioauth.PeerAuthenticationMethod{
			Params: &istioauth.PeerAuthenticationMethod_Mtls{
				Mtls: &istioauth.MutualTls{},
			},
		}
		// Origin side: JWT from the shared issuer/JWKS, gated by triggerRules.
		jwtOrigin := &istioauth.OriginAuthenticationMethod{
			Jwt: &istioauth.Jwt{
				Issuer:       issuer,
				JwksUri:      jwksUri,
				TriggerRules: triggerRules,
			},
		}
		spec := &istioauth.Policy{
			Targets:          []*istioauth.TargetSelector{{Name: serviceName(t, i)}},
			Peers:            []*istioauth.PeerAuthenticationMethod{mtlsPeer},
			Origins:          []*istioauth.OriginAuthenticationMethod{jwtOrigin},
			PrincipalBinding: istioauth.PrincipalBinding_USE_ORIGIN,
		}

		obj, err := unstructuredFromProto(gvk, meta, spec)
		if err != nil {
			return nil, fmt.Errorf("unstructured from proto: %v", err)
		}
		policies = append(policies, obj)
	}

	return policies, nil
}