func validateTLSOptions()

in pkg/config/validation/validation.go [564:647]


// validateTLSOptions checks a server's TLS settings for internal
// consistency and returns the accumulated errors and warnings.
//
// A nil tls block is accepted as "no TLS". Otherwise the checks run in this
// order:
//   - CipherSuites are examined regardless of Mode. Names rejected by
//     security.IsValidCipherSuite and names listed more than once are
//     reported as warnings (the warning text says they are ignored), never
//     as errors.
//   - ISTIO_MUTUAL: ServerCertificate, PrivateKey and CaCertificates must be
//     empty (each non-empty field is an error). CredentialName is an error
//     unless features.EnableLegacyIstioMutualCredentialName is set, in which
//     case it is only a warning. No further checks run for this mode.
//   - PASSTHROUGH / AUTO_PASSTHROUGH: any certificate field or
//     CredentialName yields a single warning, kept for backwards
//     compatibility.
//   - SIMPLE / MUTUAL with a non-empty CredentialName: returns at once; the
//     file-based fields are neither required nor checked.
//   - SIMPLE: ServerCertificate and PrivateKey are required.
//   - MUTUAL: ServerCertificate, PrivateKey and CaCertificates are required.
//
// Errors are added with appendValidation and warnings with appendWarningf;
// within one mode every applicable finding is collected rather than stopping
// at the first.
func validateTLSOptions(tls *networking.ServerTLSSettings) (v Validation) {
	if tls == nil {
		// A server without a TLS block is a valid (plaintext) server.
		return
	}

	// Classify every listed suite exactly once: unknown names, first
	// occurrences, and repeats of an already accepted name.
	var (
		accepted   = sets.New()
		invalid    = sets.New()
		duplicated = sets.New()
	)
	for _, suite := range tls.CipherSuites {
		switch {
		case !security.IsValidCipherSuite(suite):
			invalid.Insert(suite)
		case accepted.Contains(suite):
			duplicated.Insert(suite)
		default:
			accepted.Insert(suite)
		}
	}
	// Both findings are warnings only; the sorted lists keep the message
	// deterministic across runs.
	if len(invalid) > 0 {
		v = appendWarningf(v, "ignoring invalid cipher suites: %v", invalid.SortedList())
	}
	if len(duplicated) > 0 {
		v = appendWarningf(v, "ignoring duplicate cipher suites: %v", duplicated.SortedList())
	}

	if tls.Mode == networking.ServerTLSSettings_ISTIO_MUTUAL {
		// ISTIO_MUTUAL sources its certificates from SDS or the default
		// mount paths, so explicitly supplied material is rejected rather
		// than silently ignored.
		if tls.ServerCertificate != "" {
			v = appendValidation(v, fmt.Errorf("ISTIO_MUTUAL TLS cannot have associated server certificate"))
		}
		if tls.PrivateKey != "" {
			v = appendValidation(v, fmt.Errorf("ISTIO_MUTUAL TLS cannot have associated private key"))
		}
		if tls.CaCertificates != "" {
			v = appendValidation(v, fmt.Errorf("ISTIO_MUTUAL TLS cannot have associated CA bundle"))
		}
		if tls.CredentialName != "" {
			// The legacy feature flag downgrades this finding to a warning.
			if features.EnableLegacyIstioMutualCredentialName {
				v = appendWarningf(v, "ISTIO_MUTUAL TLS cannot have associated credentialName")
			} else {
				v = appendValidation(v, fmt.Errorf("ISTIO_MUTUAL TLS cannot have associated credentialName"))
			}
		}
		return
	}

	hasCertFields := tls.ServerCertificate != "" || tls.PrivateKey != "" || tls.CaCertificates != ""
	remoteCredentials := tls.CredentialName != ""

	switch tls.Mode {
	case networking.ServerTLSSettings_PASSTHROUGH, networking.ServerTLSSettings_AUTO_PASSTHROUGH:
		// Kept as a warning rather than an error for backwards compatibility.
		if hasCertFields || remoteCredentials {
			v = appendWarningf(v, "%v mode does not use certificates, they will be ignored", tls.Mode)
		}

	case networking.ServerTLSSettings_SIMPLE:
		if remoteCredentials {
			// Credentials are fetched by name; file-based fields are optional.
			return
		}
		if tls.ServerCertificate == "" {
			v = appendValidation(v, fmt.Errorf("SIMPLE TLS requires a server certificate"))
		}
		if tls.PrivateKey == "" {
			v = appendValidation(v, fmt.Errorf("SIMPLE TLS requires a private key"))
		}

	case networking.ServerTLSSettings_MUTUAL:
		if remoteCredentials {
			// Credentials (including the client CA) are fetched by name.
			return
		}
		if tls.ServerCertificate == "" {
			v = appendValidation(v, fmt.Errorf("MUTUAL TLS requires a server certificate"))
		}
		if tls.PrivateKey == "" {
			v = appendValidation(v, fmt.Errorf("MUTUAL TLS requires a private key"))
		}
		if tls.CaCertificates == "" {
			v = appendValidation(v, fmt.Errorf("MUTUAL TLS requires a client CA bundle"))
		}
	}
	return
}