jjamroga · jjamroga · Feb 2, 2024 · Mar 11, 2024 · Mar 29, 2024
diff --git a/istio.deps b/istio.deps
@@ -4,7 +4,7 @@
     "name": "PROXY_REPO_SHA",
     "repoName": "proxy",
     "file": "",
-    "lastStableSHA": "b080ac27d39c8adcaf0be843a55e8c080cbde7f9"
+    "lastStableSHA": "30e213147c5e54158b6176417c39c46eca60c580"
   },
   {
     "_comment": "",

diff --git a/pkg/config/analysis/analyzer.go b/pkg/config/analysis/analyzer.go
@@ -27,22 +27,29 @@ type Analyzer interface {
 	Analyze(c Context)
 }
 
-// CombinedAnalyzer is a special Analyzer that combines multiple analyzers into one
-type CombinedAnalyzer struct {
+type CombinedAnalyzer interface {
+	Analyzer
+	RelevantSubset(kinds sets.Set[config.GroupVersionKind]) CombinedAnalyzer
+	RemoveSkipped(schemas collection.Schemas) []string
+	AnalyzerNames() []string
+}
+
+// InternalCombinedAnalyzer is a special Analyzer that combines multiple analyzers into one
+type InternalCombinedAnalyzer struct {
 	name      string
 	analyzers []Analyzer
 }
 
 // Combine multiple analyzers into a single one.
 // For input metadata, use the union of the component analyzers
-func Combine(name string, analyzers ...Analyzer) *CombinedAnalyzer {
-	return &CombinedAnalyzer{
+func Combine(name string, analyzers ...Analyzer) CombinedAnalyzer {
+	return &InternalCombinedAnalyzer{
 		name:      name,
 		analyzers: analyzers,
 	}
 }
 
-func (c *CombinedAnalyzer) RelevantSubset(kinds sets.Set[config.GroupVersionKind]) *CombinedAnalyzer {
+func (c *InternalCombinedAnalyzer) RelevantSubset(kinds sets.Set[config.GroupVersionKind]) CombinedAnalyzer {
 	var selected []Analyzer
 	for _, a := range c.analyzers {
 		for _, inputKind := range a.Metadata().Inputs {
@@ -56,15 +63,15 @@ func (c *CombinedAnalyzer) RelevantSubset(kinds sets.Set[config.GroupVersionKind
 }
 
 // Metadata implements Analyzer
-func (c *CombinedAnalyzer) Metadata() Metadata {
+func (c *InternalCombinedAnalyzer) Metadata() Metadata {
 	return Metadata{
 		Name:   c.name,
 		Inputs: combineInputs(c.analyzers),
 	}
 }
 
 // Analyze implements Analyzer
-func (c *CombinedAnalyzer) Analyze(ctx Context) {
+func (c *InternalCombinedAnalyzer) Analyze(ctx Context) {
 	for _, a := range c.analyzers {
 		scope.Analysis.Debugf("Started analyzer %q...", a.Metadata().Name)
 		if ctx.Canceled() {
@@ -82,7 +89,7 @@ func (c *CombinedAnalyzer) Analyze(ctx Context) {
 // Transformer information is used to determine, based on the disabled input collections, which output collections
 // should be disabled. Any analyzers that require those output collections will be removed.
 // 2. The analyzer requires a collection not available in the current snapshot(s)
-func (c *CombinedAnalyzer) RemoveSkipped(schemas collection.Schemas) []string {
+func (c *InternalCombinedAnalyzer) RemoveSkipped(schemas collection.Schemas) []string {
 	allSchemas := schemas.All()
 	s := sets.NewWithLength[config.GroupVersionKind](len(allSchemas))
 	for _, sc := range allSchemas {
@@ -109,7 +116,7 @@ mainloop:
 }
 
 // AnalyzerNames returns the names of analyzers in this combined analyzer
-func (c *CombinedAnalyzer) AnalyzerNames() []string {
+func (c *InternalCombinedAnalyzer) AnalyzerNames() []string {
 	result := make([]string, 0, len(c.analyzers))
 	for _, a := range c.analyzers {
 		result = append(result, a.Metadata().Name)

diff --git a/pkg/config/analysis/analyzers/all.go b/pkg/config/analysis/analyzers/all.go
@@ -78,6 +78,6 @@ func All() []analysis.Analyzer {
 }
 
 // AllCombined returns all analyzers combined as one
-func AllCombined() *analysis.CombinedAnalyzer {
+func AllCombined() analysis.CombinedAnalyzer {
 	return analysis.Combine("all", All()...)
 }
diff --git a/pkg/config/analysis/analyzers/annotations/annotations.go b/pkg/config/analysis/analyzers/annotations/annotations.go
@@ -28,6 +28,7 @@ import (
 	"istio.io/istio/pkg/config/schema/gvk"
 	"istio.io/istio/pkg/kube/inject"
 	"istio.io/istio/pkg/slices"
+	"istio.io/istio/pkg/config/analysis/diag"
 )
 
 // K8sAnalyzer checks for misplaced and invalid Istio annotations in K8s resources
@@ -46,6 +47,12 @@ func (*K8sAnalyzer) Metadata() analysis.Metadata {
 			gvk.Pod,
 			gvk.Deployment,
 		},
+		MessageTypes: []*diag.MessageType{
+			msg.UnknownAnnotation,
+			msg.DeprecatedAnnotation,
+			msg.MisplacedAnnotation,
+			msg.InvalidAnnotation,
+		},
 	}
 }
 

diff --git a/pkg/config/analysis/analyzers/authz/authorizationpolicies.go b/pkg/config/analysis/analyzers/authz/authorizationpolicies.go
@@ -28,6 +28,7 @@ import (
 	"istio.io/istio/pkg/config/analysis/msg"
 	"istio.io/istio/pkg/config/resource"
 	"istio.io/istio/pkg/config/schema/gvk"
+	"istio.io/istio/pkg/config/analysis/diag"
 )
 
 // AuthorizationPoliciesAnalyzer checks the validity of authorization policies
@@ -48,6 +49,10 @@ func (a *AuthorizationPoliciesAnalyzer) Metadata() analysis.Metadata {
 			gvk.Namespace,
 			gvk.Pod,
 		},
+		MessageTypes: []*diag.MessageType{
+			msg.NoMatchingWorkloadsFound,
+			msg.ReferencedResourceNotFound,
+		},
 	}
 }
 

diff --git a/pkg/config/analysis/analyzers/deployment/pod.go b/pkg/config/analysis/analyzers/deployment/pod.go
@@ -24,6 +24,7 @@ import (
 	"istio.io/istio/pkg/config/analysis/msg"
 	"istio.io/istio/pkg/config/resource"
 	"istio.io/istio/pkg/config/schema/gvk"
+	"istio.io/istio/pkg/config/analysis/diag"
 )
 
 type ApplicationUIDAnalyzer struct{}
@@ -42,6 +43,9 @@ func (appUID *ApplicationUIDAnalyzer) Metadata() analysis.Metadata {
 			gvk.Pod,
 			gvk.Deployment,
 		},
+		MessageTypes: []*diag.MessageType{
+			msg.InvalidApplicationUID,
+		},
 	}
 }
 

diff --git a/pkg/config/analysis/analyzers/deployment/services.go b/pkg/config/analysis/analyzers/deployment/services.go
@@ -28,6 +28,7 @@ import (
 	"istio.io/istio/pkg/config/constants"
 	"istio.io/istio/pkg/config/resource"
 	"istio.io/istio/pkg/config/schema/gvk"
+	"istio.io/istio/pkg/config/analysis/diag"
 )
 
 type ServiceAssociationAnalyzer struct{}
@@ -56,6 +57,10 @@ func (s *ServiceAssociationAnalyzer) Metadata() analysis.Metadata {
 			gvk.Deployment,
 			gvk.Namespace,
 		},
+		MessageTypes: []*diag.MessageType{
+			msg.DeploymentAssociatedToMultipleServices,
+			msg.DeploymentConflictingPorts,
+		},
 	}
 }
 

diff --git a/pkg/config/analysis/analyzers/deprecation/deprecation.go b/pkg/config/analysis/analyzers/deprecation/deprecation.go
@@ -25,6 +25,7 @@ import (
 	"istio.io/istio/pkg/config/analysis/msg"
 	"istio.io/istio/pkg/config/resource"
 	"istio.io/istio/pkg/config/schema/gvk"
+	"istio.io/istio/pkg/config/analysis/diag"
 )
 
 // FieldAnalyzer checks for deprecated Istio types and fields
@@ -66,6 +67,9 @@ func (*FieldAnalyzer) Metadata() analysis.Metadata {
 		Name:        "deprecation.DeprecationAnalyzer",
 		Description: "Checks for deprecated Istio types and fields",
 		Inputs:      deprecationInputs,
+		MessageTypes: []*diag.MessageType{
+			msg.Deprecated,
+		},
 	}
 }
 

diff --git a/pkg/config/analysis/analyzers/destinationrule/ca-certificates.go b/pkg/config/analysis/analyzers/destinationrule/ca-certificates.go
@@ -24,6 +24,7 @@ import (
 	"istio.io/istio/pkg/config/analysis/msg"
 	"istio.io/istio/pkg/config/resource"
 	"istio.io/istio/pkg/config/schema/gvk"
+	"istio.io/istio/pkg/config/analysis/diag"
 )
 
 // CaCertificateAnalyzer checks if CaCertificate is set in case mode is SIMPLE/MUTUAL
@@ -38,6 +39,10 @@ func (c *CaCertificateAnalyzer) Metadata() analysis.Metadata {
 		Inputs: []config.GroupVersionKind{
 			gvk.DestinationRule,
 		},
+		MessageTypes: []*diag.MessageType{
+			msg.NoServerCertificateVerificationDestinationLevel,
+			msg.NoServerCertificateVerificationPortLevel,
+		},
 	}
 }
 

diff --git a/pkg/config/analysis/analyzers/envoyfilter/envoyfilter.go b/pkg/config/analysis/analyzers/envoyfilter/envoyfilter.go
@@ -24,6 +24,7 @@ import (
 	"istio.io/istio/pkg/config/analysis/msg"
 	"istio.io/istio/pkg/config/resource"
 	"istio.io/istio/pkg/config/schema/gvk"
+	"istio.io/istio/pkg/config/analysis/diag"
 )
 
 // EnvoyPatchAnalyzer checks envoyFilters to see if the patch section is okay
@@ -40,6 +41,10 @@ func (*EnvoyPatchAnalyzer) Metadata() analysis.Metadata {
 		Inputs: []config.GroupVersionKind{
 			gvk.EnvoyFilter,
 		},
+		MessageTypes: []*diag.MessageType{
+			msg.EnvoyFilterUsesRelativeOperation,
+			msg.EnvoyFilterUsesRelativeOperationWithProxyVersion,
+		},
 	}
 }
 

diff --git a/pkg/config/analysis/analyzers/externalcontrolplane/externalcontrolplane.go b/pkg/config/analysis/analyzers/externalcontrolplane/externalcontrolplane.go
@@ -26,6 +26,7 @@ import (
 	"istio.io/istio/pkg/config/resource"
 	"istio.io/istio/pkg/config/schema/gvk"
 	"istio.io/istio/pkg/slices"
+	"istio.io/istio/pkg/config/analysis/diag"
 )
 
 type ExternalControlPlaneAnalyzer struct{}
@@ -42,6 +43,10 @@ func (s *ExternalControlPlaneAnalyzer) Metadata() analysis.Metadata {
 			gvk.ValidatingWebhookConfiguration,
 			gvk.MutatingWebhookConfiguration,
 		},
+		MessageTypes: []*diag.MessageType{
+			msg.ExternalControlPlaneAddressIsNotAHostname,
+			msg.InvalidExternalControlPlaneConfig,
+		},
 	}
 }
 

diff --git a/pkg/config/analysis/analyzers/gateway/certificate.go b/pkg/config/analysis/analyzers/gateway/certificate.go
@@ -23,6 +23,7 @@ import (
 	"istio.io/istio/pkg/config/analysis/msg"
 	"istio.io/istio/pkg/config/resource"
 	"istio.io/istio/pkg/config/schema/gvk"
+	"istio.io/istio/pkg/config/analysis/diag"
 )
 
 type CertificateAnalyzer struct{}
@@ -36,6 +37,9 @@ func (*CertificateAnalyzer) Metadata() analysis.Metadata {
 		Inputs: []config.GroupVersionKind{
 			gvk.Gateway,
 		},
+		MessageTypes: []*diag.MessageType{
+			msg.GatewayDuplicateCertificate,
+		},
 	}
 }
 

diff --git a/pkg/config/analysis/analyzers/gateway/conflictinggateway.go b/pkg/config/analysis/analyzers/gateway/conflictinggateway.go
@@ -29,6 +29,7 @@ import (
 	"istio.io/istio/pkg/config/host"
 	"istio.io/istio/pkg/config/resource"
 	"istio.io/istio/pkg/config/schema/gvk"
+	"istio.io/istio/pkg/config/analysis/diag"
 )
 
 // ConflictingGatewayAnalyzer checks a gateway's selector, port number and hosts.
@@ -45,6 +46,10 @@ func (*ConflictingGatewayAnalyzer) Metadata() analysis.Metadata {
 		Inputs: []config.GroupVersionKind{
 			gvk.Gateway,
 		},
+		MessageTypes: []*diag.MessageType{
+			msg.ReferencedResourceNotFound,
+			msg.ConflictingGateways,
+		},
 	}
 }
 

diff --git a/pkg/config/analysis/analyzers/gateway/gateway.go b/pkg/config/analysis/analyzers/gateway/gateway.go
@@ -27,6 +27,7 @@ import (
 	"istio.io/istio/pkg/config/analysis/msg"
 	"istio.io/istio/pkg/config/resource"
 	"istio.io/istio/pkg/config/schema/gvk"
+	"istio.io/istio/pkg/config/analysis/diag"
 )
 
 // IngressGatewayPortAnalyzer checks a gateway's ports against the gateway's Kubernetes service ports.
@@ -45,6 +46,10 @@ func (*IngressGatewayPortAnalyzer) Metadata() analysis.Metadata {
 			gvk.Pod,
 			gvk.Service,
 		},
+		MessageTypes: []*diag.MessageType{
+			msg.ReferencedResourceNotFound,
+			msg.GatewayPortNotDefinedOnService,
+		},
 	}
 }
 

diff --git a/pkg/config/analysis/analyzers/gateway/secret.go b/pkg/config/analysis/analyzers/gateway/secret.go
@@ -29,6 +29,7 @@ import (
 	"istio.io/istio/pkg/config/analysis/msg"
 	"istio.io/istio/pkg/config/resource"
 	"istio.io/istio/pkg/config/schema/gvk"
+	"istio.io/istio/pkg/config/analysis/diag"
 )
 
 // SecretAnalyzer checks a gateway's referenced secrets for correctness
@@ -46,6 +47,10 @@ func (a *SecretAnalyzer) Metadata() analysis.Metadata {
 			gvk.Pod,
 			gvk.Secret,
 		},
+		MessageTypes: []*diag.MessageType{
+			msg.ReferencedResourceNotFound,
+			msg.InvalidGatewayCredential,
+		},
 	}
 }
 

diff --git a/pkg/config/analysis/analyzers/injection/image-auto.go b/pkg/config/analysis/analyzers/injection/image-auto.go
@@ -28,6 +28,7 @@ import (
 	"istio.io/istio/pkg/config/analysis/msg"
 	"istio.io/istio/pkg/config/resource"
 	"istio.io/istio/pkg/config/schema/gvk"
+	"istio.io/istio/pkg/config/analysis/diag"
 )
 
 // ImageAutoAnalyzer reports an error if Pods and Deployments with `image: auto` are not going to be injected.
@@ -51,6 +52,10 @@ func (a *ImageAutoAnalyzer) Metadata() analysis.Metadata {
 			gvk.Deployment,
 			gvk.MutatingWebhookConfiguration,
 		},
+		MessageTypes: []*diag.MessageType{
+			msg.ImageAutoWithoutInjectionError,
+			msg.ImageAutoWithoutInjectionWarning,
+		},
 	}
 }
 

diff --git a/pkg/config/analysis/analyzers/injection/injection-image.go b/pkg/config/analysis/analyzers/injection/injection-image.go
@@ -28,6 +28,7 @@ import (
 	"istio.io/istio/pkg/config/resource"
 	"istio.io/istio/pkg/config/schema/gvk"
 	"istio.io/istio/pkg/slices"
+	"istio.io/istio/pkg/config/analysis/diag"
 )
 
 // ImageAnalyzer checks the image of auto-injection configured with the running proxies on pods.
@@ -60,6 +61,9 @@ func (a *ImageAnalyzer) Metadata() analysis.Metadata {
 			gvk.Pod,
 			gvk.ConfigMap,
 		},
+		MessageTypes: []*diag.MessageType{
+			msg.PodsIstioProxyImageMismatchInNamespace,
+		},
 	}
 }
 

diff --git a/pkg/config/analysis/analyzers/injection/injection.go b/pkg/config/analysis/analyzers/injection/injection.go
@@ -31,6 +31,7 @@ import (
 	"istio.io/istio/pkg/config/resource"
 	"istio.io/istio/pkg/config/schema/gvk"
 	"istio.io/istio/pkg/slices"
+	"istio.io/istio/pkg/config/analysis/diag"
 )
 
 // Analyzer checks conditions related to Istio sidecar injection.
@@ -55,6 +56,12 @@ func (a *Analyzer) Metadata() analysis.Metadata {
 			gvk.Pod,
 			gvk.ConfigMap,
 		},
+		MessageTypes: []*diag.MessageType{
+			msg.NamespaceMultipleInjectionLabels,
+			msg.NamespaceInjectionEnabledByDefault,
+			msg.NamespaceNotInjected,
+			msg.PodMissingProxy,
+		},
 	}
 }
 

diff --git a/pkg/config/analysis/analyzers/maturity/maturity.go b/pkg/config/analysis/analyzers/maturity/maturity.go
@@ -27,6 +27,7 @@ import (
 	"istio.io/istio/pkg/config/constants"
 	"istio.io/istio/pkg/config/resource"
 	"istio.io/istio/pkg/config/schema/gvk"
+	"istio.io/istio/pkg/config/analysis/diag"
 )
 
 // AlphaAnalyzer checks for alpha Istio annotations in K8s resources
@@ -49,6 +50,9 @@ func (*AlphaAnalyzer) Metadata() analysis.Metadata {
 			gvk.Pod,
 			gvk.Deployment,
 		},
+		MessageTypes: []*diag.MessageType{
+			msg.AlphaAnnotation,
+		},
 	}
 }