feat: add TLS version annotation support for per-rule configuration (#1592)

Co-authored-by: 澄潭 <zty98751@alibaba-inc.com>
2026-06-09 20:57:32 +08:00 · 2025-01-06 21:29:09 +08:00
parent 61fef0ecf8
commit 1c2330e33b
2 changed files with 216 additions and 91 deletions
--- a/pkg/ingress/kube/annotations/downstreamtls.go
+++ b/pkg/ingress/kube/annotations/downstreamtls.go
@@ -16,6 +16,7 @@ package annotations

 import (
 	"strings"
+	"fmt"

 	networking "istio.io/api/networking/v1alpha3"
 	gatewaytool "istio.io/istio/pkg/config/gateway"
@@ -27,9 +28,11 @@ import (
 )

 const (
-	authTLSSecret      = "auth-tls-secret"
-	sslCipher          = "ssl-cipher"
-	gatewaySdsCaSuffix = "-cacert"
+	authTLSSecret      		= "auth-tls-secret"
+	sslCipher          		= "ssl-cipher"
+	gatewaySdsCaSuffix 		= "-cacert"
+	annotationMinTLSVersion = "tls-min-protocol-version" 
+	annotationMaxTLSVersion = "tls-max-protocol-version"
 )

 var (
@@ -41,6 +44,8 @@ type DownstreamTLSConfig struct {
 	CipherSuites []string
 	Mode         networking.ServerTLSSettings_TLSmode
 	CASecretName types.NamespacedName
+	MinVersion   string
+	MaxVersion   string
 }

 type downstreamTLS struct{}
@@ -81,6 +86,14 @@ func (d downstreamTLS) Parse(annotations Annotations, config *Ingress, _ *Global

 		downstreamTLSConfig.CipherSuites = validCipherSuite
 	}
+	
+	if minVersion, err := annotations.ParseStringASAP(annotationMinTLSVersion); err == nil {
+		downstreamTLSConfig.MinVersion = minVersion
+	}
+
+	if maxVersion, err := annotations.ParseStringASAP(annotationMaxTLSVersion); err == nil {
+		downstreamTLSConfig.MaxVersion = maxVersion
+	}

 	return nil
 }
@@ -107,11 +120,45 @@ func (d downstreamTLS) ApplyGateway(gateway *networking.Gateway, config *Ingress
 			if len(downstreamTLSConfig.CipherSuites) != 0 {
 				server.Tls.CipherSuites = downstreamTLSConfig.CipherSuites
 			}
+
+			if downstreamTLSConfig.MinVersion != "" {
+				if version, err := convertTLSVersion(downstreamTLSConfig.MinVersion); err != nil {
+						IngressLog.Errorf("Invalid minimum TLS version: %v", err)
+				} else {
+						server.Tls.MinProtocolVersion = version
+				}
+			}
+
+			if downstreamTLSConfig.MaxVersion != "" {
+				if version, err := convertTLSVersion(downstreamTLSConfig.MaxVersion); err != nil {
+						IngressLog.Errorf("Invalid maximum TLS version: %v", err)
+				} else {
+						server.Tls.MaxProtocolVersion = version
+				}
+			}
+		
 		}
 	}
 }

 func needDownstreamTLS(annotations Annotations) bool {
 	return annotations.HasASAP(sslCipher) ||
-		annotations.HasASAP(authTLSSecret)
+		annotations.HasASAP(authTLSSecret)||
+		annotations.HasASAP(annotationMinTLSVersion) ||
+		annotations.HasASAP(annotationMaxTLSVersion)
+}
+
+func convertTLSVersion(version string) (networking.ServerTLSSettings_TLSProtocol, error)  {
+	switch version {
+	case "TLSv1.0":
+		return networking.ServerTLSSettings_TLSV1_0 , nil
+	case "TLSv1.1":
+			return networking.ServerTLSSettings_TLSV1_1 , nil
+	case "TLSv1.2":
+			return networking.ServerTLSSettings_TLSV1_2 , nil
+	case "TLSv1.3":
+	default:
+		return networking.ServerTLSSettings_TLS_AUTO, fmt.Errorf("invalid TLS version: %s. Valid values are: TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3", version)
+	}
+	return networking.ServerTLSSettings_TLS_AUTO, fmt.Errorf("unreachable code, but required by compiler")
 }