jiazhizhong/higress
1
0
Fork 0
mirror of https://github.com/alibaba/higress.git synced 2026-06-10 05:07:30 +08:00
Code Issues Packages Projects Releases Wiki Activity

feat: add TLS version annotation support for per-rule configuration (#1592)

Browse Source 
Co-authored-by: 澄潭 <zty98751@alibaba-inc.com>
This commit is contained in:
yunmaoQu
2025-01-06 21:29:09 +08:00
committed by GitHub
parent 61fef0ecf8
commit 1c2330e33b
2 changed files with 216 additions and 91 deletions
Download Patch File Download Diff File Expand all files Collapse all files

55
pkg/ingress/kube/annotations/downstreamtls.go
View File

@@ -16,6 +16,7 @@ package annotations
import ( import (
"strings" "strings"
"fmt"
networking "istio.io/api/networking/v1alpha3" networking "istio.io/api/networking/v1alpha3"
gatewaytool "istio.io/istio/pkg/config/gateway" gatewaytool "istio.io/istio/pkg/config/gateway"
@@ -27,9 +28,11 @@ import (
) )
const ( const (
authTLSSecret = "auth-tls-secret" authTLSSecret = "auth-tls-secret"
sslCipher = "ssl-cipher" sslCipher = "ssl-cipher"
gatewaySdsCaSuffix = "-cacert" gatewaySdsCaSuffix = "-cacert"
annotationMinTLSVersion = "tls-min-protocol-version"
annotationMaxTLSVersion = "tls-max-protocol-version"
) )
var ( var (
@@ -41,6 +44,8 @@ type DownstreamTLSConfig struct {
CipherSuites []string CipherSuites []string
Mode networking.ServerTLSSettings_TLSmode Mode networking.ServerTLSSettings_TLSmode
CASecretName types.NamespacedName CASecretName types.NamespacedName
MinVersion string
MaxVersion string
} }
type downstreamTLS struct{} type downstreamTLS struct{}
@@ -81,6 +86,14 @@ func (d downstreamTLS) Parse(annotations Annotations, config *Ingress, _ *Global
downstreamTLSConfig.CipherSuites = validCipherSuite downstreamTLSConfig.CipherSuites = validCipherSuite
} }
if minVersion, err := annotations.ParseStringASAP(annotationMinTLSVersion); err == nil {
downstreamTLSConfig.MinVersion = minVersion
}
if maxVersion, err := annotations.ParseStringASAP(annotationMaxTLSVersion); err == nil {
downstreamTLSConfig.MaxVersion = maxVersion
}
return nil return nil
} }
@@ -107,11 +120,45 @@ func (d downstreamTLS) ApplyGateway(gateway *networking.Gateway, config *Ingress
if len(downstreamTLSConfig.CipherSuites) != 0 { if len(downstreamTLSConfig.CipherSuites) != 0 {
server.Tls.CipherSuites = downstreamTLSConfig.CipherSuites server.Tls.CipherSuites = downstreamTLSConfig.CipherSuites
} }
if downstreamTLSConfig.MinVersion != "" {
if version, err := convertTLSVersion(downstreamTLSConfig.MinVersion); err != nil {
IngressLog.Errorf("Invalid minimum TLS version: %v", err)
} else {
server.Tls.MinProtocolVersion = version
}
}
if downstreamTLSConfig.MaxVersion != "" {
if version, err := convertTLSVersion(downstreamTLSConfig.MaxVersion); err != nil {
IngressLog.Errorf("Invalid maximum TLS version: %v", err)
} else {
server.Tls.MaxProtocolVersion = version
}
}
} }
} }
} }
func needDownstreamTLS(annotations Annotations) bool { func needDownstreamTLS(annotations Annotations) bool {
return annotations.HasASAP(sslCipher) || return annotations.HasASAP(sslCipher) ||
annotations.HasASAP(authTLSSecret) annotations.HasASAP(authTLSSecret)||
annotations.HasASAP(annotationMinTLSVersion) ||
annotations.HasASAP(annotationMaxTLSVersion)
}
func convertTLSVersion(version string) (networking.ServerTLSSettings_TLSProtocol, error) {
switch version {
case "TLSv1.0":
return networking.ServerTLSSettings_TLSV1_0 , nil
case "TLSv1.1":
return networking.ServerTLSSettings_TLSV1_1 , nil
case "TLSv1.2":
return networking.ServerTLSSettings_TLSV1_2 , nil
case "TLSv1.3":
default:
return networking.ServerTLSSettings_TLS_AUTO, fmt.Errorf("invalid TLS version: %s. Valid values are: TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3", version)
}
return networking.ServerTLSSettings_TLS_AUTO, fmt.Errorf("unreachable code, but required by compiler")
} }

252
pkg/ingress/kube/annotations/downstreamtls_test.go
View File

@@ -26,11 +26,15 @@ var parser = downstreamTLS{}
func TestParse(t *testing.T) { func TestParse(t *testing.T) {
testCases := []struct { testCases := []struct {
name string
input map[string]string input map[string]string
expect *DownstreamTLSConfig expect *DownstreamTLSConfig
}{ }{
{},
{ {
name: "empty config",
},
{
name: "ssl cipher only",
input: map[string]string{ input: map[string]string{
buildNginxAnnotationKey(sslCipher): "ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA", buildNginxAnnotationKey(sslCipher): "ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA",
}, },
@@ -40,9 +44,24 @@ func TestParse(t *testing.T) {
}, },
}, },
{ {
name: "with TLS version config",
input: map[string]string{ input: map[string]string{
buildNginxAnnotationKey(authTLSSecret): "test", buildNginxAnnotationKey(annotationMinTLSVersion): "TLSv1.2",
buildNginxAnnotationKey(sslCipher): "ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA", buildNginxAnnotationKey(annotationMaxTLSVersion): "TLSv1.3",
},
expect: &DownstreamTLSConfig{
Mode: networking.ServerTLSSettings_SIMPLE,
MinVersion: "TLSv1.2",
MaxVersion: "TLSv1.3",
},
},
{
name: "complete config",
input: map[string]string{
buildNginxAnnotationKey(authTLSSecret): "test",
buildNginxAnnotationKey(sslCipher): "ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA",
buildNginxAnnotationKey(annotationMinTLSVersion): "TLSv1.2",
buildNginxAnnotationKey(annotationMaxTLSVersion): "TLSv1.3",
}, },
expect: &DownstreamTLSConfig{ expect: &DownstreamTLSConfig{
CASecretName: types.NamespacedName{ CASecretName: types.NamespacedName{
@@ -51,34 +70,79 @@ func TestParse(t *testing.T) {
}, },
Mode: networking.ServerTLSSettings_MUTUAL, Mode: networking.ServerTLSSettings_MUTUAL,
CipherSuites: []string{"ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA"}, CipherSuites: []string{"ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA"},
}, MinVersion: "TLSv1.2",
}, MaxVersion: "TLSv1.3",
{
input: map[string]string{
buildHigressAnnotationKey(authTLSSecret): "test/foo",
DefaultAnnotationsPrefix + "/" + sslCipher: "ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA",
},
expect: &DownstreamTLSConfig{
CASecretName: types.NamespacedName{
Namespace: "test",
Name: "foo",
},
Mode: networking.ServerTLSSettings_MUTUAL,
CipherSuites: []string{"ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA"},
}, },
}, },
} }
for _, testCase := range testCases { for _, tc := range testCases {
t.Run("", func(t *testing.T) { t.Run(tc.name, func(t *testing.T) {
config := &Ingress{ config := &Ingress{
Meta: Meta{ Meta: Meta{
Namespace: "foo", Namespace: "foo",
}, },
} }
_ = parser.Parse(testCase.input, config, nil) err := parser.Parse(tc.input, config, nil)
if !reflect.DeepEqual(testCase.expect, config.DownstreamTLS) { if err != nil {
t.Fatalf("Should be equal") t.Fatalf("Parse failed: %v", err)
}
if !reflect.DeepEqual(tc.expect, config.DownstreamTLS) {
t.Fatalf("Parse result mismatch:\nExpect: %+v\nGot: %+v", tc.expect, config.DownstreamTLS)
}
})
}
}
func TestConvertTLSVersion(t *testing.T) {
testCases := []struct {
name string
version string
expect networking.ServerTLSSettings_TLSProtocol
wantErr bool
}{
{
name: "TLS 1.0",
version: "TLSv1.0",
expect: networking.ServerTLSSettings_TLSV1_0,
},
{
name: "TLS 1.1",
version: "TLSv1.1",
expect: networking.ServerTLSSettings_TLSV1_1,
},
{
name: "TLS 1.2",
version: "TLSv1.2",
expect: networking.ServerTLSSettings_TLSV1_2,
},
{
name: "TLS 1.3",
version: "TLSv1.3",
expect: networking.ServerTLSSettings_TLSV1_3,
},
{
name: "invalid version",
version: "invalid",
expect: networking.ServerTLSSettings_TLS_AUTO,
wantErr: true,
},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
result, err := convertTLSVersion(tc.version)
if tc.wantErr {
if err == nil {
t.Error("Expected error but got none")
}
} else {
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
if result != tc.expect {
t.Errorf("Expected %v but got %v", tc.expect, result)
}
} }
}) })
} }
@@ -86,11 +150,13 @@ func TestParse(t *testing.T) {
func TestApplyGateway(t *testing.T) { func TestApplyGateway(t *testing.T) {
testCases := []struct { testCases := []struct {
name string
input *networking.Gateway input *networking.Gateway
config *Ingress config *Ingress
expect *networking.Gateway expect *networking.Gateway
}{ }{
{ {
name: "apply TLS version",
input: &networking.Gateway{ input: &networking.Gateway{
Servers: []*networking.Server{ Servers: []*networking.Server{
{ {
@@ -105,7 +171,8 @@ func TestApplyGateway(t *testing.T) {
}, },
config: &Ingress{ config: &Ingress{
DownstreamTLS: &DownstreamTLSConfig{ DownstreamTLS: &DownstreamTLSConfig{
CipherSuites: []string{"ECDHE-RSA-AES256-GCM-SHA384"}, MinVersion: "TLSv1.2",
MaxVersion: "TLSv1.3",
}, },
}, },
expect: &networking.Gateway{ expect: &networking.Gateway{
@@ -115,14 +182,16 @@ func TestApplyGateway(t *testing.T) {
Protocol: "HTTPS", Protocol: "HTTPS",
}, },
Tls: &networking.ServerTLSSettings{ Tls: &networking.ServerTLSSettings{
Mode: networking.ServerTLSSettings_SIMPLE, Mode: networking.ServerTLSSettings_SIMPLE,
CipherSuites: []string{"ECDHE-RSA-AES256-GCM-SHA384"}, MinProtocolVersion: networking.ServerTLSSettings_TLSV1_2,
MaxProtocolVersion: networking.ServerTLSSettings_TLSV1_3,
}, },
}, },
}, },
}, },
}, },
{ {
name: "complete config",
input: &networking.Gateway{ input: &networking.Gateway{
Servers: []*networking.Server{ Servers: []*networking.Server{
{ {
@@ -144,24 +213,28 @@ func TestApplyGateway(t *testing.T) {
}, },
Mode: networking.ServerTLSSettings_MUTUAL, Mode: networking.ServerTLSSettings_MUTUAL,
CipherSuites: []string{"ECDHE-RSA-AES256-GCM-SHA384"}, CipherSuites: []string{"ECDHE-RSA-AES256-GCM-SHA384"},
MinVersion: "TLSv1.2",
MaxVersion: "TLSv1.3",
}, },
}, },
expect: &networking.Gateway{ expect: &networking.Gateway{
Servers: []*networking.Server{ Servers: []*networking.Server{
{ {Port: &networking.Port{
Port: &networking.Port{ Protocol: "HTTPS",
Protocol: "HTTPS", },
},
Tls: &networking.ServerTLSSettings{ Tls: &networking.ServerTLSSettings{
CredentialName: "kubernetes-ingress://cluster/foo/bar", CredentialName: "kubernetes-ingress://cluster/foo/bar",
Mode: networking.ServerTLSSettings_MUTUAL, Mode: networking.ServerTLSSettings_MUTUAL,
CipherSuites: []string{"ECDHE-RSA-AES256-GCM-SHA384"}, CipherSuites: []string{"ECDHE-RSA-AES256-GCM-SHA384"},
MinProtocolVersion: networking.ServerTLSSettings_TLSV1_2,
MaxProtocolVersion: networking.ServerTLSSettings_TLSV1_3,
}, },
}, },
}, },
}, },
}, },
{ {
name: "invalid TLS version",
input: &networking.Gateway{ input: &networking.Gateway{
Servers: []*networking.Server{ Servers: []*networking.Server{
{ {
@@ -169,20 +242,15 @@ func TestApplyGateway(t *testing.T) {
Protocol: "HTTPS", Protocol: "HTTPS",
}, },
Tls: &networking.ServerTLSSettings{ Tls: &networking.ServerTLSSettings{
Mode: networking.ServerTLSSettings_SIMPLE, Mode: networking.ServerTLSSettings_SIMPLE,
CredentialName: "kubernetes-ingress://cluster/foo/bar",
}, },
}, },
}, },
}, },
config: &Ingress{ config: &Ingress{
DownstreamTLS: &DownstreamTLSConfig{ DownstreamTLS: &DownstreamTLSConfig{
CASecretName: types.NamespacedName{ MinVersion: "invalid",
Namespace: "foo", MaxVersion: "invalid",
Name: "bar-cacert",
},
Mode: networking.ServerTLSSettings_MUTUAL,
CipherSuites: []string{"ECDHE-RSA-AES256-GCM-SHA384"},
}, },
}, },
expect: &networking.Gateway{ expect: &networking.Gateway{
@@ -192,48 +260,10 @@ func TestApplyGateway(t *testing.T) {
Protocol: "HTTPS", Protocol: "HTTPS",
}, },
Tls: &networking.ServerTLSSettings{ Tls: &networking.ServerTLSSettings{
CredentialName: "kubernetes-ingress://cluster/foo/bar", Mode: networking.ServerTLSSettings_SIMPLE,
Mode: networking.ServerTLSSettings_MUTUAL, // Invalid versions should default to TLS_AUTO
CipherSuites: []string{"ECDHE-RSA-AES256-GCM-SHA384"}, MinProtocolVersion: networking.ServerTLSSettings_TLS_AUTO,
}, MaxProtocolVersion: networking.ServerTLSSettings_TLS_AUTO,
},
},
},
},
{
input: &networking.Gateway{
Servers: []*networking.Server{
{
Port: &networking.Port{
Protocol: "HTTPS",
},
Tls: &networking.ServerTLSSettings{
Mode: networking.ServerTLSSettings_SIMPLE,
CredentialName: "kubernetes-ingress://cluster/foo/bar",
},
},
},
},
config: &Ingress{
DownstreamTLS: &DownstreamTLSConfig{
CASecretName: types.NamespacedName{
Namespace: "bar",
Name: "foo",
},
Mode: networking.ServerTLSSettings_MUTUAL,
CipherSuites: []string{"ECDHE-RSA-AES256-GCM-SHA384"},
},
},
expect: &networking.Gateway{
Servers: []*networking.Server{
{
Port: &networking.Port{
Protocol: "HTTPS",
},
Tls: &networking.ServerTLSSettings{
CredentialName: "kubernetes-ingress://cluster/foo/bar",
Mode: networking.ServerTLSSettings_SIMPLE,
CipherSuites: []string{"ECDHE-RSA-AES256-GCM-SHA384"},
}, },
}, },
}, },
@@ -241,11 +271,59 @@ func TestApplyGateway(t *testing.T) {
}, },
} }
for _, testCase := range testCases { for _, tc := range testCases {
t.Run("", func(t *testing.T) { t.Run(tc.name, func(t *testing.T) {
parser.ApplyGateway(testCase.input, testCase.config) parser.ApplyGateway(tc.input, tc.config)
if !reflect.DeepEqual(testCase.input, testCase.expect) { if !reflect.DeepEqual(tc.input, tc.expect) {
t.Fatalf("Should be equal") t.Fatalf("ApplyGateway result mismatch for %s:\nExpect: %+v\nGot: %+v",
tc.name, tc.expect, tc.input)
}
})
}
}
func TestNeedDownstreamTLS(t *testing.T) {
testCases := []struct {
name string
annotations map[string]string
expect bool
}{
{
name: "empty annotations",
annotations: map[string]string{},
expect: false,
},
{
name: "with ssl cipher",
annotations: map[string]string{
buildNginxAnnotationKey(sslCipher): "ECDHE-RSA-AES256-GCM-SHA384",
},
expect: true,
},
{
name: "with TLS version",
annotations: map[string]string{
buildNginxAnnotationKey(annotationMinTLSVersion): "TLSv1.2",
},
expect: true,
},
{
name: "with multiple TLS configs",
annotations: map[string]string{
buildNginxAnnotationKey(sslCipher): "ECDHE-RSA-AES256-GCM-SHA384",
buildNginxAnnotationKey(annotationMinTLSVersion): "TLSv1.2",
buildNginxAnnotationKey(annotationMaxTLSVersion): "TLSv1.3",
},
expect: true,
},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
result := needDownstreamTLS(tc.annotations)
if result != tc.expect {
t.Errorf("needDownstreamTLS() for %s = %v, want %v",
tc.name, result, tc.expect)
} }
}) })
} }