fix tls version annotation (#1652)

2026-06-06 11:17:29 +08:00 · 2025-01-08 15:31:39 +08:00
parent 4733af849d
commit 6820a06a99
1 changed files with 18 additions and 19 deletions
--- a/pkg/ingress/kube/annotations/downstreamtls.go
+++ b/pkg/ingress/kube/annotations/downstreamtls.go
@@ -15,8 +15,8 @@
 package annotations

 import (
-	"strings"
 	"fmt"
+	"strings"

 	networking "istio.io/api/networking/v1alpha3"
 	gatewaytool "istio.io/istio/pkg/config/gateway"
@@ -28,10 +28,10 @@ import (
 )

 const (
-	authTLSSecret      		= "auth-tls-secret"
-	sslCipher          		= "ssl-cipher"
-	gatewaySdsCaSuffix 		= "-cacert"
-	annotationMinTLSVersion = "tls-min-protocol-version" 
+	authTLSSecret           = "auth-tls-secret"
+	sslCipher               = "ssl-cipher"
+	gatewaySdsCaSuffix      = "-cacert"
+	annotationMinTLSVersion = "tls-min-protocol-version"
 	annotationMaxTLSVersion = "tls-max-protocol-version"
 )

@@ -86,7 +86,7 @@ func (d downstreamTLS) Parse(annotations Annotations, config *Ingress, _ *Global

 		downstreamTLSConfig.CipherSuites = validCipherSuite
 	}
-	
+
 	if minVersion, err := annotations.ParseStringASAP(annotationMinTLSVersion); err == nil {
 		downstreamTLSConfig.MinVersion = minVersion
 	}
@@ -123,42 +123,41 @@ func (d downstreamTLS) ApplyGateway(gateway *networking.Gateway, config *Ingress

 			if downstreamTLSConfig.MinVersion != "" {
 				if version, err := convertTLSVersion(downstreamTLSConfig.MinVersion); err != nil {
-						IngressLog.Errorf("Invalid minimum TLS version: %v", err)
+					IngressLog.Errorf("Invalid minimum TLS version: %v", err)
 				} else {
-						server.Tls.MinProtocolVersion = version
+					server.Tls.MinProtocolVersion = version
 				}
 			}

 			if downstreamTLSConfig.MaxVersion != "" {
 				if version, err := convertTLSVersion(downstreamTLSConfig.MaxVersion); err != nil {
-						IngressLog.Errorf("Invalid maximum TLS version: %v", err)
+					IngressLog.Errorf("Invalid maximum TLS version: %v", err)
 				} else {
-						server.Tls.MaxProtocolVersion = version
+					server.Tls.MaxProtocolVersion = version
 				}
 			}
-		
+
 		}
 	}
 }

 func needDownstreamTLS(annotations Annotations) bool {
 	return annotations.HasASAP(sslCipher) ||
-		annotations.HasASAP(authTLSSecret)||
+		annotations.HasASAP(authTLSSecret) ||
 		annotations.HasASAP(annotationMinTLSVersion) ||
 		annotations.HasASAP(annotationMaxTLSVersion)
 }

-func convertTLSVersion(version string) (networking.ServerTLSSettings_TLSProtocol, error)  {
+func convertTLSVersion(version string) (networking.ServerTLSSettings_TLSProtocol, error) {
 	switch version {
 	case "TLSv1.0":
-		return networking.ServerTLSSettings_TLSV1_0 , nil
+		return networking.ServerTLSSettings_TLSV1_0, nil
 	case "TLSv1.1":
-			return networking.ServerTLSSettings_TLSV1_1 , nil
+		return networking.ServerTLSSettings_TLSV1_1, nil
 	case "TLSv1.2":
-			return networking.ServerTLSSettings_TLSV1_2 , nil
+		return networking.ServerTLSSettings_TLSV1_2, nil
 	case "TLSv1.3":
-	default:
-		return networking.ServerTLSSettings_TLS_AUTO, fmt.Errorf("invalid TLS version: %s. Valid values are: TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3", version)
+		return networking.ServerTLSSettings_TLSV1_3, nil
 	}
-	return networking.ServerTLSSettings_TLS_AUTO, fmt.Errorf("unreachable code, but required by compiler")
+	return networking.ServerTLSSettings_TLS_AUTO, fmt.Errorf("invalid TLS version: %s. Valid values are: TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3", version)
 }