fix tls version annotation (#1652)

This commit is contained in:
澄潭
2025-01-08 15:31:39 +08:00
committed by GitHub
parent 4733af849d
commit 6820a06a99


@@ -15,8 +15,8 @@
package annotations package annotations
import ( import (
"strings"
"fmt" "fmt"
"strings"
networking "istio.io/api/networking/v1alpha3" networking "istio.io/api/networking/v1alpha3"
gatewaytool "istio.io/istio/pkg/config/gateway" gatewaytool "istio.io/istio/pkg/config/gateway"
@@ -28,9 +28,9 @@ import (
) )
const ( const (
authTLSSecret = "auth-tls-secret" authTLSSecret = "auth-tls-secret"
sslCipher = "ssl-cipher" sslCipher = "ssl-cipher"
gatewaySdsCaSuffix = "-cacert" gatewaySdsCaSuffix = "-cacert"
annotationMinTLSVersion = "tls-min-protocol-version" annotationMinTLSVersion = "tls-min-protocol-version"
annotationMaxTLSVersion = "tls-max-protocol-version" annotationMaxTLSVersion = "tls-max-protocol-version"
) )
@@ -123,17 +123,17 @@ func (d downstreamTLS) ApplyGateway(gateway *networking.Gateway, config *Ingress
if downstreamTLSConfig.MinVersion != "" { if downstreamTLSConfig.MinVersion != "" {
if version, err := convertTLSVersion(downstreamTLSConfig.MinVersion); err != nil { if version, err := convertTLSVersion(downstreamTLSConfig.MinVersion); err != nil {
IngressLog.Errorf("Invalid minimum TLS version: %v", err) IngressLog.Errorf("Invalid minimum TLS version: %v", err)
} else { } else {
server.Tls.MinProtocolVersion = version server.Tls.MinProtocolVersion = version
} }
} }
if downstreamTLSConfig.MaxVersion != "" { if downstreamTLSConfig.MaxVersion != "" {
if version, err := convertTLSVersion(downstreamTLSConfig.MaxVersion); err != nil { if version, err := convertTLSVersion(downstreamTLSConfig.MaxVersion); err != nil {
IngressLog.Errorf("Invalid maximum TLS version: %v", err) IngressLog.Errorf("Invalid maximum TLS version: %v", err)
} else { } else {
server.Tls.MaxProtocolVersion = version server.Tls.MaxProtocolVersion = version
} }
} }
@@ -143,22 +143,21 @@ func (d downstreamTLS) ApplyGateway(gateway *networking.Gateway, config *Ingress
func needDownstreamTLS(annotations Annotations) bool { func needDownstreamTLS(annotations Annotations) bool {
return annotations.HasASAP(sslCipher) || return annotations.HasASAP(sslCipher) ||
annotations.HasASAP(authTLSSecret)|| annotations.HasASAP(authTLSSecret) ||
annotations.HasASAP(annotationMinTLSVersion) || annotations.HasASAP(annotationMinTLSVersion) ||
annotations.HasASAP(annotationMaxTLSVersion) annotations.HasASAP(annotationMaxTLSVersion)
} }
func convertTLSVersion(version string) (networking.ServerTLSSettings_TLSProtocol, error) { func convertTLSVersion(version string) (networking.ServerTLSSettings_TLSProtocol, error) {
switch version { switch version {
case "TLSv1.0": case "TLSv1.0":
return networking.ServerTLSSettings_TLSV1_0 , nil return networking.ServerTLSSettings_TLSV1_0, nil
case "TLSv1.1": case "TLSv1.1":
return networking.ServerTLSSettings_TLSV1_1 , nil return networking.ServerTLSSettings_TLSV1_1, nil
case "TLSv1.2": case "TLSv1.2":
return networking.ServerTLSSettings_TLSV1_2 , nil return networking.ServerTLSSettings_TLSV1_2, nil
case "TLSv1.3": case "TLSv1.3":
default: return networking.ServerTLSSettings_TLSV1_3, nil
return networking.ServerTLSSettings_TLS_AUTO, fmt.Errorf("invalid TLS version: %s. Valid values are: TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3", version)
} }
return networking.ServerTLSSettings_TLS_AUTO, fmt.Errorf("unreachable code, but required by compiler") return networking.ServerTLSSettings_TLS_AUTO, fmt.Errorf("invalid TLS version: %s. Valid values are: TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3", version)
} }
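Review bot: The new fall-through return in `convertTLSVersion` echoes the raw annotation value with `%s`; that value is operator-supplied annotation text that reaches the log through `IngressLog.Errorf` in ApplyGateway, so `%q` would quote it and escape control characters and also make an empty or whitespace-padded value visible: `return networking.ServerTLSSettings_TLS_AUTO, fmt.Errorf("invalid TLS version: %q. Valid values are: TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3", version)`. The function also lacks a doc comment; I would add `// convertTLSVersion maps an annotation value ("TLSv1.0".."TLSv1.3") to the Istio ServerTLSSettings protocol enum. Matching is exact and case-sensitive; anything else yields TLS_AUTO plus an error.` That comment is also the right place to record that the callers in the -123 hunk only log the error and skip the assignment, so a mistyped `tls-min-protocol-version` silently leaves MinProtocolVersion at whatever it already was (presumably the gateway default) rather than rejecting the config — a stricter minimum the operator intended is then lost with no signal beyond the log line. Nothing in the visible hunks checks that a configured MinVersion does not exceed MaxVersion either.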