feat: Enhance SSL passthrough support (#3943)

Signed-off-by: zijiren233 <pyh1670605849@gmail.com>
2026-06-26 02:35:02 +08:00 · 2026-06-22 21:06:42 +08:00
parent f060c9f51d
commit 9c13b6418c
14 changed files with 3178 additions and 46 deletions
--- a/pkg/ingress/kube/annotations/annotations.go
+++ b/pkg/ingress/kube/annotations/annotations.go
@@ -57,6 +57,8 @@ type Ingress struct {

 	DownstreamTLS *DownstreamTLSConfig

+	SSLPassthrough *SSLPassthroughConfig
+
 	Canary *CanaryConfig

 	IPAccessControl *IPAccessControlConfig
@@ -115,6 +117,10 @@ func (i *Ingress) IsCanary() bool {
 	return i.Canary.Enabled
 }

+func (i *Ingress) IsSSLPassthrough() bool {
+	return i.SSLPassthrough != nil && i.SSLPassthrough.Enabled
+}
+
 // CanaryKind return byHeader, byWeight
 func (i *Ingress) CanaryKind() (bool, bool) {
 	if !i.IsCanary() {
@@ -157,6 +163,7 @@ func NewAnnotationHandlerManager() AnnotationHandler {
 			canary{},
 			cors{},
 			downstreamTLS{},
+			sslPassthrough{},
 			redirect{},
 			rewrite{},
 			upstreamTLS{},
--- a/pkg/ingress/kube/annotations/downstreamtls.go
+++ b/pkg/ingress/kube/annotations/downstreamtls.go
@@ -106,6 +106,9 @@ func (d downstreamTLS) ApplyGateway(gateway *networking.Gateway, config *Ingress
 	downstreamTLSConfig := config.DownstreamTLS
 	for _, server := range gateway.Servers {
 		if gatewaytool.IsTLSServer(server) {
+			if server.Tls != nil && server.Tls.Mode == networking.ServerTLSSettings_PASSTHROUGH {
+				continue
+			}
 			if downstreamTLSConfig.CASecretName.Name != "" {
 				serverCert := extraSecret(server.Tls.CredentialName)
 				if downstreamTLSConfig.CASecretName.Namespace != serverCert.Namespace ||
--- a/pkg/ingress/kube/annotations/downstreamtls_test.go
+++ b/pkg/ingress/kube/annotations/downstreamtls_test.go
@@ -269,6 +269,40 @@ func TestApplyGateway(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "skip passthrough server",
+			input: &networking.Gateway{
+				Servers: []*networking.Server{
+					{
+						Port: &networking.Port{
+							Protocol: "TLS",
+						},
+						Tls: &networking.ServerTLSSettings{
+							Mode: networking.ServerTLSSettings_PASSTHROUGH,
+						},
+					},
+				},
+			},
+			config: &Ingress{
+				DownstreamTLS: &DownstreamTLSConfig{
+					CipherSuites: []string{"ECDHE-RSA-AES256-GCM-SHA384"},
+					MinVersion:   "TLSv1.2",
+					MaxVersion:   "TLSv1.3",
+				},
+			},
+			expect: &networking.Gateway{
+				Servers: []*networking.Server{
+					{
+						Port: &networking.Port{
+							Protocol: "TLS",
+						},
+						Tls: &networking.ServerTLSSettings{
+							Mode: networking.ServerTLSSettings_PASSTHROUGH,
+						},
+					},
+				},
+			},
+		},
 	}

 	for _, tc := range testCases {
--- a/pkg/ingress/kube/annotations/ssl_passthrough.go
+++ b/pkg/ingress/kube/annotations/ssl_passthrough.go
@@ -0,0 +1,34 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package annotations
+
+const sslPassthroughAnnotation = "ssl-passthrough"
+
+var _ Parser = &sslPassthrough{}
+
+type SSLPassthroughConfig struct {
+	Enabled bool
+}
+
+type sslPassthrough struct{}
+
+func (s sslPassthrough) Parse(annotations Annotations, config *Ingress, _ *GlobalContext) error {
+	enabled, err := annotations.ParseBoolASAP(sslPassthroughAnnotation)
+	if err != nil {
+		return nil
+	}
+	config.SSLPassthrough = &SSLPassthroughConfig{Enabled: enabled}
+	return nil
+}
--- a/pkg/ingress/kube/annotations/ssl_passthrough_test.go
+++ b/pkg/ingress/kube/annotations/ssl_passthrough_test.go
@@ -0,0 +1,112 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package annotations
+
+import "testing"
+
+func TestSSLPassthroughParse(t *testing.T) {
+	testCases := []struct {
+		name    string
+		input   Annotations
+		enabled bool
+		exists  bool
+	}{
+		{
+			name:  "missing",
+			input: Annotations{},
+		},
+		{
+			name: "enabled by nginx annotation",
+			input: Annotations{
+				buildNginxAnnotationKey(sslPassthroughAnnotation): "true",
+			},
+			enabled: true,
+			exists:  true,
+		},
+		{
+			name: "enabled by higress annotation",
+			input: Annotations{
+				buildHigressAnnotationKey(sslPassthroughAnnotation): "true",
+			},
+			enabled: true,
+			exists:  true,
+		},
+		{
+			name: "disabled by nginx annotation",
+			input: Annotations{
+				buildNginxAnnotationKey(sslPassthroughAnnotation): "false",
+			},
+			exists: true,
+		},
+		{
+			name: "disabled by higress annotation",
+			input: Annotations{
+				buildHigressAnnotationKey(sslPassthroughAnnotation): "false",
+			},
+			exists: true,
+		},
+	}
+
+	parser := sslPassthrough{}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			config := &Ingress{}
+			if err := parser.Parse(tc.input, config, nil); err != nil {
+				t.Fatalf("Parse() error = %v", err)
+			}
+			if tc.exists && config.SSLPassthrough == nil {
+				t.Fatal("expected ssl passthrough config")
+			}
+			if !tc.exists && config.SSLPassthrough != nil {
+				t.Fatal("unexpected ssl passthrough config")
+			}
+			if tc.exists && config.SSLPassthrough.Enabled != tc.enabled {
+				t.Fatalf("enabled mismatch, want %v, got %v", tc.enabled, config.SSLPassthrough.Enabled)
+			}
+		})
+	}
+}
+
+func TestSSLPassthroughDoesNotSetUpstreamTLS(t *testing.T) {
+	parser := sslPassthrough{}
+	config := &Ingress{}
+	err := parser.Parse(Annotations{
+		buildNginxAnnotationKey(sslPassthroughAnnotation): "true",
+	}, config, nil)
+	if err != nil {
+		t.Fatalf("Parse() error = %v", err)
+	}
+	if config.UpstreamTLS != nil {
+		t.Fatal("unexpected upstream tls config")
+	}
+}
+
+func TestSSLPassthroughKeepsExplicitBackendProtocol(t *testing.T) {
+	manager := NewAnnotationHandlerManager()
+	config := &Ingress{}
+	err := manager.Parse(Annotations{
+		buildNginxAnnotationKey(sslPassthroughAnnotation): "true",
+		buildNginxAnnotationKey(backendProtocol):          "HTTPS",
+	}, config, nil)
+	if err != nil {
+		t.Fatalf("Parse() error = %v", err)
+	}
+	if config.UpstreamTLS == nil {
+		t.Fatal("expected upstream tls config")
+	}
+	if config.UpstreamTLS.BackendProtocol != "HTTPS" {
+		t.Fatalf("backend protocol mismatch, want HTTPS, got %s", config.UpstreamTLS.BackendProtocol)
+	}
+}