Move codes to pkg (#46)

2026-06-07 11:47:30 +08:00 · 2022-11-09 20:37:40 +08:00
parent b09b68c1e0
commit ecba3a0265
54 changed files with 62 additions and 65 deletions
--- a/pkg/ingress/kube/annotations/downstreamtls.go
+++ b/pkg/ingress/kube/annotations/downstreamtls.go
@@ -0,0 +1,165 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package annotations
+
+import (
+	"strings"
+
+	networking "istio.io/api/networking/v1alpha3"
+	"istio.io/istio/pilot/pkg/credentials/kube"
+	"istio.io/istio/pilot/pkg/model"
+	gatewaytool "istio.io/istio/pkg/config/gateway"
+	"istio.io/istio/pkg/config/security"
+
+	"github.com/alibaba/higress/pkg/ingress/kube/util"
+	. "github.com/alibaba/higress/pkg/ingress/log"
+)
+
+const (
+	authTLSSecret = "auth-tls-secret"
+	tlsMinVersion = "tls-min-protocol-version"
+	tlsMaxVersion = "tls-max-protocol-version"
+	sslCipher     = "ssl-cipher"
+)
+
+type TLSProtocolVersion string
+
+const (
+	tlsV10 TLSProtocolVersion = "TLSv1.0"
+	tlsV11 TLSProtocolVersion = "TLSv1.1"
+	tlsV12 TLSProtocolVersion = "TLSv1.2"
+	tlsV13 TLSProtocolVersion = "TLSv1.3"
+)
+
+var (
+	_ Parser         = &downstreamTLS{}
+	_ GatewayHandler = &downstreamTLS{}
+
+	tlsProtocol = map[TLSProtocolVersion]networking.ServerTLSSettings_TLSProtocol{
+		tlsV10: networking.ServerTLSSettings_TLSV1_0,
+		tlsV11: networking.ServerTLSSettings_TLSV1_1,
+		tlsV12: networking.ServerTLSSettings_TLSV1_2,
+		tlsV13: networking.ServerTLSSettings_TLSV1_3,
+	}
+)
+
+func isValidTLSProtocolVersion(protocol string) bool {
+	tls := TLSProtocolVersion(protocol)
+	_, exist := tlsProtocol[tls]
+	return exist
+}
+
+func Convert(protocol string) networking.ServerTLSSettings_TLSProtocol {
+	return tlsProtocol[TLSProtocolVersion(protocol)]
+}
+
+type DownstreamTLSConfig struct {
+	TlsMinVersion TLSProtocolVersion
+	TlsMaxVersion TLSProtocolVersion
+	CipherSuites  []string
+	Mode          networking.ServerTLSSettings_TLSmode
+	CASecretName  model.NamespacedName
+}
+
+type downstreamTLS struct{}
+
+func (d downstreamTLS) Parse(annotations Annotations, config *Ingress, _ *GlobalContext) error {
+	if !needDownstreamTLS(annotations) {
+		return nil
+	}
+
+	downstreamTLSConfig := &DownstreamTLSConfig{
+		Mode: networking.ServerTLSSettings_SIMPLE,
+	}
+	defer func() {
+		config.DownstreamTLS = downstreamTLSConfig
+	}()
+
+	if secretName, err := annotations.ParseStringASAP(authTLSSecret); err == nil {
+		namespacedName := util.SplitNamespacedName(secretName)
+		if namespacedName.Name == "" {
+			IngressLog.Errorf("CA secret name %s format is invalid.", secretName)
+		} else {
+			if namespacedName.Namespace == "" {
+				namespacedName.Namespace = config.Namespace
+			}
+			downstreamTLSConfig.CASecretName = namespacedName
+			downstreamTLSConfig.Mode = networking.ServerTLSSettings_MUTUAL
+		}
+	}
+
+	if minVersion, err := annotations.ParseStringForMSE(tlsMinVersion); err == nil &&
+		isValidTLSProtocolVersion(minVersion) {
+		downstreamTLSConfig.TlsMinVersion = TLSProtocolVersion(minVersion)
+	}
+
+	if maxVersion, err := annotations.ParseStringForMSE(tlsMaxVersion); err == nil &&
+		isValidTLSProtocolVersion(maxVersion) {
+		downstreamTLSConfig.TlsMaxVersion = TLSProtocolVersion(maxVersion)
+	}
+
+	if rawTlsCipherSuite, err := annotations.ParseStringASAP(sslCipher); err == nil {
+		var validCipherSuite []string
+		cipherList := strings.Split(rawTlsCipherSuite, ":")
+		for _, cipher := range cipherList {
+			if security.IsValidCipherSuite(cipher) {
+				validCipherSuite = append(validCipherSuite, cipher)
+			}
+		}
+
+		downstreamTLSConfig.CipherSuites = validCipherSuite
+	}
+
+	return nil
+}
+
+func (d downstreamTLS) ApplyGateway(gateway *networking.Gateway, config *Ingress) {
+	if config.DownstreamTLS == nil {
+		return
+	}
+
+	downstreamTLSConfig := config.DownstreamTLS
+	for _, server := range gateway.Servers {
+		if gatewaytool.IsTLSServer(server) {
+			if downstreamTLSConfig.CASecretName.Name != "" {
+				serverCert := extraSecret(server.Tls.CredentialName)
+				if downstreamTLSConfig.CASecretName.Namespace != serverCert.Namespace ||
+					(downstreamTLSConfig.CASecretName.Name != serverCert.Name &&
+						downstreamTLSConfig.CASecretName.Name != serverCert.Name+kube.GatewaySdsCaSuffix) {
+					IngressLog.Errorf("CA secret %s is invalid", downstreamTLSConfig.CASecretName.String())
+				} else {
+					server.Tls.Mode = downstreamTLSConfig.Mode
+				}
+			}
+
+			if downstreamTLSConfig.TlsMinVersion != "" {
+				server.Tls.MinProtocolVersion = tlsProtocol[downstreamTLSConfig.TlsMinVersion]
+			}
+			if downstreamTLSConfig.TlsMaxVersion != "" {
+				server.Tls.MaxProtocolVersion = tlsProtocol[downstreamTLSConfig.TlsMaxVersion]
+			}
+			if len(downstreamTLSConfig.CipherSuites) != 0 {
+				server.Tls.CipherSuites = downstreamTLSConfig.CipherSuites
+			}
+		}
+	}
+}
+
+func needDownstreamTLS(annotations Annotations) bool {
+	return annotations.HasMSE(tlsMinVersion) ||
+		annotations.HasMSE(tlsMaxVersion) ||
+		annotations.HasASAP(sslCipher) ||
+		annotations.HasASAP(authTLSSecret)
+}