mirror of
https://github.com/alibaba/higress.git
synced 2026-03-02 07:30:49 +08:00
165 lines
5.0 KiB
Go
165 lines
5.0 KiB
Go
// Copyright (c) 2022 Alibaba Group Holding Ltd.
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package annotations
|
|
|
|
import (
|
|
"strings"
|
|
|
|
networking "istio.io/api/networking/v1alpha3"
|
|
"github.com/alibaba/higress/ingress/kube/util"
|
|
. "github.com/alibaba/higress/ingress/log"
|
|
"istio.io/istio/pilot/pkg/credentials/kube"
|
|
"istio.io/istio/pilot/pkg/model"
|
|
gatewaytool "istio.io/istio/pkg/config/gateway"
|
|
"istio.io/istio/pkg/config/security"
|
|
)
|
|
|
|
const (
|
|
authTLSSecret = "auth-tls-secret"
|
|
tlsMinVersion = "tls-min-protocol-version"
|
|
tlsMaxVersion = "tls-max-protocol-version"
|
|
sslCipher = "ssl-cipher"
|
|
)
|
|
|
|
type TLSProtocolVersion string
|
|
|
|
const (
|
|
tlsV10 TLSProtocolVersion = "TLSv1.0"
|
|
tlsV11 TLSProtocolVersion = "TLSv1.1"
|
|
tlsV12 TLSProtocolVersion = "TLSv1.2"
|
|
tlsV13 TLSProtocolVersion = "TLSv1.3"
|
|
)
|
|
|
|
var (
|
|
_ Parser = &downstreamTLS{}
|
|
_ GatewayHandler = &downstreamTLS{}
|
|
|
|
tlsProtocol = map[TLSProtocolVersion]networking.ServerTLSSettings_TLSProtocol{
|
|
tlsV10: networking.ServerTLSSettings_TLSV1_0,
|
|
tlsV11: networking.ServerTLSSettings_TLSV1_1,
|
|
tlsV12: networking.ServerTLSSettings_TLSV1_2,
|
|
tlsV13: networking.ServerTLSSettings_TLSV1_3,
|
|
}
|
|
)
|
|
|
|
func isValidTLSProtocolVersion(protocol string) bool {
|
|
tls := TLSProtocolVersion(protocol)
|
|
_, exist := tlsProtocol[tls]
|
|
return exist
|
|
}
|
|
|
|
func Convert(protocol string) networking.ServerTLSSettings_TLSProtocol {
|
|
return tlsProtocol[TLSProtocolVersion(protocol)]
|
|
}
|
|
|
|
type DownstreamTLSConfig struct {
|
|
TlsMinVersion TLSProtocolVersion
|
|
TlsMaxVersion TLSProtocolVersion
|
|
CipherSuites []string
|
|
Mode networking.ServerTLSSettings_TLSmode
|
|
CASecretName model.NamespacedName
|
|
}
|
|
|
|
type downstreamTLS struct{}
|
|
|
|
func (d downstreamTLS) Parse(annotations Annotations, config *Ingress, _ *GlobalContext) error {
|
|
if !needDownstreamTLS(annotations) {
|
|
return nil
|
|
}
|
|
|
|
downstreamTLSConfig := &DownstreamTLSConfig{
|
|
Mode: networking.ServerTLSSettings_SIMPLE,
|
|
}
|
|
defer func() {
|
|
config.DownstreamTLS = downstreamTLSConfig
|
|
}()
|
|
|
|
if secretName, err := annotations.ParseStringASAP(authTLSSecret); err == nil {
|
|
namespacedName := util.SplitNamespacedName(secretName)
|
|
if namespacedName.Name == "" {
|
|
IngressLog.Errorf("CA secret name %s format is invalid.", secretName)
|
|
} else {
|
|
if namespacedName.Namespace == "" {
|
|
namespacedName.Namespace = config.Namespace
|
|
}
|
|
downstreamTLSConfig.CASecretName = namespacedName
|
|
downstreamTLSConfig.Mode = networking.ServerTLSSettings_MUTUAL
|
|
}
|
|
}
|
|
|
|
if minVersion, err := annotations.ParseStringForMSE(tlsMinVersion); err == nil &&
|
|
isValidTLSProtocolVersion(minVersion) {
|
|
downstreamTLSConfig.TlsMinVersion = TLSProtocolVersion(minVersion)
|
|
}
|
|
|
|
if maxVersion, err := annotations.ParseStringForMSE(tlsMaxVersion); err == nil &&
|
|
isValidTLSProtocolVersion(maxVersion) {
|
|
downstreamTLSConfig.TlsMaxVersion = TLSProtocolVersion(maxVersion)
|
|
}
|
|
|
|
if rawTlsCipherSuite, err := annotations.ParseStringASAP(sslCipher); err == nil {
|
|
var validCipherSuite []string
|
|
cipherList := strings.Split(rawTlsCipherSuite, ":")
|
|
for _, cipher := range cipherList {
|
|
if security.IsValidCipherSuite(cipher) {
|
|
validCipherSuite = append(validCipherSuite, cipher)
|
|
}
|
|
}
|
|
|
|
downstreamTLSConfig.CipherSuites = validCipherSuite
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (d downstreamTLS) ApplyGateway(gateway *networking.Gateway, config *Ingress) {
|
|
if config.DownstreamTLS == nil {
|
|
return
|
|
}
|
|
|
|
downstreamTLSConfig := config.DownstreamTLS
|
|
for _, server := range gateway.Servers {
|
|
if gatewaytool.IsTLSServer(server) {
|
|
if downstreamTLSConfig.CASecretName.Name != "" {
|
|
serverCert := extraSecret(server.Tls.CredentialName)
|
|
if downstreamTLSConfig.CASecretName.Namespace != serverCert.Namespace ||
|
|
(downstreamTLSConfig.CASecretName.Name != serverCert.Name &&
|
|
downstreamTLSConfig.CASecretName.Name != serverCert.Name+kube.GatewaySdsCaSuffix) {
|
|
IngressLog.Errorf("CA secret %s is invalid", downstreamTLSConfig.CASecretName.String())
|
|
} else {
|
|
server.Tls.Mode = downstreamTLSConfig.Mode
|
|
}
|
|
}
|
|
|
|
if downstreamTLSConfig.TlsMinVersion != "" {
|
|
server.Tls.MinProtocolVersion = tlsProtocol[downstreamTLSConfig.TlsMinVersion]
|
|
}
|
|
if downstreamTLSConfig.TlsMaxVersion != "" {
|
|
server.Tls.MaxProtocolVersion = tlsProtocol[downstreamTLSConfig.TlsMaxVersion]
|
|
}
|
|
if len(downstreamTLSConfig.CipherSuites) != 0 {
|
|
server.Tls.CipherSuites = downstreamTLSConfig.CipherSuites
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
func needDownstreamTLS(annotations Annotations) bool {
|
|
return annotations.HasMSE(tlsMinVersion) ||
|
|
annotations.HasMSE(tlsMaxVersion) ||
|
|
annotations.HasASAP(sslCipher) ||
|
|
annotations.HasASAP(authTLSSecret)
|
|
}
|