fix the first pr

alibaba · Dec 19, 2024 · 8bfd938 · 8bfd938
1 parent a04ab0f
commit 8bfd938
Show file tree

Hide file tree

Showing 2 changed files with 511 additions and 201 deletions.
diff --git a/pkg/ingress/kube/annotations/downstreamtls.go b/pkg/ingress/kube/annotations/downstreamtls.go
@@ -30,6 +30,10 @@ const (
 	authTLSSecret      = "auth-tls-secret"
 	sslCipher          = "ssl-cipher"
 	gatewaySdsCaSuffix = "-cacert"
+	annotationMinTLSVersion = "tls-min-version" 
+	annotationMaxTLSVersion = "tls-max-version"
+	RuleMinVersion map[string]string
+	RuleMaxVersion map[string]string
 )
 
 var (
@@ -41,6 +45,8 @@ type DownstreamTLSConfig struct {
 	CipherSuites []string
 	Mode         networking.ServerTLSSettings_TLSmode
 	CASecretName types.NamespacedName
+	MinVersion string
+	MaxVersion string
 }
 
 type downstreamTLS struct{}
@@ -52,6 +58,8 @@ func (d downstreamTLS) Parse(annotations Annotations, config *Ingress, _ *Global
 
 	downstreamTLSConfig := &DownstreamTLSConfig{
 		Mode: networking.ServerTLSSettings_SIMPLE,
+		RuleMinVersion: make(map[string]string),
+		RuleMaxVersion: make(map[string]string),
 	}
 	defer func() {
 		config.DownstreamTLS = downstreamTLSConfig
@@ -81,6 +89,26 @@ func (d downstreamTLS) Parse(annotations Annotations, config *Ingress, _ *Global
 
 		downstreamTLSConfig.CipherSuites = validCipherSuite
 	}
+
+	if minVersion, err := annotations.ParseStringASAP(annotationMinTLSVersion); err == nil {
+		downstreamTLSConfig.MinVersion = minVersion
+	}
+
+	if maxVersion, err := annotations.ParseStringASAP(annotationMaxTLSVersion); err == nil {
+		downstreamTLSConfig.MaxVersion = maxVersion
+	}
+
+	for key, value := range annotations {
+			if strings.HasPrefix(key, annotationMinTLSVersion+".") {
+					ruleName := strings.TrimPrefix(key, annotationMinTLSVersion+".")
+					downstreamTLSConfig.RuleMinVersion[ruleName] = value
+			}
+			if strings.HasPrefix(key, annotationMaxTLSVersion+".") {
+					ruleName := strings.TrimPrefix(key, annotationMaxTLSVersion+".")
+					downstreamTLSConfig.RuleMaxVersion[ruleName] = value
+			}
+	}
+
 
 	return nil
 }
@@ -107,11 +135,52 @@ func (d downstreamTLS) ApplyGateway(gateway *networking.Gateway, config *Ingress
 			if len(downstreamTLSConfig.CipherSuites) != 0 {
 				server.Tls.CipherSuites = downstreamTLSConfig.CipherSuites
 			}
+
+			ruleName := getRuleName(server)
+
+			// 优先使用规则级别的TLS版本设置
+			if minVersion, exists := downstreamTLSConfig.RuleMinVersion[ruleName]; exists {
+					server.Tls.MinProtocolVersion = convertTLSVersion(minVersion)
+			} else if downstreamTLSConfig.MinVersion != "" {
+					// 回退到全局设置
+					server.Tls.MinProtocolVersion = convertTLSVersion(downstreamTLSConfig.MinVersion)
+			}
+
+			if maxVersion, exists := downstreamTLSConfig.RuleMaxVersion[ruleName]; exists {
+					server.Tls.MaxProtocolVersion = convertTLSVersion(maxVersion)
+			} else if downstreamTLSConfig.MaxVersion != "" {
+					// 回退到全局设置
+					server.Tls.MaxProtocolVersion = convertTLSVersion(downstreamTLSConfig.MaxVersion)
+			}
 		}
 	}
+
 }
 
 func needDownstreamTLS(annotations Annotations) bool {
 	return annotations.HasASAP(sslCipher) ||
-		annotations.HasASAP(authTLSSecret)
+		annotations.HasASAP(authTLSSecret)||
+		annotations.HasASAP(annotationMinTLSVersion) ||
+		annotations.HasASAP(annotationMaxTLSVersion)
 }
+
+func convertTLSVersion(version string) networking.ServerTLSSettings_TLSProtocol {
+		switch version {
+		case "TLSv1_0":
+				return networking.ServerTLSSettings_TLSV1_0
+		case "TLSv1_1":
+				return networking.ServerTLSSettings_TLSV1_1
+		case "TLSv1_2":
+				return networking.ServerTLSSettings_TLSV1_2
+		case "TLSv1_3":
+				return networking.ServerTLSSettings_TLSV1_3
+		default:
+				return networking.ServerTLSSettings_TLS_AUTO
+		}
+}
+
+func getRuleName(server *networking.Server) string {
+		// 从server配置中提取规则名称
+		// 可以使用server.Name或其他标识
+		return server.Name
+}