homelab/traefik
1
0
Fork 0
Code Activity

Makes ALPN protocols configurable

Browse source
This commit is contained in:
Romain 2021-08-20 18:20:06 +02:00 committed by GitHub
parent fa53f7ec85
commit 2644c1f598
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
18 changed files with 216 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

7
pkg/provider/kubernetes/crd/kubernetes.go
View file

@ -703,6 +703,12 @@ func buildTLSOptions(ctx context.Context, client Client) map[string]tls.Options
id = tlsOption.Name
nsDefault = append(nsDefault, tlsOption.Namespace)
}
alpnProtocols := tls.DefaultTLSOptions.ALPNProtocols
if len(tlsOption.Spec.ALPNProtocols) > 0 {
alpnProtocols = tlsOption.Spec.ALPNProtocols
}
tlsOptions[id] = tls.Options{
MinVersion: tlsOption.Spec.MinVersion,
MaxVersion: tlsOption.Spec.MaxVersion,
@ -714,6 +720,7 @@ func buildTLSOptions(ctx context.Context, client Client) map[string]tls.Options
},
SniStrict: tlsOption.Spec.SniStrict,
PreferServerCipherSuites: tlsOption.Spec.PreferServerCipherSuites,
ALPNProtocols: alpnProtocols,
}
}

55
pkg/provider/kubernetes/crd/kubernetes_test.go
View file

@ -616,6 +616,11 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
},
SniStrict: true,
PreferServerCipherSuites: true,
ALPNProtocols: []string{
"h2",
"http/1.1",
"acme-tls/1",
},
},
},
},
@ -678,6 +683,11 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
ClientAuthType: "VerifyClientCertIfGiven",
},
SniStrict: true,
ALPNProtocols: []string{
"h2",
"http/1.1",
"acme-tls/1",
},
},
},
},
@ -739,6 +749,11 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
ClientAuthType: "VerifyClientCertIfGiven",
},
SniStrict: true,
ALPNProtocols: []string{
"h2",
"http/1.1",
"acme-tls/1",
},
},
},
},
@ -789,6 +804,11 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
Options: map[string]tls.Options{
"default-foo": {
MinVersion: "VersionTLS12",
ALPNProtocols: []string{
"h2",
"http/1.1",
"acme-tls/1",
},
},
},
},
@ -839,6 +859,11 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
Options: map[string]tls.Options{
"default-foo": {
MinVersion: "VersionTLS12",
ALPNProtocols: []string{
"h2",
"http/1.1",
"acme-tls/1",
},
},
},
},
@ -2539,6 +2564,11 @@ func TestLoadIngressRoutes(t *testing.T) {
},
SniStrict: true,
PreferServerCipherSuites: true,
ALPNProtocols: []string{
"h2",
"http/1.1",
"acme-tls/1",
},
},
},
},
@ -2648,6 +2678,11 @@ func TestLoadIngressRoutes(t *testing.T) {
},
SniStrict: true,
PreferServerCipherSuites: true,
ALPNProtocols: []string{
"h2",
"http/1.1",
"acme-tls/1",
},
},
},
},
@ -2716,6 +2751,11 @@ func TestLoadIngressRoutes(t *testing.T) {
ClientAuthType: "VerifyClientCertIfGiven",
},
SniStrict: true,
ALPNProtocols: []string{
"h2",
"http/1.1",
"acme-tls/1",
},
},
},
},
@ -2779,6 +2819,11 @@ func TestLoadIngressRoutes(t *testing.T) {
ClientAuthType: "VerifyClientCertIfGiven",
},
SniStrict: true,
ALPNProtocols: []string{
"h2",
"http/1.1",
"acme-tls/1",
},
},
},
},
@ -2831,6 +2876,11 @@ func TestLoadIngressRoutes(t *testing.T) {
Options: map[string]tls.Options{
"default-foo": {
MinVersion: "VersionTLS12",
ALPNProtocols: []string{
"h2",
"http/1.1",
"acme-tls/1",
},
},
},
},
@ -2883,6 +2933,11 @@ func TestLoadIngressRoutes(t *testing.T) {
Options: map[string]tls.Options{
"default-foo": {
MinVersion: "VersionTLS12",
ALPNProtocols: []string{
"h2",
"http/1.1",
"acme-tls/1",
},
},
},
},

1
pkg/provider/kubernetes/crd/traefik/v1alpha1/tlsoption.go
View file

@ -27,6 +27,7 @@ type TLSOptionSpec struct {
ClientAuth ClientAuth `json:"clientAuth,omitempty"`
SniStrict bool `json:"sniStrict,omitempty"`
PreferServerCipherSuites bool `json:"preferServerCipherSuites,omitempty"`
ALPNProtocols []string `json:"alpnProtocols,omitempty"`
}
// +k8s:deepcopy-gen=true

5
pkg/provider/kubernetes/crd/traefik/v1alpha1/zz_generated.deepcopy.go
View file

@ -1327,6 +1327,11 @@ func (in *TLSOptionSpec) DeepCopyInto(out *TLSOptionSpec) {
copy(*out, *in)
}
in.ClientAuth.DeepCopyInto(&out.ClientAuth)
if in.ALPNProtocols != nil {
in, out := &in.ALPNProtocols, &out.ALPNProtocols
*out = make([]string, len(*in))
copy(*out, *in)
}
return
}

10
pkg/provider/kv/kv_test.go
View file

@ -846,6 +846,11 @@ func Test_buildConfiguration(t *testing.T) {
ClientAuthType: "foobar",
},
SniStrict: true,
ALPNProtocols: []string{
"h2",
"http/1.1",
"acme-tls/1",
},
},
"Options1": {
MinVersion: "foobar",
@ -866,6 +871,11 @@ func Test_buildConfiguration(t *testing.T) {
ClientAuthType: "foobar",
},
SniStrict: true,
ALPNProtocols: []string{
"h2",
"http/1.1",
"acme-tls/1",
},
},
},
Stores: map[string]tls.Store{

32
pkg/server/aggregator_test.go
View file

@ -182,7 +182,13 @@ func Test_mergeConfiguration_tlsOptions(t *testing.T) {
desc: "Nil returns an empty configuration",
given: nil,
expected: map[string]tls.Options{
"default": {},
"default": {
ALPNProtocols: []string{
"h2",
"http/1.1",
"acme-tls/1",
},
},
},
},
{
@ -199,7 +205,13 @@ func Test_mergeConfiguration_tlsOptions(t *testing.T) {
},
},
expected: map[string]tls.Options{
"default": {},
"default": {
ALPNProtocols: []string{
"h2",
"http/1.1",
"acme-tls/1",
},
},
"foo@provider-1": {
MinVersion: "VersionTLS12",
},
@ -228,7 +240,13 @@ func Test_mergeConfiguration_tlsOptions(t *testing.T) {
},
},
expected: map[string]tls.Options{
"default": {},
"default": {
ALPNProtocols: []string{
"h2",
"http/1.1",
"acme-tls/1",
},
},
"foo@provider-1": {
MinVersion: "VersionTLS13",
},
@ -334,7 +352,13 @@ func Test_mergeConfiguration_tlsOptions(t *testing.T) {
},
},
expected: map[string]tls.Options{
"default": {},
"default": {
ALPNProtocols: []string{
"h2",
"http/1.1",
"acme-tls/1",
},
},
"foo@provider-1": {
MinVersion: "VersionTLS12",
},

24
pkg/server/configurationwatcher_test.go
View file

@ -76,7 +76,13 @@ func TestNewConfigurationWatcher(t *testing.T) {
},
TLS: &dynamic.TLSConfiguration{
Options: map[string]tls.Options{
"default": {},
"default": {
ALPNProtocols: []string{
"h2",
"http/1.1",
"acme-tls/1",
},
},
},
Stores: map[string]tls.Store{},
},
@ -236,7 +242,13 @@ func TestListenProvidersDoesNotSkipFlappingConfiguration(t *testing.T) {
},
TLS: &dynamic.TLSConfiguration{
Options: map[string]tls.Options{
"default": {},
"default": {
ALPNProtocols: []string{
"h2",
"http/1.1",
"acme-tls/1",
},
},
},
Stores: map[string]tls.Store{},
},
@ -292,7 +304,13 @@ func TestListenProvidersPublishesConfigForEachProvider(t *testing.T) {
},
TLS: &dynamic.TLSConfiguration{
Options: map[string]tls.Options{
"default": {},
"default": {
ALPNProtocols: []string{
"h2",
"http/1.1",
"acme-tls/1",
},
},
},
Stores: map[string]tls.Store{},
},

7
pkg/tls/tls.go
View file

@ -23,6 +23,13 @@ type Options struct {
ClientAuth ClientAuth `json:"clientAuth,omitempty" toml:"clientAuth,omitempty" yaml:"clientAuth,omitempty"`
SniStrict bool `json:"sniStrict,omitempty" toml:"sniStrict,omitempty" yaml:"sniStrict,omitempty" export:"true"`
PreferServerCipherSuites bool `json:"preferServerCipherSuites,omitempty" toml:"preferServerCipherSuites,omitempty" yaml:"preferServerCipherSuites,omitempty" export:"true"`
ALPNProtocols []string `json:"alpnProtocols,omitempty" toml:"alpnProtocols,omitempty" yaml:"alpnProtocols,omitempty" export:"true"`
}
// SetDefaults sets the default values for an Options struct.
func (o *Options) SetDefaults() {
// ensure http2 enabled
o.ALPNProtocols = DefaultTLSOptions.ALPNProtocols
}
// +k8s:deepcopy-gen=true

12
pkg/tls/tlsmanager.go
View file

@ -24,7 +24,10 @@ const (
)
// DefaultTLSOptions the default TLS options.
var DefaultTLSOptions = Options{}
var DefaultTLSOptions = Options{
// ensure http2 enabled
ALPNProtocols: []string{"h2", "http/1.1", tlsalpn01.ACMETLS1Protocol},
}
// Manager is the TLS option/store/configuration factory.
type Manager struct {
@ -230,10 +233,9 @@ func buildCertificateStore(ctx context.Context, tlsStore Store, storename string
// creates a TLS config that allows terminating HTTPS for multiple domains using SNI.
func buildTLSConfig(tlsOption Options) (*tls.Config, error) {
conf := &tls.Config{}
// ensure http2 enabled
conf.NextProtos = []string{"h2", "http/1.1", tlsalpn01.ACMETLS1Protocol}
conf := &tls.Config{
NextProtos: tlsOption.ALPNProtocols,
}
if len(tlsOption.ClientAuth.CAFiles) > 0 {
pool := x509.NewCertPool()

5
pkg/tls/zz_generated.deepcopy.go
View file

@ -85,6 +85,11 @@ func (in *Options) DeepCopyInto(out *Options) {
copy(*out, *in)
}
in.ClientAuth.DeepCopyInto(&out.ClientAuth)
if in.ALPNProtocols != nil {
in, out := &in.ALPNProtocols, &out.ALPNProtocols
*out = make([]string, len(*in))
copy(*out, *in)
}
return
}