Makes ALPN protocols configurable

2021-08-20 18:20:06 +02:00 · 2021-08-20 18:20:06 +02:00 · 2644c1f598
commit 2644c1f598
parent fa53f7ec85
18 changed files with 216 additions and 15 deletions
--- a/pkg/provider/kubernetes/crd/kubernetes.go
+++ b/pkg/provider/kubernetes/crd/kubernetes.go
@ -703,6 +703,12 @@ func buildTLSOptions(ctx context.Context, client Client) map[string]tls.Options
 			id = tlsOption.Name
 			nsDefault = append(nsDefault, tlsOption.Namespace)
 		}
+
+		alpnProtocols := tls.DefaultTLSOptions.ALPNProtocols
+		if len(tlsOption.Spec.ALPNProtocols) > 0 {
+			alpnProtocols = tlsOption.Spec.ALPNProtocols
+		}
+
 		tlsOptions[id] = tls.Options{
 			MinVersion:       tlsOption.Spec.MinVersion,
 			MaxVersion:       tlsOption.Spec.MaxVersion,
@ -714,6 +720,7 @@ func buildTLSOptions(ctx context.Context, client Client) map[string]tls.Options
 			},
 			SniStrict:                tlsOption.Spec.SniStrict,
 			PreferServerCipherSuites: tlsOption.Spec.PreferServerCipherSuites,
+			ALPNProtocols:            alpnProtocols,
 		}
 	}

--- a/pkg/provider/kubernetes/crd/kubernetes_test.go
+++ b/pkg/provider/kubernetes/crd/kubernetes_test.go
@ -616,6 +616,11 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
 							},
 							SniStrict:                true,
 							PreferServerCipherSuites: true,
+							ALPNProtocols: []string{
+								"h2",
+								"http/1.1",
+								"acme-tls/1",
+							},
 						},
 					},
 				},
@ -678,6 +683,11 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
 								ClientAuthType: "VerifyClientCertIfGiven",
 							},
 							SniStrict: true,
+							ALPNProtocols: []string{
+								"h2",
+								"http/1.1",
+								"acme-tls/1",
+							},
 						},
 					},
 				},
@ -739,6 +749,11 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
 								ClientAuthType: "VerifyClientCertIfGiven",
 							},
 							SniStrict: true,
+							ALPNProtocols: []string{
+								"h2",
+								"http/1.1",
+								"acme-tls/1",
+							},
 						},
 					},
 				},
@ -789,6 +804,11 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
 					Options: map[string]tls.Options{
 						"default-foo": {
 							MinVersion: "VersionTLS12",
+							ALPNProtocols: []string{
+								"h2",
+								"http/1.1",
+								"acme-tls/1",
+							},
 						},
 					},
 				},
@ -839,6 +859,11 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
 					Options: map[string]tls.Options{
 						"default-foo": {
 							MinVersion: "VersionTLS12",
+							ALPNProtocols: []string{
+								"h2",
+								"http/1.1",
+								"acme-tls/1",
+							},
 						},
 					},
 				},
@ -2539,6 +2564,11 @@ func TestLoadIngressRoutes(t *testing.T) {
 							},
 							SniStrict:                true,
 							PreferServerCipherSuites: true,
+							ALPNProtocols: []string{
+								"h2",
+								"http/1.1",
+								"acme-tls/1",
+							},
 						},
 					},
 				},
@ -2648,6 +2678,11 @@ func TestLoadIngressRoutes(t *testing.T) {
 							},
 							SniStrict:                true,
 							PreferServerCipherSuites: true,
+							ALPNProtocols: []string{
+								"h2",
+								"http/1.1",
+								"acme-tls/1",
+							},
 						},
 					},
 				},
@ -2716,6 +2751,11 @@ func TestLoadIngressRoutes(t *testing.T) {
 								ClientAuthType: "VerifyClientCertIfGiven",
 							},
 							SniStrict: true,
+							ALPNProtocols: []string{
+								"h2",
+								"http/1.1",
+								"acme-tls/1",
+							},
 						},
 					},
 				},
@ -2779,6 +2819,11 @@ func TestLoadIngressRoutes(t *testing.T) {
 								ClientAuthType: "VerifyClientCertIfGiven",
 							},
 							SniStrict: true,
+							ALPNProtocols: []string{
+								"h2",
+								"http/1.1",
+								"acme-tls/1",
+							},
 						},
 					},
 				},
@ -2831,6 +2876,11 @@ func TestLoadIngressRoutes(t *testing.T) {
 					Options: map[string]tls.Options{
 						"default-foo": {
 							MinVersion: "VersionTLS12",
+							ALPNProtocols: []string{
+								"h2",
+								"http/1.1",
+								"acme-tls/1",
+							},
 						},
 					},
 				},
@ -2883,6 +2933,11 @@ func TestLoadIngressRoutes(t *testing.T) {
 					Options: map[string]tls.Options{
 						"default-foo": {
 							MinVersion: "VersionTLS12",
+							ALPNProtocols: []string{
+								"h2",
+								"http/1.1",
+								"acme-tls/1",
+							},
 						},
 					},
 				},
--- a/pkg/provider/kubernetes/crd/traefik/v1alpha1/tlsoption.go
+++ b/pkg/provider/kubernetes/crd/traefik/v1alpha1/tlsoption.go
@ -27,6 +27,7 @@ type TLSOptionSpec struct {
 	ClientAuth               ClientAuth `json:"clientAuth,omitempty"`
 	SniStrict                bool       `json:"sniStrict,omitempty"`
 	PreferServerCipherSuites bool       `json:"preferServerCipherSuites,omitempty"`
+	ALPNProtocols            []string   `json:"alpnProtocols,omitempty"`
 }

 // +k8s:deepcopy-gen=true
--- a/pkg/provider/kubernetes/crd/traefik/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/provider/kubernetes/crd/traefik/v1alpha1/zz_generated.deepcopy.go
@ -1327,6 +1327,11 @@ func (in *TLSOptionSpec) DeepCopyInto(out *TLSOptionSpec) {
 		copy(*out, *in)
 	}
 	in.ClientAuth.DeepCopyInto(&out.ClientAuth)
+	if in.ALPNProtocols != nil {
+		in, out := &in.ALPNProtocols, &out.ALPNProtocols
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
 	return
 }