Makes ALPN protocols configurable

2021-08-20 18:20:06 +02:00 · 2021-08-20 18:20:06 +02:00 · 2644c1f598
commit 2644c1f598
parent fa53f7ec85
18 changed files with 216 additions and 15 deletions
--- a/pkg/tls/tls.go
+++ b/pkg/tls/tls.go
@ -23,6 +23,13 @@ type Options struct {
 	ClientAuth               ClientAuth `json:"clientAuth,omitempty" toml:"clientAuth,omitempty" yaml:"clientAuth,omitempty"`
 	SniStrict                bool       `json:"sniStrict,omitempty" toml:"sniStrict,omitempty" yaml:"sniStrict,omitempty" export:"true"`
 	PreferServerCipherSuites bool       `json:"preferServerCipherSuites,omitempty" toml:"preferServerCipherSuites,omitempty" yaml:"preferServerCipherSuites,omitempty" export:"true"`
+	ALPNProtocols            []string   `json:"alpnProtocols,omitempty" toml:"alpnProtocols,omitempty" yaml:"alpnProtocols,omitempty" export:"true"`
+}
+
+// SetDefaults sets the default values for an Options struct.
+func (o *Options) SetDefaults() {
+	// ensure http2 enabled
+	o.ALPNProtocols = DefaultTLSOptions.ALPNProtocols
 }

 // +k8s:deepcopy-gen=true
--- a/pkg/tls/tlsmanager.go
+++ b/pkg/tls/tlsmanager.go
@ -24,7 +24,10 @@ const (
 )

 // DefaultTLSOptions the default TLS options.
-var DefaultTLSOptions = Options{}
+var DefaultTLSOptions = Options{
+	// ensure http2 enabled
+	ALPNProtocols: []string{"h2", "http/1.1", tlsalpn01.ACMETLS1Protocol},
+}

 // Manager is the TLS option/store/configuration factory.
 type Manager struct {
@ -230,10 +233,9 @@ func buildCertificateStore(ctx context.Context, tlsStore Store, storename string

 // creates a TLS config that allows terminating HTTPS for multiple domains using SNI.
 func buildTLSConfig(tlsOption Options) (*tls.Config, error) {
-	conf := &tls.Config{}
-
-	// ensure http2 enabled
-	conf.NextProtos = []string{"h2", "http/1.1", tlsalpn01.ACMETLS1Protocol}
+	conf := &tls.Config{
+		NextProtos: tlsOption.ALPNProtocols,
+	}

 	if len(tlsOption.ClientAuth.CAFiles) > 0 {
 		pool := x509.NewCertPool()
--- a/pkg/tls/zz_generated.deepcopy.go
+++ b/pkg/tls/zz_generated.deepcopy.go
@ -85,6 +85,11 @@ func (in *Options) DeepCopyInto(out *Options) {
 		copy(*out, *in)
 	}
 	in.ClientAuth.DeepCopyInto(&out.ClientAuth)
+	if in.ALPNProtocols != nil {
+		in, out := &in.ALPNProtocols, &out.ALPNProtocols
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
 	return
 }