chore: support configuring SSL protocols (#328)
And drop the older SSL protocol versions from the default.
diff --git a/charts/apisix/README.md b/charts/apisix/README.md
index ca2dc35..343f10d 100644
--- a/charts/apisix/README.md
+++ b/charts/apisix/README.md
@@ -91,7 +91,8 @@
| `gateway.http` | Apache APISIX service settings for http | |
| `gateway.tls` | Apache APISIX service settings for tls | |
| `gateway.tls.existingCASecret` | Specifies the name of Secret contains trusted CA certificates in the PEM format used to verify the certificate when APISIX needs to do SSL/TLS handshaking with external services (e.g. etcd) | `""` |
-| `gateway.tls.certCAFilename` | filename be used in the `gateway.tls.existingCASecret` | `""` |
+| `gateway.tls.certCAFilename` | Filename be used in the `gateway.tls.existingCASecret` | `""` |
+| `gateway.tls.sslProtocols` | TLS protocols allowed to use. | `"TLSv1.2 TLSv1.3"` |
| `gateway.stream` | Apache APISIX service settings for stream | |
| `gateway.ingress` | Using ingress access Apache APISIX service | |
diff --git a/charts/apisix/templates/configmap.yaml b/charts/apisix/templates/configmap.yaml
index 6c0e5da..ee78a14 100644
--- a/charts/apisix/templates/configmap.yaml
+++ b/charts/apisix/templates/configmap.yaml
@@ -156,7 +156,7 @@
enable: {{ .Values.gateway.tls.enabled }}
enable_http2: {{ .Values.gateway.tls.http2.enabled }}
listen_port: {{ .Values.gateway.tls.containerPort }}
- ssl_protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
+ ssl_protocols: {{ .Values.gateway.tls.sslProtocols | quote }}
ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
{{- if and .Values.gateway.tls.enabled .Values.gateway.tls.existingCASecret }}
ssl_trusted_certificate: "/usr/local/apisix/conf/ssl/{{ .Values.gateway.tls.certCAFilename }}"
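Review bot: Dropping TLSv1/TLSv1.1 on the `ssl_protocols` line leaves the `ssl_ciphers` line directly below it untouched, and that list still ends with `DES-CBC3-SHA` and carries the static-RSA CBC suites (`AES128-SHA`, `AES256-SHA`, `AES128-SHA256`, `AES256-SHA256`, `AES128-GCM-SHA256`, `AES256-GCM-SHA384`), so the weakest part of the TLS posture is unchanged by this commit. The 3DES suite is the usual scanner finding (Sweet32) and the non-ECDHE suites offer no forward secrecy; whether any downstream client still depends on them is not visible from the chart. Since protocols are now operator-configurable, the cipher list should get the same treatment, e.g. `ssl_ciphers: {{ .Values.gateway.tls.sslCiphers | quote }}` with a default in values.yaml that omits `DES-CBC3-SHA` and the plain `AES*-SHA*` suites. Also note that `| quote` will happily render an empty string if an operator clears `sslProtocols`; a `required "gateway.tls.sslProtocols must be set"` guard, or at least a comment in values.yaml, would avoid a confusing config error at startup.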
diff --git a/charts/apisix/values.yaml b/charts/apisix/values.yaml
index e0824f9..0071c6c 100644
--- a/charts/apisix/values.yaml
+++ b/charts/apisix/values.yaml
@@ -142,6 +142,7 @@
certCAFilename: ""
http2:
enabled: true
+ sslProtocols: "TLSv1.2 TLSv1.3"
# L4 proxy (TCP/UDP)
stream:
enabled: false
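Review bot: The new `sslProtocols` key has no comment explaining its format or why TLSv1/TLSv1.1 are absent, which is the kind of default a later operator is tempted to "fix" by re-adding them. Suggest a comment above the key: `# Space-separated list of TLS versions APISIX will negotiate (nginx ssl_protocols syntax).` followed by `# TLSv1 and TLSv1.1 are deliberately excluded; adding them back is a security downgrade.` The value is rendered with `| quote` in the configmap template, so keeping it a single quoted string here (as done) is correct, but an empty value would render as `ssl_protocols: ""`, so the comment should also say the list must not be empty.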