This is an automated email from the ASF dual-hosted git repository.
zhangjintao pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix-helm-chart.git
The following commit(s) were added to refs/heads/master by this push:
new c20437f chore: support configuring SSL protocols (#328)
c20437f is described below
commit c20437f72bb9f8f3a9ae3c23429054079d2711bd
Author: Alex Zhang <[email protected]>
AuthorDate: Tue Aug 23 12:31:51 2022 +0800
chore: support configuring SSL protocols (#328)
And drop older SSL protocol versions.
---
charts/apisix/README.md | 3 ++-
charts/apisix/templates/configmap.yaml | 2 +-
charts/apisix/values.yaml | 1 +
3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/charts/apisix/README.md b/charts/apisix/README.md
index ca2dc35..343f10d 100644
--- a/charts/apisix/README.md
+++ b/charts/apisix/README.md
@@ -91,7 +91,8 @@ Apache APISIX service parameters, this determines how users
can access itself.
| `gateway.http` | Apache APISIX service settings for http
| |
| `gateway.tls` | Apache APISIX service settings for tls
| |
| `gateway.tls.existingCASecret` | Specifies the name of Secret contains
trusted CA certificates in the PEM format used to verify the certificate when
APISIX needs to do SSL/TLS handshaking with external services (e.g. etcd) |
`""` |
-| `gateway.tls.certCAFilename` | filename be used in the
`gateway.tls.existingCASecret`
| `""` |
+| `gateway.tls.certCAFilename` | Filename be used in the
`gateway.tls.existingCASecret`
| `""` |
+| `gateway.tls.sslProtocols` | TLS protocols allowed to use. | `"TLSv1.2
TLSv1.3"` |
| `gateway.stream` | Apache APISIX service settings for stream
| |
| `gateway.ingress` | Using ingress access Apache APISIX service
| |
diff --git a/charts/apisix/templates/configmap.yaml
b/charts/apisix/templates/configmap.yaml
index 6c0e5da..ee78a14 100644
--- a/charts/apisix/templates/configmap.yaml
+++ b/charts/apisix/templates/configmap.yaml
@@ -156,7 +156,7 @@ data:
enable: {{ .Values.gateway.tls.enabled }}
enable_http2: {{ .Values.gateway.tls.http2.enabled }}
listen_port: {{ .Values.gateway.tls.containerPort }}
- ssl_protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
+ ssl_protocols: {{ .Values.gateway.tls.sslProtocols | quote }}
ssl_ciphers:
"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-
[...]
{{- if and .Values.gateway.tls.enabled
.Values.gateway.tls.existingCASecret }}
ssl_trusted_certificate: "/usr/local/apisix/conf/ssl/{{
.Values.gateway.tls.certCAFilename }}"
diff --git a/charts/apisix/values.yaml b/charts/apisix/values.yaml
index e0824f9..0071c6c 100644
--- a/charts/apisix/values.yaml
+++ b/charts/apisix/values.yaml
@@ -142,6 +142,7 @@ gateway:
certCAFilename: ""
http2:
enabled: true
+ sslProtocols: "TLSv1.2 TLSv1.3"
# L4 proxy (TCP/UDP)
stream:
enabled: false
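Review bot: The new `sslProtocols` key is the only setting in the `tls` stanza without an explanatory comment, and values.yaml is what operators read when they override defaults; add above it `# Space-separated TLS versions APISIX will negotiate. TLSv1 and TLSv1.1 are intentionally excluded from the default; re-adding them weakens client security.` Keeping the value quoted, as the commit does, is correct since the template pipes it through `quote` and expects a string. The diffstat shows no Chart.yaml change, so if this chart is versioned per release, dropping TLSv1/1.1 is a client-visible behaviour change that deserves a changelog note and, presumably, a version bump.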