perses · Nexucis · Feb 10, 2025 · Feb 10, 2025
diff --git a/cue/model/api/v1/secret/tls_config_go_gen.cue b/cue/model/api/v1/secret/tls_config_go_gen.cue
@@ -15,6 +15,8 @@ package secret
 	keyFile?:           string  @go(KeyFile)
 	serverName?:        string  @go(ServerName)
 	insecureSkipVerify: bool    @go(InsecureSkipVerify)
+	minVersion?:        string  @go(MinVersion)
+	maxVersion?:        string  @go(MaxVersion)
 }
 
 #TLSConfig: {
@@ -41,4 +43,14 @@ package secret
 
 	// Disable target certificate validation.
 	insecureSkipVerify: bool @go(InsecureSkipVerify)
+
+	// Minimum acceptable TLS version. Accepted values: TLS10 (TLS 1.0), TLS11 (TLS 1.1), TLS12 (TLS 1.2), TLS13 (TLS 1.3).
+	// If unset, Perses will use Go default minimum version, which is TLS 1.2.
+	// See MinVersion in https://pkg.go.dev/crypto/tls#Config.
+	minVersion?: string @go(MinVersion)
+
+	// Maximum acceptable TLS version. Accepted values: TLS10 (TLS 1.0), TLS11 (TLS 1.1), TLS12 (TLS 1.2), TLS13 (TLS 1.3).
+	// If unset, Perses will use Go default maximum version, which is TLS 1.3.
+	// See MaxVersion in https://pkg.go.dev/crypto/tls#Config.
+	maxVersion?: string @go(MaxVersion)
 }
diff --git a/docs/configuration/configuration.md b/docs/configuration/configuration.md
@@ -464,31 +464,31 @@ A TLS config allows configuring TLS connections.
 ```yaml
 # CA certificate to validate API server certificate with. At most one of ca and ca_file is allowed.
 ca: <string> # Optional
-ca_file: <filename> # Optional
+caFile: <filename> # Optional
 
 # Certificate and key for client cert authentication to the server.
 # At most one of cert and cert_file is allowed.
 # At most one of key and key_file is allowed.
 cert: <string> # Optional
-cert_file: <filename> # Optional
+certFile: <filename> # Optional
 key: <secret> # Optional
-key_file: <filename> # Optional
+keyFile: <filename> # Optional
 
 # ServerName extension to indicate the name of the server.
 # https://tools.ietf.org/html/rfc4366#section-3.1
-server_name: <string> # Optional
+serverName: <string> # Optional
 
 # Disable validation of the server certificate.
-insecure_skip_verify: <boolean> # Optional
+insecureSkipVerify: <boolean> # Optional
 
 # Minimum acceptable TLS version. Accepted values: TLS10 (TLS 1.0), TLS11 (TLS
 # 1.1), TLS12 (TLS 1.2), TLS13 (TLS 1.3).
-# If unset, Prometheus will use Go default minimum version, which is TLS 1.2.
+# If unset, Perses will use Go default minimum version, which is TLS 1.2.
 # See MinVersion in https://pkg.go.dev/crypto/tls#Config.
 min_version: <string> # Optional
 # Maximum acceptable TLS version. Accepted values: TLS10 (TLS 1.0), TLS11 (TLS
 # 1.1), TLS12 (TLS 1.2), TLS13 (TLS 1.3).
-# If unset, Prometheus will use Go default maximum version, which is TLS 1.3.
+# If unset, Perses will use Go default maximum version, which is TLS 1.3.
 # See MaxVersion in https://pkg.go.dev/crypto/tls#Config.
 max_version: <string> # Optional
 ```

diff --git a/pkg/model/api/v1/secret/tls_config.go b/pkg/model/api/v1/secret/tls_config.go
@@ -30,6 +30,8 @@ type PublicTLSConfig struct {
 	KeyFile            string `yaml:"keyFile,omitempty" json:"keyFile,omitempty"`
 	ServerName         string `yaml:"serverName,omitempty" json:"serverName,omitempty"`
 	InsecureSkipVerify bool   `yaml:"insecureSkipVerify" json:"insecureSkipVerify"`
+	MinVersion         string `yaml:"minVersion,omitempty" json:"minVersion,omitempty"`
+	MaxVersion         string `yaml:"maxVersion,omitempty" json:"maxVersion,omitempty"`
 }
 
 func NewPublicTLSConfig(t *TLSConfig) *PublicTLSConfig {
@@ -45,12 +47,22 @@ func NewPublicTLSConfig(t *TLSConfig) *PublicTLSConfig {
 		KeyFile:            t.KeyFile,
 		ServerName:         t.ServerName,
 		InsecureSkipVerify: t.InsecureSkipVerify,
+		MinVersion:         t.MinVersion,
+		MaxVersion:         t.MaxVersion,
 	}
 }
 
 func BuildTLSConfig(cfg *TLSConfig) (*tls.Config, error) {
 	if cfg == nil {
-		return &tls.Config{MinVersion: tls.VersionTLS12}, nil
+		return &tls.Config{MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS13}, nil
+	}
+	minVersion := promConfig.TLSVersions["TLS12"]
+	maxVersion := promConfig.TLSVersions["TLS13"]
+	if len(cfg.MinVersion) == 0 {
+		minVersion = promConfig.TLSVersions[cfg.MinVersion]
+	}
+	if len(cfg.MaxVersion) == 0 {
+		maxVersion = promConfig.TLSVersions[cfg.MaxVersion]
 	}
 	preConfig := &promConfig.TLSConfig{
 		CA:                 cfg.CA,
@@ -61,8 +73,8 @@ func BuildTLSConfig(cfg *TLSConfig) (*tls.Config, error) {
 		KeyFile:            cfg.KeyFile,
 		ServerName:         cfg.ServerName,
 		InsecureSkipVerify: cfg.InsecureSkipVerify,
-		MinVersion:         promConfig.TLSVersions["TLS12"],
-		MaxVersion:         promConfig.TLSVersions["TLS13"],
+		MinVersion:         minVersion,
+		MaxVersion:         maxVersion,
 	}
 	return promConfig.NewTLSConfig(preConfig)
 }
@@ -84,4 +96,28 @@ type TLSConfig struct {
 	ServerName string `yaml:"serverName,omitempty" json:"serverName,omitempty"`
 	// Disable target certificate validation.
 	InsecureSkipVerify bool `yaml:"insecureSkipVerify" json:"insecureSkipVerify"`
+	// Minimum acceptable TLS version. Accepted values: TLS10 (TLS 1.0), TLS11 (TLS 1.1), TLS12 (TLS 1.2), TLS13 (TLS 1.3).
+	// If unset, Perses will use Go default minimum version, which is TLS 1.2.
+	// See MinVersion in https://pkg.go.dev/crypto/tls#Config.
+	MinVersion string `yaml:"minVersion,omitempty" json:"minVersion,omitempty"`
+	// Maximum acceptable TLS version. Accepted values: TLS10 (TLS 1.0), TLS11 (TLS 1.1), TLS12 (TLS 1.2), TLS13 (TLS 1.3).
+	// If unset, Perses will use Go default maximum version, which is TLS 1.3.
+	// See MaxVersion in https://pkg.go.dev/crypto/tls#Config.
+	MaxVersion string `yaml:"maxVersion,omitempty" json:"maxVersion,omitempty"`
+}
+
+// Verify checks if the TLSConfig is valid.
+// It also set the default value if needed
+// This method is called when Perses is loading the configuration.
+func (t *TLSConfig) Verify() error {
+	if t == nil {
+		return nil
+	}
+	if len(t.MinVersion) == 0 {
+		t.MinVersion = "TLS12"
+	}
+	if len(t.MaxVersion) == 0 {
+		t.MaxVersion = "TLS13"
+	}
+	return nil
 }