fix: use host's root CA set if ClientTLS ca is not defined

Co-authored-by: Tom Moulard <tom.moulard@traefik.io>
2021-11-03 17:38:07 +01:00 · 2021-11-03 17:38:07 +01:00 · b39d226fb8
commit b39d226fb8
parent 20dfb91948
13 changed files with 31 additions and 13 deletions
--- a/pkg/types/tls.go
+++ b/pkg/types/tls.go
@ -30,7 +30,9 @@ func (clientTLS *ClientTLS) CreateTLSConfig(ctx context.Context) (*tls.Config, e
 		return nil, nil
 	}

-	caPool := x509.NewCertPool()
+	// Not initialized, to rely on system bundle.
+	var caPool *x509.CertPool
+
 	clientAuth := tls.NoClientCert
 	if clientTLS.CA != "" {
 		var ca []byte
@ -44,6 +46,7 @@ func (clientTLS *ClientTLS) CreateTLSConfig(ctx context.Context) (*tls.Config, e
 			ca = []byte(clientTLS.CA)
 		}

+		caPool = x509.NewCertPool()
 		if !caPool.AppendCertsFromPEM(ca) {
 			return nil, errors.New("failed to parse CA")
 		}
--- a/pkg/types/tls_test.go
+++ b/pkg/types/tls_test.go
@ -115,9 +115,15 @@ func TestClientTLS_CreateTLSConfig(t *testing.T) {

 			require.NoError(t, err)

-			assert.Len(t, tlsConfig.RootCAs.Subjects(), test.wantCALen)
 			assert.Len(t, tlsConfig.Certificates, test.wantCertLen)
 			assert.Equal(t, test.clientTLS.InsecureSkipVerify, tlsConfig.InsecureSkipVerify)
+
+			if test.wantCALen > 0 {
+				assert.Len(t, tlsConfig.RootCAs.Subjects(), test.wantCALen)
+				return
+			}
+
+			assert.Nil(t, tlsConfig.RootCAs)
 		})
 	}
 }