Merge branch v2.5 into master

pkg/types/fixtures/cert.pem

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB9jCCAV+gAwIBAgIQI3edJckNbicw4WIHs5Ws9TANBgkqhkiG9w0BAQsFADAS
+MRAwDgYDVQQKEwdBY21lIENvMCAXDTcwMDEwMTAwMDAwMFoYDzIwODQwMTI5MTYw
+MDAwWjASMRAwDgYDVQQKEwdBY21lIENvMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
+iQKBgQCb8oWyME1QRBoMLFei3M8TVKwfZfW74cVjtcugCBMTTOTCouEIgjjmiMv6
+FdMio2uBcgeD9R3dOtjjnA7N+xjwZ4vIPqDlJRE3YbfpV9igVX3sXU7ssHTSH0vs
+R0TuYJwGReIFUnu5QIjGwVorodF+CQ8dTnyXVLeQVU9kvjohHwIDAQABo0swSTAO
+BgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIw
+ADAUBgNVHREEDTALgglsb2NhbGhvc3QwDQYJKoZIhvcNAQELBQADgYEADqylUQ/4
+lrxh4h8UUQ2wKATQ2kG2YvMGlaIhr2vPZo2QDBlmL2xzai7YXX3+JZyM15TNCamn
+WtFR7WQIOHzKA1GkR9WkaXKmFbJjhGMSZVCG6ghhTjzB+stBYZXhBsdjCJbkZWBu
+OeI73oivo0MdI+4iCYCo7TnoY4PZGObwcgI=
+-----END CERTIFICATE-----

pkg/types/fixtures/key.pem

@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAJvyhbIwTVBEGgws
+V6LczxNUrB9l9bvhxWO1y6AIExNM5MKi4QiCOOaIy/oV0yKja4FyB4P1Hd062OOc
+Ds37GPBni8g+oOUlETdht+lX2KBVfexdTuywdNIfS+xHRO5gnAZF4gVSe7lAiMbB
+Wiuh0X4JDx1OfJdUt5BVT2S+OiEfAgMBAAECgYA9+PbghQl0aFvhko2RDybLi86K
++73X2DTVFx3AjvTlqp0OLCQ5eWabVqmYzKuHDGJgoqwR6Irhq80dRpsriCm0YNui
+mMV35bbimOKz9FoCTKx0ZB6xsqrVoFhjVmX3DOD9Txe41H42ZxmccOKZndR/QaXz
+VV+1W/Wbz2VawnkyYQJBAMvF6w2eOJRRoN8e7GM7b7uqkupJPp9axgFREoJZb16W
+mqXUZnH4Cydzc5keG4yknQRHdgz6RrQxnvR7GyKHLfUCQQDD6qG9D5BX0+mNW6TG
+PRwW/L2qWgnmg9lxtSSQat9ZOnBhw2OLPi0zTu4p70oSmU67/YJr50HEoJpRccZJ
+mnJDAkBdBTtY2xpe8qhqUjZ80hweYi5wzwDMQ+bRoQ2+/U6usjdkbgJaEm4dE0H4
+6tqOqHKZCnokUHfIOEKkvjHT4DulAkBAgiJNSTGi6aDOLa28pGR6YS/mRo1Z/HH9
+kcJ/VuFB1Q8p8Zb2QzvI2CVtY2AFbbtSBPALrXKnVqZZSNgcZiFXAkEAvcLKaEXE
+haGMGwq2BLADPHqAR3hdCJL3ikMJwWUsTkTjm973iEIEZfF5j57EzRI4bASm4Zq5
+Zt3BcblLODQ//w==
+-----END PRIVATE KEY-----

pkg/types/tls.go

@@ -4,12 +4,15 @@ import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
+	"errors"
 	"fmt"
 	"os"
 
 	"github.com/traefik/traefik/v2/pkg/log"
 )
 
+// +k8s:deepcopy-gen=true
+
 // ClientTLS holds TLS specific configurations as client
 // CA, Cert and Key can be either path or file contents.
 type ClientTLS struct {
@@ -27,7 +30,9 @@ func (clientTLS *ClientTLS) CreateTLSConfig(ctx context.Context) (*tls.Config, e
 		return nil, nil
 	}
 
-	caPool := x509.NewCertPool()
+	// Not initialized, to rely on system bundle.
+	var caPool *x509.CertPool
+
 	clientAuth := tls.NoClientCert
 	if clientTLS.CA != "" {
 		var ca []byte
@@ -41,8 +46,9 @@ func (clientTLS *ClientTLS) CreateTLSConfig(ctx context.Context) (*tls.Config, e
 			ca = []byte(clientTLS.CA)
 		}
 
+		caPool = x509.NewCertPool()
 		if !caPool.AppendCertsFromPEM(ca) {
-			return nil, fmt.Errorf("failed to parse CA")
+			return nil, errors.New("failed to parse CA")
 		}
 
 		if clientTLS.CAOptional {
@@ -52,34 +58,24 @@ func (clientTLS *ClientTLS) CreateTLSConfig(ctx context.Context) (*tls.Config, e
 		}
 	}
 
-	if !clientTLS.InsecureSkipVerify && (len(clientTLS.Cert) == 0 || len(clientTLS.Key) == 0) {
-		return nil, fmt.Errorf("TLS Certificate or Key file must be set when TLS configuration is created")
+	hasCert := len(clientTLS.Cert) > 0
+	hasKey := len(clientTLS.Key) > 0
+
+	if hasCert != hasKey {
+		return nil, errors.New("both TLS cert and key must be defined")
 	}
 
-	cert := tls.Certificate{}
-	_, errKeyIsFile := os.Stat(clientTLS.Key)
+	if !hasCert || !hasKey {
+		return &tls.Config{
+			RootCAs:            caPool,
+			InsecureSkipVerify: clientTLS.InsecureSkipVerify,
+			ClientAuth:         clientAuth,
+		}, nil
+	}
 
-	if len(clientTLS.Cert) > 0 && len(clientTLS.Key) > 0 {
-		var err error
-		if _, errCertIsFile := os.Stat(clientTLS.Cert); errCertIsFile == nil {
-			if errKeyIsFile == nil {
-				cert, err = tls.LoadX509KeyPair(clientTLS.Cert, clientTLS.Key)
-				if err != nil {
-					return nil, fmt.Errorf("failed to load TLS keypair: %w", err)
-				}
-			} else {
-				return nil, fmt.Errorf("TLS cert is a file, but tls key is not")
-			}
-		} else {
-			if errKeyIsFile != nil {
-				cert, err = tls.X509KeyPair([]byte(clientTLS.Cert), []byte(clientTLS.Key))
-				if err != nil {
-					return nil, fmt.Errorf("failed to load TLS keypair: %w", err)
-				}
-			} else {
-				return nil, fmt.Errorf("TLS key is a file, but tls cert is not")
-			}
-		}
+	cert, err := loadKeyPair(clientTLS.Cert, clientTLS.Key)
+	if err != nil {
+		return nil, err
 	}
 
 	return &tls.Config{
@@ -89,3 +85,27 @@ func (clientTLS *ClientTLS) CreateTLSConfig(ctx context.Context) (*tls.Config, e
 		ClientAuth:         clientAuth,
 	}, nil
 }
+
+func loadKeyPair(cert, key string) (tls.Certificate, error) {
+	keyPair, err := tls.X509KeyPair([]byte(cert), []byte(key))
+	if err == nil {
+		return keyPair, nil
+	}
+
+	_, err = os.Stat(cert)
+	if err != nil {
+		return tls.Certificate{}, errors.New("cert file does not exist")
+	}
+
+	_, err = os.Stat(key)
+	if err != nil {
+		return tls.Certificate{}, errors.New("key file does not exist")
+	}
+
+	keyPair, err = tls.LoadX509KeyPair(cert, key)
+	if err != nil {
+		return tls.Certificate{}, err
+	}
+
+	return keyPair, nil
+}

pkg/types/tls_test.go

@@ -0,0 +1,129 @@
+package types
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// go run $GOROOT/src/crypto/tls/generate_cert.go --rsa-bits 1024 --host localhost --start-date "Jan 1 00:00:00 1970" --duration=1000000h
+var cert = `-----BEGIN CERTIFICATE-----
+MIIB9jCCAV+gAwIBAgIQI3edJckNbicw4WIHs5Ws9TANBgkqhkiG9w0BAQsFADAS
+MRAwDgYDVQQKEwdBY21lIENvMCAXDTcwMDEwMTAwMDAwMFoYDzIwODQwMTI5MTYw
+MDAwWjASMRAwDgYDVQQKEwdBY21lIENvMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
+iQKBgQCb8oWyME1QRBoMLFei3M8TVKwfZfW74cVjtcugCBMTTOTCouEIgjjmiMv6
+FdMio2uBcgeD9R3dOtjjnA7N+xjwZ4vIPqDlJRE3YbfpV9igVX3sXU7ssHTSH0vs
+R0TuYJwGReIFUnu5QIjGwVorodF+CQ8dTnyXVLeQVU9kvjohHwIDAQABo0swSTAO
+BgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIw
+ADAUBgNVHREEDTALgglsb2NhbGhvc3QwDQYJKoZIhvcNAQELBQADgYEADqylUQ/4
+lrxh4h8UUQ2wKATQ2kG2YvMGlaIhr2vPZo2QDBlmL2xzai7YXX3+JZyM15TNCamn
+WtFR7WQIOHzKA1GkR9WkaXKmFbJjhGMSZVCG6ghhTjzB+stBYZXhBsdjCJbkZWBu
+OeI73oivo0MdI+4iCYCo7TnoY4PZGObwcgI=
+-----END CERTIFICATE-----`
+
+var key = `-----BEGIN PRIVATE KEY-----
+MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAJvyhbIwTVBEGgws
+V6LczxNUrB9l9bvhxWO1y6AIExNM5MKi4QiCOOaIy/oV0yKja4FyB4P1Hd062OOc
+Ds37GPBni8g+oOUlETdht+lX2KBVfexdTuywdNIfS+xHRO5gnAZF4gVSe7lAiMbB
+Wiuh0X4JDx1OfJdUt5BVT2S+OiEfAgMBAAECgYA9+PbghQl0aFvhko2RDybLi86K
++73X2DTVFx3AjvTlqp0OLCQ5eWabVqmYzKuHDGJgoqwR6Irhq80dRpsriCm0YNui
+mMV35bbimOKz9FoCTKx0ZB6xsqrVoFhjVmX3DOD9Txe41H42ZxmccOKZndR/QaXz
+VV+1W/Wbz2VawnkyYQJBAMvF6w2eOJRRoN8e7GM7b7uqkupJPp9axgFREoJZb16W
+mqXUZnH4Cydzc5keG4yknQRHdgz6RrQxnvR7GyKHLfUCQQDD6qG9D5BX0+mNW6TG
+PRwW/L2qWgnmg9lxtSSQat9ZOnBhw2OLPi0zTu4p70oSmU67/YJr50HEoJpRccZJ
+mnJDAkBdBTtY2xpe8qhqUjZ80hweYi5wzwDMQ+bRoQ2+/U6usjdkbgJaEm4dE0H4
+6tqOqHKZCnokUHfIOEKkvjHT4DulAkBAgiJNSTGi6aDOLa28pGR6YS/mRo1Z/HH9
+kcJ/VuFB1Q8p8Zb2QzvI2CVtY2AFbbtSBPALrXKnVqZZSNgcZiFXAkEAvcLKaEXE
+haGMGwq2BLADPHqAR3hdCJL3ikMJwWUsTkTjm973iEIEZfF5j57EzRI4bASm4Zq5
+Zt3BcblLODQ//w==
+-----END PRIVATE KEY-----`
+
+func TestClientTLS_CreateTLSConfig(t *testing.T) {
+	tests := []struct {
+		desc        string
+		clientTLS   ClientTLS
+		wantCertLen int
+		wantCALen   int
+		wantErr     bool
+	}{
+		{
+			desc:      "Configure CA",
+			clientTLS: ClientTLS{CA: cert},
+			wantCALen: 1,
+			wantErr:   false,
+		},
+		{
+			desc:        "Configure the client keyPair from strings",
+			clientTLS:   ClientTLS{Cert: cert, Key: key},
+			wantCertLen: 1,
+			wantErr:     false,
+		},
+		{
+			desc:        "Configure the client keyPair from files",
+			clientTLS:   ClientTLS{Cert: "fixtures/cert.pem", Key: "fixtures/key.pem"},
+			wantCertLen: 1,
+			wantErr:     false,
+		},
+		{
+			desc:      "Configure InsecureSkipVerify",
+			clientTLS: ClientTLS{InsecureSkipVerify: true},
+			wantErr:   false,
+		},
+		{
+			desc:      "Return an error if only the client cert is provided",
+			clientTLS: ClientTLS{Cert: cert},
+			wantErr:   true,
+		},
+		{
+			desc:      "Return an error if only the client key is provided",
+			clientTLS: ClientTLS{Key: key},
+			wantErr:   true,
+		},
+		{
+			desc:      "Return an error if only the client cert is of type file",
+			clientTLS: ClientTLS{Cert: "fixtures/cert.pem", Key: key},
+			wantErr:   true,
+		},
+		{
+			desc:      "Return an error if only the client key is of type file",
+			clientTLS: ClientTLS{Cert: cert, Key: "fixtures/key.pem"},
+			wantErr:   true,
+		},
+		{
+			desc:      "Return an error if the client cert does not exist",
+			clientTLS: ClientTLS{Cert: "fixtures/cert2.pem", Key: "fixtures/key.pem"},
+			wantErr:   true,
+		},
+		{
+			desc:      "Return an error if the client key does not exist",
+			clientTLS: ClientTLS{Cert: "fixtures/cert.pem", Key: "fixtures/key2.pem"},
+			wantErr:   true,
+		},
+	}
+
+	for _, test := range tests {
+		test := test
+
+		t.Run(test.desc, func(t *testing.T) {
+			tlsConfig, err := test.clientTLS.CreateTLSConfig(context.Background())
+			if test.wantErr {
+				require.Error(t, err)
+				return
+			}
+
+			require.NoError(t, err)
+
+			assert.Len(t, tlsConfig.Certificates, test.wantCertLen)
+			assert.Equal(t, test.clientTLS.InsecureSkipVerify, tlsConfig.InsecureSkipVerify)
+
+			if test.wantCALen > 0 {
+				assert.Len(t, tlsConfig.RootCAs.Subjects(), test.wantCALen)
+				return
+			}
+
+			assert.Nil(t, tlsConfig.RootCAs)
+		})
+	}
+}

pkg/types/zz_generated.deepcopy.go

@@ -29,6 +29,22 @@ THE SOFTWARE.
 
 package types
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClientTLS) DeepCopyInto(out *ClientTLS) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientTLS.
+func (in *ClientTLS) DeepCopy() *ClientTLS {
+	if in == nil {
+		return nil
+	}
+	out := new(ClientTLS)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Domain) DeepCopyInto(out *Domain) {
 	*out = *in