fix: do not require a TLS client cert when InsecureSkipVerify is false

Co-authored-by: Tom Moulard <tom.moulard@traefik.io>
2021-10-26 10:54:11 +02:00 · 2021-10-26 10:54:11 +02:00 · d3ff0c2cd4
commit d3ff0c2cd4
parent 566b205758
21 changed files with 273 additions and 184 deletions
--- a/pkg/provider/docker/docker.go
+++ b/pkg/provider/docker/docker.go
@ -165,7 +165,7 @@ func (p *Provider) getClientOpts() ([]client.Opt, error) {

 		conf, err := p.TLS.CreateTLSConfig(ctx)
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("unable to create client TLS configuration: %w", err)
 		}

 		hostURL, err := client.ParseHostURL(p.Endpoint)
--- a/pkg/provider/http/http.go
+++ b/pkg/provider/http/http.go
@ -55,7 +55,7 @@ func (p *Provider) Init() error {
 	if p.TLS != nil {
 		tlsConfig, err := p.TLS.CreateTLSConfig(context.Background())
 		if err != nil {
-			return fmt.Errorf("unable to create TLS configuration: %w", err)
+			return fmt.Errorf("unable to create client TLS configuration: %w", err)
 		}

 		p.httpClient.Transport = &http.Transport{
--- a/pkg/provider/kubernetes/crd/kubernetes.go
+++ b/pkg/provider/kubernetes/crd/kubernetes.go
@ -23,6 +23,7 @@ import (
 	"github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/traefik/v1alpha1"
 	"github.com/traefik/traefik/v2/pkg/safe"
 	"github.com/traefik/traefik/v2/pkg/tls"
+	"github.com/traefik/traefik/v2/pkg/types"
 	corev1 "k8s.io/api/core/v1"
 	apiextensionv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/labels"
@ -481,7 +482,7 @@ func createForwardAuthMiddleware(k8sClient Client, namespace string, auth *v1alp
 		return forwardAuth, nil
 	}

-	forwardAuth.TLS = &dynamic.ClientTLS{
+	forwardAuth.TLS = &types.ClientTLS{
 		CAOptional:         auth.TLS.CAOptional,
 		InsecureSkipVerify: auth.TLS.InsecureSkipVerify,
 	}
--- a/pkg/provider/kubernetes/crd/kubernetes_test.go
+++ b/pkg/provider/kubernetes/crd/kubernetes_test.go
@ -9,13 +9,14 @@ import (

 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/traefik/paerser/types"
+	ptypes "github.com/traefik/paerser/types"
 	"github.com/traefik/traefik/v2/pkg/config/dynamic"
 	"github.com/traefik/traefik/v2/pkg/provider"
 	crdfake "github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/generated/clientset/versioned/fake"
 	"github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/traefik/v1alpha1"
 	"github.com/traefik/traefik/v2/pkg/provider/kubernetes/k8s"
 	"github.com/traefik/traefik/v2/pkg/tls"
+	"github.com/traefik/traefik/v2/pkg/types"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/intstr"
@ -3243,7 +3244,7 @@ func TestLoadIngressRoutes(t *testing.T) {
 						"default-forwardauth": {
 							ForwardAuth: &dynamic.ForwardAuth{
 								Address: "test.com",
-								TLS: &dynamic.ClientTLS{
+								TLS: &types.ClientTLS{
 									CA:   "-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----",
 									Cert: "-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----",
 									Key:  "-----BEGIN PRIVATE KEY-----\n-----END PRIVATE KEY-----",
@ -3612,17 +3613,17 @@ func TestLoadIngressRoutes(t *testing.T) {
 							MaxIdleConnsPerHost: 42,
 							DisableHTTP2:        true,
 							ForwardingTimeouts: &dynamic.ForwardingTimeouts{
-								DialTimeout:           types.Duration(42 * time.Second),
-								ResponseHeaderTimeout: types.Duration(42 * time.Second),
-								IdleConnTimeout:       types.Duration(42 * time.Millisecond),
+								DialTimeout:           ptypes.Duration(42 * time.Second),
+								ResponseHeaderTimeout: ptypes.Duration(42 * time.Second),
+								IdleConnTimeout:       ptypes.Duration(42 * time.Millisecond),
 							},
 							PeerCertURI: "foo://bar",
 						},
 						"default-test": {
 							ServerName: "test",
 							ForwardingTimeouts: &dynamic.ForwardingTimeouts{
-								DialTimeout:     types.Duration(30 * time.Second),
-								IdleConnTimeout: types.Duration(90 * time.Second),
+								DialTimeout:     ptypes.Duration(30 * time.Second),
+								IdleConnTimeout: ptypes.Duration(90 * time.Second),
 							},
 						},
 					},
--- a/pkg/provider/kv/kv.go
+++ b/pkg/provider/kv/kv.go
@ -170,7 +170,7 @@ func (p *Provider) createKVClient(ctx context.Context) (store.Store, error) {
 		var err error
 		storeConfig.TLS, err = p.TLS.CreateTLSConfig(ctx)
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("unable to create client TLS configuration: %w", err)
 		}
 	}

--- a/pkg/provider/kv/kv_test.go
+++ b/pkg/provider/kv/kv_test.go
@ -399,7 +399,7 @@ func Test_buildConfiguration(t *testing.T) {
 				"Middleware08": {
 					ForwardAuth: &dynamic.ForwardAuth{
 						Address: "foobar",
-						TLS: &dynamic.ClientTLS{
+						TLS: &types.ClientTLS{
 							CA:                 "foobar",
 							CAOptional:         true,
 							Cert:               "foobar",
@ -478,7 +478,7 @@ func Test_buildConfiguration(t *testing.T) {
 							NotAfter:  true,
 							NotBefore: true,
 							Sans:      true,
-							Subject: &dynamic.TLSCLientCertificateDNInfo{
+							Subject: &dynamic.TLSClientCertificateDNInfo{
 								Country:         true,
 								Province:        true,
 								Locality:        true,
@ -487,7 +487,7 @@ func Test_buildConfiguration(t *testing.T) {
 								SerialNumber:    true,
 								DomainComponent: true,
 							},
-							Issuer: &dynamic.TLSCLientCertificateDNInfo{
+							Issuer: &dynamic.TLSClientCertificateDNInfo{
 								Country:         true,
 								Province:        true,
 								Locality:        true,
--- a/pkg/provider/marathon/marathon.go
+++ b/pkg/provider/marathon/marathon.go
@ -134,7 +134,7 @@ func (p *Provider) Provide(configurationChan chan<- dynamic.Message, pool *safe.
 		}
 		TLSConfig, err := p.TLS.CreateTLSConfig(ctx)
 		if err != nil {
-			return err
+			return fmt.Errorf("unable to create client TLS configuration: %w", err)
 		}
 		confg.HTTPClient = &http.Client{
 			Transport: &http.Transport{