tls Manager: do not build a default certificate for ACME challenges store

Co-authored-by: Mathieu Lonjaret <mathieu.lonjaret@gmail.com> Co-authored-by: Romain <rtribotte@users.noreply.github.com>
2021-06-14 10:06:05 +02:00 · 2021-06-14 10:06:05 +02:00 · f15d05b22f
commit f15d05b22f
parent fc9f41b955
6 changed files with 86 additions and 51 deletions
--- a/pkg/server/aggregator.go
+++ b/pkg/server/aggregator.go
@ -91,7 +91,7 @@ func mergeConfiguration(configurations dynamic.Configurations, defaultEntryPoint
 			}

 			for key, store := range configuration.TLS.Stores {
-				if key != "default" {
+				if key != tls.DefaultTLSStoreName {
 					key = provider.MakeQualifiedName(pvd, key)
 				} else {
 					defaultTLSStoreProviders = append(defaultTLSStoreProviders, pvd)
@ -113,16 +113,16 @@ func mergeConfiguration(configurations dynamic.Configurations, defaultEntryPoint

 	if len(defaultTLSStoreProviders) > 1 {
 		log.WithoutContext().Errorf("Default TLS Stores defined multiple times in %v", defaultTLSOptionProviders)
-		delete(conf.TLS.Stores, "default")
+		delete(conf.TLS.Stores, tls.DefaultTLSStoreName)
 	}

 	if len(defaultTLSOptionProviders) == 0 {
-		conf.TLS.Options["default"] = tls.DefaultTLSOptions
+		conf.TLS.Options[tls.DefaultTLSConfigName] = tls.DefaultTLSOptions
 	} else if len(defaultTLSOptionProviders) > 1 {
 		log.WithoutContext().Errorf("Default TLS Options defined multiple times in %v", defaultTLSOptionProviders)
 		// We do not set an empty tls.TLS{} as above so that we actually get a "cascading failure" later on,
 		// i.e. routers depending on this missing TLS option will fail to initialize as well.
-		delete(conf.TLS.Options, "default")
+		delete(conf.TLS.Options, tls.DefaultTLSConfigName)
 	}

 	return conf
--- a/pkg/server/router/tcp/router.go
+++ b/pkg/server/router/tcp/router.go
@ -18,11 +18,6 @@ import (
 	traefiktls "github.com/traefik/traefik/v2/pkg/tls"
 )

-const (
-	defaultTLSConfigName = "default"
-	defaultTLSStoreName  = "default"
-)
-
 type middlewareBuilder interface {
 	BuildChain(ctx context.Context, names []string) *tcp.Chain
 }
@ -103,7 +98,7 @@ func (m *Manager) buildEntryPointHandler(ctx context.Context, configs map[string
 	router := &tcp.Router{}
 	router.HTTPHandler(handlerHTTP)

-	defaultTLSConf, err := m.tlsManager.Get(defaultTLSStoreName, defaultTLSConfigName)
+	defaultTLSConf, err := m.tlsManager.Get(traefiktls.DefaultTLSStoreName, traefiktls.DefaultTLSConfigName)
 	if err != nil {
 		log.FromContext(ctx).Errorf("Error during the build of the default TLS configuration: %v", err)
 	}
@ -123,8 +118,8 @@ func (m *Manager) buildEntryPointHandler(ctx context.Context, configs map[string
 		ctxRouter := log.With(provider.AddInContext(ctx, routerHTTPName), log.Str(log.RouterName, routerHTTPName))
 		logger := log.FromContext(ctxRouter)

-		tlsOptionsName := defaultTLSConfigName
-		if len(routerHTTPConfig.TLS.Options) > 0 && routerHTTPConfig.TLS.Options != defaultTLSConfigName {
+		tlsOptionsName := traefiktls.DefaultTLSConfigName
+		if len(routerHTTPConfig.TLS.Options) > 0 && routerHTTPConfig.TLS.Options != traefiktls.DefaultTLSConfigName {
 			tlsOptionsName = provider.GetQualifiedName(ctxRouter, routerHTTPConfig.TLS.Options)
 		}

@ -141,7 +136,7 @@ func (m *Manager) buildEntryPointHandler(ctx context.Context, configs map[string
 		}

 		for _, domain := range domains {
-			tlsConf, err := m.tlsManager.Get(defaultTLSStoreName, tlsOptionsName)
+			tlsConf, err := m.tlsManager.Get(traefiktls.DefaultTLSStoreName, tlsOptionsName)
 			if err != nil {
 				routerHTTPConfig.AddError(err, true)
 				logger.Debug(err)
@ -159,7 +154,7 @@ func (m *Manager) buildEntryPointHandler(ctx context.Context, configs map[string

 			if name, ok := tlsOptionsForHost[domain]; ok && name != tlsOptionsName {
 				// Different tlsOptions on the same domain fallback to default
-				tlsOptionsForHost[domain] = defaultTLSConfigName
+				tlsOptionsForHost[domain] = traefiktls.DefaultTLSConfigName
 			} else {
 				tlsOptionsForHost[domain] = tlsOptionsName
 			}
@ -280,14 +275,14 @@ func (m *Manager) buildEntryPointHandler(ctx context.Context, configs map[string
 				tlsOptionsName := routerConfig.TLS.Options

 				if len(tlsOptionsName) == 0 {
-					tlsOptionsName = defaultTLSConfigName
+					tlsOptionsName = traefiktls.DefaultTLSConfigName
 				}

-				if tlsOptionsName != defaultTLSConfigName {
+				if tlsOptionsName != traefiktls.DefaultTLSConfigName {
 					tlsOptionsName = provider.GetQualifiedName(ctxRouter, tlsOptionsName)
 				}

-				tlsConf, err := m.tlsManager.Get(defaultTLSStoreName, tlsOptionsName)
+				tlsConf, err := m.tlsManager.Get(traefiktls.DefaultTLSStoreName, tlsOptionsName)
 				if err != nil {
 					routerConfig.AddError(err, true)
 					logger.Debug(err)
@ -338,5 +333,5 @@ func findTLSOptionName(tlsOptionsForHost map[string]string, host string) string
 		return tlsOptions
 	}

-	return defaultTLSConfigName
+	return traefiktls.DefaultTLSConfigName
 }