Deprecate caOptional option in client TLS configuration
This commit is contained in:
parent
707d355d4a
commit
7d274e8088
11 changed files with 11 additions and 315 deletions
|
@ -426,70 +426,6 @@ http:
|
|||
ca = "path/to/local.crt"
|
||||
```
|
||||
|
||||
#### `caOptional`
|
||||
|
||||
_Optional_
|
||||
|
||||
The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to the authentication server.
|
||||
|
||||
!!! warning ""
|
||||
|
||||
If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
|
||||
|
||||
When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
|
||||
|
||||
When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client.
|
||||
|
||||
```yaml tab="Docker"
|
||||
labels:
|
||||
- "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional=true"
|
||||
```
|
||||
|
||||
```yaml tab="Kubernetes"
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: Middleware
|
||||
metadata:
|
||||
name: test-auth
|
||||
spec:
|
||||
forwardAuth:
|
||||
address: https://example.com/auth
|
||||
tls:
|
||||
caOptional: true
|
||||
```
|
||||
|
||||
```yaml tab="Consul Catalog"
|
||||
- "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional=true"
|
||||
```
|
||||
|
||||
```json tab="Marathon"
|
||||
"labels": {
|
||||
"traefik.http.middlewares.test-auth.forwardauth.tls.caOptional": "true"
|
||||
}
|
||||
```
|
||||
|
||||
```yaml tab="Rancher"
|
||||
labels:
|
||||
- "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional=true"
|
||||
```
|
||||
|
||||
```yaml tab="File (YAML)"
|
||||
http:
|
||||
middlewares:
|
||||
test-auth:
|
||||
forwardAuth:
|
||||
address: "https://example.com/auth"
|
||||
tls:
|
||||
caOptional: true
|
||||
```
|
||||
|
||||
```toml tab="File (TOML)"
|
||||
[http.middlewares]
|
||||
[http.middlewares.test-auth.forwardAuth]
|
||||
address = "https://example.com/auth"
|
||||
[http.middlewares.test-auth.forwardAuth.tls]
|
||||
caOptional = true
|
||||
```
|
||||
|
||||
#### `cert`
|
||||
|
||||
_Optional_
|
||||
|
|
|
@ -464,3 +464,8 @@ In `v2.6.1`, the Datadog tags added to a span changed from `service.name` to `tr
|
|||
|
||||
In `v2.7`, the `pilot.token` and `pilot.dashboard` options are deprecated.
|
||||
Please check the [feature deprecation page](../deprecation/features.md) and our Blog for migration instructions later this year.
|
||||
|
||||
## v2.8
|
||||
|
||||
In `v2.8`, the `caOptional` option is deprecated as TLS client authentication is a server side option.
|
||||
This option available in the ForwardAuth middleware, as well as in the HTTP, Consul, Etcd, Redis, ZooKeeper, Marathon, Consul Catalog, and Docker providers has no effect and must not be used anymore.
|
||||
|
|
|
@ -393,37 +393,6 @@ providers:
|
|||
--providers.consulcatalog.endpoint.tls.ca=path/to/ca.crt
|
||||
```
|
||||
|
||||
##### `caOptional`
|
||||
|
||||
_Optional_
|
||||
|
||||
The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Consul Catalog.
|
||||
|
||||
!!! warning ""
|
||||
|
||||
If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
|
||||
|
||||
When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
|
||||
|
||||
When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client.
|
||||
|
||||
```yaml tab="File (YAML)"
|
||||
providers:
|
||||
consulCatalog:
|
||||
endpoint:
|
||||
tls:
|
||||
caOptional: true
|
||||
```
|
||||
|
||||
```toml tab="File (TOML)"
|
||||
[providers.consulCatalog.endpoint.tls]
|
||||
caOptional = true
|
||||
```
|
||||
|
||||
```bash tab="CLI"
|
||||
--providers.consulcatalog.endpoint.tls.caoptional=true
|
||||
```
|
||||
|
||||
##### `cert`
|
||||
|
||||
_Optional_
|
||||
|
|
|
@ -185,36 +185,6 @@ providers:
|
|||
--providers.consul.tls.ca=path/to/ca.crt
|
||||
```
|
||||
|
||||
#### `caOptional`
|
||||
|
||||
_Optional_
|
||||
|
||||
The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Consul.
|
||||
|
||||
!!! warning ""
|
||||
|
||||
If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
|
||||
|
||||
When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
|
||||
|
||||
When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client.
|
||||
|
||||
```yaml tab="File (YAML)"
|
||||
providers:
|
||||
consul:
|
||||
tls:
|
||||
caOptional: true
|
||||
```
|
||||
|
||||
```toml tab="File (TOML)"
|
||||
[providers.consul.tls]
|
||||
caOptional = true
|
||||
```
|
||||
|
||||
```bash tab="CLI"
|
||||
--providers.consul.tls.caOptional=true
|
||||
```
|
||||
|
||||
#### `cert`
|
||||
|
||||
_Optional_
|
||||
|
|
|
@ -643,36 +643,6 @@ providers:
|
|||
--providers.docker.tls.ca=path/to/ca.crt
|
||||
```
|
||||
|
||||
#### `caOptional`
|
||||
|
||||
_Optional_
|
||||
|
||||
The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Docker.
|
||||
|
||||
!!! warning ""
|
||||
|
||||
If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
|
||||
|
||||
When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
|
||||
|
||||
When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client.
|
||||
|
||||
```yaml tab="File (YAML)"
|
||||
providers:
|
||||
docker:
|
||||
tls:
|
||||
caOptional: true
|
||||
```
|
||||
|
||||
```toml tab="File (TOML)"
|
||||
[providers.docker.tls]
|
||||
caOptional = true
|
||||
```
|
||||
|
||||
```bash tab="CLI"
|
||||
--providers.docker.tls.caOptional=true
|
||||
```
|
||||
|
||||
#### `cert`
|
||||
|
||||
`cert` is the path to the public certificate used for the secure connection to Docker.
|
||||
|
|
|
@ -134,36 +134,6 @@ providers:
|
|||
--providers.etcd.tls.ca=path/to/ca.crt
|
||||
```
|
||||
|
||||
#### `caOptional`
|
||||
|
||||
_Optional_
|
||||
|
||||
The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to etcd.
|
||||
|
||||
!!! warning ""
|
||||
|
||||
If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
|
||||
|
||||
When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
|
||||
|
||||
When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client.
|
||||
|
||||
```yaml tab="File (YAML)"
|
||||
providers:
|
||||
etcd:
|
||||
tls:
|
||||
caOptional: true
|
||||
```
|
||||
|
||||
```toml tab="File (TOML)"
|
||||
[providers.etcd.tls]
|
||||
caOptional = true
|
||||
```
|
||||
|
||||
```bash tab="CLI"
|
||||
--providers.etcd.tls.caOptional=true
|
||||
```
|
||||
|
||||
#### `cert`
|
||||
|
||||
_Optional_
|
||||
|
|
|
@ -105,36 +105,6 @@ providers:
|
|||
--providers.http.tls.ca=path/to/ca.crt
|
||||
```
|
||||
|
||||
#### `caOptional`
|
||||
|
||||
_Optional_
|
||||
|
||||
The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to the endpoint.
|
||||
|
||||
!!! warning ""
|
||||
|
||||
If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
|
||||
|
||||
When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
|
||||
|
||||
When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client.
|
||||
|
||||
```yaml tab="File (YAML)"
|
||||
providers:
|
||||
http:
|
||||
tls:
|
||||
caOptional: true
|
||||
```
|
||||
|
||||
```toml tab="File (TOML)"
|
||||
[providers.http.tls]
|
||||
caOptional = true
|
||||
```
|
||||
|
||||
```bash tab="CLI"
|
||||
--providers.http.tls.caOptional=true
|
||||
```
|
||||
|
||||
#### `cert`
|
||||
|
||||
_Optional_
|
||||
|
|
|
@ -432,36 +432,6 @@ providers:
|
|||
--providers.marathon.tls.ca=path/to/ca.crt
|
||||
```
|
||||
|
||||
#### `caOptional`
|
||||
|
||||
_Optional_
|
||||
|
||||
The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Marathon.
|
||||
|
||||
!!! warning ""
|
||||
|
||||
If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
|
||||
|
||||
When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
|
||||
|
||||
When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client.
|
||||
|
||||
```yaml tab="File (YAML)"
|
||||
providers:
|
||||
marathon:
|
||||
tls:
|
||||
caOptional: true
|
||||
```
|
||||
|
||||
```toml tab="File (TOML)"
|
||||
[providers.marathon.tls]
|
||||
caOptional = true
|
||||
```
|
||||
|
||||
```bash tab="CLI"
|
||||
--providers.marathon.tls.caOptional=true
|
||||
```
|
||||
|
||||
#### `cert`
|
||||
|
||||
_Optional_
|
||||
|
|
|
@ -134,36 +134,6 @@ providers:
|
|||
--providers.redis.tls.ca=path/to/ca.crt
|
||||
```
|
||||
|
||||
#### `caOptional`
|
||||
|
||||
_Optional_
|
||||
|
||||
The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Redis.
|
||||
|
||||
!!! warning ""
|
||||
|
||||
If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
|
||||
|
||||
When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
|
||||
|
||||
When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client.
|
||||
|
||||
```yaml tab="File (YAML)"
|
||||
providers:
|
||||
redis:
|
||||
tls:
|
||||
caOptional: true
|
||||
```
|
||||
|
||||
```toml tab="File (TOML)"
|
||||
[providers.redis.tls]
|
||||
caOptional = true
|
||||
```
|
||||
|
||||
```bash tab="CLI"
|
||||
--providers.redis.tls.caOptional=true
|
||||
```
|
||||
|
||||
#### `cert`
|
||||
|
||||
_Optional_
|
||||
|
|
|
@ -134,36 +134,6 @@ providers:
|
|||
--providers.zookeeper.tls.ca=path/to/ca.crt
|
||||
```
|
||||
|
||||
#### `caOptional`
|
||||
|
||||
_Optional_
|
||||
|
||||
The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Zookeeper.
|
||||
|
||||
!!! warning ""
|
||||
|
||||
If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
|
||||
|
||||
When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
|
||||
|
||||
When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client.
|
||||
|
||||
```yaml tab="File (YAML)"
|
||||
providers:
|
||||
zooKeeper:
|
||||
tls:
|
||||
caOptional: true
|
||||
```
|
||||
|
||||
```toml tab="File (TOML)"
|
||||
[providers.zooKeeper.tls]
|
||||
caOptional = true
|
||||
```
|
||||
|
||||
```bash tab="CLI"
|
||||
--providers.zookeeper.tls.caOptional=true
|
||||
```
|
||||
|
||||
#### `cert`
|
||||
|
||||
_Optional_
|
||||
|
|
|
@ -16,7 +16,8 @@ import (
|
|||
// ClientTLS holds TLS specific configurations as client
|
||||
// CA, Cert and Key can be either path or file contents.
|
||||
type ClientTLS struct {
|
||||
CA string `description:"TLS CA" json:"ca,omitempty" toml:"ca,omitempty" yaml:"ca,omitempty"`
|
||||
CA string `description:"TLS CA" json:"ca,omitempty" toml:"ca,omitempty" yaml:"ca,omitempty"`
|
||||
// Deprecated: TLS client authentication is a server side option (see https://github.com/golang/go/blob/740a490f71d026bb7d2d13cb8fa2d6d6e0572b70/src/crypto/tls/common.go#L634).
|
||||
CAOptional bool `description:"TLS CA.Optional" json:"caOptional,omitempty" toml:"caOptional,omitempty" yaml:"caOptional,omitempty" export:"true"`
|
||||
Cert string `description:"TLS cert" json:"cert,omitempty" toml:"cert,omitempty" yaml:"cert,omitempty"`
|
||||
Key string `description:"TLS key" json:"key,omitempty" toml:"key,omitempty" yaml:"key,omitempty" loggable:"false"`
|
||||
|
@ -30,10 +31,13 @@ func (clientTLS *ClientTLS) CreateTLSConfig(ctx context.Context) (*tls.Config, e
|
|||
return nil, nil
|
||||
}
|
||||
|
||||
if clientTLS.CAOptional {
|
||||
log.FromContext(ctx).Warn("CAOptional is deprecated, TLS client authentication is a server side option.")
|
||||
}
|
||||
|
||||
// Not initialized, to rely on system bundle.
|
||||
var caPool *x509.CertPool
|
||||
|
||||
clientAuth := tls.NoClientCert
|
||||
if clientTLS.CA != "" {
|
||||
var ca []byte
|
||||
if _, errCA := os.Stat(clientTLS.CA); errCA == nil {
|
||||
|
@ -50,12 +54,6 @@ func (clientTLS *ClientTLS) CreateTLSConfig(ctx context.Context) (*tls.Config, e
|
|||
if !caPool.AppendCertsFromPEM(ca) {
|
||||
return nil, errors.New("failed to parse CA")
|
||||
}
|
||||
|
||||
if clientTLS.CAOptional {
|
||||
clientAuth = tls.VerifyClientCertIfGiven
|
||||
} else {
|
||||
clientAuth = tls.RequireAndVerifyClientCert
|
||||
}
|
||||
}
|
||||
|
||||
hasCert := len(clientTLS.Cert) > 0
|
||||
|
@ -69,7 +67,6 @@ func (clientTLS *ClientTLS) CreateTLSConfig(ctx context.Context) (*tls.Config, e
|
|||
return &tls.Config{
|
||||
RootCAs: caPool,
|
||||
InsecureSkipVerify: clientTLS.InsecureSkipVerify,
|
||||
ClientAuth: clientAuth,
|
||||
}, nil
|
||||
}
|
||||
|
||||
|
@ -82,7 +79,6 @@ func (clientTLS *ClientTLS) CreateTLSConfig(ctx context.Context) (*tls.Config, e
|
|||
Certificates: []tls.Certificate{cert},
|
||||
RootCAs: caPool,
|
||||
InsecureSkipVerify: clientTLS.InsecureSkipVerify,
|
||||
ClientAuth: clientAuth,
|
||||
}, nil
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue