From 7d274e80889645e880df51193b43f267515c48b8 Mon Sep 17 00:00:00 2001 From: Kevin Pollet Date: Thu, 28 Apr 2022 14:58:08 +0200 Subject: [PATCH] Deprecate caOptional option in client TLS configuration
---
 docs/content/middlewares/http/forwardauth.md | 64 -------------------- docs/content/migration/v2.md | 5 ++ docs/content/providers/consul-catalog.md | 31 ---------- docs/content/providers/consul.md | 30 --------- docs/content/providers/docker.md | 30 --------- docs/content/providers/etcd.md | 30 --------- docs/content/providers/http.md | 30 --------- docs/content/providers/marathon.md | 30 --------- docs/content/providers/redis.md | 30 --------- docs/content/providers/zookeeper.md | 30 --------- pkg/types/tls.go | 16 ++--- 11 files changed, 11 insertions(+), 315 deletions(-)
diff --git a/docs/content/middlewares/http/forwardauth.md b/docs/content/middlewares/http/forwardauth.md
index 0d2d566f5..fdcff0321 100644
--- a/docs/content/middlewares/http/forwardauth.md
+++ b/docs/content/middlewares/http/forwardauth.md
@@ -426,70 +426,6 @@ http: ca = "path/to/local.crt" ``` -#### `caOptional` - -_Optional_ - -The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to the authentication server. - -!!! warning "" - - If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified. - -When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid. - -When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client. - -```yaml tab="Docker" -labels: - - "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional=true" -``` - -```yaml tab="Kubernetes" -apiVersion: traefik.containo.us/v1alpha1 -kind: Middleware -metadata: - name: test-auth -spec: - forwardAuth: - address: https://example.com/auth - tls: - caOptional: true -``` - -```yaml tab="Consul Catalog" -- "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional=true" -``` - -```json tab="Marathon" -"labels": { - "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional": "true" -} -``` - -```yaml tab="Rancher" -labels: - - "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional=true" -``` - -```yaml tab="File (YAML)" -http: - middlewares: - test-auth: - forwardAuth: - address: "https://example.com/auth" - tls: - caOptional: true -``` - -```toml tab="File (TOML)" -[http.middlewares] - [http.middlewares.test-auth.forwardAuth] - address = "https://example.com/auth" - [http.middlewares.test-auth.forwardAuth.tls] - caOptional = true -``` - #### `cert` _Optional_ diff --git a/docs/content/migration/v2.md b/docs/content/migration/v2.md index d3f80dcde..783d08cac 100644 --- a/docs/content/migration/v2.md +++ b/docs/content/migration/v2.md 
@@ -464,3 +464,8 @@ In `v2.6.1`, the Datadog tags added to a span changed from `service.name` to `tr In `v2.7`, the `pilot.token` and `pilot.dashboard` options are deprecated. Please check the [feature deprecation page](../deprecation/features.md) and our Blog for migration instructions later this year. + +## v2.8 + +In `v2.8`, the `caOptional` option is deprecated as TLS client authentication is a server side option. +This option available in the ForwardAuth middleware, as well as in the HTTP, Consul, Etcd, Redis, ZooKeeper, Marathon, Consul Catalog, and Docker providers has no effect and must not be used anymore. diff --git a/docs/content/providers/consul-catalog.md b/docs/content/providers/consul-catalog.md index af03bb2a2..f9db6f119 100644 --- a/docs/content/providers/consul-catalog.md +++ b/docs/content/providers/consul-catalog.md @@ -393,37 +393,6 @@ providers: --providers.consulcatalog.endpoint.tls.ca=path/to/ca.crt ``` -##### `caOptional` - -_Optional_ - -The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Consul Catalog. - -!!! warning "" - - If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified. - -When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid. - -When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client. - -```yaml tab="File (YAML)" -providers: - consulCatalog: - endpoint: - tls: - caOptional: true -``` - -```toml tab="File (TOML)" -[providers.consulCatalog.endpoint.tls] - caOptional = true -``` - -```bash tab="CLI" ---providers.consulcatalog.endpoint.tls.caoptional=true -``` - ##### `cert` _Optional_ 
diff --git a/docs/content/providers/consul.md b/docs/content/providers/consul.md index 289991062..25e84abbe 100644 --- a/docs/content/providers/consul.md +++ b/docs/content/providers/consul.md @@ -185,36 +185,6 @@ providers: --providers.consul.tls.ca=path/to/ca.crt ``` -#### `caOptional` - -_Optional_ - -The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Consul. - -!!! warning "" - - If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified. - -When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid. - -When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client. - -```yaml tab="File (YAML)" -providers: - consul: - tls: - caOptional: true -``` - -```toml tab="File (TOML)" -[providers.consul.tls] - caOptional = true -``` - -```bash tab="CLI" ---providers.consul.tls.caOptional=true -``` - #### `cert` _Optional_ diff --git a/docs/content/providers/docker.md b/docs/content/providers/docker.md index 3ff5cc556..9b55f0668 100644 --- a/docs/content/providers/docker.md +++ b/docs/content/providers/docker.md 
@@ -643,36 +643,6 @@ providers: --providers.docker.tls.ca=path/to/ca.crt ``` -#### `caOptional` - -_Optional_ - -The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Docker. - -!!! warning "" - - If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified. - -When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid. - -When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client. - -```yaml tab="File (YAML)" -providers: - docker: - tls: - caOptional: true -``` - -```toml tab="File (TOML)" -[providers.docker.tls] - caOptional = true -``` - -```bash tab="CLI" ---providers.docker.tls.caOptional=true -``` - #### `cert` `cert` is the path to the public certificate used for the secure connection to Docker. diff --git a/docs/content/providers/etcd.md b/docs/content/providers/etcd.md index 82909eedd..6bfaef7b7 100644 --- a/docs/content/providers/etcd.md +++ b/docs/content/providers/etcd.md 
@@ -134,36 +134,6 @@ providers: --providers.etcd.tls.ca=path/to/ca.crt ``` -#### `caOptional` - -_Optional_ - -The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to etcd. - -!!! warning "" - - If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified. - -When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid. - -When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client. - -```yaml tab="File (YAML)" -providers: - etcd: - tls: - caOptional: true -``` - -```toml tab="File (TOML)" -[providers.etcd.tls] - caOptional = true -``` - -```bash tab="CLI" ---providers.etcd.tls.caOptional=true -``` - #### `cert` _Optional_ diff --git a/docs/content/providers/http.md b/docs/content/providers/http.md index 5868e7a4b..f99e90a7c 100644 --- a/docs/content/providers/http.md +++ b/docs/content/providers/http.md 
@@ -105,36 +105,6 @@ providers: --providers.http.tls.ca=path/to/ca.crt ``` -#### `caOptional` - -_Optional_ - -The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to the endpoint. - -!!! warning "" - - If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified. - -When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid. - -When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client. - -```yaml tab="File (YAML)" -providers: - http: - tls: - caOptional: true -``` - -```toml tab="File (TOML)" -[providers.http.tls] - caOptional = true -``` - -```bash tab="CLI" ---providers.http.tls.caOptional=true -``` - #### `cert` _Optional_ diff --git a/docs/content/providers/marathon.md b/docs/content/providers/marathon.md index ec1490e1f..a0ab85ccb 100644 --- a/docs/content/providers/marathon.md +++ b/docs/content/providers/marathon.md 
@@ -432,36 +432,6 @@ providers: --providers.marathon.tls.ca=path/to/ca.crt ``` -#### `caOptional` - -_Optional_ - -The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Marathon. - -!!! warning "" - - If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified. - -When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid. - -When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client. - -```yaml tab="File (YAML)" -providers: - marathon: - tls: - caOptional: true -``` - -```toml tab="File (TOML)" -[providers.marathon.tls] - caOptional = true -``` - -```bash tab="CLI" ---providers.marathon.tls.caOptional=true -``` - #### `cert` _Optional_ diff --git a/docs/content/providers/redis.md b/docs/content/providers/redis.md index 762d9aab6..505e612b6 100644 --- a/docs/content/providers/redis.md +++ b/docs/content/providers/redis.md 
@@ -134,36 +134,6 @@ providers: --providers.redis.tls.ca=path/to/ca.crt ``` -#### `caOptional` - -_Optional_ - -The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Redis. - -!!! warning "" - - If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified. - -When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid. - -When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client. - -```yaml tab="File (YAML)" -providers: - redis: - tls: - caOptional: true -``` - -```toml tab="File (TOML)" -[providers.redis.tls] - caOptional = true -``` - -```bash tab="CLI" ---providers.redis.tls.caOptional=true -``` - #### `cert` _Optional_ diff --git a/docs/content/providers/zookeeper.md b/docs/content/providers/zookeeper.md index 8ebc94859..7b7483f98 100644 --- a/docs/content/providers/zookeeper.md +++ b/docs/content/providers/zookeeper.md 
@@ -134,36 +134,6 @@ providers: --providers.zookeeper.tls.ca=path/to/ca.crt ``` -#### `caOptional` - -_Optional_ - -The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Zookeeper. - -!!! warning "" - - If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified. - -When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid. - -When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client. - -```yaml tab="File (YAML)" -providers: - zooKeeper: - tls: - caOptional: true -``` - -```toml tab="File (TOML)" -[providers.zooKeeper.tls] - caOptional = true -``` - -```bash tab="CLI" ---providers.zookeeper.tls.caOptional=true -``` - #### `cert` _Optional_ diff --git a/pkg/types/tls.go b/pkg/types/tls.go index f064f4e4b..821ac0c78 100644 --- a/pkg/types/tls.go +++ b/pkg/types/tls.go 
@@ -16,7 +16,8 @@ import (
 // ClientTLS holds TLS specific configurations as client
 // CA, Cert and Key can be either path or file contents.
 type ClientTLS struct {
- CA string `description:"TLS CA" json:"ca,omitempty" toml:"ca,omitempty" yaml:"ca,omitempty"`
+ CA string `description:"TLS CA" json:"ca,omitempty" toml:"ca,omitempty" yaml:"ca,omitempty"`
+ // Deprecated: TLS client authentication is a server side option (see https://github.com/golang/go/blob/740a490f71d026bb7d2d13cb8fa2d6d6e0572b70/src/crypto/tls/common.go#L634).
 CAOptional bool `description:"TLS CA.Optional" json:"caOptional,omitempty" toml:"caOptional,omitempty" yaml:"caOptional,omitempty" export:"true"`
 Cert string `description:"TLS cert" json:"cert,omitempty" toml:"cert,omitempty" yaml:"cert,omitempty"`
 Key string `description:"TLS key" json:"key,omitempty" toml:"key,omitempty" yaml:"key,omitempty" loggable:"false"`
@@ -30,10 +31,13 @@ func (clientTLS *ClientTLS) CreateTLSConfig(ctx context.Context) (*tls.Config, e
 return nil, nil
 }
 
+ if clientTLS.CAOptional {
+ log.FromContext(ctx).Warn("CAOptional is deprecated, TLS client authentication is a server side option.")
+ }
+
 // Not initialized, to rely on system bundle.
 var caPool *x509.CertPool
 
- clientAuth := tls.NoClientCert
 if clientTLS.CA != "" {
 var ca []byte
 if _, errCA := os.Stat(clientTLS.CA); errCA == nil {
@@ -50,12 +54,6 @@ func (clientTLS *ClientTLS) CreateTLSConfig(ctx context.Context) (*tls.Config, e
 if !caPool.AppendCertsFromPEM(ca) {
 return nil, errors.New("failed to parse CA")
 }
-
- if clientTLS.CAOptional {
- clientAuth = tls.VerifyClientCertIfGiven
- } else {
- clientAuth = tls.RequireAndVerifyClientCert
- }
 }
 
 hasCert := len(clientTLS.Cert) > 0
@@ -69,7 +67,6 @@ func (clientTLS *ClientTLS) CreateTLSConfig(ctx context.Context) (*tls.Config, e
 return &tls.Config{
 RootCAs: caPool,
 InsecureSkipVerify: clientTLS.InsecureSkipVerify,
- ClientAuth: clientAuth,
 }, nil
 }
 
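Review bot: The `description` tag on `CAOptional` in the first hunk still reads `TLS CA.Optional` with no deprecation marker, so any CLI help or reference output generated from that tag (if the project derives it from these tags, as the `description` key suggests) will keep presenting the option as a live setting even though the `// Deprecated:` comment and the new runtime warning say it does nothing; `description:"TLS CA.Optional (Deprecated: has no effect)"` would make the deprecation visible wherever the option is surfaced. The warning added in the second hunk is the only remaining use of the field, which is correct now that `ClientAuth` is no longer set on either returned `tls.Config`, but operators who set `caOptional: false` expecting stricter peer verification get no pointer to the settings that actually govern it on the client side; the message could say so, e.g. `Warn("CAOptional is deprecated and has no effect: TLS client authentication is a server side option; server certificate verification is governed by ca and insecureSkipVerify.")`. The warning fires on every `CreateTLSConfig` call while the flag is set, so expect one log line per configuration build rather than a one-time notice. `CreateTLSConfig`'s body continues outside the hunks.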
@@ -82,7 +79,6 @@ func (clientTLS *ClientTLS) CreateTLSConfig(ctx context.Context) (*tls.Config, e
 Certificates: []tls.Certificate{cert},
 RootCAs: caPool,
 InsecureSkipVerify: clientTLS.InsecureSkipVerify,
- ClientAuth: clientAuth,
 }, nil
 }