fix: do not require a TLS client cert when InsecureSkipVerify is false

Co-authored-by: Tom Moulard <tom.moulard@traefik.io>

docs/content/reference/dynamic-configuration/traefik.containo.us_middlewares.yaml

@@ -398,7 +398,7 @@ spec:
                       info configuration.
                     properties:
                       issuer:
-                        description: TLSCLientCertificateDNInfo holds the client TLS
+                        description: TLSClientCertificateDNInfo holds the client TLS
                           certificate distinguished name info configuration. cf https://tools.ietf.org/html/rfc3739
                         properties:
                           commonName:
@@ -425,7 +425,7 @@ spec:
                       serialNumber:
                         type: boolean
                       subject:
-                        description: TLSCLientCertificateDNInfo holds the client TLS
+                        description: TLSClientCertificateDNInfo holds the client TLS
                           certificate distinguished name info configuration. cf https://tools.ietf.org/html/rfc3739
                         properties:
                           commonName:

integration/fixtures/k8s/01-traefik-crd.yml

@@ -840,7 +840,7 @@ spec:
                       info configuration.
                     properties:
                       issuer:
-                        description: TLSCLientCertificateDNInfo holds the client TLS
+                        description: TLSClientCertificateDNInfo holds the client TLS
                           certificate distinguished name info configuration. cf https://tools.ietf.org/html/rfc3739
                         properties:
                           commonName:
@@ -867,7 +867,7 @@ spec:
                       serialNumber:
                         type: boolean
                       subject:
-                        description: TLSCLientCertificateDNInfo holds the client TLS
+                        description: TLSClientCertificateDNInfo holds the client TLS
                           certificate distinguished name info configuration. cf https://tools.ietf.org/html/rfc3739
                         properties:
                           commonName:

pkg/anonymize/anonymize_config_test.go

@@ -273,7 +273,7 @@ func TestDo_dynamicConfiguration(t *testing.T) {
 				},
 				ForwardAuth: &dynamic.ForwardAuth{
 					Address: "127.0.0.1",
-					TLS: &dynamic.ClientTLS{
+					TLS: &types.ClientTLS{
 						CA:                 "ca.pem",
 						CAOptional:         true,
 						Cert:               "cert.pem",
@@ -315,7 +315,7 @@ func TestDo_dynamicConfiguration(t *testing.T) {
 						NotAfter:  true,
 						NotBefore: true,
 						Sans:      true,
-						Subject: &dynamic.TLSCLientCertificateDNInfo{
+						Subject: &dynamic.TLSClientCertificateDNInfo{
 							Country:         true,
 							Province:        true,
 							Locality:        true,
@@ -324,7 +324,7 @@ func TestDo_dynamicConfiguration(t *testing.T) {
 							SerialNumber:    true,
 							DomainComponent: true,
 						},
-						Issuer: &dynamic.TLSCLientCertificateDNInfo{
+						Issuer: &dynamic.TLSClientCertificateDNInfo{
 							Country:         true,
 							Province:        true,
 							Locality:        true,

pkg/config/dynamic/middlewares.go

@@ -1,14 +1,11 @@
 package dynamic
 
 import (
-	"crypto/tls"
-	"crypto/x509"
-	"fmt"
-	"os"
 	"time"
 
 	ptypes "github.com/traefik/paerser/types"
 	"github.com/traefik/traefik/v2/pkg/ip"
+	"github.com/traefik/traefik/v2/pkg/types"
 )
 
 // +k8s:deepcopy-gen=true
@@ -131,7 +128,7 @@ type ErrorPage struct {
 // ForwardAuth holds the http forward authentication configuration.
 type ForwardAuth struct {
 	Address                  string           `json:"address,omitempty" toml:"address,omitempty" yaml:"address,omitempty"`
-	TLS                      *ClientTLS `json:"tls,omitempty" toml:"tls,omitempty" yaml:"tls,omitempty" export:"true"`
+	TLS                      *types.ClientTLS `json:"tls,omitempty" toml:"tls,omitempty" yaml:"tls,omitempty" export:"true"`
 	TrustForwardHeader       bool             `json:"trustForwardHeader,omitempty" toml:"trustForwardHeader,omitempty" yaml:"trustForwardHeader,omitempty" export:"true"`
 	AuthResponseHeaders      []string         `json:"authResponseHeaders,omitempty" toml:"authResponseHeaders,omitempty" yaml:"authResponseHeaders,omitempty" export:"true"`
 	AuthResponseHeadersRegex string           `json:"authResponseHeadersRegex,omitempty" toml:"authResponseHeadersRegex,omitempty" yaml:"authResponseHeadersRegex,omitempty" export:"true"`
@@ -402,16 +399,16 @@ type TLSClientCertificateInfo struct {
 	NotAfter     bool                        `json:"notAfter,omitempty" toml:"notAfter,omitempty" yaml:"notAfter,omitempty" export:"true"`
 	NotBefore    bool                        `json:"notBefore,omitempty" toml:"notBefore,omitempty" yaml:"notBefore,omitempty" export:"true"`
 	Sans         bool                        `json:"sans,omitempty" toml:"sans,omitempty" yaml:"sans,omitempty" export:"true"`
-	Subject      *TLSCLientCertificateDNInfo `json:"subject,omitempty" toml:"subject,omitempty" yaml:"subject,omitempty" export:"true"`
+	Subject      *TLSClientCertificateDNInfo `json:"subject,omitempty" toml:"subject,omitempty" yaml:"subject,omitempty" export:"true"`
-	Issuer       *TLSCLientCertificateDNInfo `json:"issuer,omitempty" toml:"issuer,omitempty" yaml:"issuer,omitempty" export:"true"`
+	Issuer       *TLSClientCertificateDNInfo `json:"issuer,omitempty" toml:"issuer,omitempty" yaml:"issuer,omitempty" export:"true"`
 	SerialNumber bool                        `json:"serialNumber,omitempty" toml:"serialNumber,omitempty" yaml:"serialNumber,omitempty" export:"true"`
 }
 
 // +k8s:deepcopy-gen=true
 
-// TLSCLientCertificateDNInfo holds the client TLS certificate distinguished name info configuration.
+// TLSClientCertificateDNInfo holds the client TLS certificate distinguished name info configuration.
 // cf https://tools.ietf.org/html/rfc3739
-type TLSCLientCertificateDNInfo struct {
+type TLSClientCertificateDNInfo struct {
 	Country         bool `json:"country,omitempty" toml:"country,omitempty" yaml:"country,omitempty" export:"true"`
 	Province        bool `json:"province,omitempty" toml:"province,omitempty" yaml:"province,omitempty" export:"true"`
 	Locality        bool `json:"locality,omitempty" toml:"locality,omitempty" yaml:"locality,omitempty" export:"true"`
@@ -425,83 +422,3 @@ type TLSCLientCertificateDNInfo struct {
 
 // Users holds a list of users.
 type Users []string
-
-// +k8s:deepcopy-gen=true
-
-// ClientTLS holds the TLS specific configurations as client
-// CA, Cert and Key can be either path or file contents.
-type ClientTLS struct {
-	CA                 string `json:"ca,omitempty" toml:"ca,omitempty" yaml:"ca,omitempty"`
-	CAOptional         bool   `json:"caOptional,omitempty" toml:"caOptional,omitempty" yaml:"caOptional,omitempty" export:"true"`
-	Cert               string `json:"cert,omitempty" toml:"cert,omitempty" yaml:"cert,omitempty"`
-	Key                string `json:"key,omitempty" toml:"key,omitempty" yaml:"key,omitempty"`
-	InsecureSkipVerify bool   `json:"insecureSkipVerify,omitempty" toml:"insecureSkipVerify,omitempty" yaml:"insecureSkipVerify,omitempty" export:"true"`
-}
-
-// CreateTLSConfig creates a TLS config from ClientTLS structures.
-func (c *ClientTLS) CreateTLSConfig() (*tls.Config, error) {
-	if c == nil {
-		return nil, nil
-	}
-
-	var err error
-	caPool := x509.NewCertPool()
-	clientAuth := tls.NoClientCert
-	if c.CA != "" {
-		var ca []byte
-		if _, errCA := os.Stat(c.CA); errCA == nil {
-			ca, err = os.ReadFile(c.CA)
-			if err != nil {
-				return nil, fmt.Errorf("failed to read CA. %w", err)
-			}
-		} else {
-			ca = []byte(c.CA)
-		}
-
-		if !caPool.AppendCertsFromPEM(ca) {
-			return nil, fmt.Errorf("failed to parse CA")
-		}
-
-		if c.CAOptional {
-			clientAuth = tls.VerifyClientCertIfGiven
-		} else {
-			clientAuth = tls.RequireAndVerifyClientCert
-		}
-	}
-
-	cert := tls.Certificate{}
-	_, errKeyIsFile := os.Stat(c.Key)
-
-	if !c.InsecureSkipVerify && (len(c.Cert) == 0 || len(c.Key) == 0) {
-		return nil, fmt.Errorf("TLS Certificate or Key file must be set when TLS configuration is created")
-	}
-
-	if len(c.Cert) > 0 && len(c.Key) > 0 {
-		if _, errCertIsFile := os.Stat(c.Cert); errCertIsFile == nil {
-			if errKeyIsFile == nil {
-				cert, err = tls.LoadX509KeyPair(c.Cert, c.Key)
-				if err != nil {
-					return nil, fmt.Errorf("failed to load TLS keypair: %w", err)
-				}
-			} else {
-				return nil, fmt.Errorf("tls cert is a file, but tls key is not")
-			}
-		} else {
-			if errKeyIsFile != nil {
-				cert, err = tls.X509KeyPair([]byte(c.Cert), []byte(c.Key))
-				if err != nil {
-					return nil, fmt.Errorf("failed to load TLS keypair: %w", err)
-				}
-			} else {
-				return nil, fmt.Errorf("TLS key is a file, but tls cert is not")
-			}
-		}
-	}
-
-	return &tls.Config{
-		Certificates:       []tls.Certificate{cert},
-		RootCAs:            caPool,
-		InsecureSkipVerify: c.InsecureSkipVerify,
-		ClientAuth:         clientAuth,
-	}, nil
-}

pkg/config/dynamic/zz_generated.deepcopy.go

@@ -124,22 +124,6 @@ func (in *CircuitBreaker) DeepCopy() *CircuitBreaker {
 	return out
 }
 
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ClientTLS) DeepCopyInto(out *ClientTLS) {
-	*out = *in
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientTLS.
-func (in *ClientTLS) DeepCopy() *ClientTLS {
-	if in == nil {
-		return nil
-	}
-	out := new(ClientTLS)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Compress) DeepCopyInto(out *Compress) {
 	*out = *in
@@ -306,7 +290,7 @@ func (in *ForwardAuth) DeepCopyInto(out *ForwardAuth) {
 	*out = *in
 	if in.TLS != nil {
 		in, out := &in.TLS, &out.TLS
-		*out = new(ClientTLS)
+		*out = new(types.ClientTLS)
 		**out = **in
 	}
 	if in.AuthResponseHeaders != nil {
@@ -1536,17 +1520,17 @@ func (in *TCPWeightedRoundRobin) DeepCopy() *TCPWeightedRoundRobin {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *TLSCLientCertificateDNInfo) DeepCopyInto(out *TLSCLientCertificateDNInfo) {
+func (in *TLSClientCertificateDNInfo) DeepCopyInto(out *TLSClientCertificateDNInfo) {
 	*out = *in
 	return
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSCLientCertificateDNInfo.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSClientCertificateDNInfo.
-func (in *TLSCLientCertificateDNInfo) DeepCopy() *TLSCLientCertificateDNInfo {
+func (in *TLSClientCertificateDNInfo) DeepCopy() *TLSClientCertificateDNInfo {
 	if in == nil {
 		return nil
 	}
-	out := new(TLSCLientCertificateDNInfo)
+	out := new(TLSClientCertificateDNInfo)
 	in.DeepCopyInto(out)
 	return out
 }
@@ -1556,12 +1540,12 @@ func (in *TLSClientCertificateInfo) DeepCopyInto(out *TLSClientCertificateInfo)
 	*out = *in
 	if in.Subject != nil {
 		in, out := &in.Subject, &out.Subject
-		*out = new(TLSCLientCertificateDNInfo)
+		*out = new(TLSClientCertificateDNInfo)
 		**out = **in
 	}
 	if in.Issuer != nil {
 		in, out := &in.Issuer, &out.Issuer
-		*out = new(TLSCLientCertificateDNInfo)
+		*out = new(TLSClientCertificateDNInfo)
 		**out = **in
 	}
 	return

pkg/config/label/label_test.go

@@ -9,6 +9,7 @@ import (
 	"github.com/stretchr/testify/require"
 	ptypes "github.com/traefik/paerser/types"
 	"github.com/traefik/traefik/v2/pkg/config/dynamic"
+	"github.com/traefik/traefik/v2/pkg/types"
 )
 
 func TestDecodeConfiguration(t *testing.T) {
@@ -366,7 +367,7 @@ func TestDecodeConfiguration(t *testing.T) {
 							NotAfter:     true,
 							NotBefore:    true,
 							SerialNumber: true,
-							Subject: &dynamic.TLSCLientCertificateDNInfo{
+							Subject: &dynamic.TLSClientCertificateDNInfo{
 								Country:         true,
 								Province:        true,
 								Locality:        true,
@@ -375,7 +376,7 @@ func TestDecodeConfiguration(t *testing.T) {
 								SerialNumber:    true,
 								DomainComponent: true,
 							},
-							Issuer: &dynamic.TLSCLientCertificateDNInfo{
+							Issuer: &dynamic.TLSClientCertificateDNInfo{
 								Country:         true,
 								Province:        true,
 								Locality:        true,
@@ -501,7 +502,7 @@ func TestDecodeConfiguration(t *testing.T) {
 				"Middleware7": {
 					ForwardAuth: &dynamic.ForwardAuth{
 						Address: "foobar",
-						TLS: &dynamic.ClientTLS{
+						TLS: &types.ClientTLS{
 							CA:                 "foobar",
 							CAOptional:         true,
 							Cert:               "foobar",
@@ -844,7 +845,7 @@ func TestEncodeConfiguration(t *testing.T) {
 							NotAfter:     true,
 							NotBefore:    true,
 							SerialNumber: true,
-							Subject: &dynamic.TLSCLientCertificateDNInfo{
+							Subject: &dynamic.TLSClientCertificateDNInfo{
 								Country:         true,
 								Province:        true,
 								Locality:        true,
@@ -853,7 +854,7 @@ func TestEncodeConfiguration(t *testing.T) {
 								SerialNumber:    true,
 								DomainComponent: true,
 							},
-							Issuer: &dynamic.TLSCLientCertificateDNInfo{
+							Issuer: &dynamic.TLSClientCertificateDNInfo{
 								Country:         true,
 								Province:        true,
 								Locality:        true,
@@ -986,7 +987,7 @@ func TestEncodeConfiguration(t *testing.T) {
 				"Middleware7": {
 					ForwardAuth: &dynamic.ForwardAuth{
 						Address: "foobar",
-						TLS: &dynamic.ClientTLS{
+						TLS: &types.ClientTLS{
 							CA:                 "foobar",
 							CAOptional:         true,
 							Cert:               "foobar",

pkg/middlewares/auth/forward.go

@@ -72,9 +72,9 @@ func NewForward(ctx context.Context, next http.Handler, config dynamic.ForwardAu
 	}
 
 	if config.TLS != nil {
-		tlsConfig, err := config.TLS.CreateTLSConfig()
+		tlsConfig, err := config.TLS.CreateTLSConfig(ctx)
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("unable to create client TLS configuration: %w", err)
 		}
 
 		tr := http.DefaultTransport.(*http.Transport).Clone()

pkg/middlewares/passtlsclientcert/pass_tls_client_cert.go

@@ -46,7 +46,7 @@ type DistinguishedNameOptions struct {
 	StateOrProvinceName bool
 }
 
-func newDistinguishedNameOptions(info *dynamic.TLSCLientCertificateDNInfo) *DistinguishedNameOptions {
+func newDistinguishedNameOptions(info *dynamic.TLSClientCertificateDNInfo) *DistinguishedNameOptions {
 	if info == nil {
 		return nil
 	}

pkg/middlewares/passtlsclientcert/pass_tls_client_cert_test.go

@@ -376,7 +376,7 @@ func TestPassTLSClientCert_certInfo(t *testing.T) {
 			desc: "No TLS, with subject info",
 			config: dynamic.PassTLSClientCert{
 				Info: &dynamic.TLSClientCertificateInfo{
-					Subject: &dynamic.TLSCLientCertificateDNInfo{
+					Subject: &dynamic.TLSClientCertificateDNInfo{
 						CommonName:   true,
 						Organization: true,
 						Locality:     true,
@@ -392,7 +392,7 @@ func TestPassTLSClientCert_certInfo(t *testing.T) {
 			config: dynamic.PassTLSClientCert{
 				PEM: false,
 				Info: &dynamic.TLSClientCertificateInfo{
-					Subject: &dynamic.TLSCLientCertificateDNInfo{},
+					Subject: &dynamic.TLSClientCertificateDNInfo{},
 				},
 			},
 		},
@@ -405,7 +405,7 @@ func TestPassTLSClientCert_certInfo(t *testing.T) {
 					NotBefore:    true,
 					Sans:         true,
 					SerialNumber: true,
-					Subject: &dynamic.TLSCLientCertificateDNInfo{
+					Subject: &dynamic.TLSClientCertificateDNInfo{
 						CommonName:      true,
 						Country:         true,
 						DomainComponent: true,
@@ -414,7 +414,7 @@ func TestPassTLSClientCert_certInfo(t *testing.T) {
 						Province:        true,
 						SerialNumber:    true,
 					},
-					Issuer: &dynamic.TLSCLientCertificateDNInfo{
+					Issuer: &dynamic.TLSClientCertificateDNInfo{
 						CommonName:      true,
 						Country:         true,
 						DomainComponent: true,
@@ -434,10 +434,10 @@ func TestPassTLSClientCert_certInfo(t *testing.T) {
 				Info: &dynamic.TLSClientCertificateInfo{
 					NotAfter: true,
 					Sans:     true,
-					Subject: &dynamic.TLSCLientCertificateDNInfo{
+					Subject: &dynamic.TLSClientCertificateDNInfo{
 						Organization: true,
 					},
-					Issuer: &dynamic.TLSCLientCertificateDNInfo{
+					Issuer: &dynamic.TLSClientCertificateDNInfo{
 						Country: true,
 					},
 				},
@@ -453,7 +453,7 @@ func TestPassTLSClientCert_certInfo(t *testing.T) {
 					NotBefore:    true,
 					Sans:         true,
 					SerialNumber: true,
-					Subject: &dynamic.TLSCLientCertificateDNInfo{
+					Subject: &dynamic.TLSClientCertificateDNInfo{
 						Country:         true,
 						Province:        true,
 						Locality:        true,
@@ -462,7 +462,7 @@ func TestPassTLSClientCert_certInfo(t *testing.T) {
 						SerialNumber:    true,
 						DomainComponent: true,
 					},
-					Issuer: &dynamic.TLSCLientCertificateDNInfo{
+					Issuer: &dynamic.TLSClientCertificateDNInfo{
 						Country:         true,
 						Province:        true,
 						Locality:        true,
@@ -484,7 +484,7 @@ func TestPassTLSClientCert_certInfo(t *testing.T) {
 					NotBefore:    true,
 					Sans:         true,
 					SerialNumber: true,
-					Subject: &dynamic.TLSCLientCertificateDNInfo{
+					Subject: &dynamic.TLSClientCertificateDNInfo{
 						Country:         true,
 						Province:        true,
 						Locality:        true,
@@ -493,7 +493,7 @@ func TestPassTLSClientCert_certInfo(t *testing.T) {
 						SerialNumber:    true,
 						DomainComponent: true,
 					},
-					Issuer: &dynamic.TLSCLientCertificateDNInfo{
+					Issuer: &dynamic.TLSClientCertificateDNInfo{
 						Country:         true,
 						Province:        true,
 						Locality:        true,

pkg/provider/docker/docker.go

@@ -165,7 +165,7 @@ func (p *Provider) getClientOpts() ([]client.Opt, error) {
 
 		conf, err := p.TLS.CreateTLSConfig(ctx)
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("unable to create client TLS configuration: %w", err)
 		}
 
 		hostURL, err := client.ParseHostURL(p.Endpoint)

pkg/provider/http/http.go

@@ -55,7 +55,7 @@ func (p *Provider) Init() error {
 	if p.TLS != nil {
 		tlsConfig, err := p.TLS.CreateTLSConfig(context.Background())
 		if err != nil {
-			return fmt.Errorf("unable to create TLS configuration: %w", err)
+			return fmt.Errorf("unable to create client TLS configuration: %w", err)
 		}
 
 		p.httpClient.Transport = &http.Transport{

pkg/provider/kubernetes/crd/kubernetes.go

@@ -23,6 +23,7 @@ import (
 	"github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/traefik/v1alpha1"
 	"github.com/traefik/traefik/v2/pkg/safe"
 	"github.com/traefik/traefik/v2/pkg/tls"
+	"github.com/traefik/traefik/v2/pkg/types"
 	corev1 "k8s.io/api/core/v1"
 	apiextensionv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/labels"
@@ -481,7 +482,7 @@ func createForwardAuthMiddleware(k8sClient Client, namespace string, auth *v1alp
 		return forwardAuth, nil
 	}
 
-	forwardAuth.TLS = &dynamic.ClientTLS{
+	forwardAuth.TLS = &types.ClientTLS{
 		CAOptional:         auth.TLS.CAOptional,
 		InsecureSkipVerify: auth.TLS.InsecureSkipVerify,
 	}

pkg/provider/kubernetes/crd/kubernetes_test.go

@@ -9,13 +9,14 @@ import (
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/traefik/paerser/types"
+	ptypes "github.com/traefik/paerser/types"
 	"github.com/traefik/traefik/v2/pkg/config/dynamic"
 	"github.com/traefik/traefik/v2/pkg/provider"
 	crdfake "github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/generated/clientset/versioned/fake"
 	"github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/traefik/v1alpha1"
 	"github.com/traefik/traefik/v2/pkg/provider/kubernetes/k8s"
 	"github.com/traefik/traefik/v2/pkg/tls"
+	"github.com/traefik/traefik/v2/pkg/types"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/intstr"
@@ -3243,7 +3244,7 @@ func TestLoadIngressRoutes(t *testing.T) {
 						"default-forwardauth": {
 							ForwardAuth: &dynamic.ForwardAuth{
 								Address: "test.com",
-								TLS: &dynamic.ClientTLS{
+								TLS: &types.ClientTLS{
 									CA:   "-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----",
 									Cert: "-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----",
 									Key:  "-----BEGIN PRIVATE KEY-----\n-----END PRIVATE KEY-----",
@@ -3612,17 +3613,17 @@ func TestLoadIngressRoutes(t *testing.T) {
 							MaxIdleConnsPerHost: 42,
 							DisableHTTP2:        true,
 							ForwardingTimeouts: &dynamic.ForwardingTimeouts{
-								DialTimeout:           types.Duration(42 * time.Second),
+								DialTimeout:           ptypes.Duration(42 * time.Second),
-								ResponseHeaderTimeout: types.Duration(42 * time.Second),
+								ResponseHeaderTimeout: ptypes.Duration(42 * time.Second),
-								IdleConnTimeout:       types.Duration(42 * time.Millisecond),
+								IdleConnTimeout:       ptypes.Duration(42 * time.Millisecond),
 							},
 							PeerCertURI: "foo://bar",
 						},
 						"default-test": {
 							ServerName: "test",
 							ForwardingTimeouts: &dynamic.ForwardingTimeouts{
-								DialTimeout:     types.Duration(30 * time.Second),
+								DialTimeout:     ptypes.Duration(30 * time.Second),
-								IdleConnTimeout: types.Duration(90 * time.Second),
+								IdleConnTimeout: ptypes.Duration(90 * time.Second),
 							},
 						},
 					},

pkg/provider/kv/kv.go

@@ -170,7 +170,7 @@ func (p *Provider) createKVClient(ctx context.Context) (store.Store, error) {
 		var err error
 		storeConfig.TLS, err = p.TLS.CreateTLSConfig(ctx)
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("unable to create client TLS configuration: %w", err)
 		}
 	}
 

pkg/provider/kv/kv_test.go

@@ -399,7 +399,7 @@ func Test_buildConfiguration(t *testing.T) {
 				"Middleware08": {
 					ForwardAuth: &dynamic.ForwardAuth{
 						Address: "foobar",
-						TLS: &dynamic.ClientTLS{
+						TLS: &types.ClientTLS{
 							CA:                 "foobar",
 							CAOptional:         true,
 							Cert:               "foobar",
@@ -478,7 +478,7 @@ func Test_buildConfiguration(t *testing.T) {
 							NotAfter:  true,
 							NotBefore: true,
 							Sans:      true,
-							Subject: &dynamic.TLSCLientCertificateDNInfo{
+							Subject: &dynamic.TLSClientCertificateDNInfo{
 								Country:         true,
 								Province:        true,
 								Locality:        true,
@@ -487,7 +487,7 @@ func Test_buildConfiguration(t *testing.T) {
 								SerialNumber:    true,
 								DomainComponent: true,
 							},
-							Issuer: &dynamic.TLSCLientCertificateDNInfo{
+							Issuer: &dynamic.TLSClientCertificateDNInfo{
 								Country:         true,
 								Province:        true,
 								Locality:        true,

pkg/provider/marathon/marathon.go

@@ -134,7 +134,7 @@ func (p *Provider) Provide(configurationChan chan<- dynamic.Message, pool *safe.
 		}
 		TLSConfig, err := p.TLS.CreateTLSConfig(ctx)
 		if err != nil {
-			return err
+			return fmt.Errorf("unable to create client TLS configuration: %w", err)
 		}
 		confg.HTTPClient = &http.Client{
 			Transport: &http.Transport{

pkg/types/fixtures/cert.pem

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB9jCCAV+gAwIBAgIQI3edJckNbicw4WIHs5Ws9TANBgkqhkiG9w0BAQsFADAS
+MRAwDgYDVQQKEwdBY21lIENvMCAXDTcwMDEwMTAwMDAwMFoYDzIwODQwMTI5MTYw
+MDAwWjASMRAwDgYDVQQKEwdBY21lIENvMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
+iQKBgQCb8oWyME1QRBoMLFei3M8TVKwfZfW74cVjtcugCBMTTOTCouEIgjjmiMv6
+FdMio2uBcgeD9R3dOtjjnA7N+xjwZ4vIPqDlJRE3YbfpV9igVX3sXU7ssHTSH0vs
+R0TuYJwGReIFUnu5QIjGwVorodF+CQ8dTnyXVLeQVU9kvjohHwIDAQABo0swSTAO
+BgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIw
+ADAUBgNVHREEDTALgglsb2NhbGhvc3QwDQYJKoZIhvcNAQELBQADgYEADqylUQ/4
+lrxh4h8UUQ2wKATQ2kG2YvMGlaIhr2vPZo2QDBlmL2xzai7YXX3+JZyM15TNCamn
+WtFR7WQIOHzKA1GkR9WkaXKmFbJjhGMSZVCG6ghhTjzB+stBYZXhBsdjCJbkZWBu
+OeI73oivo0MdI+4iCYCo7TnoY4PZGObwcgI=
+-----END CERTIFICATE-----

pkg/types/fixtures/key.pem

@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAJvyhbIwTVBEGgws
+V6LczxNUrB9l9bvhxWO1y6AIExNM5MKi4QiCOOaIy/oV0yKja4FyB4P1Hd062OOc
+Ds37GPBni8g+oOUlETdht+lX2KBVfexdTuywdNIfS+xHRO5gnAZF4gVSe7lAiMbB
+Wiuh0X4JDx1OfJdUt5BVT2S+OiEfAgMBAAECgYA9+PbghQl0aFvhko2RDybLi86K
++73X2DTVFx3AjvTlqp0OLCQ5eWabVqmYzKuHDGJgoqwR6Irhq80dRpsriCm0YNui
+mMV35bbimOKz9FoCTKx0ZB6xsqrVoFhjVmX3DOD9Txe41H42ZxmccOKZndR/QaXz
+VV+1W/Wbz2VawnkyYQJBAMvF6w2eOJRRoN8e7GM7b7uqkupJPp9axgFREoJZb16W
+mqXUZnH4Cydzc5keG4yknQRHdgz6RrQxnvR7GyKHLfUCQQDD6qG9D5BX0+mNW6TG
+PRwW/L2qWgnmg9lxtSSQat9ZOnBhw2OLPi0zTu4p70oSmU67/YJr50HEoJpRccZJ
+mnJDAkBdBTtY2xpe8qhqUjZ80hweYi5wzwDMQ+bRoQ2+/U6usjdkbgJaEm4dE0H4
+6tqOqHKZCnokUHfIOEKkvjHT4DulAkBAgiJNSTGi6aDOLa28pGR6YS/mRo1Z/HH9
+kcJ/VuFB1Q8p8Zb2QzvI2CVtY2AFbbtSBPALrXKnVqZZSNgcZiFXAkEAvcLKaEXE
+haGMGwq2BLADPHqAR3hdCJL3ikMJwWUsTkTjm973iEIEZfF5j57EzRI4bASm4Zq5
+Zt3BcblLODQ//w==
+-----END PRIVATE KEY-----

pkg/types/tls.go

@@ -4,12 +4,15 @@ import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
+	"errors"
 	"fmt"
 	"os"
 
 	"github.com/traefik/traefik/v2/pkg/log"
 )
 
+// +k8s:deepcopy-gen=true
+
 // ClientTLS holds TLS specific configurations as client
 // CA, Cert and Key can be either path or file contents.
 type ClientTLS struct {
@@ -42,7 +45,7 @@ func (clientTLS *ClientTLS) CreateTLSConfig(ctx context.Context) (*tls.Config, e
 		}
 
 		if !caPool.AppendCertsFromPEM(ca) {
-			return nil, fmt.Errorf("failed to parse CA")
+			return nil, errors.New("failed to parse CA")
 		}
 
 		if clientTLS.CAOptional {
@@ -52,34 +55,24 @@ func (clientTLS *ClientTLS) CreateTLSConfig(ctx context.Context) (*tls.Config, e
 		}
 	}
 
-	if !clientTLS.InsecureSkipVerify && (len(clientTLS.Cert) == 0 || len(clientTLS.Key) == 0) {
+	hasCert := len(clientTLS.Cert) > 0
-		return nil, fmt.Errorf("TLS Certificate or Key file must be set when TLS configuration is created")
+	hasKey := len(clientTLS.Key) > 0
+
+	if hasCert != hasKey {
+		return nil, errors.New("both TLS cert and key must be defined")
 	}
 
-	cert := tls.Certificate{}
+	if !hasCert || !hasKey {
-	_, errKeyIsFile := os.Stat(clientTLS.Key)
+		return &tls.Config{
+			RootCAs:            caPool,
+			InsecureSkipVerify: clientTLS.InsecureSkipVerify,
+			ClientAuth:         clientAuth,
+		}, nil
+	}
 
-	if len(clientTLS.Cert) > 0 && len(clientTLS.Key) > 0 {
+	cert, err := loadKeyPair(clientTLS.Cert, clientTLS.Key)
-		var err error
-		if _, errCertIsFile := os.Stat(clientTLS.Cert); errCertIsFile == nil {
-			if errKeyIsFile == nil {
-				cert, err = tls.LoadX509KeyPair(clientTLS.Cert, clientTLS.Key)
 	if err != nil {
-					return nil, fmt.Errorf("failed to load TLS keypair: %w", err)
+		return nil, err
-				}
-			} else {
-				return nil, fmt.Errorf("TLS cert is a file, but tls key is not")
-			}
-		} else {
-			if errKeyIsFile != nil {
-				cert, err = tls.X509KeyPair([]byte(clientTLS.Cert), []byte(clientTLS.Key))
-				if err != nil {
-					return nil, fmt.Errorf("failed to load TLS keypair: %w", err)
-				}
-			} else {
-				return nil, fmt.Errorf("TLS key is a file, but tls cert is not")
-			}
-		}
 	}
 
 	return &tls.Config{
@@ -89,3 +82,27 @@ func (clientTLS *ClientTLS) CreateTLSConfig(ctx context.Context) (*tls.Config, e
 		ClientAuth:         clientAuth,
 	}, nil
 }
+
+func loadKeyPair(cert, key string) (tls.Certificate, error) {
+	keyPair, err := tls.X509KeyPair([]byte(cert), []byte(key))
+	if err == nil {
+		return keyPair, nil
+	}
+
+	_, err = os.Stat(cert)
+	if err != nil {
+		return tls.Certificate{}, errors.New("cert file does not exist")
+	}
+
+	_, err = os.Stat(key)
+	if err != nil {
+		return tls.Certificate{}, errors.New("key file does not exist")
+	}
+
+	keyPair, err = tls.LoadX509KeyPair(cert, key)
+	if err != nil {
+		return tls.Certificate{}, err
+	}
+
+	return keyPair, nil
+}

pkg/types/tls_test.go

@@ -0,0 +1,123 @@
+package types
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// go run $GOROOT/src/crypto/tls/generate_cert.go --rsa-bits 1024 --host localhost --start-date "Jan 1 00:00:00 1970" --duration=1000000h
+var cert = `-----BEGIN CERTIFICATE-----
+MIIB9jCCAV+gAwIBAgIQI3edJckNbicw4WIHs5Ws9TANBgkqhkiG9w0BAQsFADAS
+MRAwDgYDVQQKEwdBY21lIENvMCAXDTcwMDEwMTAwMDAwMFoYDzIwODQwMTI5MTYw
+MDAwWjASMRAwDgYDVQQKEwdBY21lIENvMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
+iQKBgQCb8oWyME1QRBoMLFei3M8TVKwfZfW74cVjtcugCBMTTOTCouEIgjjmiMv6
+FdMio2uBcgeD9R3dOtjjnA7N+xjwZ4vIPqDlJRE3YbfpV9igVX3sXU7ssHTSH0vs
+R0TuYJwGReIFUnu5QIjGwVorodF+CQ8dTnyXVLeQVU9kvjohHwIDAQABo0swSTAO
+BgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIw
+ADAUBgNVHREEDTALgglsb2NhbGhvc3QwDQYJKoZIhvcNAQELBQADgYEADqylUQ/4
+lrxh4h8UUQ2wKATQ2kG2YvMGlaIhr2vPZo2QDBlmL2xzai7YXX3+JZyM15TNCamn
+WtFR7WQIOHzKA1GkR9WkaXKmFbJjhGMSZVCG6ghhTjzB+stBYZXhBsdjCJbkZWBu
+OeI73oivo0MdI+4iCYCo7TnoY4PZGObwcgI=
+-----END CERTIFICATE-----`
+
+var key = `-----BEGIN PRIVATE KEY-----
+MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAJvyhbIwTVBEGgws
+V6LczxNUrB9l9bvhxWO1y6AIExNM5MKi4QiCOOaIy/oV0yKja4FyB4P1Hd062OOc
+Ds37GPBni8g+oOUlETdht+lX2KBVfexdTuywdNIfS+xHRO5gnAZF4gVSe7lAiMbB
+Wiuh0X4JDx1OfJdUt5BVT2S+OiEfAgMBAAECgYA9+PbghQl0aFvhko2RDybLi86K
++73X2DTVFx3AjvTlqp0OLCQ5eWabVqmYzKuHDGJgoqwR6Irhq80dRpsriCm0YNui
+mMV35bbimOKz9FoCTKx0ZB6xsqrVoFhjVmX3DOD9Txe41H42ZxmccOKZndR/QaXz
+VV+1W/Wbz2VawnkyYQJBAMvF6w2eOJRRoN8e7GM7b7uqkupJPp9axgFREoJZb16W
+mqXUZnH4Cydzc5keG4yknQRHdgz6RrQxnvR7GyKHLfUCQQDD6qG9D5BX0+mNW6TG
+PRwW/L2qWgnmg9lxtSSQat9ZOnBhw2OLPi0zTu4p70oSmU67/YJr50HEoJpRccZJ
+mnJDAkBdBTtY2xpe8qhqUjZ80hweYi5wzwDMQ+bRoQ2+/U6usjdkbgJaEm4dE0H4
+6tqOqHKZCnokUHfIOEKkvjHT4DulAkBAgiJNSTGi6aDOLa28pGR6YS/mRo1Z/HH9
+kcJ/VuFB1Q8p8Zb2QzvI2CVtY2AFbbtSBPALrXKnVqZZSNgcZiFXAkEAvcLKaEXE
+haGMGwq2BLADPHqAR3hdCJL3ikMJwWUsTkTjm973iEIEZfF5j57EzRI4bASm4Zq5
+Zt3BcblLODQ//w==
+-----END PRIVATE KEY-----`
+
+func TestClientTLS_CreateTLSConfig(t *testing.T) {
+	tests := []struct {
+		desc        string
+		clientTLS   ClientTLS
+		wantCertLen int
+		wantCALen   int
+		wantErr     bool
+	}{
+		{
+			desc:      "Configure CA",
+			clientTLS: ClientTLS{CA: cert},
+			wantCALen: 1,
+			wantErr:   false,
+		},
+		{
+			desc:        "Configure the client keyPair from strings",
+			clientTLS:   ClientTLS{Cert: cert, Key: key},
+			wantCertLen: 1,
+			wantErr:     false,
+		},
+		{
+			desc:        "Configure the client keyPair from files",
+			clientTLS:   ClientTLS{Cert: "fixtures/cert.pem", Key: "fixtures/key.pem"},
+			wantCertLen: 1,
+			wantErr:     false,
+		},
+		{
+			desc:      "Configure InsecureSkipVerify",
+			clientTLS: ClientTLS{InsecureSkipVerify: true},
+			wantErr:   false,
+		},
+		{
+			desc:      "Return an error if only the client cert is provided",
+			clientTLS: ClientTLS{Cert: cert},
+			wantErr:   true,
+		},
+		{
+			desc:      "Return an error if only the client key is provided",
+			clientTLS: ClientTLS{Key: key},
+			wantErr:   true,
+		},
+		{
+			desc:      "Return an error if only the client cert is of type file",
+			clientTLS: ClientTLS{Cert: "fixtures/cert.pem", Key: key},
+			wantErr:   true,
+		},
+		{
+			desc:      "Return an error if only the client key is of type file",
+			clientTLS: ClientTLS{Cert: cert, Key: "fixtures/key.pem"},
+			wantErr:   true,
+		},
+		{
+			desc:      "Return an error if the client cert does not exist",
+			clientTLS: ClientTLS{Cert: "fixtures/cert2.pem", Key: "fixtures/key.pem"},
+			wantErr:   true,
+		},
+		{
+			desc:      "Return an error if the client key does not exist",
+			clientTLS: ClientTLS{Cert: "fixtures/cert.pem", Key: "fixtures/key2.pem"},
+			wantErr:   true,
+		},
+	}
+
+	for _, test := range tests {
+		test := test
+
+		t.Run(test.desc, func(t *testing.T) {
+			tlsConfig, err := test.clientTLS.CreateTLSConfig(context.Background())
+			if test.wantErr {
+				require.Error(t, err)
+				return
+			}
+
+			require.NoError(t, err)
+
+			assert.Len(t, tlsConfig.RootCAs.Subjects(), test.wantCALen)
+			assert.Len(t, tlsConfig.Certificates, test.wantCertLen)
+			assert.Equal(t, test.clientTLS.InsecureSkipVerify, tlsConfig.InsecureSkipVerify)
+		})
+	}
+}

pkg/types/zz_generated.deepcopy.go

@@ -29,6 +29,22 @@ THE SOFTWARE.
 
 package types
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClientTLS) DeepCopyInto(out *ClientTLS) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientTLS.
+func (in *ClientTLS) DeepCopy() *ClientTLS {
+	if in == nil {
+		return nil
+	}
+	out := new(ClientTLS)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Domain) DeepCopyInto(out *Domain) {
 	*out = *in