Merge pull request #15430 from liggitt/fix_tls_config_for

Auto commit by PR queue bot

pkg/client/unversioned/transport.go

@@ -110,28 +110,32 @@ func TLSConfigFor(config *Config) (*tls.Config, error) {
 	hasCA := len(config.CAFile) > 0 || len(config.CAData) > 0
 	hasCert := len(config.CertFile) > 0 || len(config.CertData) > 0
 
+	if !hasCA && !hasCert && !config.Insecure {
+		return nil, nil
+	}
 	if hasCA && config.Insecure {
 		return nil, fmt.Errorf("specifying a root certificates file with the insecure flag is not allowed")
 	}
 	if err := LoadTLSFiles(config); err != nil {
 		return nil, err
 	}
-	var tlsConfig *tls.Config
+
-	switch {
+	tlsConfig := &tls.Config{
-	case hasCert:
+		// Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability)
-		cfg, err := NewClientCertTLSConfig(config.CertData, config.KeyData, config.CAData)
+		MinVersion:         tls.VersionTLS10,
+		InsecureSkipVerify: config.Insecure,
+	}
+
+	if hasCA {
+		tlsConfig.RootCAs = rootCertPool(config.CAData)
+	}
+
+	if hasCert {
+		cert, err := tls.X509KeyPair(config.CertData, config.KeyData)
 		if err != nil {
 			return nil, err
 		}
-		tlsConfig = cfg
+		tlsConfig.Certificates = []tls.Certificate{cert}
-	case hasCA:
-		cfg, err := NewTLSConfig(config.CAData)
-		if err != nil {
-			return nil, err
-		}
-		tlsConfig = cfg
-	case config.Insecure:
-		tlsConfig = NewUnsafeTLSConfig()
 	}
 
 	return tlsConfig, nil
@@ -186,30 +190,6 @@ func dataFromSliceOrFile(data []byte, file string) ([]byte, error) {
 	return nil, nil
 }
 
-func NewClientCertTLSConfig(certData, keyData, caData []byte) (*tls.Config, error) {
-	cert, err := tls.X509KeyPair(certData, keyData)
-	if err != nil {
-		return nil, err
-	}
-
-	return &tls.Config{
-		// Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability)
-		MinVersion: tls.VersionTLS10,
-		Certificates: []tls.Certificate{
-			cert,
-		},
-		RootCAs: rootCertPool(caData),
-	}, nil
-}
-
-func NewTLSConfig(caData []byte) (*tls.Config, error) {
-	return &tls.Config{
-		// Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability)
-		MinVersion: tls.VersionTLS10,
-		RootCAs:    rootCertPool(caData),
-	}, nil
-}
-
 // rootCertPool returns nil if caData is empty.  When passed along, this will mean "use system CAs".
 // When caData is not empty, it will be the ONLY information used in the CertPool.
 func rootCertPool(caData []byte) *x509.CertPool {
@@ -226,12 +206,6 @@ func rootCertPool(caData []byte) *x509.CertPool {
 	return certPool
 }
 
-func NewUnsafeTLSConfig() *tls.Config {
-	return &tls.Config{
-		InsecureSkipVerify: true,
-	}
-}
-
 // cloneRequest returns a clone of the provided *http.Request.
 // The clone is a shallow copy of the struct and its Header map.
 func cloneRequest(r *http.Request) *http.Request {

pkg/client/unversioned/transport_test.go

@@ -24,13 +24,6 @@ import (
 	"k8s.io/kubernetes/pkg/api/testapi"
 )
 
-func TestUnsecuredTLSTransport(t *testing.T) {
-	cfg := NewUnsafeTLSConfig()
-	if !cfg.InsecureSkipVerify {
-		t.Errorf("expected config to be insecure")
-	}
-}
-
 type testRoundTripper struct {
 	Request  *http.Request
 	Response *http.Response