fix(tlsutils): fix nil error wrapping and wrong env var in TLS config

pkg/tlsutils/tlsconfig.go

@@ -25,7 +25,10 @@ import (
 	"strings"
 )
 
-const defaultMinVersion = 0
+const (
+	// The TLS 1.2 default was introduced in Go 1.18 (released March 2022).
+	defaultMinVersion = tls.VersionTLS12
+)
 
 // CreateTLSConfig creates tls.Config instance from TLS parameters passed in environment variables with the given prefix
 func CreateTLSConfig(prefix string) (*tls.Config, error) {
@@ -40,7 +43,7 @@ func CreateTLSConfig(prefix string) (*tls.Config, error) {
 
 // NewTLSConfig creates a tls.Config instance from directly passed parameters, loading the ca, cert, and key from disk
 func NewTLSConfig(certPath, keyPath, caPath, serverName string, insecure bool, minVersion uint16) (*tls.Config, error) {
-	if certPath != "" && keyPath == "" || certPath == "" && keyPath != "" {
+	if (certPath != "" && keyPath == "") || (certPath == "" && keyPath != "") {
 		return nil, errors.New("either both cert and key or none must be provided")
 	}
 	var certificates []tls.Certificate
@@ -78,9 +81,8 @@ func loadRoots(caPath string) (*x509.CertPool, error) {
 	if err != nil {
 		return nil, fmt.Errorf("error reading %s: %w", caPath, err)
 	}
-	ok := roots.AppendCertsFromPEM(pem)
-	if !ok {
-		return nil, fmt.Errorf("could not read root certs: %w", err)
+	if !roots.AppendCertsFromPEM(pem) {
+		return nil, fmt.Errorf("could not parse PEM certificates from %s", caPath)
 	}
 	return roots, nil
 }

pkg/tlsutils/tlsconfig_test.go

@@ -28,7 +28,8 @@ import (
 	"sigs.k8s.io/external-dns/internal/gen/docs/utils"
 )
 
-var rsaCertPEM = `-----BEGIN CERTIFICATE-----
+var (
+	rsaCertPEM = `-----BEGIN CERTIFICATE-----
 MIIB0zCCAX2gAwIBAgIJAI/M7BYjwB+uMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
 BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
 aWRnaXRzIFB0eSBMdGQwHhcNMTIwOTEyMjE1MjAyWhcNMTUwOTEyMjE1MjAyWjBF
@@ -41,8 +42,7 @@ MAMBAf8wDQYJKoZIhvcNAQEFBQADQQBJlffJHybjDGxRMqaRmDhX0+6v02TUKZsW
 r5QuVbpQhH6u+0UgcW0jp9QwpxoPTLTWGXEWBBBurxFwiCBhkQ+V
 -----END CERTIFICATE-----
 `
-
-var rsaKeyPEM = testingKey(`-----BEGIN RSA TESTING KEY-----
+	rsaKeyPEM = testingKey(`-----BEGIN RSA TESTING KEY-----
 MIIBOwIBAAJBANLJhPHhITqQbPklG3ibCVxwGMRfp/v4XqhfdQHdcVfHap6NQ5Wo
 k/4xIA+ui35/MmNartNuC+BdZ1tMuVCPFZcCAwEAAQJAEJ2N+zsR0Xn8/Q6twa4G
 6OB1M1WO+k+ztnX/1SvNeWu8D6GImtupLTYgjZcHufykj09jiHmjHx8u8ZZB/o1N
@@ -52,6 +52,7 @@ xVLHwDXh/6NJAiEAl2oHGGLz64BuAfjKrqwz7qMYr9HCLIe/YsoWq/olzScCIQDi
 D2lWusoe2/nEqfDVVWGWlyJ7yOmqaVm/iNUN9B2N2g==
 -----END RSA TESTING KEY-----
 `)
+)
 
 func testingKey(s string) string { return strings.ReplaceAll(s, "TESTING KEY", "PRIVATE KEY") }
 
@@ -117,7 +118,7 @@ func TestCreateTLSConfig(t *testing.T) {
 			"",
 			func(_ *tls.Config, err error) {
 				assert.Error(t, err)
-				assert.Contains(t, err.Error(), "could not read root certs")
+				assert.Contains(t, err.Error(), "could not parse PEM certificates from")
 			},
 		},
 		{
@@ -158,7 +159,8 @@ func TestCreateTLSConfig(t *testing.T) {
 
 			if tc.caFile != "" {
 				path := fmt.Sprintf("%s/caFile", dir)
-				utils.WriteToFile(path, tc.caFile)
+				err := utils.WriteToFile(path, tc.caFile)
+				require.NoError(t, err)
 				t.Setenv(fmt.Sprintf("%s_CA_FILE", tc.prefix), path)
 			}
 
@@ -168,13 +170,15 @@ func TestCreateTLSConfig(t *testing.T) {
 
 			if tc.certFile != "" {
 				path := fmt.Sprintf("%s/certFile", dir)
-				utils.WriteToFile(path, tc.certFile)
+				err := utils.WriteToFile(path, tc.certFile)
+				require.NoError(t, err)
 				t.Setenv(fmt.Sprintf("%s_CERT_FILE", tc.prefix), path)
 			}
 
 			if tc.keyFile != "" {
 				path := fmt.Sprintf("%s/keyFile", dir)
-				utils.WriteToFile(path, tc.keyFile)
+				err := utils.WriteToFile(path, tc.keyFile)
+				require.NoError(t, err)
 				t.Setenv(fmt.Sprintf("%s_KEY_FILE", tc.prefix), path)
 			}
 
@@ -183,7 +187,7 @@ func TestCreateTLSConfig(t *testing.T) {
 			}
 
 			if tc.isInsecureStr != "" {
-				t.Setenv(fmt.Sprintf("%s_INSECURE", tc.prefix), tc.isInsecureStr)
+				t.Setenv(fmt.Sprintf("%s_TLS_INSECURE", tc.prefix), tc.isInsecureStr)
 			}
 
 			// test