pkg/transport: don't set certificates on tls config

[roboll]

Fixes #9541

[gyuho]

Can you confirm this fixes #9541?

[roboll]

Yeah in my tests here it definitely fixes the issue. I haven't looked at the CI failures yet.

[gyuho]

Our TLS reload was introduced since 3.2 and the go runtime logic works that way with Go 1.8 as well. So, we will backport this to 3.2 and 3.3.

[gyuho]

lgtm. thanks!

will merge after CI greens.

[gyuho]

Actually, this somehow breaks TLS tests for certs with SAN field. Will take another look next week.

[roboll]

👍 Let me know what you need from me.

[roboll]

hey @gyuho anything I can do to help out here?

[gyuho]

@roboll Sorry, I looked into it and found this breaks other TLS reload tests. But, still think this is the right approach. Just want to take some time to understand how Go TLS works with this change, and fix the test failures. I had to work on something else, but I should be able to get back to this by this week and plan is release this patch by next week. I will give you more updates as I investigate further.

[roboll]

@gyuho sounds good, ping me if you need a hand otherwise I'll check back in a few days 👍.

[gyuho]

Test failures happen in our integration testing, where Go httptest defaults to its internal test certs if initial Certificates is empty as with this patch. Will see if we can work around it.

[gyuho]

@roboll Can you try #9570? Just cherry-picked your commit with test fixes. Thanks!