Fix wrong handling of insecure tls auth forward ingress annotation

provider/kubernetes/kubernetes.go

@@ -993,12 +993,12 @@ func getForwardAuthConfig(i *extensionsv1beta1.Ingress, k8sClient Client) (*type
 	}
 
 	authSecretName := getStringValue(i.Annotations, annotationKubernetesAuthForwardTLSSecret, "")
-	if len(authSecretName) > 0 {
-		authSecretCert, authSecretKey, err := loadAuthTLSSecret(i.Namespace, authSecretName, k8sClient)
-		if err != nil {
-			return nil, fmt.Errorf("failed to load auth secret: %s", err)
-		}
+	authSecretCert, authSecretKey, err := loadAuthTLSSecret(i.Namespace, authSecretName, k8sClient)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load auth secret: %s", err)
+	}
 
+	if authSecretCert != "" || authSecretKey != "" {
 		forwardAuth.TLS = &types.ClientTLS{
 			Cert:               authSecretCert,
 			Key:                authSecretKey,
@@ -1006,10 +1006,20 @@ func getForwardAuthConfig(i *extensionsv1beta1.Ingress, k8sClient Client) (*type
 		}
 	}
 
+	if forwardAuth.TLS == nil && label.Has(i.Annotations, getAnnotationName(i.Annotations, annotationKubernetesAuthForwardTLSInsecure)) {
+		forwardAuth.TLS = &types.ClientTLS{
+			InsecureSkipVerify: getBoolValue(i.Annotations, annotationKubernetesAuthForwardTLSInsecure, false),
+		}
+	}
+
 	return forwardAuth, nil
 }
 
 func loadAuthTLSSecret(namespace, secretName string, k8sClient Client) (string, string, error) {
+	if len(secretName) == 0 {
+		return "", "", nil
+	}
+
 	secret, exists, err := k8sClient.GetSecret(namespace, secretName)
 	if err != nil {
 		return "", "", fmt.Errorf("failed to fetch secret %q/%q: %s", namespace, secretName, err)