Define a TLS section to group TLS, TLSOptions, and TLSStores.

Co-authored-by: Jean-Baptiste Doumenjou <jb.doumenjou@gmail.com>
2019-06-27 23:58:03 +02:00 · 2019-06-27 23:58:03 +02:00 · 4245096be4
commit 4245096be4
parent c9b2a07bc7
52 changed files with 717 additions and 628 deletions
--- a/pkg/provider/acme/provider.go
+++ b/pkg/provider/acme/provider.go
@ -589,14 +589,20 @@ func (p *Provider) refreshCertificates() {
 				Middlewares: map[string]*config.Middleware{},
 				Services:    map[string]*config.Service{},
 			},
-			TLS: []*traefiktls.Configuration{},
+			TLS: &config.TLSConfiguration{},
 		},
 	}

 	for _, cert := range p.certificates {
-		cert := &traefiktls.Certificate{CertFile: traefiktls.FileOrContent(cert.Certificate), KeyFile: traefiktls.FileOrContent(cert.Key)}
-		conf.Configuration.TLS = append(conf.Configuration.TLS, &traefiktls.Configuration{Certificate: cert})
+		certConf := &traefiktls.CertAndStores{
+			Certificate: traefiktls.Certificate{
+				CertFile: traefiktls.FileOrContent(cert.Certificate),
+				KeyFile:  traefiktls.FileOrContent(cert.Key),
+			},
+		}
+		conf.Configuration.TLS.Certificates = append(conf.Configuration.TLS.Certificates, certConf)
 	}
+
 	p.configurationChan <- conf
 }

--- a/pkg/provider/file/file.go
+++ b/pkg/provider/file/file.go
@ -182,28 +182,36 @@ func (p *Provider) loadFileConfig(filename string, parseTemplate bool) (*config.
 		return nil, err
 	}

-	var tlsConfigs []*tls.Configuration
-	for _, conf := range configuration.TLS {
-		bytes, err := conf.Certificate.CertFile.Read()
-		if err != nil {
-			log.Error(err)
-			continue
-		}
-		conf.Certificate.CertFile = tls.FileOrContent(string(bytes))
-
-		bytes, err = conf.Certificate.KeyFile.Read()
-		if err != nil {
-			log.Error(err)
-			continue
-		}
-		conf.Certificate.KeyFile = tls.FileOrContent(string(bytes))
-		tlsConfigs = append(tlsConfigs, conf)
+	if configuration.TLS != nil {
+		configuration.TLS.Certificates = flattenCertificates(configuration.TLS)
 	}
-	configuration.TLS = tlsConfigs

 	return configuration, nil
 }

+func flattenCertificates(tlsConfig *config.TLSConfiguration) []*tls.CertAndStores {
+	var certs []*tls.CertAndStores
+	for _, cert := range tlsConfig.Certificates {
+		content, err := cert.Certificate.CertFile.Read()
+		if err != nil {
+			log.Error(err)
+			continue
+		}
+		cert.Certificate.CertFile = tls.FileOrContent(string(content))
+
+		content, err = cert.Certificate.KeyFile.Read()
+		if err != nil {
+			log.Error(err)
+			continue
+		}
+		cert.Certificate.KeyFile = tls.FileOrContent(string(content))
+
+		certs = append(certs, cert)
+	}
+
+	return certs
+}
+
 func (p *Provider) loadFileConfigFromDirectory(ctx context.Context, directory string, configuration *config.Configuration) (*config.Configuration, error) {
 	logger := log.FromContext(ctx)

@ -223,13 +231,16 @@ func (p *Provider) loadFileConfigFromDirectory(ctx context.Context, directory st
 				Routers:  make(map[string]*config.TCPRouter),
 				Services: make(map[string]*config.TCPService),
 			},
+			TLS: &config.TLSConfiguration{
+				Stores:  make(map[string]tls.Store),
+				Options: make(map[string]tls.Options),
+			},
 		}
 	}

-	configTLSMaps := make(map[*tls.Configuration]struct{})
+	configTLSMaps := make(map[*tls.CertAndStores]struct{})

 	for _, item := range fileList {
-
 		if item.IsDir() {
 			configuration, err = p.loadFileConfigFromDirectory(ctx, filepath.Join(directory, item.Name()), configuration)
 			if err != nil {
@ -291,7 +302,7 @@ func (p *Provider) loadFileConfigFromDirectory(ctx context.Context, directory st
 			}
 		}

-		for _, conf := range c.TLS {
+		for _, conf := range c.TLS.Certificates {
 			if _, exists := configTLSMaps[conf]; exists {
 				logger.Warnf("TLS configuration %v already configured, skipping", conf)
 			} else {
@ -300,9 +311,14 @@ func (p *Provider) loadFileConfigFromDirectory(ctx context.Context, directory st
 		}
 	}

-	for conf := range configTLSMaps {
-		configuration.TLS = append(configuration.TLS, conf)
+	if len(configTLSMaps) > 0 {
+		configuration.TLS = &config.TLSConfiguration{}
 	}
+
+	for conf := range configTLSMaps {
+		configuration.TLS.Certificates = append(configuration.TLS.Certificates, conf)
+	}
+
 	return configuration, nil
 }

@ -364,9 +380,10 @@ func (p *Provider) decodeConfiguration(filePath string, content string) (*config
 			Routers:  make(map[string]*config.TCPRouter),
 			Services: make(map[string]*config.TCPService),
 		},
-		TLS:        make([]*tls.Configuration, 0),
-		TLSStores:  make(map[string]tls.Store),
-		TLSOptions: make(map[string]tls.TLS),
+		TLS: &config.TLSConfiguration{
+			Stores:  make(map[string]tls.Store),
+			Options: make(map[string]tls.Options),
+		},
 	}

 	switch strings.ToLower(filepath.Ext(filePath)) {
--- a/pkg/provider/file/file_test.go
+++ b/pkg/provider/file/file_test.go
@ -37,10 +37,9 @@ func TestTLSContent(t *testing.T) {
 	require.NoError(t, err)

 	content := `
-[[tls]]
-  [tls.certificate]
-    certFile = "` + fileTLS.Name() + `"
-    keyFile = "` + fileTLS.Name() + `"
+[[tls.certificates]]
+  certFile = "` + fileTLS.Name() + `"
+  keyFile = "` + fileTLS.Name() + `"
 `

 	_, err = fileConfig.Write([]byte(content))
@ -50,8 +49,8 @@ func TestTLSContent(t *testing.T) {
 	configuration, err := provider.loadFileConfig(fileConfig.Name(), true)
 	require.NoError(t, err)

-	require.Equal(t, "CONTENT", configuration.TLS[0].Certificate.CertFile.String())
-	require.Equal(t, "CONTENT", configuration.TLS[0].Certificate.KeyFile.String())
+	require.Equal(t, "CONTENT", configuration.TLS.Certificates[0].Certificate.CertFile.String())
+	require.Equal(t, "CONTENT", configuration.TLS.Certificates[0].Certificate.KeyFile.String())
 }

 func TestErrorWhenEmptyConfig(t *testing.T) {
@ -91,9 +90,11 @@ func TestProvideWithoutWatch(t *testing.T) {
 			timeout := time.After(time.Second)
 			select {
 			case conf := <-configChan:
+				require.NotNil(t, conf.Configuration.HTTP)
 				assert.Len(t, conf.Configuration.HTTP.Services, test.expectedNumService)
 				assert.Len(t, conf.Configuration.HTTP.Routers, test.expectedNumRouter)
-				assert.Len(t, conf.Configuration.TLS, test.expectedNumTLSConf)
+				require.NotNil(t, conf.Configuration.TLS)
+				assert.Len(t, conf.Configuration.TLS.Certificates, test.expectedNumTLSConf)
 			case <-timeout:
 				t.Errorf("timeout while waiting for config")
 			}
@ -116,9 +117,11 @@ func TestProvideWithWatch(t *testing.T) {
 			timeout := time.After(time.Second)
 			select {
 			case conf := <-configChan:
+				require.NotNil(t, conf.Configuration.HTTP)
 				assert.Len(t, conf.Configuration.HTTP.Services, 0)
 				assert.Len(t, conf.Configuration.HTTP.Routers, 0)
-				assert.Len(t, conf.Configuration.TLS, 0)
+				require.NotNil(t, conf.Configuration.TLS)
+				assert.Len(t, conf.Configuration.TLS.Certificates, 0)
 			case <-timeout:
 				t.Errorf("timeout while waiting for config")
 			}
@ -148,7 +151,7 @@ func TestProvideWithWatch(t *testing.T) {
 					numUpdates++
 					numServices = len(conf.Configuration.HTTP.Services)
 					numRouters = len(conf.Configuration.HTTP.Routers)
-					numTLSConfs = len(conf.Configuration.TLS)
+					numTLSConfs = len(conf.Configuration.TLS.Certificates)
 					t.Logf("received update #%d: services %d/%d, routers %d/%d, TLS configs %d/%d", numUpdates, numServices, test.expectedNumService, numRouters, test.expectedNumRouter, numTLSConfs, test.expectedNumTLSConf)

 					if numServices == test.expectedNumService && numRouters == test.expectedNumRouter && numTLSConfs == test.expectedNumTLSConf {
--- a/pkg/provider/file/fixtures/toml/dir01_file03.toml
+++ b/pkg/provider/file/fixtures/toml/dir01_file03.toml
@ -1,16 +1,17 @@
-[[TLS]]
-	[TLS.Certificate]
-	CertFile = "integration/fixtures/https/snitest1.com.cert"
-	KeyFile = "integration/fixtures/https/snitest1.com.key"
-[[TLS]]
-	[TLS.Certificate]
-	CertFile = "integration/fixtures/https/snitest2.com.cert"
-	KeyFile = "integration/fixtures/https/snitest2.com.key"
-[[TLS]]
-	[TLS.Certificate]
-	CertFile = "integration/fixtures/https/snitest3.com.cert"
-	KeyFile = "integration/fixtures/https/snitest3.com.key"
-[[TLS]]
-	[TLS.Certificate]
-	CertFile = "integration/fixtures/https/snitest4.com.cert"
-	KeyFile = "integration/fixtures/https/snitest4.com.key"
+[TLS]
+
+[[TLS.Certificates]]
+  CertFile = "integration/fixtures/https/snitest1.com.cert"
+  KeyFile = "integration/fixtures/https/snitest1.com.key"
+
+[[TLS.Certificates]]
+  CertFile = "integration/fixtures/https/snitest2.com.cert"
+  KeyFile = "integration/fixtures/https/snitest2.com.key"
+
+[[TLS.Certificates]]
+  CertFile = "integration/fixtures/https/snitest3.com.cert"
+  KeyFile = "integration/fixtures/https/snitest3.com.key"
+
+[[TLS.Certificates]]
+  CertFile = "integration/fixtures/https/snitest4.com.cert"
+  KeyFile = "integration/fixtures/https/snitest4.com.key"
--- a/pkg/provider/file/fixtures/toml/simple_file_01.toml
+++ b/pkg/provider/file/fixtures/toml/simple_file_01.toml
@ -33,23 +33,25 @@
 [http.services.application-6.loadbalancer]
   [[http.services.application-6.loadbalancer.servers]]
     url = "http://172.17.0.6:80"
-[[TLS]]
-	[TLS.Certificate]
-	CertFile = "integration/fixtures/https/snitest1.com.cert"
-	KeyFile = "integration/fixtures/https/snitest1.com.key"
-[[TLS]]
-	[TLS.Certificate]
-	CertFile = "integration/fixtures/https/snitest2.com.cert"
-	KeyFile = "integration/fixtures/https/snitest2.com.key"
-[[TLS]]
-	[TLS.Certificate]
-	CertFile = "integration/fixtures/https/snitest3.com.cert"
-	KeyFile = "integration/fixtures/https/snitest3.com.key"
-[[TLS]]
-	[TLS.Certificate]
-	CertFile = "integration/fixtures/https/snitest4.com.cert"
-	KeyFile = "integration/fixtures/https/snitest4.com.key"
-[[TLS]]
-	[TLS.Certificate]
-	CertFile = "integration/fixtures/https/snitest5.com.cert"
-	KeyFile = "integration/fixtures/https/snitest5.com.key"
+
+[TLS]
+
+[[TLS.Certificates]]
+  CertFile = "integration/fixtures/https/snitest1.com.cert"
+  KeyFile = "integration/fixtures/https/snitest1.com.key"
+
+[[TLS.Certificates]]
+  CertFile = "integration/fixtures/https/snitest2.com.cert"
+  KeyFile = "integration/fixtures/https/snitest2.com.key"
+
+[[TLS.Certificates]]
+  CertFile = "integration/fixtures/https/snitest3.com.cert"
+  KeyFile = "integration/fixtures/https/snitest3.com.key"
+
+[[TLS.Certificates]]
+  CertFile = "integration/fixtures/https/snitest4.com.cert"
+  KeyFile = "integration/fixtures/https/snitest4.com.key"
+
+[[TLS.Certificates]]
+  CertFile = "integration/fixtures/https/snitest5.com.cert"
+  KeyFile = "integration/fixtures/https/snitest5.com.key"
--- a/pkg/provider/file/fixtures/toml/simple_file_02.toml
+++ b/pkg/provider/file/fixtures/toml/simple_file_02.toml
@ -44,19 +44,21 @@
 [http.services.application-8.loadbalancer]
   [[http.services.application-8.loadbalancer.servers]]
     url = "http://172.17.0.8:80"
-[[TLS]]
-	[TLS.Certificate]
-	CertFile = "integration/fixtures/https/snitest1.com.cert"
-	KeyFile = "integration/fixtures/https/snitest1.com.key"
-[[TLS]]
-	[TLS.Certificate]
-	CertFile = "integration/fixtures/https/snitest2.com.cert"
-	KeyFile = "integration/fixtures/https/snitest2.com.key"
-[[TLS]]
-	[TLS.Certificate]
-	CertFile = "integration/fixtures/https/snitest3.com.cert"
-	KeyFile = "integration/fixtures/https/snitest3.com.key"
-[[TLS]]
-	[TLS.Certificate]
-	CertFile = "integration/fixtures/https/snitest4.com.cert"
-	KeyFile = "integration/fixtures/https/snitest4.com.key"
+
+[TLS]
+
+[[TLS.Certificates]]
+  CertFile = "integration/fixtures/https/snitest1.com.cert"
+  KeyFile = "integration/fixtures/https/snitest1.com.key"
+
+[[TLS.Certificates]]
+  CertFile = "integration/fixtures/https/snitest2.com.cert"
+  KeyFile = "integration/fixtures/https/snitest2.com.key"
+
+[[TLS.Certificates]]
+  CertFile = "integration/fixtures/https/snitest3.com.cert"
+  KeyFile = "integration/fixtures/https/snitest3.com.key"
+
+[[TLS.Certificates]]
+  CertFile = "integration/fixtures/https/snitest4.com.cert"
+  KeyFile = "integration/fixtures/https/snitest4.com.key"
--- a/pkg/provider/file/fixtures/toml/simple_traefik_file_01.toml
+++ b/pkg/provider/file/fixtures/toml/simple_traefik_file_01.toml
@ -1,3 +1,2 @@
-
 [log]
-	level = "DEBUG"
+  level = "DEBUG"
--- a/pkg/provider/file/fixtures/toml/simple_traefik_file_02.toml
+++ b/pkg/provider/file/fixtures/toml/simple_traefik_file_02.toml
@ -20,19 +20,21 @@
 [http.services.application-3.loadbalancer]
   [[http.services.application-3.loadbalancer.servers]]
     url = "http://172.17.0.3:80"
-[[TLS]]
-	[TLS.Certificate]
-	CertFile = "integration/fixtures/https/snitest1.com.cert"
-	KeyFile = "integration/fixtures/https/snitest1.com.key"
-[[TLS]]
-	[TLS.Certificate]
-	CertFile = "integration/fixtures/https/snitest2.com.cert"
-	KeyFile = "integration/fixtures/https/snitest2.com.key"
-[[TLS]]
-	[TLS.Certificate]
-	CertFile = "integration/fixtures/https/snitest3.com.cert"
-	KeyFile = "integration/fixtures/https/snitest3.com.key"
-[[TLS]]
-	[TLS.Certificate]
-	CertFile = "integration/fixtures/https/snitest4.com.cert"
-	KeyFile = "integration/fixtures/https/snitest4.com.key"
+
+[TLS]
+
+[[TLS.Certificates]]
+  CertFile = "integration/fixtures/https/snitest1.com.cert"
+  KeyFile = "integration/fixtures/https/snitest1.com.key"
+
+[[TLS.Certificates]]
+  CertFile = "integration/fixtures/https/snitest2.com.cert"
+  KeyFile = "integration/fixtures/https/snitest2.com.key"
+
+[[TLS.Certificates]]
+  CertFile = "integration/fixtures/https/snitest3.com.cert"
+  KeyFile = "integration/fixtures/https/snitest3.com.key"
+
+[[TLS.Certificates]]
+  CertFile = "integration/fixtures/https/snitest4.com.cert"
+  KeyFile = "integration/fixtures/https/snitest4.com.key"
--- a/pkg/provider/file/fixtures/toml/simple_traefik_file_with_templating.toml
+++ b/pkg/provider/file/fixtures/toml/simple_traefik_file_with_templating.toml
@ -1,7 +1,8 @@
+temp="{{ getTag \"test\" }}"

-				temp="{{ getTag \"test\" }}"
-				[providers.file]	
-				[http.routers]
+[providers.file]
+
+[http.routers]
 
 [http.routers."router1"]
 	service = "application-1"
@ -21,19 +22,21 @@
 [http.services.application-3.loadbalancer]
   [[http.services.application-3.loadbalancer.servers]]
     url = "http://172.17.0.3:80"
-[[TLS]]
-	[TLS.Certificate]
-	CertFile = "integration/fixtures/https/snitest1.com.cert"
-	KeyFile = "integration/fixtures/https/snitest1.com.key"
-[[TLS]]
-	[TLS.Certificate]
-	CertFile = "integration/fixtures/https/snitest2.com.cert"
-	KeyFile = "integration/fixtures/https/snitest2.com.key"
-[[TLS]]
-	[TLS.Certificate]
-	CertFile = "integration/fixtures/https/snitest3.com.cert"
-	KeyFile = "integration/fixtures/https/snitest3.com.key"
-[[TLS]]
-	[TLS.Certificate]
-	CertFile = "integration/fixtures/https/snitest4.com.cert"
-	KeyFile = "integration/fixtures/https/snitest4.com.key"
+
+[TLS]
+
+[[TLS.Certificates]]
+  CertFile = "integration/fixtures/https/snitest1.com.cert"
+  KeyFile = "integration/fixtures/https/snitest1.com.key"
+
+[[TLS.Certificates]]
+  CertFile = "integration/fixtures/https/snitest2.com.cert"
+  KeyFile = "integration/fixtures/https/snitest2.com.key"
+
+[[TLS.Certificates]]
+  CertFile = "integration/fixtures/https/snitest3.com.cert"
+  KeyFile = "integration/fixtures/https/snitest3.com.key"
+
+[[TLS.Certificates]]
+  CertFile = "integration/fixtures/https/snitest4.com.cert"
+  KeyFile = "integration/fixtures/https/snitest4.com.key"
--- a/pkg/provider/file/fixtures/toml/template_file.toml
+++ b/pkg/provider/file/fixtures/toml/template_file.toml
@ -1,4 +1,3 @@
-
 [http.routers]
 {{ range $i, $e := until 20 }}
  [http.routers.router{{ $e }}]
--- a/pkg/provider/file/fixtures/yaml/dir01_file03.yml
+++ b/pkg/provider/file/fixtures/yaml/dir01_file03.yml
@ -1,13 +1,10 @@
 tls:
-  - certificate:
-      certfile: integration/fixtures/https/snitest1.com.cert
-      keyfile: integration/fixtures/https/snitest1.com.key
-  - certificate:
-      certfile: integration/fixtures/https/snitest2.com.cert
-      keyfile: integration/fixtures/https/snitest2.com.key
-  - certificate:
-      certfile: integration/fixtures/https/snitest3.com.cert
-      keyfile: integration/fixtures/https/snitest3.com.key
-  - certificate:
-      certfile: integration/fixtures/https/snitest4.com.cert
-      keyfile: integration/fixtures/https/snitest4.com.key
+  certificates:
+  - certfile: integration/fixtures/https/snitest1.com.cert
+    keyfile: integration/fixtures/https/snitest1.com.key
+  - certfile: integration/fixtures/https/snitest2.com.cert
+    keyfile: integration/fixtures/https/snitest2.com.key
+  - certfile: integration/fixtures/https/snitest3.com.cert
+    keyfile: integration/fixtures/https/snitest3.com.key
+  - certfile: integration/fixtures/https/snitest4.com.cert
+    keyfile: integration/fixtures/https/snitest4.com.key
--- a/pkg/provider/file/fixtures/yaml/simple_file_01.yml
+++ b/pkg/provider/file/fixtures/yaml/simple_file_01.yml
@ -33,18 +33,14 @@ http:
          - url: 'http://172.17.0.6:80'

 tls:
-  - certificate:
-      certfile: integration/fixtures/https/snitest1.com.cert
-      keyfile: integration/fixtures/https/snitest1.com.key
-  - certificate:
-      certfile: integration/fixtures/https/snitest2.com.cert
-      keyfile: integration/fixtures/https/snitest2.com.key
-  - certificate:
-      certfile: integration/fixtures/https/snitest3.com.cert
-      keyfile: integration/fixtures/https/snitest3.com.key
-  - certificate:
-      certfile: integration/fixtures/https/snitest4.com.cert
-      keyfile: integration/fixtures/https/snitest4.com.key
-  - certificate:
-      certfile: integration/fixtures/https/snitest5.com.cert
-      keyfile: integration/fixtures/https/snitest5.com.key
+  certificates:
+  - certfile: integration/fixtures/https/snitest1.com.cert
+    keyfile: integration/fixtures/https/snitest1.com.key
+  - certfile: integration/fixtures/https/snitest2.com.cert
+    keyfile: integration/fixtures/https/snitest2.com.key
+  - certfile: integration/fixtures/https/snitest3.com.cert
+    keyfile: integration/fixtures/https/snitest3.com.key
+  - certfile: integration/fixtures/https/snitest4.com.cert
+    keyfile: integration/fixtures/https/snitest4.com.key
+  - certfile: integration/fixtures/https/snitest5.com.cert
+    keyfile: integration/fixtures/https/snitest5.com.key
--- a/pkg/provider/file/fixtures/yaml/simple_file_02.yml
+++ b/pkg/provider/file/fixtures/yaml/simple_file_02.yml
@ -43,16 +43,12 @@ http:
          - url: 'http://172.17.0.8:80'

 tls:
-  - certificate:
-      certfile: integration/fixtures/https/snitest1.com.cert
+  certificates:
+    - certfile: integration/fixtures/https/snitest1.com.cert
      keyfile: integration/fixtures/https/snitest1.com.key
-  - certificate:
-      certfile: integration/fixtures/https/snitest2.com.cert
+    - certfile: integration/fixtures/https/snitest2.com.cert
      keyfile: integration/fixtures/https/snitest2.com.key
-  - certificate:
-      certfile: integration/fixtures/https/snitest3.com.cert
+    - certfile: integration/fixtures/https/snitest3.com.cert
      keyfile: integration/fixtures/https/snitest3.com.key
-  - certificate:
-      certfile: integration/fixtures/https/snitest4.com.cert
-      keyfile: integration/fixtures/https/snitest4.com.key
-
+    - certfile: integration/fixtures/https/snitest4.com.cert
+      keyfile: integration/fixtures/https/snitest4.com.key
--- a/pkg/provider/file/fixtures/yaml/simple_traefik_file_02.yml
+++ b/pkg/provider/file/fixtures/yaml/simple_traefik_file_02.yml
@ -21,15 +21,12 @@ http:
          - url: 'http://172.17.0.3:80'

 tls:
-  - certificate:
-      certfile: integration/fixtures/https/snitest1.com.cert
+  certificates:
+    - certfile: integration/fixtures/https/snitest1.com.cert
      keyfile: integration/fixtures/https/snitest1.com.key
-  - certificate:
-      certfile: integration/fixtures/https/snitest2.com.cert
+    - certfile: integration/fixtures/https/snitest2.com.cert
      keyfile: integration/fixtures/https/snitest2.com.key
-  - certificate:
-      certfile: integration/fixtures/https/snitest3.com.cert
+    - certfile: integration/fixtures/https/snitest3.com.cert
      keyfile: integration/fixtures/https/snitest3.com.key
-  - certificate:
-      certfile: integration/fixtures/https/snitest4.com.cert
-      keyfile: integration/fixtures/https/snitest4.com.key
+    - certfile: integration/fixtures/https/snitest4.com.cert
+      keyfile: integration/fixtures/https/snitest4.com.key
--- a/pkg/provider/kubernetes/crd/kubernetes.go
+++ b/pkg/provider/kubernetes/crd/kubernetes.go
@ -293,14 +293,14 @@ func loadServers(client Client, namespace string, svc v1alpha1.Service) ([]confi
 	return servers, nil
 }

-func buildTLSOptions(ctx context.Context, client Client) map[string]tls.TLS {
+func buildTLSOptions(ctx context.Context, client Client) map[string]tls.Options {
 	tlsOptionsCRD := client.GetTLSOptions()
-	var tlsOptions map[string]tls.TLS
+	var tlsOptions map[string]tls.Options

 	if len(tlsOptionsCRD) == 0 {
 		return tlsOptions
 	}
-	tlsOptions = make(map[string]tls.TLS)
+	tlsOptions = make(map[string]tls.Options)

 	for _, tlsOption := range tlsOptionsCRD {
 		logger := log.FromContext(log.With(ctx, log.Str("tlsOption", tlsOption.Name), log.Str("namespace", tlsOption.Namespace)))
@ -327,7 +327,7 @@ func buildTLSOptions(ctx context.Context, client Client) map[string]tls.TLS {
 			clientCAs = append(clientCAs, tls.FileOrContent(cert))
 		}

-		tlsOptions[makeID(tlsOption.Namespace, tlsOption.Name)] = tls.TLS{
+		tlsOptions[makeID(tlsOption.Namespace, tlsOption.Name)] = tls.Options{
 			MinVersion:   tlsOption.Spec.MinVersion,
 			CipherSuites: tlsOption.Spec.CipherSuites,
 			ClientCA: tls.ClientCA{
@ -340,7 +340,7 @@ func buildTLSOptions(ctx context.Context, client Client) map[string]tls.TLS {
 	return tlsOptions
 }

-func (p *Provider) loadIngressRouteConfiguration(ctx context.Context, client Client, tlsConfigs map[string]*tls.Configuration) *config.HTTPConfiguration {
+func (p *Provider) loadIngressRouteConfiguration(ctx context.Context, client Client, tlsConfigs map[string]*tls.CertAndStores) *config.HTTPConfiguration {
 	conf := &config.HTTPConfiguration{
 		Routers:     map[string]*config.Router{},
 		Middlewares: map[string]*config.Middleware{},
@ -465,7 +465,7 @@ func (p *Provider) loadIngressRouteConfiguration(ctx context.Context, client Cli
 	return conf
 }

-func (p *Provider) loadIngressRouteTCPConfiguration(ctx context.Context, client Client, tlsConfigs map[string]*tls.Configuration) *config.TCPConfiguration {
+func (p *Provider) loadIngressRouteTCPConfiguration(ctx context.Context, client Client, tlsConfigs map[string]*tls.CertAndStores) *config.TCPConfiguration {
 	conf := &config.TCPConfiguration{
 		Routers:  map[string]*config.TCPRouter{},
 		Services: map[string]*config.TCPService{},
@ -565,12 +565,14 @@ func (p *Provider) loadIngressRouteTCPConfiguration(ctx context.Context, client
 }

 func (p *Provider) loadConfigurationFromCRD(ctx context.Context, client Client) *config.Configuration {
-	tlsConfigs := make(map[string]*tls.Configuration)
+	tlsConfigs := make(map[string]*tls.CertAndStores)
 	conf := &config.Configuration{
-		HTTP:       p.loadIngressRouteConfiguration(ctx, client, tlsConfigs),
-		TCP:        p.loadIngressRouteTCPConfiguration(ctx, client, tlsConfigs),
-		TLSOptions: buildTLSOptions(ctx, client),
-		TLS:        getTLSConfig(tlsConfigs),
+		HTTP: p.loadIngressRouteConfiguration(ctx, client, tlsConfigs),
+		TCP:  p.loadIngressRouteTCPConfiguration(ctx, client, tlsConfigs),
+		TLS: &config.TLSConfiguration{
+			Certificates: getTLSConfig(tlsConfigs),
+			Options:      buildTLSOptions(ctx, client),
+		},
 	}

 	for _, middleware := range client.GetMiddlewares() {
@ -604,7 +606,7 @@ func shouldProcessIngress(ingressClass string, ingressClassAnnotation string) bo
 		(len(ingressClass) == 0 && ingressClassAnnotation == traefikDefaultIngressClass)
 }

-func getTLSHTTP(ctx context.Context, ingressRoute *v1alpha1.IngressRoute, k8sClient Client, tlsConfigs map[string]*tls.Configuration) error {
+func getTLSHTTP(ctx context.Context, ingressRoute *v1alpha1.IngressRoute, k8sClient Client, tlsConfigs map[string]*tls.CertAndStores) error {
 	if ingressRoute.Spec.TLS == nil {
 		return nil
 	}
@ -626,7 +628,7 @@ func getTLSHTTP(ctx context.Context, ingressRoute *v1alpha1.IngressRoute, k8sCli
 	return nil
 }

-func getTLSTCP(ctx context.Context, ingressRoute *v1alpha1.IngressRouteTCP, k8sClient Client, tlsConfigs map[string]*tls.Configuration) error {
+func getTLSTCP(ctx context.Context, ingressRoute *v1alpha1.IngressRouteTCP, k8sClient Client, tlsConfigs map[string]*tls.CertAndStores) error {
 	if ingressRoute.Spec.TLS == nil {
 		return nil
 	}
@ -648,7 +650,7 @@ func getTLSTCP(ctx context.Context, ingressRoute *v1alpha1.IngressRouteTCP, k8sC
 	return nil
 }

-func getTLS(k8sClient Client, secretName, namespace string) (*tls.Configuration, error) {
+func getTLS(k8sClient Client, secretName, namespace string) (*tls.CertAndStores, error) {
 	secret, exists, err := k8sClient.GetSecret(namespace, secretName)
 	if err != nil {
 		return nil, fmt.Errorf("failed to fetch secret %s/%s: %v", namespace, secretName, err)
@ -662,22 +664,22 @@ func getTLS(k8sClient Client, secretName, namespace string) (*tls.Configuration,
 		return nil, err
 	}

-	return &tls.Configuration{
-		Certificate: &tls.Certificate{
+	return &tls.CertAndStores{
+		Certificate: tls.Certificate{
 			CertFile: tls.FileOrContent(cert),
 			KeyFile:  tls.FileOrContent(key),
 		},
 	}, nil
 }

-func getTLSConfig(tlsConfigs map[string]*tls.Configuration) []*tls.Configuration {
+func getTLSConfig(tlsConfigs map[string]*tls.CertAndStores) []*tls.CertAndStores {
 	var secretNames []string
 	for secretName := range tlsConfigs {
 		secretNames = append(secretNames, secretName)
 	}
 	sort.Strings(secretNames)

-	var configs []*tls.Configuration
+	var configs []*tls.CertAndStores
 	for _, secretName := range secretNames {
 		configs = append(configs, tlsConfigs[secretName])
 	}
--- a/pkg/provider/kubernetes/crd/kubernetes_test.go
+++ b/pkg/provider/kubernetes/crd/kubernetes_test.go
@ -31,6 +31,7 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
 					Middlewares: map[string]*config.Middleware{},
 					Services:    map[string]*config.Service{},
 				},
+				TLS: &config.TLSConfiguration{},
 			},
 		},
 		{
@ -67,6 +68,7 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
 						},
 					},
 				},
+				TLS: &config.TLSConfiguration{},
 			},
 		},
 		{
@ -122,6 +124,7 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
 					Middlewares: map[string]*config.Middleware{},
 					Services:    map[string]*config.Service{},
 				},
+				TLS: &config.TLSConfiguration{},
 			},
 		},
 		{
@ -165,6 +168,7 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
 					Middlewares: map[string]*config.Middleware{},
 					Services:    map[string]*config.Service{},
 				},
+				TLS: &config.TLSConfiguration{},
 			},
 		},
 		{
@ -181,6 +185,7 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
 					Middlewares: map[string]*config.Middleware{},
 					Services:    map[string]*config.Service{},
 				},
+				TLS: &config.TLSConfiguration{},
 			},
 		},
 		{
@ -196,6 +201,7 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
 					Middlewares: map[string]*config.Middleware{},
 					Services:    map[string]*config.Service{},
 				},
+				TLS: &config.TLSConfiguration{},
 			},
 		},
 		{
@ -211,17 +217,20 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
 					Middlewares: map[string]*config.Middleware{},
 					Services:    map[string]*config.Service{},
 				},
+				TLS: &config.TLSConfiguration{},
 			},
 		},
 		{
 			desc:  "TLS",
 			paths: []string{"tcp/services.yml", "tcp/with_tls.yml"},
 			expected: &config.Configuration{
-				TLS: []*tls.Configuration{
-					{
-						Certificate: &tls.Certificate{
-							CertFile: tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
-							KeyFile:  tls.FileOrContent("-----BEGIN PRIVATE KEY-----\n-----END PRIVATE KEY-----"),
+				TLS: &config.TLSConfiguration{
+					Certificates: []*tls.CertAndStores{
+						{
+							Certificate: tls.Certificate{
+								CertFile: tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
+								KeyFile:  tls.FileOrContent("-----BEGIN PRIVATE KEY-----\n-----END PRIVATE KEY-----"),
+							},
 						},
 					},
 				},
@ -295,27 +304,30 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
 					Middlewares: map[string]*config.Middleware{},
 					Services:    map[string]*config.Service{},
 				},
+				TLS: &config.TLSConfiguration{},
 			},
 		},
 		{
 			desc:  "TLS with tls options",
 			paths: []string{"tcp/services.yml", "tcp/with_tls_options.yml"},
 			expected: &config.Configuration{
-				TLSOptions: map[string]tls.TLS{
-					"default/foo": {
-						MinVersion: "VersionTLS12",
-						CipherSuites: []string{
-							"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-							"TLS_RSA_WITH_AES_256_GCM_SHA384",
-						},
-						ClientCA: tls.ClientCA{
-							Files: []tls.FileOrContent{
-								tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
-								tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
+				TLS: &config.TLSConfiguration{
+					Options: map[string]tls.Options{
+						"default/foo": {
+							MinVersion: "VersionTLS12",
+							CipherSuites: []string{
+								"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+								"TLS_RSA_WITH_AES_256_GCM_SHA384",
 							},
-							Optional: true,
+							ClientCA: tls.ClientCA{
+								Files: []tls.FileOrContent{
+									tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
+									tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
+								},
+								Optional: true,
+							},
+							SniStrict: true,
 						},
-						SniStrict: true,
 					},
 				},
 				TCP: &config.TCPConfiguration{
@ -357,21 +369,23 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
 			desc:  "TLS with tls options and specific namespace",
 			paths: []string{"tcp/services.yml", "tcp/with_tls_options_and_specific_namespace.yml"},
 			expected: &config.Configuration{
-				TLSOptions: map[string]tls.TLS{
-					"myns/foo": {
-						MinVersion: "VersionTLS12",
-						CipherSuites: []string{
-							"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-							"TLS_RSA_WITH_AES_256_GCM_SHA384",
-						},
-						ClientCA: tls.ClientCA{
-							Files: []tls.FileOrContent{
-								tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
-								tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
+				TLS: &config.TLSConfiguration{
+					Options: map[string]tls.Options{
+						"myns/foo": {
+							MinVersion: "VersionTLS12",
+							CipherSuites: []string{
+								"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+								"TLS_RSA_WITH_AES_256_GCM_SHA384",
 							},
-							Optional: true,
+							ClientCA: tls.ClientCA{
+								Files: []tls.FileOrContent{
+									tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
+									tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
+								},
+								Optional: true,
+							},
+							SniStrict: true,
 						},
-						SniStrict: true,
 					},
 				},
 				TCP: &config.TCPConfiguration{
@ -413,20 +427,22 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
 			desc:  "TLS with bad tls options",
 			paths: []string{"tcp/services.yml", "tcp/with_bad_tls_options.yml"},
 			expected: &config.Configuration{
-				TLSOptions: map[string]tls.TLS{
-					"default/foo": {
-						MinVersion: "VersionTLS12",
-						CipherSuites: []string{
-							"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-							"TLS_RSA_WITH_AES_256_GCM_SHA384",
-						},
-						ClientCA: tls.ClientCA{
-							Files: []tls.FileOrContent{
-								tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
+				TLS: &config.TLSConfiguration{
+					Options: map[string]tls.Options{
+						"default/foo": {
+							MinVersion: "VersionTLS12",
+							CipherSuites: []string{
+								"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+								"TLS_RSA_WITH_AES_256_GCM_SHA384",
 							},
-							Optional: true,
+							ClientCA: tls.ClientCA{
+								Files: []tls.FileOrContent{
+									tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
+								},
+								Optional: true,
+							},
+							SniStrict: true,
 						},
-						SniStrict: true,
 					},
 				},
 				TCP: &config.TCPConfiguration{
@ -468,9 +484,11 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
 			desc:  "TLS with unknown tls options",
 			paths: []string{"tcp/services.yml", "tcp/with_unknown_tls_options.yml"},
 			expected: &config.Configuration{
-				TLSOptions: map[string]tls.TLS{
-					"default/foo": {
-						MinVersion: "VersionTLS12",
+				TLS: &config.TLSConfiguration{
+					Options: map[string]tls.Options{
+						"default/foo": {
+							MinVersion: "VersionTLS12",
+						},
 					},
 				},
 				TCP: &config.TCPConfiguration{
@ -512,9 +530,11 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
 			desc:  "TLS with unknown tls options namespace",
 			paths: []string{"tcp/services.yml", "tcp/with_unknown_tls_options_namespace.yml"},
 			expected: &config.Configuration{
-				TLSOptions: map[string]tls.TLS{
-					"default/foo": {
-						MinVersion: "VersionTLS12",
+				TLS: &config.TLSConfiguration{
+					Options: map[string]tls.Options{
+						"default/foo": {
+							MinVersion: "VersionTLS12",
+						},
 					},
 				},
 				TCP: &config.TCPConfiguration{
@ -587,6 +607,7 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
 					Middlewares: map[string]*config.Middleware{},
 					Services:    map[string]*config.Service{},
 				},
+				TLS: &config.TLSConfiguration{},
 			},
 		},
 	}
@ -627,6 +648,7 @@ func TestLoadIngressRoutes(t *testing.T) {
 					Middlewares: map[string]*config.Middleware{},
 					Services:    map[string]*config.Service{},
 				},
+				TLS: &config.TLSConfiguration{},
 			},
 		},
 		{
@ -663,6 +685,7 @@ func TestLoadIngressRoutes(t *testing.T) {
 						},
 					},
 				},
+				TLS: &config.TLSConfiguration{},
 			},
 		},
 		{
@ -711,12 +734,14 @@ func TestLoadIngressRoutes(t *testing.T) {
 						},
 					},
 				},
+				TLS: &config.TLSConfiguration{},
 			},
 		},
 		{
 			desc:  "Simple Ingress Route with middleware crossprovider",
 			paths: []string{"services.yml", "with_middleware_crossprovider.yml"},
 			expected: &config.Configuration{
+				TLS: &config.TLSConfiguration{},
 				TCP: &config.TCPConfiguration{
 					Routers:  map[string]*config.TCPRouter{},
 					Services: map[string]*config.TCPService{},
@ -814,12 +839,14 @@ func TestLoadIngressRoutes(t *testing.T) {
 						},
 					},
 				},
+				TLS: &config.TLSConfiguration{},
 			},
 		},
 		{
 			desc:  "One ingress Route with two different services, their servers will merge",
 			paths: []string{"services.yml", "with_two_services.yml"},
 			expected: &config.Configuration{
+				TLS: &config.TLSConfiguration{},
 				TCP: &config.TCPConfiguration{
 					Routers:  map[string]*config.TCPRouter{},
 					Services: map[string]*config.TCPService{},
@ -863,6 +890,7 @@ func TestLoadIngressRoutes(t *testing.T) {
 			paths:        []string{"services.yml", "simple.yml"},
 			ingressClass: "tchouk",
 			expected: &config.Configuration{
+				TLS: &config.TLSConfiguration{},
 				TCP: &config.TCPConfiguration{
 					Routers:  map[string]*config.TCPRouter{},
 					Services: map[string]*config.TCPService{},
@ -878,6 +906,7 @@ func TestLoadIngressRoutes(t *testing.T) {
 			desc:  "Route with empty rule value is ignored",
 			paths: []string{"services.yml", "with_no_rule_value.yml"},
 			expected: &config.Configuration{
+				TLS: &config.TLSConfiguration{},
 				TCP: &config.TCPConfiguration{
 					Routers:  map[string]*config.TCPRouter{},
 					Services: map[string]*config.TCPService{},
@ -893,6 +922,7 @@ func TestLoadIngressRoutes(t *testing.T) {
 			desc:  "Route with kind not of a rule type (empty kind) is ignored",
 			paths: []string{"services.yml", "with_wrong_rule_kind.yml"},
 			expected: &config.Configuration{
+				TLS: &config.TLSConfiguration{},
 				TCP: &config.TCPConfiguration{
 					Routers:  map[string]*config.TCPRouter{},
 					Services: map[string]*config.TCPService{},
@ -908,6 +938,7 @@ func TestLoadIngressRoutes(t *testing.T) {
 			desc:  "check rule quoting validity",
 			paths: []string{"services.yml", "with_bad_host_rule.yml"},
 			expected: &config.Configuration{
+				TLS: &config.TLSConfiguration{},
 				TCP: &config.TCPConfiguration{
 					Routers:  map[string]*config.TCPRouter{},
 					Services: map[string]*config.TCPService{},
@ -923,11 +954,13 @@ func TestLoadIngressRoutes(t *testing.T) {
 			desc:  "TLS",
 			paths: []string{"services.yml", "with_tls.yml"},
 			expected: &config.Configuration{
-				TLS: []*tls.Configuration{
-					{
-						Certificate: &tls.Certificate{
-							CertFile: tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
-							KeyFile:  tls.FileOrContent("-----BEGIN PRIVATE KEY-----\n-----END PRIVATE KEY-----"),
+				TLS: &config.TLSConfiguration{
+					Certificates: []*tls.CertAndStores{
+						{
+							Certificate: tls.Certificate{
+								CertFile: tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
+								KeyFile:  tls.FileOrContent("-----BEGIN PRIVATE KEY-----\n-----END PRIVATE KEY-----"),
+							},
 						},
 					},
 				},
@ -968,21 +1001,23 @@ func TestLoadIngressRoutes(t *testing.T) {
 			desc:  "TLS with tls options",
 			paths: []string{"services.yml", "with_tls_options.yml"},
 			expected: &config.Configuration{
-				TLSOptions: map[string]tls.TLS{
-					"default/foo": {
-						MinVersion: "VersionTLS12",
-						CipherSuites: []string{
-							"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-							"TLS_RSA_WITH_AES_256_GCM_SHA384",
-						},
-						ClientCA: tls.ClientCA{
-							Files: []tls.FileOrContent{
-								tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
-								tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
+				TLS: &config.TLSConfiguration{
+					Options: map[string]tls.Options{
+						"default/foo": {
+							MinVersion: "VersionTLS12",
+							CipherSuites: []string{
+								"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+								"TLS_RSA_WITH_AES_256_GCM_SHA384",
 							},
-							Optional: true,
+							ClientCA: tls.ClientCA{
+								Files: []tls.FileOrContent{
+									tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
+									tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
+								},
+								Optional: true,
+							},
+							SniStrict: true,
 						},
-						SniStrict: true,
 					},
 				},
 				TCP: &config.TCPConfiguration{
@ -1024,21 +1059,23 @@ func TestLoadIngressRoutes(t *testing.T) {
 			desc:  "TLS with tls options and specific namespace",
 			paths: []string{"services.yml", "with_tls_options_and_specific_namespace.yml"},
 			expected: &config.Configuration{
-				TLSOptions: map[string]tls.TLS{
-					"myns/foo": {
-						MinVersion: "VersionTLS12",
-						CipherSuites: []string{
-							"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-							"TLS_RSA_WITH_AES_256_GCM_SHA384",
-						},
-						ClientCA: tls.ClientCA{
-							Files: []tls.FileOrContent{
-								tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
-								tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
+				TLS: &config.TLSConfiguration{
+					Options: map[string]tls.Options{
+						"myns/foo": {
+							MinVersion: "VersionTLS12",
+							CipherSuites: []string{
+								"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+								"TLS_RSA_WITH_AES_256_GCM_SHA384",
 							},
-							Optional: true,
+							ClientCA: tls.ClientCA{
+								Files: []tls.FileOrContent{
+									tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
+									tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
+								},
+								Optional: true,
+							},
+							SniStrict: true,
 						},
-						SniStrict: true,
 					},
 				},
 				TCP: &config.TCPConfiguration{
@ -1080,20 +1117,22 @@ func TestLoadIngressRoutes(t *testing.T) {
 			desc:  "TLS with bad tls options",
 			paths: []string{"services.yml", "with_bad_tls_options.yml"},
 			expected: &config.Configuration{
-				TLSOptions: map[string]tls.TLS{
-					"default/foo": {
-						MinVersion: "VersionTLS12",
-						CipherSuites: []string{
-							"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-							"TLS_RSA_WITH_AES_256_GCM_SHA384",
-						},
-						ClientCA: tls.ClientCA{
-							Files: []tls.FileOrContent{
-								tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
+				TLS: &config.TLSConfiguration{
+					Options: map[string]tls.Options{
+						"default/foo": {
+							MinVersion: "VersionTLS12",
+							CipherSuites: []string{
+								"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+								"TLS_RSA_WITH_AES_256_GCM_SHA384",
 							},
-							Optional: true,
+							ClientCA: tls.ClientCA{
+								Files: []tls.FileOrContent{
+									tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
+								},
+								Optional: true,
+							},
+							SniStrict: true,
 						},
-						SniStrict: true,
 					},
 				},
 				TCP: &config.TCPConfiguration{
@ -1135,9 +1174,11 @@ func TestLoadIngressRoutes(t *testing.T) {
 			desc:  "TLS with unknown tls options",
 			paths: []string{"services.yml", "with_unknown_tls_options.yml"},
 			expected: &config.Configuration{
-				TLSOptions: map[string]tls.TLS{
-					"default/foo": {
-						MinVersion: "VersionTLS12",
+				TLS: &config.TLSConfiguration{
+					Options: map[string]tls.Options{
+						"default/foo": {
+							MinVersion: "VersionTLS12",
+						},
 					},
 				},
 				TCP: &config.TCPConfiguration{
@ -1179,9 +1220,11 @@ func TestLoadIngressRoutes(t *testing.T) {
 			desc:  "TLS with unknown tls options namespace",
 			paths: []string{"services.yml", "with_unknown_tls_options_namespace.yml"},
 			expected: &config.Configuration{
-				TLSOptions: map[string]tls.TLS{
-					"default/foo": {
-						MinVersion: "VersionTLS12",
+				TLS: &config.TLSConfiguration{
+					Options: map[string]tls.Options{
+						"default/foo": {
+							MinVersion: "VersionTLS12",
+						},
 					},
 				},
 				TCP: &config.TCPConfiguration{
@ -1223,6 +1266,7 @@ func TestLoadIngressRoutes(t *testing.T) {
 			desc:  "TLS with ACME",
 			paths: []string{"services.yml", "with_tls_acme.yml"},
 			expected: &config.Configuration{
+				TLS: &config.TLSConfiguration{},
 				TCP: &config.TCPConfiguration{
 					Routers:  map[string]*config.TCPRouter{},
 					Services: map[string]*config.TCPService{},
@ -1260,6 +1304,7 @@ func TestLoadIngressRoutes(t *testing.T) {
 			desc:  "Simple Ingress Route, defaulting to https for servers",
 			paths: []string{"services.yml", "with_https_default.yml"},
 			expected: &config.Configuration{
+				TLS: &config.TLSConfiguration{},
 				TCP: &config.TCPConfiguration{
 					Routers:  map[string]*config.TCPRouter{},
 					Services: map[string]*config.TCPService{},
--- a/pkg/provider/kubernetes/ingress/kubernetes.go
+++ b/pkg/provider/kubernetes/ingress/kubernetes.go
@ -257,7 +257,7 @@ func (p *Provider) loadConfigurationFromIngresses(ctx context.Context, client Cl

 	ingresses := client.GetIngresses()

-	tlsConfigs := make(map[string]*tls.Configuration)
+	tlsConfigs := make(map[string]*tls.CertAndStores)
 	for _, ingress := range ingresses {
 		ctx = log.With(ctx, log.Str("ingress", ingress.Name), log.Str("namespace", ingress.Namespace))

@ -341,7 +341,13 @@ func (p *Provider) loadConfigurationFromIngresses(ctx context.Context, client Cl
 		}
 	}

-	conf.TLS = getTLSConfig(tlsConfigs)
+	certs := getTLSConfig(tlsConfigs)
+	if len(certs) > 0 {
+		conf.TLS = &config.TLSConfiguration{
+			Certificates: certs,
+		}
+	}
+
 	return conf
 }

@ -350,7 +356,7 @@ func shouldProcessIngress(ingressClass string, ingressClassAnnotation string) bo
 		(len(ingressClass) == 0 && ingressClassAnnotation == traefikDefaultIngressClass)
 }

-func getTLS(ctx context.Context, ingress *v1beta1.Ingress, k8sClient Client, tlsConfigs map[string]*tls.Configuration) error {
+func getTLS(ctx context.Context, ingress *v1beta1.Ingress, k8sClient Client, tlsConfigs map[string]*tls.CertAndStores) error {
 	for _, t := range ingress.Spec.TLS {
 		if t.SecretName == "" {
 			log.FromContext(ctx).Debugf("Skipping TLS sub-section: No secret name provided")
@ -372,8 +378,8 @@ func getTLS(ctx context.Context, ingress *v1beta1.Ingress, k8sClient Client, tls
 				return err
 			}

-			tlsConfigs[configKey] = &tls.Configuration{
-				Certificate: &tls.Certificate{
+			tlsConfigs[configKey] = &tls.CertAndStores{
+				Certificate: tls.Certificate{
 					CertFile: tls.FileOrContent(cert),
 					KeyFile:  tls.FileOrContent(key),
 				},
@ -384,14 +390,14 @@ func getTLS(ctx context.Context, ingress *v1beta1.Ingress, k8sClient Client, tls
 	return nil
 }

-func getTLSConfig(tlsConfigs map[string]*tls.Configuration) []*tls.Configuration {
+func getTLSConfig(tlsConfigs map[string]*tls.CertAndStores) []*tls.CertAndStores {
 	var secretNames []string
 	for secretName := range tlsConfigs {
 		secretNames = append(secretNames, secretName)
 	}
 	sort.Strings(secretNames)

-	var configs []*tls.Configuration
+	var configs []*tls.CertAndStores
 	for _, secretName := range secretNames {
 		configs = append(configs, tlsConfigs[secretName])
 	}
--- a/pkg/provider/kubernetes/ingress/kubernetes_test.go
+++ b/pkg/provider/kubernetes/ingress/kubernetes_test.go
@ -702,11 +702,13 @@ func TestLoadConfigurationFromIngresses(t *testing.T) {
 						},
 					},
 				},
-				TLS: []*tls.Configuration{
-					{
-						Certificate: &tls.Certificate{
-							CertFile: tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
-							KeyFile:  tls.FileOrContent("-----BEGIN PRIVATE KEY-----\n-----END PRIVATE KEY-----"),
+				TLS: &config.TLSConfiguration{
+					Certificates: []*tls.CertAndStores{
+						{
+							Certificate: tls.Certificate{
+								CertFile: tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
+								KeyFile:  tls.FileOrContent("-----BEGIN PRIVATE KEY-----\n-----END PRIVATE KEY-----"),
+							},
 						},
 					},
 				},
@ -973,7 +975,7 @@ func TestGetTLS(t *testing.T) {
 		desc      string
 		ingress   *v1beta1.Ingress
 		client    Client
-		result    map[string]*tls.Configuration
+		result    map[string]*tls.CertAndStores
 		errResult string
 	}{
 		{
@ -1080,15 +1082,15 @@ func TestGetTLS(t *testing.T) {
 					},
 				},
 			},
-			result: map[string]*tls.Configuration{
+			result: map[string]*tls.CertAndStores{
 				"testing/test-secret": {
-					Certificate: &tls.Certificate{
+					Certificate: tls.Certificate{
 						CertFile: tls.FileOrContent("tls-crt"),
 						KeyFile:  tls.FileOrContent("tls-key"),
 					},
 				},
 				"testing/test-secret2": {
-					Certificate: &tls.Certificate{
+					Certificate: tls.Certificate{
 						CertFile: tls.FileOrContent("tls-crt"),
 						KeyFile:  tls.FileOrContent("tls-key"),
 					},
@ -1099,7 +1101,7 @@ func TestGetTLS(t *testing.T) {
 			desc:    "return nil when no secret is defined",
 			ingress: testIngressWithoutSecret,
 			client:  clientMock{},
-			result:  map[string]*tls.Configuration{},
+			result:  map[string]*tls.CertAndStores{},
 		},
 	}

@ -1108,7 +1110,7 @@ func TestGetTLS(t *testing.T) {
 		t.Run(test.desc, func(t *testing.T) {
 			t.Parallel()

-			tlsConfigs := map[string]*tls.Configuration{}
+			tlsConfigs := map[string]*tls.CertAndStores{}
 			err := getTLS(context.Background(), test.ingress, test.client, tlsConfigs)

 			if test.errResult != "" {