Allow root CA to be added through config maps

pkg/provider/kubernetes/crd/traefikio/v1alpha1/serverstransport.go

@@ -31,7 +31,10 @@ type ServersTransportSpec struct {
 	ServerName string `json:"serverName,omitempty"`
 	// InsecureSkipVerify disables SSL certificate verification.
 	InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"`
+	// RootCAs defines a list of CA certificate Secrets or ConfigMaps used to validate server certificates.
+	RootCAs []RootCA `json:"rootCAs,omitempty"`
 	// RootCAsSecrets defines a list of CA secret used to validate self-signed certificate.
+	// Deprecated: RootCAsSecrets is deprecated, please use the RootCAs option instead.
 	RootCAsSecrets []string `json:"rootCAsSecrets,omitempty"`
 	// CertificatesSecrets defines a list of secret storing client certificates for mTLS.
 	CertificatesSecrets []string `json:"certificatesSecrets,omitempty"`
@@ -74,6 +77,20 @@ type ForwardingTimeouts struct {
 	PingTimeout *intstr.IntOrString `json:"pingTimeout,omitempty"`
 }
 
+// +k8s:deepcopy-gen=true
+
+// RootCA defines a reference to a Secret or a ConfigMap that holds a CA certificate.
+// If both a Secret and a ConfigMap reference are defined, the Secret reference takes precedence.
+// +kubebuilder:validation:XValidation:rule="has(self.secret) && has(self.configMap)",message="RootCA cannot have both Secret and ConfigMap defined."
+type RootCA struct {
+	// Secret defines the name of a Secret that holds a CA certificate.
+	// The referenced Secret must contain a certificate under either a tls.ca or a ca.crt key.
+	Secret *string `json:"secret,omitempty"`
+	// ConfigMap defines the name of a ConfigMap that holds a CA certificate.
+	// The referenced ConfigMap must contain a certificate under either a tls.ca or a ca.crt key.
+	ConfigMap *string `json:"configMap,omitempty"`
+}
+
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 // ServersTransportList is a collection of ServersTransport resources.