apiVersion: v1
kind: Secret
metadata:
  name: rootCas0
  namespace: foo

data:
  foobar: VEVTVFJPT1RDQVMw

---
apiVersion: v1
kind: Secret
metadata:
  name: rootCas1
  namespace: foo

data:
  tls.ca: VEVTVFJPT1RDQVMx

---
apiVersion: v1
kind: Secret
metadata:
  name: rootCas2
  namespace: foo

data:
  tls.ca: VEVTVFJPT1RDQVMy

---
apiVersion: v1
kind: Secret
metadata:
  name: rootCas3
  namespace: foo

data:
  ca.crt: VEVTVFJPT1RDQVMz

---
apiVersion: v1
kind: Secret
metadata:
  name: rootCas4
  namespace: foo

data:
  ca.crt: VEVTVFJPT1RDQVM0
  tls.ca: VEVTVFJPT1RDQVM1 # <-- This should be the prefered one.

---
apiVersion: v1
kind: Secret
metadata:
  name: mtls1
  namespace: foo

data:
  tls.crt: VEVTVENFUlQx
  tls.key: VEVTVEtFWTE=

---
apiVersion: v1
kind: Secret
metadata:
  name: mtls2
  namespace: foo

data:
  tls.crt: VEVTVENFUlQy
  tls.key: VEVTVEtFWTI=

---
apiVersion: v1
kind: Secret
metadata:
  name: allcerts
  namespace: foo

data:
  ca.crt: VEVTVEFMTENFUlRT
  tls.crt: VEVTVENFUlQz
  tls.key: VEVTVEtFWTM=

---
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: test
  namespace: foo

spec:
  serverName: "test"
  insecureSkipVerify: true
  maxIdleConnsPerHost: 42
  rootCAsSecrets:
  - rootCas0
  - rootCas1
  - rootCas2
  - rootCas3
  - rootCas4
  - allcerts
  certificatesSecrets:
  - mtls1
  - mtls2
  - allcerts
  forwardingTimeouts:
    dialTimeout: 42
    responseHeaderTimeout: 42s
    idleConnTimeout: 42ms