apiVersion: v1
kind: Namespace
metadata:
  name: foo

---
apiVersion: v1
kind: Secret
metadata:
  name: root-ca0
  namespace: foo

data:
  foobar: VEVTVFJPT1RDQVMw

---
apiVersion: v1
kind: Secret
metadata:
  name: root-ca1
  namespace: foo

data:
  tls.ca: VEVTVFJPT1RDQVMx

---
apiVersion: v1
kind: Secret
metadata:
  name: root-ca2
  namespace: foo

data:
  tls.ca: VEVTVFJPT1RDQVMy

---
apiVersion: v1
kind: Secret
metadata:
  name: root-ca3
  namespace: foo

data:
  ca.crt: VEVTVFJPT1RDQVMz

---
apiVersion: v1
kind: Secret
metadata:
  name: root-ca4
  namespace: foo

data:
  ca.crt: VEVTVFJPT1RDQVM0
  tls.ca: VEVTVFJPT1RDQVM1 # <-- This should be the preferred one.

---
apiVersion: v1
kind: Secret
metadata:
  name: root-ca5
  namespace: foo

data:
  ca.crt: VEVTVFJPT1RDQVM2

---
apiVersion: v1
kind: Secret
metadata:
  name: root-ca6
  namespace: foo

data:
  ca.crt: VEVTVFJPT1RDQVM3

---
apiVersion: v1
kind: Secret
metadata:
  name: mtls1
  namespace: foo

data:
  tls.crt: VEVTVENFUlQx
  tls.key: VEVTVEtFWTE=

---
apiVersion: v1
kind: Secret
metadata:
  name: mtls2
  namespace: foo

data:
  tls.crt: VEVTVENFUlQy
  tls.key: VEVTVEtFWTI=

---
apiVersion: v1
kind: Secret
metadata:
  name: allcerts
  namespace: foo

data:
  ca.crt: VEVTVEFMTENFUlRT
  tls.crt: VEVTVENFUlQz
  tls.key: VEVTVEtFWTM=

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: root-ca-as-config-map
  namespace: foo

data:
  ca.crt: "TESTROOTCASFROMCONFIGMAP"

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: root-ca-as-config-map-2
  namespace: foo

data:
  ca.crt: "TESTROOTCASFROMCONFIGMAP2"

---
apiVersion: traefik.io/v1alpha1
kind: ServersTransport
metadata:
  name: test
  namespace: foo

spec:
  serverName: "test"
  insecureSkipVerify: true
  maxIdleConnsPerHost: 42
  disableHTTP2: true
  peerCertURI: foo://bar
  rootCAsSecrets:
    - root-ca0
    - root-ca1
    - root-ca2
    - root-ca3
    - root-ca4
    - allcerts
  rootCAs:
    - configMap: root-ca-as-config-map
    - secret: root-ca5
    # referencing both a ConfigMap and a Secret should fail.
    - configMap: root-ca-as-config-map-2
      secret: root-ca6
  certificatesSecrets:
    - mtls1
    - mtls2
    - allcerts
  forwardingTimeouts:
    dialTimeout: 42
    responseHeaderTimeout: 42s
    idleConnTimeout: 42ms
    readIdleTimeout: 42s
    pingTimeout: 42s
  spiffe:
    ids:
      - spiffe://foo/buz
      - spiffe://bar/biz
    trustDomain: spiffe://lol

---
apiVersion: traefik.io/v1alpha1
kind: ServersTransport
metadata:
  name: test
  namespace: default

spec:
  serverName: "test"

---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: test.route
  namespace: default

spec:
  entryPoints:
    - foo

  routes:
    - match: Host(`foo.com`)
      kind: Rule
      services:
        - name: external-svc-with-https
          port: 443
          serversTransport: test
        - name: whoamitls
          port: 443
          serversTransport: default-test