apiVersion: v1
kind: Secret
metadata:
  name: secretCA1
  namespace: myns

data:
  tls.ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=

---
apiVersion: v1
kind: Secret
metadata:
  name: secretCA2
  namespace: myns

data:
  tls.ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=

---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: foo
  namespace: myns

spec:
  minVersion: VersionTLS12
  sniStrict: true
  cipherSuites:
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    - TLS_RSA_WITH_AES_256_GCM_SHA384
  clientAuth:
    secretNames:
      - secretCA1
      - secretCA2
    clientAuthType: VerifyClientCertIfGiven

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: test.route
  namespace: default

spec:
  entryPoints:
    - web

  routes:
  - match: Host(`foo.com`) && PathPrefix(`/bar`)
    kind: Rule
    priority: 12
    services:
    - name: whoami
      port: 80

  tls:
    options:
      name: foo
      namespace: myns