Default TLS options without Host

I'm using Traefik 2.4 on a Kubernetes cluster (v1.21), deployed through the helm chart.

I have two entrypoints, defined as follows:

      --entryPoints.websecure.address=:32443/tcp
      --entrypoints.websecure.http.tls=true
      --entrypoints.websecure.http.tls.options=traefik-v2-default-tlsoptions@kubernetescrd
      --entryPoints.mtls.address=:32444/tcp
      --entrypoints.mtls.http.tls=true
      --entrypoints.mtls.http.tls.options=traefik-v2-mtls@kubernetescrd

websecure TLSOptions:

  spec:
    minVersion: VersionTLS12

mtls TLSOptions:

  spec:
    clientAuth:
      clientAuthType: RequireAndVerifyClientCert
      secretNames:
      - test-mtls-ca-cert
    minVersion: VersionTLS12

It was my understanding that the TLSOptions defined on the entrypoint level would be the fallback TLS options for any route on that entrypoint.
I did some testing, but my client certificates are only checked for hosts that are explicitly defined in routes under the mtls entrypoint.

So I read through some other issues and went through the documentation again. Now I am led to believe that, as with TLS options defined on a router level, there must be a matching Host condition somewhere in the routes on this entrypoint before the TLS options as defined on the entrypoint level will take effect.

From reading through other issues, I get the feeling that there are some hidden TLS options that are the real fallback when there is no matching host, and that these options are global and unrelated to the entrypoint spec. However it is not clear to me where I could find these options or how I can modify them through the Helm chart.

My request basically boils down to 2 questions:

  1. Can someone verify that TLS options defined on the entrypoint level only take effect if there is a matching Host in the underlying routes?
  2. How can I make sure that all requests that arrive through the mtls entrypoint must contain a valid client certificate, without having to add hosts explicitly?
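An added illustration of the behaviour described in this post (example code written for this page, not Traefik's own code): TLS options are chosen per SNI name the way a router's Host rule would select them, and any name without a match gets the fallback options, so a client-certificate requirement that only the matched options carry is never applied to unlisted hosts. Go's `crypto/tls` `GetConfigForClient` stands in for the per-router selection; the host name `mtls.example` and the self-signed certificate are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway server certificate for the in-process listener (constructed test material).
func selfSigned(name string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name}, NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// HandshakeWithoutClientCert reports whether a client presenting no certificate completes a TLS 1.2 handshake for the
// given SNI. Only "mtls.example" (made-up, standing in for a router with a Host rule) selects the strict options.
func HandshakeWithoutClientCert(sni string) bool {
	certs := []tls.Certificate{selfSigned("mtls.example")}
	strict := &tls.Config{Certificates: certs, MinVersion: tls.VersionTLS12, ClientAuth: tls.RequireAndVerifyClientCert}
	fallback := &tls.Config{Certificates: certs, MinVersion: tls.VersionTLS12} // no clientAuth, like the websecure options
	srv := &tls.Config{GetConfigForClient: func(hi *tls.ClientHelloInfo) (*tls.Config, error) {
		if hi.ServerName == "mtls.example" {
			return strict, nil
		}
		return fallback, nil // no Host match: the fallback options decide, and they never ask for a client cert
	}}
	ln, _ := net.Listen("tcp", "127.0.0.1:0")
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil { // serve exactly one connection
			_ = tls.Server(c, srv).Handshake() // fails when the selected options require a client cert
			c.Close()
		}
	}()
	// TLS 1.2 is pinned so that a missing client certificate fails the handshake itself rather than the first read.
	cli := &tls.Config{ServerName: sni, MaxVersion: tls.VersionTLS12, InsecureSkipVerify: true} // self-signed test cert
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err != nil {
		return false
	}
	conn.Close()
	return true
}
```

The same probe against a live entrypoint is `openssl s_client -connect <host>:32444 -servername unlisted.example`: the server only sends a certificate request when the options selected for that SNI require one.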

@lanmarti - did you ever end up w/ a solution to this? I'm losing my mind trying to disable old TLS versions...

I'm sorry for the late reply, but I don't think I'll be able to help. We've switched to host matching on nearly every ingress resource and are using explicit TLS options references on the routers for those domains where the correct TLS options are critical.