Is it possible to add multiple TLS options to a particular route?

Hi, I've defined the following within my dynamic config file:

tls:
  options:
    default:
      minVersion: VersionTLS12
      sniStrict: true
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    intermediate:
      minVersion: VersionTLS12
      sniStrict: true
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    modern:
      minVersion: VersionTLS13
      sniStrict: true
    syncthing-discosrv:
      clientAuth:
        clientAuthType: RequireAnyClientCert

What I would like to do is combine the modern and syncthing-discosrv options within a docker provider definition like this:

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.tls.options=modern@file,syncthing-discosrv@file"

I'm getting an error when trying to combine the options as such. Is this not an option, or do I just need to duplicate the modern options within my defined syncthing-discosrv label so it's more like this:

    syncthing-discosrv:
      minVersion: VersionTLS13
      sniStrict: true
      clientAuth:
        clientAuthType: RequireAnyClientCert

Yup. You can only select one TLS options.

@cakiwi

Thanks for the reply -- I guess that clarifies some things. It would be nice to be able to combine some options to decrease verbosity, however I'm not exactly sure how traefik is written and developed. It would be nice to pass an array or array of objects rather than just an object.

Thanks for clarification.

It's defined in yaml, so you can use yaml tricks to define and reuse blocks.

Dang -- I didn't even know about the anchor/merge feature of yaml. Do you know of a good yaml configuration check or a program that will take the yaml file and expand upon all the anchors and merges to check the configuration?

I often use yq.

tls.yaml
tls:
  options:
    default:
      minVersion: VersionTLS12
      sniStrict: true
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    intermediate: &int
      minVersion: VersionTLS12
      sniStrict: true
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    modern: &modern
      minVersion: VersionTLS13
      sniStrict: true
    syncthing-discosrv:
      <<: *modern
      clientAuth:
        clientAuthType: RequireAnyClientCert

yq -y . tls.yaml 
tls:
  options:
    default:
      minVersion: VersionTLS12
      sniStrict: true
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    intermediate:
      minVersion: VersionTLS12
      sniStrict: true
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    modern:
      minVersion: VersionTLS13
      sniStrict: true
    syncthing-discosrv:
      minVersion: VersionTLS13
      sniStrict: true
      clientAuth:
        clientAuthType: RequireAnyClientCert

I'm wondering if I'm using the same yq executable as yours since:

yq -y . dynamic_conf.yaml
Error: unknown command "dynamic_conf.yaml" for "yq"
Run 'yq --help' for usage.

In fact I don't even see -y as a flag for yq.

$ yq -V
yq (https://github.com/mikefarah/yq/) version 4.13.5

I clearly don't know how to use yq to expand merge statements, but I did run across bosh ("Installing the CLI - Cloud Foundry BOSH"), whose bosh interpolate will actually expand the merge statements for verification.

I guess not: GitHub - kislyuk/yq: Command-line YAML, XML, TOML processor - jq wrapper for YAML/XML/TOML documents
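
Added example, not part of the thread: one way to expand the anchors and merges and check the result without either yq, using the YAML parser bundled with Ruby. The embedded YAML is a constructed, shortened copy of the tls.yaml above; the `legacy-app` entry, the function names and the minVersion/sniStrict policy being checked are assumptions.

```ruby
require "yaml"
require "json"

# Constructed sample: the thread's tls.yaml with the cipher lists left out,
# plus a hypothetical "legacy-app" entry that forgot the merge.
TLS_YAML = <<~YAML
  tls:
    options:
      modern: &modern
        minVersion: VersionTLS13
        sniStrict: true
      syncthing-discosrv:
        <<: *modern
        clientAuth:
          clientAuthType: RequireAnyClientCert
      legacy-app:
        clientAuth:
          clientAuthType: RequireAnyClientCert
YAML

# Traefik's minVersion names, weakest first.
VERSION_ORDER = %w[VersionTLS10 VersionTLS11 VersionTLS12 VersionTLS13].freeze

# aliases: true lets safe_load resolve *anchors and "<<" merge keys.
def expand(yaml_text)
  YAML.safe_load(yaml_text, aliases: true)
end

# Returns {options_name => [problems]} for each options set that, once
# expanded, has no usable minVersion, one below `floor`, or sniStrict off.
def audit_tls_options(config, floor: "VersionTLS12")
  config.fetch("tls").fetch("options").each_with_object({}) do |(name, opts), findings|
    problems = []
    rank = VERSION_ORDER.index(opts["minVersion"])
    if rank.nil?
      problems << "minVersion missing or unknown"
    elsif rank < VERSION_ORDER.index(floor)
      problems << "minVersion #{opts['minVersion']} below #{floor}"
    end
    problems << "sniStrict not enabled" unless opts["sniStrict"] == true
    findings[name] = problems unless problems.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  config = expand(TLS_YAML)
  puts JSON.pretty_generate(config) # expanded view, no anchors or merges left
  audit_tls_options(config).each { |name, probs| puts "#{name}: #{probs.join('; ')}" }
end
```

The merge is shallow: a key set directly under an options name replaces the whole value inherited through `<<`, so it is the expanded output that should be reviewed, not the anchored source.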