Ok, burned at least 8+ hours on this so far and losing my mind:
I simply want to disable TLS 1.0/1.1 globally for traefik. No matter what I do, when running testssl.sh or using any available TLS eval tool, TLS 1.0 and 1.1 are still enabled...
I'm starting traefik 2.6.3 w/ the helm chart on k8s
I've read about every post on the internet about this + the docs and tried about every combination of ingress annotation...and what seems available in the chart.... this should be much simpler.
Can anyone provide an example of how they have successfully disabled TLS 1.0 and 1.1 on Kubernetes for any Ingress that is deployed including the default when no SNI is provided?
I then did the following in the values.yaml for the Helm chart to mount and read this config:
...
volumes:
  - name: traefik-dynamicconfig
    mountPath: /etc/traefik/dynamic/
    type: configMap
...
additionalArguments:
  ...
  # read dynamic configuration from files in this directory
  - "--providers.file.directory=/etc/traefik/dynamic/"
  ...
(I also use this to load some default middlewares that I can either use manually on any ingress(route) or that are enabled by default on all routes with additionalArgument "--entryPoints.websecure.http.middlewares=name-of-my-default-middleware@file")
Looking at the documentation, your default TLSOption resource should work out-of-the-box without any configuration in Traefik though:
When using the TLSOption resource in Kubernetes, one might setup a default set of options that, if not explicitly overwritten, should apply to all ingresses.
To achieve that, you'll have to create a TLSOption resource with the name default. There may exist only one TLSOption with the name default (across all namespaces) - otherwise they will be dropped.
Please note: if you are using Cloudflare in front of your traefik server then you need to configure these settings in Cloudflare, not in traefik. I spent a whole day configuring TLSOptions in traefik and realized I was getting a B grade because of the settings configured in Cloudflare.
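The default TLS options discussed in this thread, written out as an added example that is not part of any post above. It shows two alternative ways to set a TLS 1.2 minimum for every router, including connections without SNI; the `traefik` namespace and the `tls.yaml` key are assumptions, while the ConfigMap name matches the volume mounted in the values.yaml excerpt.

```yaml
# Added example, not from the thread. Apply ONE of the two documents below
# and keep a single definition of the "default" options.

# Option A: Kubernetes CRD provider (Traefik 2.x API group).
# The resource must be named "default", and only one TLSOption with that
# name may exist across all namespaces.
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: default
  namespace: traefik        # assumption: namespace where Traefik is installed
spec:
  minVersion: VersionTLS12  # TLS 1.0 and 1.1 handshakes are refused
---
# Option B: file provider, loaded through the ConfigMap mounted at
# /etc/traefik/dynamic/ and read by --providers.file.directory.
apiVersion: v1
kind: ConfigMap
metadata:
  name: traefik-dynamicconfig
  namespace: traefik        # assumption
data:
  tls.yaml: |               # assumption: any .yaml file in the directory is read
    tls:
      options:
        default:
          minVersion: VersionTLS12
```

After applying either form, re-run testssl.sh against the Traefik endpoint itself. If a CDN or proxy terminates TLS in front of it, the scan reports that proxy's protocol settings.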