From b80f89e3db78be011381ca81b58c4f046ccbea47 Mon Sep 17 00:00:00 2001
From: Andrew Savinykh <658865+AndrewSav@users.noreply.github.com>
Date: Fri, 16 Oct 2020 01:12:04 +1300
Subject: [PATCH] Adding details about the default TLS options to the
 documentation

---
 docs/content/https/tls.md | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/docs/content/https/tls.md b/docs/content/https/tls.md
index a0f667d48..71fd50222 100644
--- a/docs/content/https/tls.md
+++ b/docs/content/https/tls.md
@@ -134,14 +134,23 @@ If no default certificate is provided, Traefik generates and uses a self-signed
 
 The TLS options allow one to configure some parameters of the TLS connection.
 
+!!! important "'default' TLS Option"
+
+    The `default` option is special.
+    When no tls options are specified in a tls router, the `default` option is used.  
+    When specifying the `default` option explicitly, make sure not to specify provider namespace as the `default` option does not have one.  
+    Conversely, for cross-provider references, for example, when referencing the file provider from a docker label,
+    you must specify the provider namespace, for example:  
+    `traefik.http.routers.myrouter.tls.options=myoptions@file`
+
 !!! important "TLSOptions in Kubernetes"
 
     When using the TLSOptions-CRD in Kubernetes, one might setup a default set of options that,
-    if not explicitly overwritten, should apply to all ingresses. To achieve that, you'll have to
-    create a TLSOptions CR with the name `default`. There may exist only one TLSOption with the 
-    name `default` (across all namespaces) - otherwise they will be dropped.  
-    To explicitly use a different TLSOption (and using the Kubernetes Ingress resources) you'll 
-    have to add an annotation to the Ingress in the following form:
+    if not explicitly overwritten, should apply to all ingresses.  
+    To achieve that, you'll have to create a TLSOptions CR with the name `default`.
+    There may exist only one TLSOption with the name `default` (across all namespaces) - otherwise they will be dropped.  
+    To explicitly use a different TLSOption (and using the Kubernetes Ingress resources)
+    you'll have to add an annotation to the Ingress in the following form:
     `traefik.ingress.kubernetes.io/router.tls.options: <resource-namespace>-<resource-name>@kubernetescrd`
 
 ### Minimum TLS Version