Why do you need it?
When one cluster has multiple ingresses under different namespaces that share one subdomain, the wildcard certificate needs to be copied into every namespace.
This consumes more resources and may increase the risk of a cert leak.
e.g.:
namespace a has one ingress a.example.com
namespace b has one ingress b.example.com
...
and the cluster has a *.example.com cert
How could it be?
Define one global ConfigMap field to support default ssl certificate.
When one namespace's ingress is set to use one tls secret but it fails to resolve (either not found or wrong secret), higress then searches this global config to see if the hosts match the cert's domains (especially for a wildcard cert).
But be careful: when using cert-manager with this function, the first time reconcile is triggered the tls.secretName will be missing under the same namespace (while the cert is being issued), so we should update to the right cert in time when the cert is ready.
Other related information
Which ingress-nginx supports: https://kubernetes.github.io/ingress-nginx/user-guide/tls/#default-ssl-certificate
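A sketch of the fallback described in this request, added here as an illustration and not taken from Higress: the namespace secret wins when it resolves, and the global default is used only when its DNS names cover every host. `Cert`, `covers` and `pickCert` are hypothetical names, and the sample certificate is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Cert is a hypothetical stand-in for a parsed TLS secret; only its DNS SANs matter here.
type Cert struct {
	Name     string
	DNSNames []string
}

// covers reports whether one SAN pattern covers host. A wildcard stands for
// exactly one left-most label, so *.example.com covers a.example.com but
// neither example.com nor x.a.example.com.
func covers(pattern, host string) bool {
	pattern, host = strings.ToLower(pattern), strings.ToLower(host)
	if !strings.HasPrefix(pattern, "*.") {
		return pattern == host
	}
	label, rest, ok := strings.Cut(host, ".")
	return ok && label != "" && rest == pattern[2:]
}

// pickCert prefers the namespace secret when it resolved. Otherwise it returns
// the global default only if that cert covers every host, and nil if not.
func pickCert(nsSecret, globalDefault *Cert, hosts []string) *Cert {
	if nsSecret != nil || globalDefault == nil {
		return nsSecret
	}
hosts:
	for _, h := range hosts {
		for _, p := range globalDefault.DNSNames {
			if covers(p, h) {
				continue hosts
			}
		}
		return nil // a host the default cert does not cover: no silent mismatch
	}
	return globalDefault
}

func main() {
	def := &Cert{Name: "default/wildcard", DNSNames: []string{"*.example.com"}} // constructed sample
	for _, h := range []string{"a.example.com", "x.a.example.com", "b.example.org"} {
		fmt.Println(h, pickCert(nil, def, []string{h}) != nil)
	}
}
```

Because the namespace secret always takes precedence, re-running `pickCert` on the next reconcile switches an ingress from the default to its own cert once cert-manager has created the secret.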