alibaba / higress

Cloud Native API Gateway | 云原生API网关
https://higress.io
Apache License 2.0
2.53k stars, 418 forks

Add support for a default SSL certificate. #768

Open zzjin opened 5 months ago

zzjin commented 5 months ago

Why do you need it?

When one cluster has multiple ingresses under different namespaces that share one subdomain, the wildcard certificate needs to be copied into every namespace. This consumes more resources and may increase the risk of a certificate leak, e.g.:

How could it be?

Define one global ConfigMap field to support a default SSL certificate.

When one namespace's ingress is set to use a TLS secret but that secret fails to resolve (either not found or the wrong secret), Higress then searches this global config to see whether the hosts match the cert's domains (especially for a wildcard cert).

But be careful: when using cert-manager with this function, the first time reconcile is triggered the tls.secretName will be missing in the same namespace (while the cert is being issued); we should switch to the right cert in time once the cert is ready.

Other related information

ingress-nginx supports this: https://kubernetes.github.io/ingress-nginx/user-guide/tls/#default-ssl-certificate
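The fallback described in the comment above, as an added example that is not Higress code and not part of the original issue. It assumes a hypothetical `TLSSecret` type and a `SecretStore` keyed by `namespace/name` standing in for the Kubernetes secret cache, and a hypothetical `ResolveCert` function: the namespace-local secret named by the ingress wins when it exists and its certificate covers the host; otherwise the global default certificate is used, but only if its SANs (including a wildcard) cover the host, so that a mis-scoped default is never served for a host it cannot authenticate. Host matching is delegated to `x509.Certificate.VerifyHostname`, which implements the usual single-label wildcard rule. The certificates are self-signed test certificates generated inline so the example runs offline; the second resolution in `main` models the cert-manager case where the secret appears after the first reconcile.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TLSSecret is a minimal stand-in for a Kubernetes TLS secret (hypothetical type).
type TLSSecret struct {
	Namespace string
	Name      string
	Cert      *x509.Certificate
}

// SecretStore maps "namespace/name" to a parsed TLS secret (hypothetical cache).
type SecretStore map[string]*TLSSecret

// ErrNoCert is returned when neither the ingress secret nor the default covers the host.
var ErrNoCert = errors.New("no usable certificate for host")

// hostMatchesCert reports whether host is covered by one of the certificate's SANs.
// VerifyHostname applies the standard wildcard rule: "*.example.com" matches
// "app.example.com" but neither "example.com" nor "a.b.example.com".
func hostMatchesCert(cert *x509.Certificate, host string) bool {
	return cert != nil && cert.VerifyHostname(host) == nil
}

// ResolveCert picks the certificate to serve for host on an ingress in namespace ns
// that references secretName. Returns the secret, where it came from ("ingress" or
// "default"), or ErrNoCert. A missing or non-matching ingress secret falls back to
// the default only when the default actually covers the host.
func ResolveCert(store SecretStore, ns, secretName, host string, def *TLSSecret) (*TLSSecret, string, error) {
	if s, ok := store[ns+"/"+secretName]; ok && hostMatchesCert(s.Cert, host) {
		return s, "ingress", nil
	}
	if def != nil && hostMatchesCert(def.Cert, host) {
		return def, "default", nil
	}
	return nil, "", ErrNoCert
}

// newCert creates a short-lived self-signed certificate with the given DNS SANs
// (test material constructed for this example).
func newCert(dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     dnsNames,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	wild, err := newCert([]string{"*.example.com", "example.com"})
	if err != nil {
		panic(err)
	}
	def := &TLSSecret{Namespace: "higress-system", Name: "wildcard-tls", Cert: wild}
	store := SecretStore{}

	// First reconcile: cert-manager has not written team-a/app-tls yet -> default.
	_, src, err := ResolveCert(store, "team-a", "app-tls", "app.example.com", def)
	fmt.Println("before issuance:", src, err)

	// Secret appears later: the namespace-local cert takes over.
	own, _ := newCert([]string{"app.example.com"})
	store["team-a/app-tls"] = &TLSSecret{Namespace: "team-a", Name: "app-tls", Cert: own}
	_, src, err = ResolveCert(store, "team-a", "app-tls", "app.example.com", def)
	fmt.Println("after issuance:", src, err)

	// Host outside the wildcard's single label: no fallback, error surfaces.
	_, _, err = ResolveCert(store, "team-a", "app-tls", "a.b.example.com", def)
	fmt.Println("uncovered host:", err)
}
```

Note that the fallback keys on SAN coverage, not on the secret merely being absent: if the default does not cover the host the resolver returns an error rather than silently serving a certificate the client would reject, which also keeps a misconfigured ingress visible instead of masking it behind the global certificate.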

cr7258 commented 2 months ago

Hi @johnlanni, I would like to work on this issue. Can you please assign this issue to me? Thank you.