smallstep / helm-charts

Helm packages for Kubernetes
Apache License 2.0

Request for more detailed documentation on restrictCertificatesToNamespace parameter #197

Closed slavb18 closed 1 month ago

slavb18 commented 1 month ago

Dear autocert maintainers,

I’ve noticed that the current documentation for the restrictCertificatesToNamespace parameter contains the following description:

"If certificate names are restricted to the namespace"

However, the documentation does not provide further details on how this parameter works, its impact on certificate management across namespaces, or its specific use cases. It would be helpful if you could clarify the following points:

  1. How does this parameter work?
  2. What are the potential security and operational implications of enabling restrictCertificatesToNamespace?
  3. Could you provide an example scenario where this parameter is recommended and how it affects the configuration?

Thank you for maintaining this great tool!

maraino commented 1 month ago

If restrictCertificatesToNamespace is set to false (the default), autocert will allow you to set any domain, but if you set it to true, it will enforce a name like something.<namespace>.svc.<cluster-domain>, for example, test.default.svc.cluster.local.

Operational implications depend on how you use those deployments. For example, if you expose them outside of k8s, you might want to keep the default value, false, so you don't have to configure the DNS to resolve k8s domains. However, if you only use the certificates inside the cluster, you can be more strict and enforce the domain name.

Feel free to reopen this issue if it doesn't resolve your questions.
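The rule maraino describes (with the restriction enabled, a requested name must be a single service label followed by the requesting pod's own namespace, "svc", and the cluster domain) can be written down as a small check. The following is an added illustration, not autocert's own code: the function names AllowedCertName and NamespaceScopedName, the cluster domain "cluster.local" and the sample names are assumptions chosen for the example. Besides the exact-match case it also rejects the variants a defender would care about: a name in another namespace, an extra sub-label in front of the service name, and a public domain when the restriction is on.

```go
package main

import (
	"fmt"
	"strings"
)

// isDNSLabel reports whether s is a single lowercase DNS label
// (1-63 chars, a-z/0-9/'-', no leading or trailing hyphen).
func isDNSLabel(s string) bool {
	if len(s) == 0 || len(s) > 63 {
		return false
	}
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c >= 'a' && c <= 'z', c >= '0' && c <= '9':
		case c == '-' && i != 0 && i != len(s)-1:
		default:
			return false
		}
	}
	return true
}

// NamespaceScopedName builds the only name shape the restriction permits:
// <service>.<namespace>.svc.<clusterDomain>. Illustrative helper, not autocert's API.
func NamespaceScopedName(service, namespace, clusterDomain string) string {
	return service + "." + namespace + ".svc." + clusterDomain
}

// AllowedCertName models the behaviour described in the issue (illustrative, not
// autocert's implementation). With restrict=false any non-empty name passes.
// With restrict=true the name must be exactly <service>.<namespace>.svc.<clusterDomain>
// where <service> is one DNS label and <namespace> is the requesting pod's namespace,
// so a pod cannot obtain a certificate for another namespace's service or for a
// name outside the cluster.
func AllowedCertName(name, namespace, clusterDomain string, restrict bool) bool {
	// Normalise: DNS names are case-insensitive and may carry a trailing dot.
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	if name == "" {
		return false
	}
	if !restrict {
		return true
	}
	suffix := "." + strings.ToLower(namespace) + ".svc." + strings.ToLower(clusterDomain)
	if !strings.HasSuffix(name, suffix) {
		return false
	}
	// Whatever precedes the suffix must be a single label; "a.b" would be a
	// sub-label smuggled in front of the service name and is rejected.
	return isDNSLabel(strings.TrimSuffix(name, suffix))
}

func main() {
	// Constructed sample requests from a pod in namespace "default".
	const ns, domain = "default", "cluster.local"
	for _, req := range []string{
		NamespaceScopedName("test", ns, domain), // test.default.svc.cluster.local
		"test.other.svc.cluster.local",          // another namespace
		"a.b.default.svc.cluster.local",         // extra label in front
		"www.example.com",                       // public name
	} {
		fmt.Printf("%-32s restrict=false:%-5v restrict=true:%v\n",
			req, AllowedCertName(req, ns, domain, false), AllowedCertName(req, ns, domain, true))
	}
}
```

With the restriction on, only the first sample passes; with it off, all four do, which is the trade-off maraino points at: the permissive default suits services exposed outside the cluster, the strict setting keeps in-cluster certificates bound to the namespace that asked for them.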