The reason for this is that it causes extra work for the ingress controller since it has to check for the secret, realise it is missing, log an error message, and then use the default certificate.
We need to only reference the TLS secret in the ingress if it already exists or will be created by cert-manager. So only if:
- it already exists in the namespace; or
- `tls-acme: true`

Maybe we should also consider removing an existing secret if `tls-acme: false`, and the secret is an ACME cert?
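One way to express the rule above when rendering the ingress, as an added example that is not the project's own code. The function and parameter names, the sample namespace contents, and the mapping of `tls-acme: true` to cert-manager's `kubernetes.io/tls-acme` annotation are assumptions.

```python
def build_ingress(name, host, service, port, secret_name, tls_acme, existing_secrets):
    """Return a networking.k8s.io/v1 Ingress manifest as a dict.

    spec.tls is emitted only when the secret already exists in the namespace
    or tls_acme is true (cert-manager is then expected to create it).
    """
    annotations = {}
    if tls_acme:
        # Assumed mapping: annotation read by cert-manager's ingress-shim.
        annotations["kubernetes.io/tls-acme"] = "true"

    spec = {
        "rules": [{
            "host": host,
            "http": {"paths": [{
                "path": "/",
                "pathType": "Prefix",
                "backend": {"service": {"name": service, "port": {"number": port}}},
            }]},
        }],
    }
    # Referencing a secret that will never exist makes the controller look it
    # up, log an error and fall back to the default certificate, so skip it.
    if tls_acme or secret_name in existing_secrets:
        spec["tls"] = [{"hosts": [host], "secretName": secret_name}]

    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "Ingress",
        "metadata": {"name": name, "annotations": annotations},
        "spec": spec,
    }


def references_tls_secret(manifest):
    """True when the rendered ingress points at a TLS secret."""
    return "tls" in manifest["spec"]


# Constructed sample: secret names currently present in the namespace.
EXISTING = {"shop-tls"}

if __name__ == "__main__":
    for secret, acme in [("shop-tls", False), ("blog-tls", True), ("blog-tls", False)]:
        m = build_ingress("web", "example.test", "web", 80, secret, acme, EXISTING)
        print(secret, "tls-acme:", acme, "-> tls block:", references_tls_secret(m))
```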