Syncing Secrets Across Namespaces
It may be required for multiple components across namespaces to consume the same
Secret that has been created by a single
Certificate. The recommended way to
do this is to use kubed with its secret
feature. However if your use case is a wildcard certificate another approach may meet your needs.
Most ingress controllers, including ingress-nginx, Traefik, and Kong support specifying a single certificate to be used for ingress resources which request TLS but do not specify
tls..secretName. This is often referred to as a "default SSL certificate". As long as this is correctly configured, ingress resources in any namespace will be able to use a single wildcard certificate. Wildcard certificates are not supported with HTTP01 validation and require DNS01.
Sample ingress snippet:
apiVersion: networking.k8s.io/v1kind: Ingress#[...]spec:rules:- host: service.example.com#[...]tls:- hosts:- service.example.com#secretName omitted to use default wildcard certificate
In order for the target Secret to be synced, you can use the
secretTemplate field for annotating the generated secret with the kubed sync annotation (See CertificateSecretTemplate). The example below shows syncing
a certificate belonging to the
sandbox Certificate from the
namespace, into the
apiVersion: v1kind: Namespacemetadata:name: sandboxlabels:cert-manager-tls: sandbox # Define namespace label for kubed---apiVersion: cert-manager.io/v1kind: Certificatemetadata:name: sandboxnamespace: cert-managerspec:secretName: sandbox-tlscommonName: sandboxissuerRef:name: sandbox-cakind: Issuergroup: cert-manager.iosecretTemplate:annotations:kubed.appscode.com/sync: "cert-manager-tls=sandbox" # Sync certificate to matching namespaces