[stephenr]

> I wonder why there's not an option to pay/donate to bump the limit temporarily

> I could have avoided this by combining names into a single certificate

You can get a cert (via <=20, 100 SAN combined certs) 2000 subdomains per week.

I actually don't really understand your problem case though. What do you mean by:

> when moving domains

[kiallmacinnes]

This requires sharing the same cert and key for everything. Lots of software doesn't really like this way of doing things, I've been bit by the 20 limit too - and yes, I could have swapped to SANs, it wouldn't have fit with the deployment tooling for all the different things!

[stephenr]

> This requires sharing the same cert and key for everything.

That entirely depends on where/how you're terminating TLS.

Do you really have > 20 different pieces of independent software all doing their own TLS?

This is exactly what things like HAProxy are for.

[kiallmacinnes]

Yes, with Kubernetes, the patterns used are a little different than if you were to setup TLS and haproxy by hand (I actually use nginx, but it doesn't particularly matter).

You deploy software, that software declares it needs TLS for its endpoint, and certs are obtained.

While moving from one cluster to another, a new deployment of everything was done - about 20 different services - a few minutes work with Kubernetes. However, the fetching of TLS certs stopped working for the very last service!

Yes, I should have migrated the certs, however, the migration was happing due to a failure - I couldn't access the old certs.

I now make sure to backup those secrets rather than rely on re-issuance.

Still, for a usecase like Kubernetes, 20 certs per domain per week is limiting. I do totally understand that the quotas are in place because cert issuance is expensive, but I'd happily pay a yearly subscription fee to LE to cover the costs and help fund them if the option was there!

[ithkuil]

It's possible to have another implementation of the ingress controller that will not create one certificate per host

[kiallmacinnes]

It's possible, but that would weaken security.

Each independent application is isolated from each other, sharing a TLS cert/key among them all means we're weakening security - again, the Kubernetes patterns here would mean we need to duplicate the secret data into each applications namespace, allowing a compromise of one to compromise the TLS of all.

There are legitimate reasons to not share a single TLS cert for everything in an environment like Kubernetes.

(I'm nearly certain it's not possible to reference secrets cross namespace when declaring an ingress secret, or mounting a secret)

[ithkuil]

> the Kubernetes patterns here would mean we need to duplicate the secret data into each applications namespace, allowing a compromise of one to compromise the TLS of all

yeah, this would be wrong indeed.

Is there any requirement for an TLS terminating proxy acting as k8s ingress to actually store the TLS secrets in the same namespace where the requesting ingress object lives?

[stephenr]

This is kind of what I expected too. Surely that component of the architecture can (even if the OP's doesn't) be smart enough to handle various certificate scenarios - there must be someone using it with a wildcard certificate, for instance.

[justinsb]

By "when moving domains" I mean that I'm enabling a production domain (project.com), where previously I was working on a development domain (project-dev.com). More recently, I was deploying gitlab and exhausted my quota simply because of mistakes I made along the way. This was simply my mistake, so I don't think it would be appropriate to request an official rate limit increase. If (say) a $100 donation to the EFF allowed me to specify a domain on which the rate-limit-counters would be reset to zero (as a one-off), I'd likely have done that - it's easier than changing the process of how I'm managing certificates.