[kiallmacinnes]

This requires sharing the same cert and key for everything. Lots of software doesn't really like this way of doing things, I've been bit by the 20 limit too - and yes, I could have swapped to SANs, it wouldn't have fit with the deployment tooling for all the different things!

[stephenr]

> This requires sharing the same cert and key for everything.

That entirely depends on where/how you're terminating TLS.

Do you really have > 20 different pieces of independent software all doing their own TLS?

This is exactly what things like HAProxy are for.

[kiallmacinnes]

Yes, with Kubernetes, the patterns used are a little different than if you were to setup TLS and haproxy by hand (I actually use nginx, but it doesn't particularly matter).

You deploy software, that software declares it needs TLS for its endpoint, and certs are obtained.

While moving from one cluster to another, a new deployment of everything was done - about 20 different services - a few minutes work with Kubernetes. However, the fetching of TLS certs stopped working for the very last service!

Yes, I should have migrated the certs, however, the migration was happing due to a failure - I couldn't access the old certs.

I now make sure to backup those secrets rather than rely on re-issuance.

Still, for a usecase like Kubernetes, 20 certs per domain per week is limiting. I do totally understand that the quotas are in place because cert issuance is expensive, but I'd happily pay a yearly subscription fee to LE to cover the costs and help fund them if the option was there!

[ithkuil]

It's possible to have another implementation of the ingress controller that will not create one certificate per host

[kiallmacinnes]

It's possible, but that would weaken security.

Each independent application is isolated from each other, sharing a TLS cert/key among them all means we're weakening security - again, the Kubernetes patterns here would mean we need to duplicate the secret data into each applications namespace, allowing a compromise of one to compromise the TLS of all.

There are legitimate reasons to not share a single TLS cert for everything in an environment like Kubernetes.

(I'm nearly certain it's not possible to reference secrets cross namespace when declaring an ingress secret, or mounting a secret)

[ithkuil]

> the Kubernetes patterns here would mean we need to duplicate the secret data into each applications namespace, allowing a compromise of one to compromise the TLS of all

yeah, this would be wrong indeed.

Is there any requirement for an TLS terminating proxy acting as k8s ingress to actually store the TLS secrets in the same namespace where the requesting ingress object lives?

[kiallmacinnes]

The semantics require it, as the ingress resource references a secret without the option of providing a namespace for that secret.

There may be ways around this, however, I've never personally looked for them.

[stephenr]

This is kind of what I expected too. Surely that component of the architecture can (even if the OP's doesn't) be smart enough to handle various certificate scenarios - there must be someone using it with a wildcard certificate, for instance.