[kiallmacinnes]

It's possible, but that would weaken security.

Each independent application is isolated from each other, sharing a TLS cert/key among them all means we're weakening security - again, the Kubernetes patterns here would mean we need to duplicate the secret data into each applications namespace, allowing a compromise of one to compromise the TLS of all.

There are legitimate reasons to not share a single TLS cert for everything in an environment like Kubernetes.

(I'm nearly certain it's not possible to reference secrets cross namespace when declaring an ingress secret, or mounting a secret)

[ithkuil]

> the Kubernetes patterns here would mean we need to duplicate the secret data into each applications namespace, allowing a compromise of one to compromise the TLS of all

yeah, this would be wrong indeed.

Is there any requirement for an TLS terminating proxy acting as k8s ingress to actually store the TLS secrets in the same namespace where the requesting ingress object lives?

[kiallmacinnes]

The semantics require it, as the ingress resource references a secret without the option of providing a namespace for that secret.

There may be ways around this, however, I've never personally looked for them.