github.com/projectcontour/contour@v1.28.2/site/content/docs/1.23/config/tls-delegation.md

# TLS Certificate Delegation

To support wildcard certificates (TLS certificates for `*.somedomain.com`) that are stored in a namespace controlled by the cluster administrator, Contour provides a facility known as TLS Certificate Delegation.
It allows the owner of a TLS certificate to grant Contour permission to read that Secret object on behalf of objects in another namespace, for the purpose of referencing the certificate.
Delegation works for both HTTPProxy and Ingress resources; with Ingress v1, however, it requires an annotation.

The [`TLSCertificateDelegation`][1] resource defines a set of `delegations` in the `spec`.
Each delegation references a `secretName` from the namespace where the `TLSCertificateDelegation` is created as well as describing a set of `targetNamespaces` in which the certificate can be referenced.
If all namespaces should be able to reference the secret, then set `"*"` as the value of `targetNamespaces` (see example below).

```yaml
apiVersion: projectcontour.io/v1
kind: TLSCertificateDelegation
metadata:
  name: example-com-wildcard
  namespace: www-admin
spec:
  delegations:
    - secretName: example-com-wildcard
      targetNamespaces:
      - example-com
    - secretName: another-com-wildcard
      targetNamespaces:
      - "*"
```

In this example, the permission for Contour to reference the Secret `example-com-wildcard` in the `www-admin` namespace has been delegated to HTTPProxy and Ingress objects in the `example-com` namespace.
Also, the permission for Contour to reference the Secret `another-com-wildcard` from all namespaces has been delegated to all HTTPProxy and Ingress objects in the cluster.

To reference the secret from an HTTPProxy or Ingress v1beta1, you must use the slash syntax in the `secretName`:
```yaml
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: www
  namespace: example-com
spec:
  virtualhost:
    fqdn: foo2.bar.com
    tls:
      secretName: www-admin/example-com-wildcard
  routes:
    - services:
        - name: s1
          port: 80
```

To reference the secret from an Ingress v1, you must use the `projectcontour.io/tls-cert-namespace` annotation:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    projectcontour.io/tls-cert-namespace: www-admin
  name: www
  namespace: example-com
spec:
  rules:
  - host: foo2.bar.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: s1
            port:
              number: 80
  tls:
  - hosts:
    - foo2.bar.com
    secretName: example-com-wildcard
```
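
As an added illustration (example code written for this page, not Contour's own implementation), the Go snippet below models the rule described above: a cross-namespace `secretName` such as `www-admin/example-com-wildcard` is only honoured when a `TLSCertificateDelegation` living in the Secret's own namespace names that Secret and lists the referencing namespace, or `"*"`, as a target. The type names and the functions `ResolveSecretRef` and `SecretAllowed` are this example's own, not part of Contour's API.

```go
package main
import "strings"

// Delegation mirrors one entry of TLSCertificateDelegation.spec.delegations.
type Delegation struct {
	SecretName       string
	TargetNamespaces []string
}

// DelegationObject mirrors a TLSCertificateDelegation resource: its own
// namespace (where the Secrets live) plus the delegations it grants.
type DelegationObject struct {
	Namespace   string
	Delegations []Delegation
}

// ResolveSecretRef splits an HTTPProxy secretName ("ns/name" or "name") into
// namespace and name; an unqualified name resolves to the caller's namespace.
func ResolveSecretRef(ref, ownNamespace string) (ns, name string) {
	if i := strings.Index(ref, "/"); i >= 0 {
		return ref[:i], ref[i+1:]
	}
	return ownNamespace, ref
}

// SecretAllowed reports whether an object in callerNS may reference Secret
// secretNS/secretName. Cross-namespace references need a TLSCertificateDelegation
// in the Secret's own namespace naming that Secret with callerNS or "*" as target.
func SecretAllowed(callerNS, secretNS, secretName string, objs []DelegationObject) bool {
	if callerNS == secretNS {
		return true // same namespace: no delegation required
	}
	for _, o := range objs {
		if o.Namespace != secretNS {
			continue // a delegation can only grant Secrets from its own namespace
		}
		for _, d := range o.Delegations {
			if d.SecretName != secretName {
				continue
			}
			for _, t := range d.TargetNamespaces {
				if t == "*" || t == callerNS {
					return true
				}
			}
		}
	}
	return false
}
```

The check that the delegation object sits in the Secret's namespace is the important one: a `TLSCertificateDelegation` created in some other namespace cannot grant access to `www-admin`'s Secrets.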

[0]: https://github.com/projectcontour/contour/issues/3544
[1]: /docs/{{< param version >}}/config/api/#projectcontour.io/v1.TLSCertificateDelegation