github.com/projectcontour/contour@v1.28.2/site/content/docs/1.26/config/tls-delegation.md

# TLS Certificate Delegation

To support wildcard certificates (TLS certificates for `*.somedomain.com`) that are stored in a namespace controlled by the cluster administrator, Contour supports a facility known as TLS Certificate Delegation.
This facility allows the owner of a TLS certificate to delegate to Contour, for the purpose of referencing the TLS certificate, permission to read the Secret object from another namespace.
Delegation works for both HTTPProxy and Ingress resources; however, it needs an annotation to work with Ingress v1.

If the `--watch-namespaces` configuration flag is used, it must define all namespaces that will be referenced by the delegation.

The [`TLSCertificateDelegation`][1] resource defines a set of `delegations` in the `spec`.
Each delegation references a `secretName` from the namespace where the `TLSCertificateDelegation` is created, as well as describing a set of `targetNamespaces` in which the certificate can be referenced.
If all namespaces should be able to reference the secret, then set `"*"` as the value of `targetNamespaces` (see example below).
    12  
```yaml
apiVersion: projectcontour.io/v1
kind: TLSCertificateDelegation
metadata:
  name: example-com-wildcard
  namespace: www-admin
spec:
  delegations:
    - secretName: example-com-wildcard
      targetNamespaces:
      - example-com
    - secretName: another-com-wildcard
      targetNamespaces:
      - "*"
```
    28  
In this example, the permission for Contour to reference the Secret `example-com-wildcard` in the `www-admin` namespace has been delegated to HTTPProxy and Ingress objects in the `example-com` namespace.
Also, the permission for Contour to reference the Secret `another-com-wildcard` from all namespaces has been delegated to all HTTPProxy and Ingress objects in the cluster.

To reference the secret from an HTTPProxy or Ingress v1beta1, you must use the slash syntax in the `secretName`:

```yaml
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: www
  namespace: example-com
spec:
  virtualhost:
    fqdn: foo2.bar.com
    tls:
      secretName: www-admin/example-com-wildcard
  routes:
    - services:
        - name: s1
          port: 80
```
    49  
To reference the secret from an Ingress v1, you must use the `projectcontour.io/tls-cert-namespace` annotation:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    projectcontour.io/tls-cert-namespace: www-admin
  name: www
  namespace: example-com
spec:
  rules:
  - host: foo2.bar.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: s1
            port:
              number: 80
  tls:
  - hosts:
    - foo2.bar.com
    secretName: example-com-wildcard
```
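The following is an added example, not part of the Contour documentation or code base: a small Python audit helper that mirrors the delegation rules described above. It resolves a secret reference in either syntax (slash form for HTTPProxy/Ingress v1beta1, annotation for Ingress v1), decides whether a `TLSCertificateDelegation` permits the cross-namespace reference, and flags `"*"` delegations so an administrator can review which secrets are exposed cluster-wide. The manifests are embedded as already-parsed dicts (constructed from the page's YAML) so it runs offline.

```python
from typing import List, Optional, Tuple

# Constructed sample: the TLSCertificateDelegation shown on this page, as a parsed manifest.
DELEGATIONS = [
    {
        "metadata": {"name": "example-com-wildcard", "namespace": "www-admin"},
        "spec": {"delegations": [
            {"secretName": "example-com-wildcard", "targetNamespaces": ["example-com"]},
            {"secretName": "another-com-wildcard", "targetNamespaces": ["*"]},
        ]},
    }
]


def resolve_secret_ref(obj_namespace: str, secret_name: str,
                       tls_cert_namespace: Optional[str] = None) -> Tuple[str, str]:
    """Return (namespace, name) of the Secret an HTTPProxy or Ingress refers to.

    HTTPProxy and Ingress v1beta1 use the slash syntax "ns/name"; Ingress v1
    carries the namespace in the projectcontour.io/tls-cert-namespace annotation.
    With neither, the Secret is looked up in the object's own namespace.
    """
    if "/" in secret_name:
        ns, name = secret_name.split("/", 1)
        return ns, name
    if tls_cert_namespace:
        return tls_cert_namespace, secret_name
    return obj_namespace, secret_name


def is_delegated(secret_ns: str, secret_name: str, target_ns: str,
                 delegations: List[dict] = DELEGATIONS) -> bool:
    """True if a TLSCertificateDelegation in secret_ns grants secret_name to target_ns."""
    for tcd in delegations:
        if tcd["metadata"]["namespace"] != secret_ns:
            continue  # a delegation only covers Secrets in its own namespace
        for d in tcd["spec"]["delegations"]:
            if d["secretName"] != secret_name:
                continue
            if "*" in d["targetNamespaces"] or target_ns in d["targetNamespaces"]:
                return True
    return False


def reference_allowed(obj_namespace: str, secret_name: str,
                      tls_cert_namespace: Optional[str] = None,
                      delegations: List[dict] = DELEGATIONS) -> bool:
    """Same-namespace references need no delegation; cross-namespace ones do."""
    secret_ns, name = resolve_secret_ref(obj_namespace, secret_name, tls_cert_namespace)
    if secret_ns == obj_namespace:
        return True
    return is_delegated(secret_ns, name, obj_namespace, delegations)


def broad_delegations(delegations: List[dict] = DELEGATIONS) -> List[Tuple[str, str]]:
    """List (namespace, secretName) pairs delegated to every namespace via "*"."""
    return [(t["metadata"]["namespace"], d["secretName"])
            for t in delegations for d in t["spec"]["delegations"]
            if "*" in d["targetNamespaces"]]
```

`broad_delegations()` is the review hook: a wildcard certificate delegated with `"*"` can be served by any HTTPProxy or Ingress in the cluster, so each entry it returns deserves a deliberate decision.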
    76  
    77  
[0]: https://github.com/projectcontour/contour/issues/3544
[1]: /docs/{{< param version >}}/config/api/#projectcontour.io/v1.TLSCertificateDelegation