github.com/projectcontour/contour@v1.28.2/site/content/docs/v1.17.0/config/tls-delegation.md

# TLS Certificate Delegation

To support wildcard certificates (for example, a TLS certificate for `*.somedomain.com`) that are stored in a namespace controlled by the cluster administrator, Contour provides a facility known as TLS Certificate Delegation.
This facility allows the owner of a TLS certificate to delegate, for the purposes of referencing the TLS certificate, permission for Contour to read the Secret object from another namespace.
Delegation works for both HTTPProxy and Ingress v1beta1 resources; it does not work with Ingress v1.
TLS Certificate Delegation is not currently supported on Ingress v1 resources due to changes in the spec that make this impossible.
See [this issue][0] for details.

The [`TLSCertificateDelegation`][1] resource defines a set of `delegations` in the `spec`.
Each delegation references a `secretName` from the namespace where the `TLSCertificateDelegation` is created as well as describing a set of `targetNamespaces` in which the certificate can be referenced.
If all namespaces should be able to reference the secret, then set `"*"` as the value of `targetNamespaces` (see example below).

```yaml
apiVersion: projectcontour.io/v1
kind: TLSCertificateDelegation
metadata:
  name: example-com-wildcard
  namespace: www-admin
spec:
  delegations:
    - secretName: example-com-wildcard
      targetNamespaces:
      - example-com
    - secretName: another-com-wildcard
      targetNamespaces:
      - "*"
---
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: www
  namespace: example-com
spec:
  virtualhost:
    fqdn: foo2.bar.com
    tls:
      secretName: www-admin/example-com-wildcard
  routes:
    - services:
        - name: s1
          port: 80
```

In this example, the permission for Contour to reference the Secret `example-com-wildcard` in the `www-admin` namespace has been delegated to HTTPProxy objects in the `example-com` namespace.
Also, the permission for Contour to reference the Secret `another-com-wildcard` from all namespaces has been delegated to all HTTPProxy objects in the cluster.
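The following is an added example, not Contour's own code, that models the delegation rule described above as a small resolver you can run against a list of `TLSCertificateDelegation` objects: a cross-namespace `namespace/name` reference is accepted only if a delegation in the Secret's namespace names that Secret and lists the proxy's namespace or `"*"` in `targetNamespaces`. It assumes (as the text implies) that a bare `secretName` without a namespace prefix refers to the HTTPProxy's own namespace and needs no delegation, and it includes a `wildcard_grants` audit helper for spotting `"*"` delegations, which are the broadest grant possible. The delegation data is constructed to mirror the YAML above.

```python
"""Model of Contour's TLS Certificate Delegation check (added example,
not Contour code). Answers: may an HTTPProxy in namespace X use the
Secret referenced by its tls.secretName value?"""

from dataclasses import dataclass, field

WILDCARD = "*"  # targetNamespaces entry meaning "every namespace"


@dataclass
class Delegation:
    secret_name: str
    target_namespaces: list[str]


@dataclass
class TLSCertificateDelegation:
    namespace: str  # namespace holding the Secrets being delegated
    delegations: list[Delegation] = field(default_factory=list)


def parse_secret_ref(ref: str, proxy_namespace: str) -> tuple[str, str]:
    """Split a tls.secretName value into (namespace, name).

    Assumption: a bare name is a Secret in the HTTPProxy's own namespace;
    "namespace/name" is a cross-namespace reference."""
    if "/" in ref:
        ns, name = ref.split("/", 1)
        if not ns or not name:
            raise ValueError(f"malformed secret reference: {ref!r}")
        return ns, name
    return proxy_namespace, ref


def is_delegated(delegations, secret_ns, secret_name, proxy_namespace) -> bool:
    """True if a TLSCertificateDelegation living in secret_ns grants
    secret_name to proxy_namespace, explicitly or via the "*" wildcard."""
    for tcd in delegations:
        if tcd.namespace != secret_ns:
            continue  # a TCD only delegates Secrets from its own namespace
        for d in tcd.delegations:
            if d.secret_name != secret_name:
                continue
            if WILDCARD in d.target_namespaces or proxy_namespace in d.target_namespaces:
                return True
    return False


def can_reference(delegations, proxy_namespace, secret_ref) -> bool:
    """Would Contour accept this HTTPProxy's tls.secretName value?"""
    secret_ns, secret_name = parse_secret_ref(secret_ref, proxy_namespace)
    if secret_ns == proxy_namespace:
        return True  # same namespace: no delegation required (assumption)
    return is_delegated(delegations, secret_ns, secret_name, proxy_namespace)


def wildcard_grants(delegations):
    """Audit helper: (namespace, secretName) pairs delegated to "*"."""
    return [
        (tcd.namespace, d.secret_name)
        for tcd in delegations
        for d in tcd.delegations
        if WILDCARD in d.target_namespaces
    ]


# Constructed to mirror the TLSCertificateDelegation in the YAML above.
DELEGATIONS = [
    TLSCertificateDelegation(
        namespace="www-admin",
        delegations=[
            Delegation("example-com-wildcard", ["example-com"]),
            Delegation("another-com-wildcard", ["*"]),
        ],
    )
]

if __name__ == "__main__":
    checks = [
        ("example-com", "www-admin/example-com-wildcard"),  # delegated
        ("other-team", "www-admin/example-com-wildcard"),   # not delegated
        ("other-team", "www-admin/another-com-wildcard"),   # "*" grant
        ("example-com", "local-cert"),                      # same namespace
    ]
    for ns, ref in checks:
        print(f"{ns:12} -> {ref:34} allowed={can_reference(DELEGATIONS, ns, ref)}")
    print("wildcard grants:", wildcard_grants(DELEGATIONS))
```

Running the script prints one line per check; the second check is rejected because `example-com-wildcard` is delegated only to `example-com`, while `another-com-wildcard` is accepted from any namespace because of the `"*"` entry, which is exactly what `wildcard_grants` reports for review.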

[0]: https://github.com/projectcontour/contour/issues/3544
[1]: /docs/{{< param version >}}/config/api/#projectcontour.io/v1.TLSCertificateDelegation