Ingress 配置通配符 TSL 证书存放位置

问题

当通配符SSL证书，被不同命名空间的 Ingress 使用时，关于 namespace 私有问题如何解决？

解决方案

Referring to TLS secret from other namespace (i.e. not the namespace in which ingress is created) https://github.com/kubernetes/ingress-nginx/issues/2170

配置方案

https://kubernetes.github.io/ingress-nginx/user-guide/tls/

实施步骤

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  replicas: 2
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/part-of: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
      annotations:
        prometheus.io/port: "10254"
        prometheus.io/scrape: "true"
    spec:
      serviceAccountName: nginx-ingress-serviceaccount
      containers:
        - name: nginx-ingress-controller
          image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.21.0
          args:
            - /nginx-ingress-controller
            - --configmap=$(POD_NAMESPACE)/nginx-configuration
            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
            - --publish-service=$(POD_NAMESPACE)/ingress-nginx
            - --annotations-prefix=nginx.ingress.kubernetes.io
            - --default-ssl-certificate=$(POD_NAMESPACE)/foo-tls
          securityContext:
...

如果我们在 ingress-nginx 有 foo-tls 密钥配置，添加一行 - --default-ssl-certificate=$(POD_NAMESPACE)/foo-tls

kubectl apply -f ingress-controller.yaml 生效查看