I'm using cert-manager to generate certificates and I use one certificate with wildcards in the default namespace. For a long time I assumed that cert-manager automatically copies over the secret to all the other namespaces. I've had this issue though where certifications would often expire on prod because only the default secret was renewed (the one in the namespace where certificate resource lived), the secrets in other namespaces had to be updated manually and I'd blame cert-manager until I read that it doesn't do the copying - it's garden that does and it seems to only update during deployment. I wanted to take that over and use kubernetes-reflector: https://cert-manager.io/docs/devops-tips/syncing-secrets-across-namespaces/#using-reflector Unfortunately, the secrets copied by garden interfere with that method. I wanted to disable the copying mechanism but it seems not possible. Is there a way to achieve that or make garden update the secrets as soon as they change?

Hi @best-flower-46100, according to cert-manager's docs, the ingress-nginx controller Garden deploys by default should support specifying a single certificate for multiple namespaces. See https://cert-manager.io/docs/devops-tips/syncing-secrets-across-namespaces/#serving-a-wildcard-to-ingress-resources-in-different-namespaces-default-ssl-certificate The requirement is

tls.[].secretName

must omitted. Can you clarify if you're using

tls.[].secretName

or not? If you are, can you try without?

yes i am actually, i'll try it out as soon as i'm done with my current task. thanks!

Hi @best-flower-46100 can you report this as a bug using the link provided?

the bug has been reported, ok let me try downgrading

Ok thanks for giving it a shot! I'll ask our engineers to take a look 👀

thanks for help 🙏 hopefully I can fix it before christmas so that i don't get a call to fix the certs during a christmas dinner 😄

I'm pinging our staff now to see what we can do!

hey guys, is there any progress on that one? i noticed that the reflector thing might work after all, although the annotations seem really weird and messy - i'd have to break some stuff on our dev cluster to properly test it and i don't want to do that if you're close to solving the ingress issue

Hi @best-flower-46100 no progress, unfortunately but I can offer my own personal project if you were wanting to use kubed instead of reflector as I do in https://gitlab.hansen.agency/worldofgeese/little_bits_of_buddha/-/blob/main/project.garden.yml?ref_type=heads

ok, thanks, i'll look into it

I'll be here all week next week as well to support you not having to work over Christmas

Hi @best-flower-46100 are you using the garden provided ingress controller?

hey! yes, i removed it as I hoped to get the benefit of having a single certificate for all namespaces. If that's causing problems then I guess this way simply isn't supported, right? https://cdn.discordapp.com/attachments/1181979459243495526/1182723963273625620/image.png?ex=6585bc86&is=65734786&hm=5048ac83e384da405ad7cd868c79c48268371c53caf16c65d840cf1fddf1ba29&

The config in garden looks a bit different then directly on the ingress resource. So if you want garden to not copy your secret at all and not reference it in the ingresses, remove the whole entry from the

tlsCertificates

block (or if it is the only entry, the whole block)

I would like to use the secrets in the ingress, just not have them be copied by garden. If i remove the entire tlsCertificates then the ingress won't be referencing any secret, right?

Are you using the garden provided ingress controller? Because setting the default certificate would actually be a great usecase that should also allow you to skip copying secrets around alltogether. However that is a value for the nginx ingress controller and we currently don't set it with the garden supplied one.

yet, I'm using garden provided ingress controller

Gotcha. This is how it could be set https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/values.yaml#L180

Ok, thanks! First, i'll try to figure out if maybe reflector works, even if it's a little messy with annotations. If that doesn't work I will reach out to you, I don't want you to spend time on this without first trying out absolutely all the options myself 😄

Sounds good! I am also signing off for the weekend - have a nice one!

Have a nice one too, see you! 😄

Are you using the

container

module to deploy this container? Maybe you would benefit from using Helm so you can customize 100% of your resources. As Anna said, if you want to change values in NGINX it would be valuable that you had a separate nginx deployment in the cluster and then in your services use something like

helmet

to template any resources you want in your deployment. This example https://docs.garden.io/garden-seeds/languages/go uses that approach. https://github.com/garden-io/go-seed/blob/main/%7B%7Bcookiecutter.app_name%7D%7D/api.garden.yml