TLS SecretName will only be set if tlsSecret is specified.

Javion Cai requested to merge javion3/gitlab:javion3-master-patch-83196 into master

What does this MR do?

This change makes populating the secretName optional. This behaviour is to support the wildcard certificates feature.

https://cert-manager.io/docs/tutorials/syncing-secrets-across-namespaces/#serving-a-wildcard-to-ingress-resources-in-different-namespaces-default-ssl-certificate

Serving a wildcard to ingress resources in different namespaces (default SSL certificate)

Most ingress controllers, including ingress-nginx, Traefik, and Kong support specifying a single certificate to be used for ingress resources which request TLS but do not specify tls.[].secretName. This is often referred to as a "default SSL certificate". As long as this is correctly configured, ingress resources in any namespace will be able to use a single wildcard certificate. Wildcard certificates are not supported with HTTP01 validation and require DNS01.

Sample ingress snippet:

apiVersion: networking.k8s.io/v1
kind: Ingress
#[...]
spec:
  rules:
  - host: service.example.com
  #[...]
  tls:
  - hosts:
    - service.example.com
    #secretName omitted to use default wildcard certificate

Basically, if no secretName is specified, then a default TLS secret is used.

Related issues

Checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion.

Required

  • Merge Request Title and Description are up to date, accurate, and descriptive
  • MR targeting the appropriate branch
  • MR has a green pipeline on GitLab.com
  • When ready for review, MR is labeled "~workflow::ready for review" per the Distribution MR workflow

Expected (please provide an explanation if not completing)

  • Test plan indicating conditions for success has been posted and passes
  • Documentation created/updated
  • Tests added
  • Integration tests added to GitLab QA
  • Equivalent MR/issue for omnibus-gitlab opened
  • Validate potential values for new configuration settings. Formats such as integer 10, duration 10s, URI scheme://user:passwd@host:port may require quotation or other special handling when rendered in a template and written to a configuration file.
Edited by Javion Cai
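An added example, not part of this merge request or the chart: an audit that lists which ingress TLS entries omit `secretName` (and so are served with the controller's default certificate, as described above) and whether each host is actually covered by that wildcard. It assumes input shaped like `kubectl get ingress -A -o json`; the function names, the sample data and the wildcard `*.example.com` are assumptions made for illustration.

```python
import json

# Constructed sample, shaped like `kubectl get ingress -A -o json` output.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"namespace": "team-a", "name": "web"},
  "spec": {"tls": [{"hosts": ["service.example.com"]}]}},
 {"metadata": {"namespace": "team-b", "name": "api"},
  "spec": {"tls": [{"hosts": ["api.example.com"], "secretName": "api-tls"}]}},
 {"metadata": {"namespace": "team-c", "name": "deep"},
  "spec": {"tls": [{"hosts": ["a.b.example.com", "example.com"]}]}},
 {"metadata": {"namespace": "team-d", "name": "plain"},
  "spec": {"rules": [{"host": "plain.example.com"}]}}
]}
""")


def covered_by(host, wildcard):
    """True if `host` matches `wildcard` (e.g. *.example.com).

    A wildcard covers exactly one left-most label, so it matches
    service.example.com but not a.b.example.com or example.com.
    """
    if not wildcard.startswith("*."):
        return host.lower() == wildcard.lower()
    label, _, parent = host.lower().partition(".")
    return bool(label) and parent == wildcard[2:].lower()


def audit_default_cert(ingress_list, wildcard):
    """Return (namespace, name, host, covered) for TLS hosts without secretName.

    covered=False means the default certificate does not name that host.
    """
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        for tls in item.get("spec", {}).get("tls") or []:
            if tls.get("secretName"):
                continue  # explicit secret set; default certificate not used
            for host in tls.get("hosts") or []:
                findings.append((meta.get("namespace"), meta.get("name"),
                                 host, covered_by(host, wildcard)))
    return findings


if __name__ == "__main__":
    for row in audit_default_cert(SAMPLE, "*.example.com"):
        print(row)
```

Rows with `covered` set to `False` are hosts that request TLS without a secret but fall outside the wildcard, so clients would see a certificate name mismatch.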
