Allow Use of Default Secret in Non-Default Backends

[ameijer-corsha]

Is your feature request related to a problem? Please describe.
We allow our developers to create namespaces for their dev/test workflows, but we don't want them managing TLS certs/keys for their ssl. We normally handle this via the default-server-secret, which resides in a protected nginx namespace, and allow them to specify anything as the secret in their ingress resource. The controller then fails to find their arbitrary secret name, as intended, and defaults to the default secret residing in the protected namespace as designed. This secret is a wildcard cert that covers all our developer endpoints. However, the following addition:

if pemFile == pemFileNameForMissingTLSSecret { server.SSLCiphers = "NULL" }

added to the controller now results in cipher failures when using a legitimate default secret. This has forced us to share SSL secrets amongst teams, which is never a good state of affairs.

Describe the solution you'd like
Perhaps a warning printed when the default secret is used for a non-default backend, rather than crippling that endpoint with NULL ciphers? This could also be a configurable property itself...

Describe alternatives you've considered
I understand why this change to NULL was made - so that people don't accidentally use the default cert that NGINX ships in values.yaml for their ingress. However, there are some use cases, like the one I describe above, where allowing the default to work for other backends can allow for better k8s secret management practices. What we do now is distribute the secret materials to developers, so that it can exist in their namespace and avoid the NULL cipher. This isn't ideal, as we use wildcard certs that we try to keep secret and well managed.

Additional context
I'm happy to help with the dev and test of this feature. Love the stream snippets configmap, by the way.

[pleshakov]

Thanks for sharing your use case. As it turns out, we're planning to support this feature - the ability to use a wildcard cert across multiple Ingress resources from different namespaces. Please also see #426 In essence, a new parameter -default-tls-secret will be added, allowing the user to specify a wild card certificate/key.

Right now, as a workaround you can consider using a custom template for ingress-template, changing the following line https://github.com/nginxinc/kubernetes-ingress/blob/v1.4.2/internal/nginx/templates/nginx.ingress.tmpl#L23 {{if $server.SSLCiphers}} to {{if and $server.SSLCiphers (ne $server.SSLCiphers "NULL")}}
As a result, for an Ingress resource with a missing secret, the default server secret will be used.

Here is an example of using a custom templates via the ConfigMap -- https://github.com/nginxinc/kubernetes-ingress/tree/master/examples/custom-templates

Do you this workaround can work for you for the time being?

thanks for the feedback about stream snippets configmap!

[ameijer-corsha]

yes, that workaround you propose will work. closing this and will monitor #426. Thanks for your response!