Thanks for the great post btw Pablo Loschi, forgot to mention it first time.

A quick follow-up on the secrets issue. It is now also possible to set the --default-ssl-certificate when configuring the cert-manager. See: https://kubernetes.github.io/ingress-nginx/user-guide/tls/#default-ssl-certificate

Pointing this default to your original <namespace>/<wilcard-certificate> wildcard certificate means you can leave out the secretName altogether and there is no need to copy the secret.

I guess it might not be plausible in all cases but it is a nice option to have.