Documentation for using reflector for cross-namespace secret sync-ing

.spelling

@@ -277,6 +277,7 @@ publicised
 reStructuredText
 rebase
 reissuance
+reflector
 remediate
 renewBefore
 repo

_redirects

@@ -77,3 +77,6 @@ https://docs.cert-manager.io/en/release-0.16/* https://cert-manager.io/docs/rele
 https://docs.cert-manager.io/en/release-* https://cert-manager.io/docs/release-notes/release-notes-:splat 301!
 https://docs.cert-manager.io https://cert-manager.io/docs 301!
 https://docs.cert-manager.io/* https://cert-manager.io/docs/:splat 302!
+
+# These rules handle page renames
+https://cert-manager.io/docs/faq/kubed/* https://cert-manager.io/docs/faq/sync-secrets/

content/en/docs/faq/_index.md

@@ -11,7 +11,7 @@ face:
 - [TLS Terminology, including commonly misused terms](./terminology/)
 - [Troubleshooting issuing ACME certificates](./acme/)
 - [How to change the Cluster Resource Namespace](./cluster-resource/)
-- [How to sync secrets across namespaces](./kubed/)
+- [How to sync secrets across namespaces](./sync-secrets/)
 - [Failing to create resources due to Webhook](./webhook/)
 
 ## Certificates

content/en/docs/faq/kubed.md → content/en/docs/faq/sync-secrets.md

@@ -7,9 +7,11 @@ type: "docs"
 
 It may be required for multiple components across namespaces to consume the same
 `Secret` that has been created by a single `Certificate`. The recommended way to
-do this is to use [kubed](https://github.com/appscode/kubed) with its [secret
-syncing
-feature](https://appscode.com/products/kubed/v0.11.0/guides/config-syncer/intra-cluster/). However if your use case is a wildcard certificate another approach may meet your needs.
+do this is to use extensions such as:
+  - [reflector](https://github.com/emberstack/kubernetes-reflector) with support
+   for auto secret reflection
+  - [kubed](https://github.com/appscode/kubed) with its 
+  [secret syncing feature](https://appscode.com/products/kubed/v0.11.0/guides/config-syncer/intra-cluster/)
 
 ## Serving a wildcard to ingress resources in different namespaces (default SSL certificate)
 
@@ -31,9 +33,43 @@ spec:
     #secretName omitted to use default wildcard certificate
 ```
 
-## Syncing arbitrary secrets across namespaces using kubed
 
-In order for the target Secret to be synced, you can use the `secretTemplate` field for annotating the generated secret with the kubed sync annotation (See [CertificateSecretTemplate]). The example below shows syncing
+## Syncing arbitrary secrets across namespaces using extensions
+
+In order for the target Secret to be synced, you can use the `secretTemplate` field 
+for annotating the generated secret with the extension specific annotation (See [CertificateSecretTemplate]).
+
+
+### Using `reflector`
+ The example below shows syncing a certificate's secret from the `cert-manager` namespace to multiple namespaces (i.e. `dev`, `staging`, `prod`).
+ Reflector will ensure that any namespace (existing or new) matching the allowed condition (with regex support) will get a copy of the certificate's secret and will keep it up to date.
+ You can also sync other secrets (different name) using `reflector` (consult the extension's [README](https://github.com/emberstack/kubernetes-reflector/blob/main/README.md))
+
+```yaml
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: source
+  namespace: cert-manager
+spec:
+  secretName: source-tls
+  commonName: source
+  issuerRef:
+    name: source-ca
+    kind: Issuer
+    group: cert-manager.io
+  secretTemplate:
+    annotations:
+      reflector.v1.k8s.emberstack.com/reflection-allowed: "true"  
+      reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "dev,staging,prod"  # Control destination namespaces
+      reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true" # Auto create reflection for matching namespaces
+      reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "dev,staging,prod" # Control auto-reflection namespaces
+```
+
+
+### Using `kubed`
+ The example below shows syncing
 a certificate belonging to the `sandbox` Certificate from the `cert-manager`
 namespace, into the `sandbox` namespace.
 
@@ -62,4 +98,6 @@ spec:
       kubed.appscode.com/sync: "cert-manager-tls=sandbox" # Sync certificate to matching namespaces
 ```
 
-[CertificateSecretTemplate]: ../../reference/api-docs/#cert-manager.io/v1.CertificateSecretTemplate
+[CertificateSecretTemplate]: ../../reference/api-docs/#cert-manager.io/v1.CertificateSecretTemplate
+
+