okay. my setup currently uses 'kubed' to sync the cert-manager TLS certificate to all namespaces that need tls termination, since the secret needs to exist in that namespace and i use the same domain. As long as at least one ingressroute with a tls secret in its namespace exists, all other ingressroutes with the same hostname share this certificate, even if the tls is not referenced/exists in their namespace, which I verified multiple times on my cluster. In order to always have at least one tls secret in the namespace of the tls ingressroute, i use kubed as I said, EVEN if traefik internally uses the same certificate by default for the ingressroutes with same hostname.
Does nginx behave the same way? I might consider trying spinning up a cluster and doing the same thing but with nginx instead of traefik..