aws-load-balancer-controller icon indicating copy to clipboard operation
aws-load-balancer-controller copied to clipboard

Published 20 hours ago verified publisher icon kubernetes-sigs

Enable having multiple matching certs in autodiscover mode

Open LechG opened this issue 3 years ago • 12 comments

Issue

https://github.com/kubernetes-sigs/aws-load-balancer-controller/issues/1598

Description

When you don't provide the annotation for certificate arn, the controller tries to find a matching certificate in ACM by itself. However when multiple matching certs are found - it fails with "multiple certificate found for host: host, certARNs: [arn1, arn2]"

Which I believe is wronge because:

  1. YOU CAN add multiple certificates via annotation
  2. AWS has it's own algorithm of determining the best certificate to be used for the requests

To adjust this behavior, I removed the if clause that threw an error during setup of ALB in case there was more than one domain matching certificate in ACM.

Checklist

  • [ ] Added tests that cover your change (if possible)
  • [X] Added/modified documentation as required (such as the README.md, or the docs directory)
  • [X] Manually tested
  • [X] Made sure the title of the PR is a good description that can go into the release notes

BONUS POINTS checklist: complete for good vibes and maybe prizes?! :exploding_head:

  • [ ] Backfilled missing tests for code in same general area :tada:
  • [ ] Refactored something and made the world a better place :star2:

LechG avatar Jan 07 '22 09:01 LechG

Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

:memo: Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA.

It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.

  • If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Check your existing CLA data and verify that your email is set on your git commits.
  • If you signed the CLA as a corporation, please sign in with your organization's credentials at https://identity.linuxfoundation.org/projects/cncf to be authorized.
  • If you have done the above and are still having issues with the CLA being reported as unsigned, please log a ticket with the Linux Foundation Helpdesk: https://support.linuxfoundation.org/
  • Should you encounter any issues with the Linux Foundation Helpdesk, send a message to the backup e-mail support address at: [email protected]

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

k8s-ci-robot avatar Jan 07 '22 09:01 k8s-ci-robot

CLA Signed

The committers are authorized under a signed CLA.

  • :white_check_mark: LechG (d65c203921ee89922d73bc429c860864262eaf07, a7e4f3ef7f29fee36cfcd1d82a10dd8a3cc80429)

linux-foundation-easycla[bot] avatar Jan 07 '22 09:01 linux-foundation-easycla[bot]

Hi @LechG. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Jan 07 '22 09:01 k8s-ci-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: LechG To complete the pull request process, please assign kishorj after the PR has been reviewed. You can assign the PR to them by writing /assign @kishorj in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

k8s-ci-robot avatar Jan 07 '22 09:01 k8s-ci-robot

CLA Not Signed

  • :white_check_mark: LechG (d65c203921ee89922d73bc429c860864262eaf07, a7e4f3ef7f29fee36cfcd1d82a10dd8a3cc80429)

linux-foundation-easycla[bot] avatar Jan 25 '22 09:01 linux-foundation-easycla[bot]

Hello team, any specific version , this will get merged into ? We are also looking forward for this

allupaku avatar Jan 27 '22 14:01 allupaku

@LechG: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Feb 02 '22 23:02 k8s-ci-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar May 04 '22 00:05 k8s-triage-robot

/remove-lifecycle stale

k1rk avatar May 20 '22 08:05 k1rk

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Aug 18 '22 09:08 k8s-triage-robot

/remove-lifecycle stale

blakepettersson avatar Aug 19 '22 18:08 blakepettersson

@kishorj @M00nF1sh apart from the conflict with master and the CLA, what would be the showstopper to get this in?

blakepettersson avatar Aug 19 '22 18:08 blakepettersson

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Nov 17 '22 18:11 k8s-triage-robot

/remove-lifecycle stale

blakepettersson avatar Nov 23 '22 11:11 blakepettersson

@LechG, thanks for your contribution. We will relax the single cert per host restriction in the v2.5.0 release, PR #3028 will address this. Closing this PR in favor of 3028.

kishorj avatar Feb 06 '23 21:02 kishorj