
Globally set certificate ARN

Open · fprin opened this issue 1 year ago • 4 comments

Is your feature request related to a problem?

There are cases in which multiple AWS Certificate Manager (ACM) instances possess the same Subject Alternative Name (SAN), for example: *.staging.example.sh. This situation disrupts the AWS Load Balancer Controller (LBC) autodiscovery, as it cannot determine which ACM to use. The error message looks like this:

multiple certificates found for host: my-app.us-east-1.staging.example.sh, certARNs: [arn:aws:acm:us-east-1:<ACCOUNT_NAME>:certificate/5b9dc41e-99ce-40b6-861c-4b65720cc389 arn:aws:acm:us-east-1:<ACCOUNT_NAME>:certificate/03e170f2-05f3-4112-a6da-a5adcdf6e7a2]

Describe the solution you'd like

I would like the capability to set a global flag or environment variable in the AWS Load Balancer Controller (LBC) pods. This setting would allow the pods to default to using a specific ACM, for example, the one with the ID 5b9dc41e-99ce-40b6-861c-4b65720cc389. This way, errors related to multiple certificates with the same Subject Alternative Name (SAN) would be prevented.

Describe alternatives you've considered

Currently, to address this issue, we are manually setting the ACM's ARN in all our Ingress and Service annotations, like this:

    annotations:
      alb.ingress.kubernetes.io/certificate-arn: 'arn:aws:acm:us-east-1:<ACCOUNT_NAME>:certificate/5b9dc41e-99ce-40b6-861c-4b65720cc389'

However, this approach becomes cumbersome when certificates need to be recreated or when we have to globally switch from one certificate to another. The challenge is compounded by multiple Amazon Elastic Kubernetes Service (EKS) clusters in different AWS accounts, each with different ACM ARNs. To streamline this process, we would like the ability to set a global ACM's ARN for each EKS cluster in each account, avoiding manual annotations in every Ingress and Service.

fprin avatar Nov 23 '23 13:11 fprin

/kind feature

Thanks for bringing this up. I think there are 2 options to add the config for a 'global' ingress certificate ARN:

  • add a new spec in IngressClassParams, like spec.certificateArn
  • or, have a new controller command line flag --ingress-certificate-arn

When the global ingress certificate is set, it takes precedence over the cert specified via the annotation alb.ingress.kubernetes.io/certificate-arn.

oliviassss avatar Jan 18 '24 01:01 oliviassss

@oliviassss Any updates regarding this? :)

I believe that any of the solutions you previously described are sufficient:

  • add a new spec in IngressClassParams, like spec.certificateArn
  • or, have a new controller command line flag --ingress-certificate-arn. When the global ingress certificate is set, it takes precedence over the cert specified via the annotation alb.ingress.kubernetes.io/certificate-arn

fprin avatar Feb 14 '24 14:02 fprin

@fprin, I will discuss with the team internally, but any community contribution is also very welcome. Thanks

oliviassss avatar Feb 14 '24 21:02 oliviassss

/assign

Nezz7 avatar Mar 09 '24 16:03 Nezz7

Delivered in v2.8.0

shraddhabang avatar May 20 '24 18:05 shraddhabang