Could not deploy an AWS Network Load Balancer with multiple SSL certifications.
What happened:
I cannot deploy an AWS Network Load Balancer with multiple SSL certifications. The service.beta.kubernetes.io/aws-load-balancer-ssl-cert annotation can only assign one SSL certificate from ACM.
What you expected to happen: I can deploy an AWS Network Load Balancer with multiple SSL certifications. The service.beta.kubernetes.io/aws-load-balancer-ssl-cert annotation can assign multiple SSL certificates from ACM.
How to reproduce it (as minimally and precisely as possible):
In the annotations section, put multiple SSL ARNs as a string list in service.beta.kubernetes.io/aws-load-balancer-ssl-cert. E.g.
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
service.beta.kubernetes.io/aws-load-balancer-type: nlb
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
service.beta.kubernetes.io/aws-load-balancer-internal: "true"
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/3e0ae8dd-d678-4cd0-97fd-d552ac264799, arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/8de13d30-1c2a-4cc8-8cae-53cb58449fb0"
service.beta.kubernetes.io/aws-load-balancer-subnets: "subnet-xxxxxxxxx,subnet-xxxxxxxxx,subnet-xxxxxxxxx"
Anything else we need to know?:
Environment:
- Kubernetes version (use kubectl version): v1.24
- Cloud provider or hardware configuration: AWS
- OS (e.g. from /etc/os-release): Linux
- Kernel (e.g. uname -a): Linux
- Install tools:
- Others:
/kind bug
This issue is currently awaiting triage.
If cloud-provider-aws contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.
The triage/accepted label can be added by org members by writing /triage accepted in a comment.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
An NLB listener would accept only 1 certificate as far as I know. Can you explain your case a little bit more?
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After 90d of inactivity, lifecycle/stale is applied
- After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
- After 30d of inactivity since lifecycle/rotten was applied, the issue is closed
You can:
- Mark this issue as fresh with /remove-lifecycle stale
- Close this issue with /close
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After 90d of inactivity, lifecycle/stale is applied
- After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
- After 30d of inactivity since lifecycle/rotten was applied, the issue is closed
You can:
- Mark this issue as fresh with /remove-lifecycle rotten
- Close this issue with /close
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
This bot triages issues according to the following rules:
- After 90d of inactivity, lifecycle/stale is applied
- After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
- After 30d of inactivity since lifecycle/rotten was applied, the issue is closed
You can:
- Reopen this issue with /reopen
- Mark this issue as fresh with /remove-lifecycle rotten
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/close not-planned
@k8s-triage-robot: Closing this issue, marking it as "Not Planned".
In response to this:
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
This bot triages issues according to the following rules:
- After 90d of inactivity, lifecycle/stale is applied
- After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
- After 30d of inactivity since lifecycle/rotten was applied, the issue is closed
You can:
- Reopen this issue with /reopen
- Mark this issue as fresh with /remove-lifecycle rotten
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/close not-planned
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@kmala sorry to bring this issue back, but I'm getting the same behavior. I think what @LYSingD is trying to do is to attach multiple certificates to the NLB. The listener will get one default certificate, but you can attach multiple optional certificates. You can see it in the AWS UI, where you can find a default certificate section and a Listener certificates for SNI section.
https://aws.amazon.com/about-aws/whats-new/2019/09/elastic-load-balancing-network-load-balancers-now-supports-multiple-tls-certificates-using-server-name-indication/
Can you please take a look?
/reopen
@ilyesAj: You can't reopen an issue/PR unless you authored it or you are a collaborator.
In response to this:
/reopen
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
@ilyesAj, we eventually added those additional certificates via IaC.
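The two comments above describe the workaround in words: the annotation sets the listener's single default certificate, and the extra SNI certificates have to be attached to that listener outside the cloud controller. The following script is an added example, not code from this thread or from cloud-provider-aws, showing that out-of-band step with the AWS CLI (elbv2 describe-listeners, add-listener-certificates and describe-listener-certificates, which are real subcommands). It assumes the AWS CLI v2 is installed with credentials allowed to call those operations, that the NLB and its TLS listener already exist, and that LB_ARN, CERT_ARNS and every ARN in the comments are constructed placeholders. The split function accepts exactly the comma-separated value the reporter tried in the annotation.

```shell
#!/bin/sh
# Added example, not from the issue thread or cloud-provider-aws.
# Assumes AWS CLI v2 with credentials for elbv2:DescribeListeners,
# elbv2:AddListenerCertificates and elbv2:DescribeListenerCertificates.
# All ARNs are constructed placeholders.

# Turn the comma-separated annotation value into one ARN per line,
# trimming surrounding whitespace and dropping empty entries.
split_cert_arns() {
  printf '%s\n' "$1" \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -v '^$'
}

# Succeed only for strings shaped like an ACM certificate ARN
# (region, 12-digit account id, certificate/<uuid>).
is_acm_cert_arn() {
  printf '%s' "$1" \
    | grep -Eq '^arn:aws:acm:[a-z0-9-]+:[0-9]{12}:certificate/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Look up the ARN of the listener on a given port of a load balancer.
listener_arn_for_port() {
  aws elbv2 describe-listeners \
    --load-balancer-arn "$1" \
    --query "Listeners[?Port==\`$2\`].ListenerArn" \
    --output text
}

# Attach every ARN after the first as an additional (SNI) certificate.
# The first ARN is the default certificate the annotation already set, so it
# is skipped; malformed entries are reported and skipped instead of sent.
attach_sni_certs() {
  listener_arn="$1"
  cert_list="$2"
  first=1
  split_cert_arns "$cert_list" | while read -r arn; do
    if ! is_acm_cert_arn "$arn"; then
      printf 'skipping malformed ARN: %s\n' "$arn" >&2
      continue
    fi
    if [ "$first" -eq 1 ]; then
      first=0
      continue
    fi
    aws elbv2 add-listener-certificates \
      --listener-arn "$listener_arn" \
      --certificates "CertificateArn=$arn"
  done
}

# Show what the listener now serves: the row with IsDefault=True is the
# annotation's certificate, the remaining rows are the SNI certificates.
list_listener_certs() {
  aws elbv2 describe-listener-certificates \
    --listener-arn "$1" \
    --query 'Certificates[].[CertificateArn,IsDefault]' \
    --output text
}

# Runs only when the caller exports both placeholders, e.g.
#   LB_ARN=arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/example/0123456789abcdef \
#   CERT_ARNS="arn:aws:acm:us-east-1:123456789012:certificate/<default-uuid>, arn:aws:acm:us-east-1:123456789012:certificate/<sni-uuid>" \
#   sh attach-sni-certs.sh
if [ -n "${LB_ARN:-}" ] && [ -n "${CERT_ARNS:-}" ]; then
  listener="$(listener_arn_for_port "$LB_ARN" 443)"
  attach_sni_certs "$listener" "$CERT_ARNS"
  list_listener_certs "$listener"
fi
```

Because the controller only knows about the annotation's certificate, anything attached this way is invisible to it and should live in the same IaC that owns the Service, so a later reconcile or listener recreation does not silently leave the SNI hostnames without a certificate. Checking the output of the describe call against the intended list is the cheapest way to catch that drift.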