ACM service controller #482
Comments
mdykes-gw
added
the
kind/new-service
|
@mdykes-gw can you elaborate on how you'd envision an ACK service controller for ACM working? I suppose the only resource in the ACM API is the Were you thinking of implementing your own kind of certificate renewal using an ACK service controller for ACM and some other script or Kubernetes operator? |
|
From my point of view it can initiate creation of Certificate so this certificate can be used with AWS LoadBalancer Controller. The problem is that this can be tricky because it will probably also need access to Route 53 resource for validation and it will work only for domains hosted in Route 53. |
|
@Vrtak-CZ But isn't this basically the exact use-case for many EKS users? We have EKS, Route53, and the Loadbalancer Controller and no automatic certificate issuer for dynamic scopes. We had to fall back to pre-defined certificates using tools like pulumi or terraform. This breaks the envisioned workflow of just creating a development instance with a valid certificate chain Route53 in our setups have an authoritative domain like dev.example.com The developers should be enabled to deploy an ingress host for my-service.my-dev-namespace.dev.example.com and everything works in an automated way. |
|
Issues go stale after 90d of inactivity. |
ack-bot
added
the
lifecycle/stale
|
/remove-lifecycle stale |
ack-bot
removed
the
lifecycle/stale
|
I came here looking for exactly this workflow. Would prefer to not use a wildcard cert. Use wise, being able to include an annotation to create the cert in acm would be useful. metadata:
annotations:
aws.acm.kubernetes.io/create: trueThe Or just use a similar Certificate kind used by CertManager and grant the controller to specified Route53 hosted zones and Cert Manager for creating new certs. |
|
@Pitta AWS already supports using ACM for private certificates through the cert-manager issuer - https://github.com/cert-manager/aws-privateca-issuer/ Perhaps some integration between that issuer and the |
|
Why the forced push on the private ca? If cloudformation or the cli can do it, this should also be able right? |
|
I've been working on a simple controller to handle this based on That said, the logic is pretty simple. I haven't done the service account yet, but the operator worked in my local testing. |
|
Thanks for sharing @Pitta !looking forward. |
|
@sbkg0002 Yes CloudFormation and the CLI are both able to create certs, and an ACM ACK controller would be able too as well. However, we don't have plans to extend ACK out any further than the control plane of ACM, for example attaching certificates within a Kubernetes environment. I think there are other good tools (like cert-manager) that handle the K8s part of it once the certificate has been created by an ACK custom resource. |
|
If cert-manager did what I was asking for in a way that was clear that others have done, I'm all for it. |
|
/lifecycle frozen |
ack-bot
added
the
lifecycle/frozen
|
The ACM + route53 validation + Load balancer controller use case is definitely very interesting to us. Not having this functionality prohibits us from using ACM and ALBs. |
|
I also have this use case and the most recently linked issue is mine. Like another previous commenter I'm a bit mystified why there seems to be more support in the ecosystem for ACMPCA rather than public ACM certificates - so many use cases for dynamic environments require a load balancer, publicly-verifiable certificates and matching DNS. To be honest I don't know why the ALB, ACM and Route53 services aren't more tightly integrated to make this a one-click operation, but that's a separate feature request ;) |
|
I too am interested in this. I think it's worth distinguishing between the IssueCertificate and RequestCertificate API calls, because they do different things. The cert-manager plugin for ACMPCA seems to only do IssueCertificate, which is an ACMPCA-exclusive call - this requires you to generate a key and CSR and submit it to the PCA, and then you get a certificate back. It does not seem to support RequestCertificate, which can be used both for ACM public certs and also for getting certs from ACMPCA that you want to use in other managed services like ALB. This RequestCertificate gap is what I would like to see solved; we use ACMPCA now but have to tell people that they need to provision certs themselves through Terraform/API/console and get the ARN, then use that ARN in the annotation for the LB controller. It's not wretched, but the ideal workflow would be annotating a Service or Ingress in a way that tells the LB controller to deal with requesting the certificate itself and figuring out the SANs based on the NLB hostname annotation or Ingress hosts, respectively. |
|
If it matters, there still are people interested in this, e.g. me! |
|
It's 2023 now.... 1 year and 2 months of this thread. This shouldn't be taking this long. It's quite sad that some are still trying to untangle all the details of an advanced implementation (ACM with Private CAs + LB attachment) but the basic functionality of just creating a simple public ceritificate using DNS challenge is not even supported yet. Can we just agree of having a simple support for creating public certs first then we can iterate over that to then add support for more advanced cases? Happy 2023 🎉 |
If only it were actually a simple thing. :)
After digging into the ACM APIs, I think we could support We would need to add a caveat, though: If no We could handle the @migueleliasweb would that meet your minimum use case needs? |
|
Thanks for jumping in, @jaypipes . I think you've nailed the problem. I did basically the same digging as you did and I didn't think that was overly complicated. I'm sure there's a lot of people here in the AWS team (and in the broader community) that are on top of the APIs, so my rationale was that the main problem here is having a plan in the first place and not really implementing it. That's basically why I thought it was sad this thread is taking over a year to output any sort of outcome. Just to be clear, the usecase you mentioned won't fully solve my usecase as I would still like to have some kind of way to attach this to a LB (I was thinking there could be something like a Have said that, this is lightyears better than nothing! I will take it! Taking smaller steps like this will give all the involved parties more confidence they're heading the right direction. This (from my point of view) is far better than trying to foresee 2..3..5..10 steps ahead and ended up overcomplicating something that could have given value to the community much sooner. |
Initial support for Certificate resources. Items to note: We hardcode `ValidationMethod` to "DNS" because the "EMAIL" validation method means cert renewal is not automateable. See https://docs.aws.amazon.com/acm/latest/userguide/email-validation.html We have some custom validation of the number of domain validation options. When requesting a public certificate with DNS validation, you can only submit a max of 5 subdomains/CNAME records for use in DNS validation, and since we hardcode DNS validation method, we need to check for this and put the Certificate into a Terminal state if there are more than 5 CNAME records listed in the DomainValidationOptions field. Finally, we add a simple sleep of 5 seconds after successful creation since https://docs.aws.amazon.com/acm/latest/APIReference/API_RequestCertificate.html warns us that DescribeCertificate calls will not succeed for several seconds after a RequestCertificate call has returned the CertificateArn... Issue aws-controllers-k8s/community#482 Signed-off-by: Jay Pipes <jaypipes@gmail.com>
|
That would be awesome, @jaypipes! FWIW, this is the cert-manager feature we use. Perhaps it would make sense for this service controller to export any certificate generated by a given cluster issuer? A couple of caveats, though, is reconciling these certificates (as Ingress resources come and go), as well as the case of multiple EKS clusters in the same account. But I guess you already thought of all these. 😅 |
mikestef9
moved this from Generally Available
to Preview
in Service Controller Release Roadmap
|
great work @jaypipes are there plans to automate validation through route 53 or by a helper utility? |
Hi Calvin! At this time, no, I don't have plans to do this. As we complete the route53 controller, however, we can certainly look into this. Would it be possible for you to create a separate GH issue for the route53 validation behaviour feature request, since this GH issue is for the ACM service controller generally? |
|
Our use case is to import certs, issued by cert-manager, to ACM. |
@akamac ACM certs are free, why not issue new ones instead? |
Because AWS no longer issues certificates for ru zone, while Let's Encrypt does. |
@mahadh02 it was me who was working on this :) And I have not had the time or resources to get to it unfortunately. I may have some time towards the end of May to tackle this, however. |
|
@mahadh02 it was me who was working on this :) And I have not had the time or resources to get to it unfortunately. I may have some time towards the end of May to tackle this, however @jaypipes , my apologies for incorrectly quoting.. this feature will be very beneficial and looking forward for its availability. |
|
@jaypipes Echoing what the initial comments said. We're moving to EKS and I was looking to use this controller to create a certificate and complete validation. If this controller can satisfy that, we could use AWS Load Balancer Controller to act on the ingress resource with simply a host set and it would all just work nicely (in theory). Now I'm looking at implementing what we currently have outside EKS which feels like a step back. |
|
DNS validation via R53 record set is the last missing piece for creating a service with ELB and certificate with r53 alias through Kubernetes manifests...unfortunately, as long as this is missing, the acm-controller is not usable efficiently. |
|
@FuriouZ07 shouldn't that be done with external-DNS + acm-controller? |
Yeah, external-dns could create a R53 record. But it needs to query the cname name&value from the ACM certificate and then create a record with these data. As far as I know, external-dns does not support such a use case to automate the creation&verification completely. I've used the CRD for creating the certificate and did not try to use annotations. |
|
I'm also not finding a way to automate the R53 DNS validation. Everything else worked well, but the validation is a blocker for us as well. |
Hey, @jaypipes. Happy new year. 😄 Any updates on this? |
|
@jaypipes I can create a validated cert by doing the steps in #1904 (comment) But there is the missing part of getting the resource record info to create the correct RecordSet resource. Can that info be put onto the Certificate status like I could work with that for now |
a-hilaly
added
service/acm
@john-r-swyftx Resource recordsets are now shown in the |
Hey, @a-hilaly, do you happen to have any updates on this? Should I create another issue, for better tracking? |
|
I did some playing around with the controller today and it is looking nice so far. I have a couple of questions/feature requests.
|
Been stuck with exactly this! My setup is non-EKS
Without either, TLS on Load Balancer's is pretty much impossible to automate on non-EKS (tested) or even EKS clusters (untested). I wrote an issue here that condenses the problems I encountered on non-EKS cluster with |
|
This is frustrating to learn that such an important feature is not automated today, almost 5 years later |
and others
New ACK Service Controller
Support for ACM
List of API resources
List the API resources in order of importance to you:
The text was updated successfully, but these errors were encountered: