Automatically provision ACM certificates and attach to ALB based on spec #2509
Comments
|
I am also looking for this (also for use with NLBs). Also see aws-controllers-k8s/community#482 which may be a better separation of concerns. |
|
that does sound interesting, if it gets off the ground |
|
we had a PR for a similar feature in the past. The reason we didn't include it was due to the AWS certificate import quota, it was about 20/year - which would count both import and delete, and it wouldn't be based on the number of active certificates. I see the new quota is around 1k. However, the original concern is still there since the feature would stop working after the quota is hit. |
|
Importing certificate is not an option for us. We need ACM to provision the certificate. |
|
This is also of interest to me, in particular using it with ACM Private CA. I'm unclear on how import quotas matter for this feature, since the certificates would be created on-demand through the controller making the request to ACM to provision the certificate; I don't think anyone would have to import a certificate to make this work. |
|
I don't think anyone is asking for I see the ACM quotas have been further increased to 2500 active (5000/yr). IMO, It seems to be a bit more viable if you consider that's an account quota and blast radius could further be reduced with multiple accounts (e.g. dev and prod). An additional quota limit risk mitigation could be to add a parameter of max certificates. For instance, if you could specify a Helm value of As for that historical PR, 20 certificates is extremely different than 5000. I think it's time to reconsider past decisions. If you put a mitigation limit like I suggested above and provide ample documentation, I think organizations can make their own informed decision about adopting this controller. Limits are also a concern with orgs that have adopted ingress-nginx/cert-manager/let's encrypt/external-dns and they operate comfortably within those limits. LE pins you at 50 certificates per registered domain per week (2600/yr). |
We have to ask ourselves if we'd keep referring to the original concern. If the limit was 10k, would we still cite the original concern? What about 10M? I think the current limit of 2500/5000 nullifies the original concern. Organizations can make their own decisions at this point. |
|
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
It can take time for the ACM certificate validation to complete (sometimes even hours). |
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
k8s-ci-robot
added
lifecycle/rotten
|
/remove-lifecycle rotten |
k8s-ci-robot
removed
the
lifecycle/rotten
|
It would be interesting to have this. This will make easier to configure a new site with DNS and certificates without using external and complicated tools and without the need to separate the flow from Kubernetes annotation to use Terraform or AWS console. |
|
/kind feature |
k8s-ci-robot
added
the
kind/feature
I've never seen this. I would say that hours is way outside of a reasonable SLO for ACM DNS certificate validation. Even tools like AWS Amplify and AWS Copilot will timeout within a few minutes for DNS certificate validation. The controller should have a timeout and surface errors, just like every controller should. |
|
Hi all, just wanted to say I think this feature would be very welcomed by the community. Sadly, I see quite a few things going on this thread at the same time and that seems to just slow down the process of getting anything going. From my eyes, it all comes down to trying to make too much of something that shouldn't be this complicated. Instead of talking about attaching to LBs, importing custom certs, ACM PCA, and some other (although valid) advanced usecases, can we just agree on just starting with something simple that would already yield a LOT OF VALUE to the community? My two cents here. The initial realease for this feature should only contain creation public certs certs with DNS validation. This thread has been going for almost 1 year. That would be more than enough time to implement the forementioned initial release and gather lots of extra feedback on how it's been and improve on it. |
|
Another points, already mentioned:
Actually, I don't think so. Not a lot of considerarion is necessary here. From the client side, all one would need is a status in the resource in Kubernetes saying the Cert is ready or still being provisioned. Until the cert is marked as ready, just keep waiting. That's how many other implementation do for resources that have some background provisioning time. Just saying this here to avoid even more overthinking of a simple solution. Regarding of cert limits in ACM, I don't think is up to this repo (or anyone other than the client itself) to keep an eye on what the numbers look like. Have said that, the current limits are very relaxed and shouldn't be a problem for the majority of the usecases.
|
|
We need this feature too. |
|
+1 |
|
Good day, |
|
I had this issue. I uninstalled the helm chart. I reinstalled the helm chart and it is now working. I also removed this from my yaml file: |
|
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
k8s-ci-robot
added
lifecycle/rotten
k8s-ci-robot
removed
the
lifecycle/rotten
|
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
lifecycle/stale
Is your feature request related to a problem?
Right now if you want a dynamic environment based on configured Ingresses, but also includes TLS protection (for example development or demo environments provisioned on-demand) it seems the only option is to use a combination of the Nginx Ingress Controller, cert-manager (using LetsEncrypt) and external-dns. This works but is clunky and it would be nicer to use the AWS Load Balancer Controller, ALBs and ACM. It seems that this controller is most of the way there, but just needs the ability to provision a cert in ACM based on the configured host names - attaching it to the ALB is already possible.
Describe the solution you'd like
When an Ingress object is created, the controller inspects the configured hostnames and requests a certificate be provisioned in ACM. The certificate is then attached to the configured load balancer.
Describe alternatives you've considered
As mentioned, the only workable alternative is using another Ingress controller altogether. In our case Ingresses are created by some other tooling that doesn't have the capability of creating ACM certificates and providing the ARN to this controller. This functionality is already present when using the combination of nginx-ingress/cert-manager/external-dns so there is clearly a use case that has been solved by other projects.
The text was updated successfully, but these errors were encountered: