Certificate Filter for Certificate Discovery supporting RSA 4096 #2719
Comments
conrad784
changed the title
|
@conrad784 We'll also sync with ALB/NLB team to see the supported certificate types and see whether we can add these keyTypes by default without configuration. |
kishorj
added
the
good first issue
|
The Kubernetes project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
/remove-lifecycle stale |
|
Have the same issue self-discovery is not working for RSA 4096 certificates |
|
@conrad784, @yair-sedaka, We have shipped the improvement with v2.6.0 release, I'm closing the issue as for now. Please feel free to reopen if you have any issue. Thanks |
Hello @oliviassss , I can't find anything in the documentation, is this going to be added to the documentation? Meanwhile can you share how can one install the load balancer controller specyfing the list of certificates? |
|
@nmofonseca, you can either use the ingress annotation |
Hello @oliviassss , Thank you for your reply. I understand that I can either specify the certificate arn via ingress annotations or leverage the auto discovery The problem stated in this issue was that auto discovery wouldn't work for e.g ECDSA certificates since the underlying aws acm api by default doesn't return them, unless we pass the keytype as includes. So the proposed solution here initially was to allow to specify that filter which then the controller would use. From what you said, in v2.6 improvements have been made but is not clear what that means.I did check the PR mentioned here #3314 but both my coding and knowledge of go are very limited. So to double check from what you replied am I correct in assuming that the improvements in v2.6 are not an implementation as described here but just to allow th auto discovery to pick up any certificate type without the need to fiddle with filters? If you could provide further clarifications it will be much appreciated |
|
@nmofonseca what's the controller version you are currently on? Maybe check by |
I haven't tested yet with v2.6.x yet, was just try it to understand if the improvements mentioned require any additional steps or configuration, from what I am getting from you it doesn't seem to do. Tomorrow will try to upgrade and test. |
|
hello @oliviassss , Apologies for the delay. I have now tested with the latest version 2.6.2 and it picked up my ECDSA certificate. Thank you for the help |
Is your feature request related to a problem?
For our frontends in our EKS we need certificates which are RSA_4096, which are currently not issued by AWS ACM. Therefore we have an external certificate provider and are importing the certificates via IaC to AWS.
When creating an ALB manually, I can select this certificate and everything is working fine. But the k8s load-balancer-controller only says
Turns out, by default the AWS-cli also does not show the certificate when
aws acm list-certificatesonly after adding--include keyTypes=RSA_2048,RSA_4096the wanted certificate is shown (see keyTypes in https://docs.aws.amazon.com/cli/latest/reference/acm/list-certificates.html#options)If I am providing the ingress annotations with the certificate ARN will result in an ALB with the right certificate provisioned but this can hardly be described as auto-configuration ;)
Describe the solution you'd like
It would be nice to be able to provide filters to the certificate discovery, I only tried hard-coding it (as I am lacking the required go-knowledge) for my case in c8bddae and it is working for me.
By default the keyTypes filter should be like defined in the aws-cli command reference ["RSA_2048,RSA_4096"], but this should be over-writable with a configuration of this controller.
Important to note: NLB and classic LB can't use RSA_4096 certificates from ACM (whereas it might be possible when loading it from IAM? https://docs.amazonaws.cn/en_us/elasticloadbalancing/latest/classic/elb-update-ssl-cert.html).
Describe alternatives you've considered
Chaining an NLB before the auto-configured ALB does not work, as it does not support the certificate.
Maybe creating the target group + ALB manually would also work, but this does not scale nicely.
There is some conflicting information from AWS, what you should/can do with those certificates within their service. One resource says you should upload them to IAM [1] but on an older entry it says ACM now supports those certificates [2] so I am not fully understanding why those server-certificates still exist in IAM. I can't test the IAM way as my current account is restricted not to use IAM. I also can not find if there is code to lookup certificates in IAM #60
[1] https://aws.amazon.com/premiumsupport/knowledge-center/import-ssl-certificate-to-iam/
[2] https://aws.amazon.com/about-aws/whats-new/2021/07/aws-certificate-manager-provides-expanded-usage-imported-ecdsa-rsa-certificates/
The text was updated successfully, but these errors were encountered: