
Fails to use ACME TLS certificate and uses default HTTPS listener certificate instead #3178

Closed
junglie85 opened this issue Apr 26, 2023 · 3 comments

Comments

@junglie85

When I create an Ingress with an ACME-issued TLS certificate, it's not being applied; instead the ALB is using the default ACM-generated certificate on the HTTPS listener for the domain.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kuard
  annotations:
    kubernetes.io/ingress.class: alb
    cert-manager.io/cluster-issuer: letsencrypt-staging
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/inbound-cidrs: 1.2.3.4/24
    alb.ingress.kubernetes.io/ssl-redirect: "443"
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 80}, {"HTTPS": 443}]'
spec:
  rules:
    - host: kuard.domain.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kuard
                port:
                  number: 443
  tls:
    - hosts:
        - kuard.domain.com
      secretName: kuard-tls

What annotations need to be set or configuration applied when deploying the load balancer controller to prevent this behaviour and use the ACME certificate?

@M00nF1sh
Collaborator

@junglie85
We don't support certificates in the tls field. You have to create an ACM certificate in AWS and specify the certificate ARN via annotation (or we auto-discover a matching certificate by domain name from ACM).

See https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.5/guide/ingress/cert_discovery/
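Added example, not code from the controller or from cert-manager: a simplified version of the host-to-certificate matching that domain-based discovery performs, run over a constructed ACM inventory with placeholder ARNs. The wildcard rule (one leftmost label) and the record fields are assumptions; the output is the value for the alb.ingress.kubernetes.io/certificate-arn annotation, and a host with no ISSUED certificate is reported instead of silently falling back to the listener's default certificate as described in this issue.

```python
from datetime import datetime, timezone

# Constructed sample of an ACM inventory (placeholder ARNs, not real certificates).
ACM_CERTIFICATES = [
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/PLACEHOLDER-2",
     "DomainName": "kuard.domain.com", "SubjectAlternativeNames": ["kuard.domain.com"],
     "Status": "PENDING_VALIDATION", "NotAfter": None},   # exact name, but not usable yet
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/PLACEHOLDER-1",
     "DomainName": "*.domain.com", "SubjectAlternativeNames": ["*.domain.com"],
     "Status": "ISSUED", "NotAfter": datetime(2030, 1, 1, tzinfo=timezone.utc)},
]

def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a wildcard covering exactly one leftmost label:
    *.domain.com covers kuard.domain.com but not a.b.domain.com or domain.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "." in host:
        return host.split(".", 1)[1] == pattern[2:]
    return False

def discover_certificate_arns(hosts, certs, now=None):
    """Map each host to the ARN of an ISSUED, unexpired certificate whose domain
    name or SAN covers it. Hosts with no usable certificate are returned
    separately: those are the ones an ALB would serve with its default cert."""
    now = now or datetime.now(timezone.utc)
    found, missing = {}, []
    for host in dict.fromkeys(hosts):  # de-duplicate, keep order
        arn = None
        for cert in certs:
            if cert["Status"] != "ISSUED" or (cert["NotAfter"] and cert["NotAfter"] <= now):
                continue
            names = [cert["DomainName"], *cert["SubjectAlternativeNames"]]
            if any(name_matches(n, host) for n in names):
                arn = cert["CertificateArn"]
                break
        if arn:
            found[host] = arn
        else:
            missing.append(host)
    return found, missing

def certificate_arn_annotation(hosts, certs, now=None):
    """Build the alb.ingress.kubernetes.io/certificate-arn value for the Ingress,
    or raise so a host with no certificate is caught before the ALB is created."""
    found, missing = discover_certificate_arns(hosts, certs, now)
    if missing:
        raise ValueError("no usable ACM certificate for: " + ", ".join(missing))
    return ",".join(dict.fromkeys(found.values()))  # unique ARNs, order kept
```

Feed it the hosts from spec.rules[].host and spec.tls[].hosts of the Ingress above; the pending certificate is skipped even though its name matches exactly.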

@junglie85
Author

Thanks for the info @M00nF1sh. Is support for this on the roadmap?

I don't really want users to need to know low-level details such as having to create a certificate in AWS and providing its ARN. cert-manager abstracts this away and enables automated certificate creation, but it does not support ACM. Even if using certificate discovery, it still seems that there is no way to automate the certificate creation and deletion from within k8s. Is there a tool I am missing that enables this?

@oliviassss
Collaborator

@junglie85, unfortunately, it's a security requirement for us to have the certificate on ACM, so we don't have it on the roadmap now. Closing this issue.
