
Upload certificate to ACM if certificate manager is not ACM since controller expects ACM #3712

Open
is-it-ayush opened this issue May 23, 2024 · 1 comment
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

@is-it-ayush

is-it-ayush commented May 23, 2024

Is your feature request related to a problem?
Currently, aws-load-balancer-controller expects the issued Certificate to be present in ACM for any of the SSL/TLS features to work. This is a problem when the kubernetes cluster is using a different certificate manager such as cert-manager.

Describe the solution you'd like
I've read that aws-load-balancer-controller attempts to auto-detect the certificate in ACM based on the hostname provided in the tls spec on the Ingress/ALB resource. For a Service/NLB resource, you have to provide the Certificate ARN as an annotation. This problem could be solved by importing the certificate into ACM when it is issued/updated/deleted by listening for events on the linked Certificate resource within the cluster. ACM offers an ImportCertificate API call to import a certificate, and the only requirements it presents are:

  • the issued certificate,
  • the issued certificate's private key.

I think cert-manager stores the issued certificate and the certificate's private key as a Secret within the cluster. It should be possible to upload/update the certificate after it is issued/updated/deleted by the controller. This way SSL/TLS annotations on Service/Ingress resources would work with both ALB & NLB load balancers.

Describe alternatives you've considered
This is the only solution I can think of for now! : )

Extra
This issue contains the problem in more detail! #3708 (comment)
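As an added example (not code from aws-load-balancer-controller, cert-manager or the issue author), the following Go program shows the preparation step such a controller would have to do before calling ImportCertificate: take the `tls.crt` / `tls.key` entries of a `kubernetes.io/tls` Secret, split the leaf from the intermediate chain (ACM takes them as separate fields), refuse an encrypted key (ACM only accepts an unencrypted one), check that the key type is one ACM can import, and verify that the key actually belongs to the leaf so a mismatched pair never reaches ACM. The sample Secret is constructed in-program (a self-signed ECDSA leaf for the made-up name `example.internal`), the list of accepted key sizes is an assumption to verify against the current ACM documentation, and the field names mirror `acm.ImportCertificateInput` in aws-sdk-go-v2; the AWS call itself is left out so the program runs offline.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ImportInput: the three PEM fields ImportCertificate takes (same names as aws-sdk-go-v2's acm.ImportCertificateInput).
type ImportInput struct{ Certificate, PrivateKey, CertificateChain []byte }

// PrepareACMImport validates a kubernetes.io/tls Secret's tls.crt / tls.key and splits them as ACM expects; no AWS call.
func PrepareACMImport(tlsCrt, tlsKey []byte) (*ImportInput, error) {
	// tls.crt is a PEM bundle: leaf first, then intermediates, which ACM wants separately.
	leafBlock, chainPEM := pem.Decode(tlsCrt)
	if leafBlock == nil || leafBlock.Type != "CERTIFICATE" {
		return nil, errors.New("tls.crt does not start with a CERTIFICATE block")
	}
	leaf, err := x509.ParseCertificate(leafBlock.Bytes)
	if err != nil {
		return nil, fmt.Errorf("leaf certificate: %w", err)
	}
	if now := time.Now(); now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return nil, errors.New("leaf certificate is outside its validity period")
	}
	// ACM only accepts an unencrypted private key, so refuse encrypted PEM up front.
	keyBlock, _ := pem.Decode(tlsKey)
	if keyBlock == nil || keyBlock.Type == "ENCRYPTED PRIVATE KEY" || keyBlock.Headers["Proc-Type"] == "4,ENCRYPTED" {
		return nil, errors.New("tls.key is missing or encrypted; ACM needs an unencrypted PEM key")
	}
	priv, err := parseImportableKey(keyBlock)
	if err != nil {
		return nil, err
	}
	// The key must belong to the leaf, or a mismatched pair could reach the load balancer.
	pub, ok := leaf.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !pub.Equal(priv.Public()) {
		return nil, errors.New("tls.key does not match the leaf certificate's public key")
	}
	return &ImportInput{pem.EncodeToMemory(leafBlock), pem.EncodeToMemory(keyBlock), chainPEM}, nil
}

// parseImportableKey accepts the key encodings cert-manager writes and enforces ACM's
// import set (assumption, verify in the ACM docs: RSA 1024/2048/4096, EC P-256/P-384/P-521).
func parseImportableKey(b *pem.Block) (crypto.Signer, error) {
	parse := map[string]func([]byte) (any, error){
		"PRIVATE KEY":     x509.ParsePKCS8PrivateKey,
		"RSA PRIVATE KEY": func(d []byte) (any, error) { return x509.ParsePKCS1PrivateKey(d) },
		"EC PRIVATE KEY":  func(d []byte) (any, error) { return x509.ParseECPrivateKey(d) },
	}[b.Type]
	if parse == nil {
		return nil, fmt.Errorf("unsupported key block type %q", b.Type)
	}
	k, err := parse(b.Bytes)
	if err != nil {
		return nil, err
	}
	switch key := k.(type) {
	case *rsa.PrivateKey:
		if n := key.N.BitLen(); n == 1024 || n == 2048 || n == 4096 {
			return key, nil
		}
	case *ecdsa.PrivateKey:
		if c := key.Curve; c == elliptic.P256() || c == elliptic.P384() || c == elliptic.P521() {
			return key, nil
		}
	}
	return nil, errors.New("key algorithm or size is outside ACM's importable set")
}

// NewDemoTLSSecret is a constructed stand-in for a cert-manager Secret's data: a self-signed ECDSA P-256 leaf and its PKCS#8 key.
func NewDemoTLSSecret() map[string][]byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"example.internal"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // constructed input, valid template
	keyDER, _ := x509.MarshalPKCS8PrivateKey(key)
	return map[string][]byte{
		"tls.crt": pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		"tls.key": pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}),
	}
}

func main() {
	data := NewDemoTLSSecret()
	in, err := PrepareACMImport(data["tls.crt"], data["tls.key"])
	if err != nil {
		panic(err)
	}
	fmt.Printf("ready: %d-byte leaf, %d-byte key, %d-byte chain\n", len(in.Certificate), len(in.PrivateKey), len(in.CertificateChain))
}
```

In a real controller the three byte slices would go straight into `acm.ImportCertificateInput`, and a re-import on renewal would additionally pass the existing `CertificateArn` so the ARN already referenced by the load balancer stays stable; everything before that call is what decides whether a private key leaves the cluster at all, which is why the key/certificate match and the encryption check come first.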

@is-it-ayush is-it-ayush changed the title Upload certificate to ACM if certificate controller is not ACM since controller expects ACM Upload certificate to ACM if certificate manager is not ACM since controller expects ACM May 23, 2024
@huangm777

Thank you for your feature request! We will be discussing this with our security team to see if it can be supported.

@shraddhabang shraddhabang added the kind/feature Categorizes issue or PR as related to a new feature. label May 29, 2024