[WIP] Initial implementation of ACM certificate for API server ELB #5414
This is a WIP implementation of the support for ACM certificates for the API ELB. This PR allows specifying the ARN of the SSL certificate to use for the Kubernetes API server. It makes the
I'm not fully sure of the consequences of this PR, so I am really looking forward to feedback in this regard. I'd be happy to make changes, especially in the way the ARN of the certificate needs to be passed (currently it's just a CLI flag).
This PR fixes #834 which I promised many weeks ago, but finally took the time to tackle.
Also, if anyone can guide me on how to add tests for this, that'd be great!
When trying to add this to an existing cluster I'm getting
Not sure if this is your change or something else on master.
Thanks for the comment! Well it looks like my change given the area of error, but I am not sure. I tested it on my machine and I didn't see this issue... I create the cluster with the following command:
Can you post the command that you used?
Ok, I managed to reproduce the issue. The commands I used are:
The last one fails with the following output:
I will dig into it in the next days to try to figure out how to fix it as I would need it as well.
@sstarcher To be able to add the SSL certificate, we have to first delete and then add the listener. I think this is a fine operation to do and it shouldn't be too much of a big deal. The change I implemented should be okay to satisfy your use case. TL;DR: please take another look
[APPROVALNOTIFIER] This PR is APPROVED
Jul 19, 2018
11 checks passed
Sep 16, 2018
Looks like this doesn't work with the Terraform exporter, unless I'm doing something very wrong.
```yaml
...
spec:
  api:
    loadBalancer:
      sslCertificate: arn:aws:acm:blah:blah:certificate/blah
      type: Public
...
```
Applying this generates a "dumb" TCP ELB. I'm migrating an existing cluster from directly exposing the API to using a
I'm using kops 1.10.0.
I created a cluster like:
And when I try to validate or do anything that communicates with the Master API, I get the following error:
There is a mismatch between ELB address given by AWS and my own domain for which I issued the certificate, hence it cannot communicate with Master API.
Any workaround for this?
Hi @abhyuditjain, can you add another issue and quote me, adding some details like the version of kops that you are running? It's better for tracking. Also, I think I'm running a very similar setup to the one that you are specifying and I don't see such an issue. I would recommend outputting the cluster YAML so that we can see the generated settings.