Aws-load-balancer-controller: Feature req: Support multiple SSL certificate ARNs

Created on 27 Jul 2018 · 6 comments · Source: kubernetes-sigs/aws-load-balancer-controller

Since Oct/17 Application Load Balancers support Server Name Indicator (SNI) that enables use of multiple SSL certificates on the same IP and port: https://aws.amazon.com/about-aws/whats-new/2017/10/elastic-load-balancing-application-load-balancers-now-support-multiple-ssl-certificates-and-smart-certificate-selection-using-server-name-indication-sni/

For example, the current annotations:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: "test-alb-ingress"
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80, "HTTPS": 443}]'
    alb.ingress.kubernetes.io/subnets: 'blah1,blah2'
    alb.ingress.kubernetes.io/security-groups: 'xxx,yyy'
    alb.ingress.kubernetes.io/certificate-arn: zzz

Would be nice to be able to define multiple certificates like:

alb.ingress.kubernetes.io/certificate-arn: 'zzz,bbb'

Currently we get an error if we do it like this:

Warning ERROR 24s ingress-controller Error parsing annotations: ACM certificate ARN does not exist. ARN: arn:aws:acm:us-east-1:xxx:certificate/cfaf99c1-6616-478d-8e21-zzzzzz,arn:aws:acm:us-east-1:xxx:certificate/d5a1f5ad-d6cc-4f99-9e81-bbbbbbb

This is needed so we can serve multiple https websites from the same ALB thereby reducing the cost of needing a separate ELB for each website.

Label: kind/feature
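To make the failure mode concrete, here is an added example (not code from the aws-load-balancer-controller project) of the two parsing behaviours discussed above: a single-value parser that treats the whole annotation string as one ARN, which is why a comma-separated value is reported as an ARN that "does not exist", and a list parser that splits on commas, trims whitespace, validates each ACM ARN individually and rejects duplicates. The ARN regex, the function names and the sample ARNs (with a placeholder 12-digit account ID) are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// acmCertARN matches the shape of an ACM certificate ARN:
// arn:<partition>:acm:<region>:<12-digit account>:certificate/<id>.
// This is an illustrative pattern, not the controller's own validation.
var acmCertARN = regexp.MustCompile(`^arn:aws[a-z-]*:acm:[a-z0-9-]+:\d{12}:certificate/[A-Za-z0-9-]+$`)

// ErrInvalidCertARN is returned when a value is not a well-formed ACM certificate ARN.
var ErrInvalidCertARN = errors.New("ACM certificate ARN does not exist or is malformed")

// ParseSingleCertARN mirrors the single-value behaviour described in the issue:
// the entire annotation value is validated as one ARN, so "zzz,bbb" fails as a unit.
func ParseSingleCertARN(value string) (string, error) {
	v := strings.TrimSpace(value)
	if !acmCertARN.MatchString(v) {
		return "", fmt.Errorf("%w: %q", ErrInvalidCertARN, v)
	}
	return v, nil
}

// ParseCertARNs is the requested behaviour: split on commas, trim whitespace,
// skip empty entries, validate each ARN on its own and refuse duplicates, so an
// error names exactly the offending entry instead of the whole list.
func ParseCertARNs(value string) ([]string, error) {
	seen := make(map[string]struct{})
	var arns []string
	for _, raw := range strings.Split(value, ",") {
		arn := strings.TrimSpace(raw)
		if arn == "" {
			continue
		}
		if !acmCertARN.MatchString(arn) {
			return nil, fmt.Errorf("%w: %q", ErrInvalidCertARN, arn)
		}
		if _, dup := seen[arn]; dup {
			return nil, fmt.Errorf("duplicate certificate ARN: %q", arn)
		}
		seen[arn] = struct{}{}
		arns = append(arns, arn)
	}
	if len(arns) == 0 {
		return nil, errors.New("certificate-arn annotation contains no ARNs")
	}
	return arns, nil
}

func main() {
	// Constructed sample annotation value: two ARNs, placeholder account ID.
	const value = "arn:aws:acm:us-east-1:123456789012:certificate/cfaf99c1-6616-478d-8e21-000000000001, " +
		"arn:aws:acm:us-east-1:123456789012:certificate/d5a1f5ad-d6cc-4f99-9e81-000000000002"

	if _, err := ParseSingleCertARN(value); err != nil {
		fmt.Println("single-ARN parser:", err) // reproduces the "does not exist" style failure
	}
	arns, err := ParseCertARNs(value)
	fmt.Println("multi-ARN parser:", arns, err)
}
```

Validating each entry before any AWS API call keeps a malformed or foreign ARN (an IAM role ARN pasted by mistake, for instance) from ever being handed to the listener configuration, and the per-entry error message makes the misconfiguration visible in the Ingress events rather than as a generic lookup failure.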

All 6 comments

Is there any update on this feature? This would be extremely helpful.

Mark

bump

This can be achieved by SNI, I think? https://en.wikipedia.org/wiki/Server_Name_Indication so one cert will simply contain more domains.

SNI doesn't solve this when you don't want the different domains to show up in the certificate.

Also needed for supporting more domains than the SNI limit. We are successfully using the cert discovery feature using the ingress' rules' hostnames, but one of our future projects will be accepting more hostnames than we can feasibly define in an ingress resource, so being able to explicitly provide a list of certs would be great.
