aws / containers-roadmap

This is the public roadmap for AWS container services (ECS, ECR, Fargate, and EKS).
https://aws.amazon.com/about-aws/whats-new/containers/

[EKS] [feature request]: Support specifying ACM certificate for API server #209

Open Raffo opened 5 years ago

Raffo commented 5 years ago

Tell us about your request
It would be great to use a valid SSL certificate for the Kubernetes API server. Kops, for example, has supported that for several months by allowing you to specify the ARN of an existing ACM certificate: https://github.com/kubernetes/kops/pull/5414

Which service(s) is this request for?
EKS

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
As a cluster administrator, I don't want to give everybody the CA to access the cluster and I want to be able to have a vanity URL for the cluster's API with a valid SSL certificate.

Are you currently working around this issue?
Using Kops and its ACM feature.

sontags commented 4 years ago

Also, there's this thing in big companies called a corporate proxy. Although they make very little sense, some of them go further and do TLS interception. In that case the certificate provided by the EKS API server is unusable unless the corporate proxy can be accessed and controlled.

A perfectly valid certificate signed by a commonly known CA is required.

geofffranks commented 4 years ago

+1

This would be very helpful for us as well, for the same proxy/TLS interception scenario.

enriquesantosblanco-sanuk commented 2 years ago

+1, this is currently making it quite difficult to use EKS for us, as we need to either expose the EKS K8 API through an additional LB with a "proper" CA certificate or install the K8 CA in every consumer connecting to the API.

dahateb commented 1 year ago

+1 this would be super helpful