awslabs / kubeflow-manifests

KubeFlow on AWS
https://awslabs.github.io/kubeflow-manifests/
Apache License 2.0

Unused certificate for root domain? #754

Open surajkota opened 1 year ago

surajkota commented 1 year ago

Is your feature request related to a problem? Please describe.

The Cognito and load balancer guides require the user to create a wildcard certificate for both the root domain (*.example.com) and the subdomain (*.platform.example.com). The root domain cert is not attached to any resource and is unused after deployment.

Upon investigation, I found that if the URL the client accesses is kubeflow.platform.example.com, the presented certificate must include a SAN covering either kubeflow.platform.example.com OR *.platform.example.com; it does not need anything at the parent domain. In fact, wildcards should also not be needed.

Describe the solution you'd like

Need to investigate if there is a reason for a client to need to make a connection to platform.example.com and, if there isn't, remove the need for the root domain certificate from the deployment process.

The only place platform.example.com is used is for the A record pointing to the ALB which is not usable.
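
The SAN matching rule discussed in this issue, as an added example that is not part of the original post or the project's code: a wildcard is honoured only as the whole left-most label and stands for exactly one label (the RFC 6125 rule TLS clients apply). The hostnames are the ones used in the issue; the certificate labels and the `CERTS` inventory are constructed for illustration, and the example also checks the bare `platform.example.com` name.

```python
"""Work out which certificates cover the hostnames clients actually connect to."""


def san_matches(hostname: str, san: str) -> bool:
    """Return True if a dNSName SAN entry covers the hostname."""
    host = hostname.lower().rstrip(".").split(".")
    pattern = san.lower().rstrip(".").split(".")
    # A wildcard never spans a dot, so the label counts must be equal.
    if len(host) != len(pattern):
        return False
    if pattern[0] == "*":
        # "*" replaces one non-empty left-most label; the rest must be identical.
        return host[0] != "" and host[1:] == pattern[1:]
    return host == pattern


def covering_certs(hostname: str, certs: dict) -> list:
    """Names of the certificates with at least one SAN covering the hostname."""
    return sorted(
        name for name, sans in certs.items()
        if any(san_matches(hostname, san) for san in sans)
    )


def unused_certs(hostnames: list, certs: dict) -> list:
    """Certificates that cover none of the hostnames clients connect to."""
    used = {name for h in hostnames for name in covering_certs(h, certs)}
    return sorted(set(certs) - used)


# Constructed inventory: label -> SAN list (labels are hypothetical).
CERTS = {
    "root-wildcard": ["*.example.com"],
    "subdomain-wildcard": ["*.platform.example.com"],
    "single-name": ["kubeflow.platform.example.com"],
}

if __name__ == "__main__":
    for host in ("kubeflow.platform.example.com", "platform.example.com"):
        print(f"{host}: covered by {covering_certs(host, CERTS)}")
    print("unused:", unused_certs(["kubeflow.platform.example.com"], CERTS))
```

Neither the root wildcard nor the subdomain wildcard covers both names: `*.example.com` matches `platform.example.com` but not `kubeflow.platform.example.com`, and `*.platform.example.com` does the reverse.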

btuffreau commented 5 months ago

This should only be necessary if one chooses to go with a Cognito setup since it's a requirement.