kubernetes-sigs / aws-load-balancer-controller

A Kubernetes controller for Elastic Load Balancers
https://kubernetes-sigs.github.io/aws-load-balancer-controller/
Apache License 2.0

Feature: log a warning if ARN of certificate is not in the same region where ALB is being created #2754

Open rodrigc opened 2 years ago

rodrigc commented 2 years ago

Is your feature request related to a problem?
If you create a Kubernetes cluster in AWS, and an ALB is being created in a particular AWS region, the certificate must be stored in AWS Certificate Manager in the same region as the ALB; otherwise, when creating an ingress, the ingress will fail.

A warning will look like:

  Warning  FailedDeployModel  50m   ingress  Failed deploy model due to ValidationError: Certificate ARN 'arn:aws:acm:us-east-1:XXXX:certificate/mycert' is not valid

See description of problem here: https://kubernetes.slack.com/archives/C8SH2GSL9/p1659997656606629

Describe the solution you'd like
Print out a warning to the logs indicating that the ARN of the certificate is for a region different from the region where the ALB and ingress are being created. This will give the end user better diagnostics as to the source of the problem.

Describe alternatives you've considered
I set up an EKS cluster in us-east-2 and tried to use a certificate stored in us-east-1, and ingress creation failed. The ValidationError message which came back was confusing and did not help me root-cause the problem.

kishorj commented 2 years ago

@rodrigc, we can parse the certificates specified via annotation, and if the certificate is from a different region than the controller, return appropriate error while building the model. This way we can return a more descriptive error and don't depend on the generic ALB errors.

rodrigc commented 2 years ago

@kishorj that would be helpful.

When we use the AWS API to attach a certificate to an ALB, does the AWS API return a useful error message to indicate that the cert is invalid because it is stored in a different region in the AWS Cert Manager?

If not, then implementing your suggestion is good: parse the certificate ARN, compare the ARN region with the region of the ALB, and log the error if they don't match.
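The check proposed in the two comments above (parse the ARNs from the certificate annotation, compare each ARN's region field with the controller's region, and fail model building with a descriptive error instead of surfacing the generic ALB ValidationError) could look like the following. This is an added example written for this page, not code from aws-load-balancer-controller; the function and type names (`parseCertificateARN`, `validateCertificateRegions`, `certARN`, `ErrCertificateRegionMismatch`) are my own, and the sample ARNs and account numbers are constructed. It assumes the comma-separated form that the `alb.ingress.kubernetes.io/certificate-arn` annotation accepts and parses ARNs with the standard library only, so it runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// certARN is the parsed form of an ACM certificate ARN:
//   arn:<partition>:acm:<region>:<account>:certificate/<id>
type certARN struct {
	Partition string
	Region    string
	Account   string
	Resource  string
}

// ErrCertificateRegionMismatch is wrapped by validateCertificateRegions when at
// least one certificate lives in a region other than the controller's.
var ErrCertificateRegionMismatch = errors.New("certificate region mismatch")

// parseCertificateARN splits an ARN into its six colon-separated fields and
// rejects anything that is not an ACM certificate resource.
func parseCertificateARN(s string) (certARN, error) {
	parts := strings.SplitN(s, ":", 6)
	if len(parts) != 6 || parts[0] != "arn" {
		return certARN{}, fmt.Errorf("malformed ARN %q", s)
	}
	if parts[2] != "acm" {
		return certARN{}, fmt.Errorf("ARN %q is not an ACM certificate (service %q)", s, parts[2])
	}
	if !strings.HasPrefix(parts[5], "certificate/") {
		return certARN{}, fmt.Errorf("ARN %q is not an ACM certificate resource", s)
	}
	return certARN{Partition: parts[1], Region: parts[3], Account: parts[4], Resource: parts[5]}, nil
}

// validateCertificateRegions checks every certificate ARN in the annotation
// value (comma-separated) against the region the controller creates ALBs in.
// Malformed ARNs are reported immediately; region mismatches are collected so
// the user sees every offending certificate in one error.
func validateCertificateRegions(annotation, controllerRegion string) error {
	var mismatches []string
	for _, raw := range strings.Split(annotation, ",") {
		arnStr := strings.TrimSpace(raw)
		if arnStr == "" {
			continue
		}
		c, err := parseCertificateARN(arnStr)
		if err != nil {
			return fmt.Errorf("invalid certificate-arn annotation: %w", err)
		}
		if c.Region != controllerRegion {
			mismatches = append(mismatches, fmt.Sprintf(
				"certificate %q is in region %s but the ALB will be created in %s (ACM certificates must be in the load balancer's region)",
				arnStr, c.Region, controllerRegion))
		}
	}
	if len(mismatches) > 0 {
		return fmt.Errorf("%w: %s", ErrCertificateRegionMismatch, strings.Join(mismatches, "; "))
	}
	return nil
}

func main() {
	// Constructed inputs: the scenario from the issue (cert in us-east-1,
	// cluster in us-east-2) and a valid same-region pair.
	wrong := "arn:aws:acm:us-east-1:123456789012:certificate/mycert"
	right := "arn:aws:acm:us-east-2:123456789012:certificate/a1b2c3, arn:aws:acm:us-east-2:123456789012:certificate/d4e5f6"

	fmt.Println("mismatch:", validateCertificateRegions(wrong, "us-east-2"))
	fmt.Println("ok:      ", validateCertificateRegions(right, "us-east-2"))
	fmt.Println("malformed:", validateCertificateRegions("arn:aws:s3:::mybucket", "us-east-2"))
}
```

Running this check while building the model, before any ELB API call, turns the opaque `Certificate ARN '...' is not valid` response into an error that names the certificate region and the ALB region, which is exactly the diagnostic the issue asks for; it also catches non-ACM ARNs pasted into the annotation by mistake.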

johurul000 commented 2 years ago

@kishorj Hi, I am new to open source and would like to work on this issue. If you could help me it would be wonderful.

kishorj commented 2 years ago

@johurul000, sure, that would be wonderful. I will assign the issue to you. Feel free to reach out if you need further help.

/assign @johurul000

johurul000 commented 2 years ago

@kishorj should I try to recreate the issue in AWS EKS?

kishorj commented 2 years ago

@johurul000, you can use any k8s on AWS.

k8s-triage-robot commented 1 year ago

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

csauoss commented 3 months ago

@kishorj if this is still needed, I can give it a try as my first issue. Thanks!