kubernetes-sigs / aws-load-balancer-controller

A Kubernetes controller for Elastic Load Balancers
https://kubernetes-sigs.github.io/aws-load-balancer-controller/
Apache License 2.0

Can't have a certificate in both the default certificate and additional certificate for SNI #3070

Open jebeaudet opened 1 year ago

jebeaudet commented 1 year ago

Describe the bug
Currently, using the certificate-arn annotation, it is not possible to have a certain certificate as the default certificate AND in the additional certificate list for SNI. Here is what I'm trying to do in the console (I've tried it manually and it's permitted):

Steps to reproduce
Add an ingress with the following certificate-arn:

    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:1234:certificate/bb08f8b3-967c-46d1-91f8-07b08a5dad9c,arn:aws:acm:us-east-1:1234:certificate/d4b002c2-5e06-4051-9d0f-8ccfa9cff5f1,arn:aws:acm:us-east-1:1234:certificate/bb08f8b3-967c-46d1-91f8-07b08a5dad9c

Expected outcome
A valid configuration like this (this was done manually in the AWS console; you can see the same cert as the default and in the SNI section):

(screenshot: Screen Shot 2023-02-21 at 2.53.10 PM)

Environment

Additional Context: I think the problem comes from the code that's merging multiple potential ingress resources; it uses a set for the merge strategy and this ends up stripping an extra certificate here: https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/pkg/ingress/model_builder.go#L328

Thanks

oliviassss commented 1 year ago

Hi @jebeaudet, I'm just trying to understand why would you like one certificate to appear in both default and additional cert list? Can you please elaborate more on the use case? Thanks.

jebeaudet commented 1 year ago

Hi @oliviassss

Because the default certificate is used only when the client doesn't support SNI or when the SNI request does not match any certificate in the additional certificate list. This is documented here. Therefore, if you want your default certificate to serve as a potential SNI target, it needs to be in both places.

To quote another AWS documentation page:

> You can optionally add the default certificate to ensure that this certificate is used with the SNI protocol even if it is replaced as the default certificate.

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-update-certificates.html
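The difference between a set-based merge and an order-preserving one, which is the behaviour the reporter describes above, as an added Go example. This is not the controller's code and does not reproduce model_builder.go; it assumes, as the reporter's annotation implies, that the first ARN in the list is the default certificate. The ListenerCerts type, the function names and the placeholder ARNs are invented for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// ListenerCerts is a hypothetical model (not the controller's type) of an
// ALB HTTPS listener's certificate configuration: exactly one default
// certificate plus additional certificates that only take part in SNI matching.
type ListenerCerts struct {
	Default    string
	Additional []string
}

// parseCertificateARNs splits the comma-separated value of the
// alb.ingress.kubernetes.io/certificate-arn annotation, trimming whitespace
// and dropping empty entries while preserving order.
func parseCertificateARNs(annotation string) []string {
	var arns []string
	for _, raw := range strings.Split(annotation, ",") {
		if arn := strings.TrimSpace(raw); arn != "" {
			arns = append(arns, arn)
		}
	}
	return arns
}

// buildSetBased mimics the behaviour the issue describes: all ARNs go through
// one set, so a certificate listed twice is emitted once and the default
// certificate can never also appear in the SNI list.
func buildSetBased(arns []string) (ListenerCerts, error) {
	if len(arns) == 0 {
		return ListenerCerts{}, fmt.Errorf("no certificate ARNs")
	}
	seen := make(map[string]bool)
	var unique []string
	for _, arn := range arns {
		if !seen[arn] {
			seen[arn] = true
			unique = append(unique, arn)
		}
	}
	return ListenerCerts{Default: unique[0], Additional: unique[1:]}, nil
}

// buildOrderPreserving takes the first ARN as the default and deduplicates
// only the remaining ARNs among themselves, so the default may legitimately
// reappear in the additional (SNI) list, which the ALB console permits.
func buildOrderPreserving(arns []string) (ListenerCerts, error) {
	if len(arns) == 0 {
		return ListenerCerts{}, fmt.Errorf("no certificate ARNs")
	}
	lc := ListenerCerts{Default: arns[0]}
	seen := make(map[string]bool)
	for _, arn := range arns[1:] {
		if !seen[arn] {
			seen[arn] = true
			lc.Additional = append(lc.Additional, arn)
		}
	}
	return lc, nil
}

// servesSNI reports whether a certificate is matched against the SNI host
// name. Per the AWS docs quoted above, only additional certificates are; the
// default is used for non-SNI clients and for names nothing else matches.
func (lc ListenerCerts) servesSNI(arn string) bool {
	for _, a := range lc.Additional {
		if a == arn {
			return true
		}
	}
	return false
}

func main() {
	// Constructed annotation value with placeholder ARNs: the default cert is
	// listed first and repeated at the end so it also serves SNI.
	annotation := "arn:aws:acm:us-east-1:123456789012:certificate/default-cert," +
		"arn:aws:acm:us-east-1:123456789012:certificate/other-cert," +
		"arn:aws:acm:us-east-1:123456789012:certificate/default-cert"
	arns := parseCertificateARNs(annotation)
	set, _ := buildSetBased(arns)
	ordered, _ := buildOrderPreserving(arns)
	fmt.Printf("set-based:        default=%s additional=%v\n", set.Default, set.Additional)
	fmt.Printf("order-preserving: default=%s additional=%v\n", ordered.Default, ordered.Additional)
	fmt.Println("default serves SNI (set-based):        ", set.servesSNI(arns[0]))
	fmt.Println("default serves SNI (order-preserving): ", ordered.servesSNI(arns[0]))
}
```

With the set-based merge the default certificate is dropped from the SNI list, so a client that sends that certificate's host name in SNI is served by it only as the fallback; the order-preserving variant keeps it in both places, matching what the reporter configured by hand in the console.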

oliviassss commented 1 year ago

@jebeaudet thanks, checking on that

kahirokunn commented 1 year ago

I need this

k8s-triage-robot commented 1 year ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

kahirokunn commented 1 year ago

keep

k8s-triage-robot commented 6 months ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot commented 5 months ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

k8s-ci-robot commented 5 months ago

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to [this](https://github.com/kubernetes-sigs/aws-load-balancer-controller/issues/3070#issuecomment-1951524413):

> The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
>
> This bot triages issues according to the following rules:
> - After 90d of inactivity, `lifecycle/stale` is applied
> - After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied
> - After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed
>
> You can:
> - Reopen this issue with `/reopen`
> - Mark this issue as fresh with `/remove-lifecycle rotten`
> - Offer to help out with [Issue Triage][1]
>
> Please send feedback to sig-contributor-experience at [kubernetes/community](https://github.com/kubernetes/community).
>
> /close not-planned
>
> [1]: https://www.kubernetes.dev/docs/guide/issue-triage/

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

kahirokunn commented 5 months ago

/reopen

bushong1 commented 2 months ago

/remove-lifecycle rotten

bushong1 commented 2 months ago

/reopen

k8s-ci-robot commented 2 months ago

@bushong1: You can't reopen an issue/PR unless you authored it or you are a collaborator.

In response to [this](https://github.com/kubernetes-sigs/aws-load-balancer-controller/issues/3070#issuecomment-2123151480):

> /reopen

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.

bushong1 commented 2 months ago

@jebeaudet can you reopen?