Open jebeaudet opened 1 year ago
Hi @jebeaudet, I'm just trying to understand why you would like one certificate to appear in both the default and additional cert lists. Can you please elaborate more on the use case? Thanks.
Hi @oliviassss
Because the default certificate is used only when the client doesn't support SNI or when the SNI request does not match any certificate in the additional certificate lists. This is documented here. Therefore, if you want your default certificate to serve as a potential SNI target, it needs to be in both places.
To quote another AWS documentation page:
"You can optionally add the default certificate to ensure that this certificate is used with the SNI protocol even if it is replaced as the default certificate."
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-update-certificates.html
@jebeaudet thanks, checking on that
I need this
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
lifecycle/stale is applied
lifecycle/stale was applied, lifecycle/rotten is applied
lifecycle/rotten was applied, the issue is closed
You can:
/remove-lifecycle stale
/close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
keep
/lifecycle rotten
/close not-planned
@k8s-triage-robot: Closing this issue, marking it as "Not Planned".
/reopen
/remove-lifecycle rotten
/reopen
@bushong1: You can't reopen an issue/PR unless you authored it or you are a collaborator.
@jebeaudet can you reopen?
Describe the bug
Currently, using the certificate-arn annotation, it is not possible to have a certain certificate as the default certificate AND in the additional certificate list for SNI. Here is what I'm trying to do in the console (I've tried manually and it's permitted):
![elb](https://user-images.githubusercontent.com/3722096/220434584-ea883735-5d9e-4cf3-9d8e-321f2a8deb31.png)
Steps to reproduce
Add an ingress with the following certificate-arn:
Expected outcome
A valid configuration like this (this was done manually in the AWS console, you can see the same cert as the default and in the SNI section):
Environment
Additional Context: I think the problem comes from the code that's merging multiple potential ingress resources; it uses a set for the merge strategy and this ends up stripping an extra certificate here: https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/pkg/ingress/model_builder.go#L328
Thanks
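
A simplified model of the set-based merge suspected in the report above, next to a merge that keeps a repeated default, as an added example that is not the controller's code. It assumes the first ARN in the annotation becomes the default certificate; the type names, function names and ARNs are hypothetical.

```go
package main

import "fmt"

// ListenerCerts is a simplified, hypothetical model of an HTTPS listener.
type ListenerCerts struct {
	Default string   // served when there is no SNI or no SNI match
	SNI     []string // additional certificate list
}

// dedupe keeps the first occurrence of each ARN, preserving order.
func dedupe(arns []string) []string {
	seen := make(map[string]bool)
	var out []string
	for _, a := range arns {
		if !seen[a] {
			seen[a] = true
			out = append(out, a)
		}
	}
	return out
}

// MergeAsSet deduplicates the whole annotation, as the report suspects:
// a default that is listed twice never reaches the SNI list.
func MergeAsSet(arns []string) ListenerCerts {
	u := dedupe(arns)
	if len(u) == 0 {
		return ListenerCerts{}
	}
	return ListenerCerts{Default: u[0], SNI: u[1:]}
}

// MergeKeepDefault deduplicates only the entries after the first one,
// so repeating the default keeps it as an SNI candidate.
func MergeKeepDefault(arns []string) ListenerCerts {
	if len(arns) == 0 {
		return ListenerCerts{}
	}
	return ListenerCerts{Default: arns[0], SNI: dedupe(arns[1:])}
}

func main() {
	// Constructed placeholder ARNs, not real certificates.
	arns := []string{"arn:example:cert/a", "arn:example:cert/b", "arn:example:cert/a"}
	fmt.Printf("set merge:    %+v\n", MergeAsSet(arns))
	fmt.Printf("keep default: %+v\n", MergeKeepDefault(arns))
}
```

With the set merge, replacing the default later would leave `cert/a` out of the listener entirely, which is the case the quoted AWS documentation warns about.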