kubernetes-sigs / aws-load-balancer-controller

A Kubernetes controller for Elastic Load Balancers
https://kubernetes-sigs.github.io/aws-load-balancer-controller/
Apache License 2.0

Support specifying allowed ACM Certificate arns #3635

Open kimxogus opened 6 months ago

kimxogus commented 6 months ago

Is your feature request related to a problem?

In our case, we have dozens of ALB Ingresses sharing a single Amazon-issued ACM certificate. When we need to change ACM certificates (expiration, misconfiguration, changing domain subjects, etc.), we have to apply or edit all the Ingresses one by one.

Describe the solution you'd like

  1. Specify the allowed ACM certificate ARNs to the controller, with the ARN of cert A.
  2. Create Ingresses without specifying an ACM certificate ARN in their annotations, relying on automatic cert discovery.
  3. When you need to change the ACM cert, just change the allowed ACM certificate ARN from cert A to cert B in the controller args.
  4. The controller will change the certificates for those Ingresses automatically. You don't need to change the annotations one by one.

Describe alternatives you've considered

Maybe including the cert ARN in the IngressClass might be useful as an alternative.
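
The controller does not offer the central allow-list described in steps 1-4 above, so the invariant "every Ingress references only the approved certificate(s)" has to be checked and enforced per Ingress. The script below is an added example for this thread, not code from the issue or from aws-load-balancer-controller. It reads the JSON shape produced by `kubectl get ingress -A -o json`, parses the real `alb.ingress.kubernetes.io/certificate-arn` annotation (a comma-separated ARN list), reports Ingresses that still pin a certificate outside the allow-list, and emits the `kubectl annotate` commands that re-pin them. The namespaces, Ingress names and certificate ARNs in the embedded sample are constructed placeholders.

```python
"""Audit ALB Ingress certificate annotations against an allow-list of ACM ARNs.

Added example for this issue thread; not part of aws-load-balancer-controller.
Input is the JSON that `kubectl get ingress -A -o json` prints.
"""
import json

CERT_ANNOTATION = "alb.ingress.kubernetes.io/certificate-arn"

# Constructed sample: same shape as `kubectl get ingress -A -o json`.
# Namespaces, names and ARNs are placeholders, not real resources.
SAMPLE_INGRESS_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"namespace": "shop", "name": "web",
                      "annotations": {CERT_ANNOTATION:
                          "arn:aws:acm:eu-west-1:111122223333:certificate/cert-a"}}},
        {"metadata": {"namespace": "shop", "name": "api",
                      "annotations": {CERT_ANNOTATION:
                          "arn:aws:acm:eu-west-1:111122223333:certificate/cert-a, "
                          "arn:aws:acm:eu-west-1:111122223333:certificate/cert-old"}}},
        {"metadata": {"namespace": "blog", "name": "site",
                      "annotations": {}}},
        {"metadata": {"namespace": "legacy", "name": "portal",
                      "annotations": {CERT_ANNOTATION:
                          "arn:aws:acm:eu-west-1:111122223333:certificate/cert-old"}}},
    ],
})


def parse_cert_arns(value):
    """The controller reads the annotation as a comma-separated list of ARNs."""
    return [arn.strip() for arn in value.split(",") if arn.strip()]


def audit_ingresses(ingress_list_json, allowed_arns):
    """Classify every Ingress by how its certificate is selected.

    Returns a dict with three lists:
      discovery  -> (ns, name): no annotation; the controller discovers the
                    certificate from the TLS/rule hosts
      allowed    -> (ns, name): annotation references only allowed ARNs
      disallowed -> (ns, name, [offending ARNs]): references a certificate
                    outside the allow-list (stale or unexpected)
    """
    allowed = set(allowed_arns)
    report = {"discovery": [], "allowed": [], "disallowed": []}
    for item in json.loads(ingress_list_json)["items"]:
        meta = item["metadata"]
        key = (meta["namespace"], meta["name"])
        value = (meta.get("annotations") or {}).get(CERT_ANNOTATION)
        if value is None:
            report["discovery"].append(key)
            continue
        offending = [arn for arn in parse_cert_arns(value) if arn not in allowed]
        if offending:
            report["disallowed"].append(key + (offending,))
        else:
            report["allowed"].append(key)
    return report


def migration_commands(report, new_arns):
    """kubectl commands that pin each non-compliant Ingress to the new cert(s).

    --overwrite is needed because the annotation already exists; the controller
    reconciles the listener certificates on its next sync of that Ingress.
    """
    value = ",".join(new_arns)
    return [
        f"kubectl -n {ns} annotate ingress {name} {CERT_ANNOTATION}={value} --overwrite"
        for ns, name, _ in report["disallowed"]
    ]


if __name__ == "__main__":
    allowed = ["arn:aws:acm:eu-west-1:111122223333:certificate/cert-a"]
    result = audit_ingresses(SAMPLE_INGRESS_LIST, allowed)
    for ns, name, arns in result["disallowed"]:
        print(f"{ns}/{name} references non-allowed certificate(s): {', '.join(arns)}")
    for cmd in migration_commands(result, allowed):
        print(cmd)
```

Run it against live output with `kubectl get ingress -A -o json > ingresses.json` and pass the file contents to `audit_ingresses`. Ingresses in the `discovery` bucket are the ones the proposed feature would cover; until it exists, they inherit whatever certificates the controller discovers, so include them in your review when retiring a certificate.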

shethyogita83 commented 6 months ago

@kimxogus Thanks for reaching out and sending us detailed info about the problem you are facing with ACM certificate configuration in Ingresses. We are planning to add support for the alternative solution in v2.8.0. Will this alternative solution solve your problem?

kimxogus commented 6 months ago

Partially yes, but it's not a complete solution for us. We have Ingresses with different configurations in several clusters. Managing those different IngressClasses is not a happy situation for us either.

rofreytag commented 5 months ago

Good discussion. I am adding another use case that is popping up for us: we are migrating from one set of ACM certs to another. The ACM certs in AWS (old and new) coexist for a while. Currently the controller will add all certificates to the load balancers. For a smooth migration, we would like to set the new ACM certs on the controller. That would make the controller update all load balancers and remove the old certs.

Only after removal of the old certs will they become "unused" in ACM, so that we can clean them up.

Yes, there is a workaround: configure each Ingress with its cert, but that would require a lot of edits across code bases and environments instead of specifying a list of valid ACM certs in a central place (once per environment).

k8s-triage-robot commented 2 months ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot commented 1 month ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

kimxogus commented 1 month ago

/remove-lifecycle rotten