kubernetes-sigs / aws-load-balancer-controller

A Kubernetes controller for Elastic Load Balancers
https://kubernetes-sigs.github.io/aws-load-balancer-controller/
Apache License 2.0

Upload certificate to ACM if certificate manager is not ACM since controller expects ACM #3712

Open is-it-ayush opened 4 months ago

is-it-ayush commented 4 months ago

Is your feature request related to a problem? Currently, aws-load-balancer-controller expects the issued Certificate to be present in ACM for any of the SSL/TLS features to work. This is a problem when the kubernetes cluster is using a different certificate manager such as cert-manager.

Describe the solution you'd like I've read that aws-load-balancer-controller attempts to auto-detect the certificate in ACM based on the hostname provided in the tls spec on Ingress/ALB resource. For Service/NLB resource, you have to provide the Certificate ARN as an annotation. This problem could be solved by importing the certificate into ACM when it is issued/updated/deleted by listening for events on the linked Certificate resource within the cluster. ACM offers ImportCertificate API call to import a certificate and the only requirement it presents are,

I think cert-manager stores the issued certificate and the certificate's private key as a Secret within the cluster. It should be possible to upload/update the certificate after it is issued/updated/deleted by the controller. This way SSL/TLS annotations on Service/Ingress resources would work with both ALB & NLB load balancers.

Describe alternatives you've considered This is the only solution I can think of for now! : )

Extra This issue contains the problem in more detail! https://github.com/kubernetes-sigs/aws-load-balancer-controller/issues/3708#issuecomment-2125559446
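One way to shape the import step this proposal describes, as an added example that is not part of aws-load-balancer-controller or cert-manager: it takes a cert-manager issued `kubernetes.io/tls` Secret (as the Kubernetes API returns it, data values base64-encoded) and builds the keyword arguments for the ACM ImportCertificate call, splitting the PEM bundle into the end-entity certificate and the chain and reusing the existing ARN on renewal. The boto3 call and parameter names are the ones in the AWS SDK; the Secret contents below are constructed placeholders, not real key material.

```python
# Added example: turn a cert-manager TLS Secret into ACM ImportCertificate
# parameters. Not code from aws-load-balancer-controller or cert-manager.
import base64
import re
from typing import Dict, List, Optional

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def split_pem_bundle(bundle: str) -> List[str]:
    """Return each certificate block of a PEM bundle, in the order written
    (cert-manager writes the leaf first, then any intermediates)."""
    return [m.group(0) + "\n" for m in PEM_CERT.finditer(bundle)]


def build_import_request(secret: dict, existing_arn: Optional[str] = None) -> Dict[str, object]:
    """Build kwargs for boto3 acm.import_certificate(**req) from a TLS Secret."""
    if secret.get("type") != "kubernetes.io/tls":
        raise ValueError("expected a kubernetes.io/tls Secret")
    data = secret["data"]
    crt = base64.b64decode(data["tls.crt"]).decode()
    key = base64.b64decode(data["tls.key"]).decode()
    certs = split_pem_bundle(crt)
    if not certs:
        raise ValueError("tls.crt contains no certificate")
    # ACM takes only the end-entity certificate in Certificate; intermediates
    # belong in CertificateChain, so a combined bundle must be split.
    req: Dict[str, object] = {"Certificate": certs[0].encode(), "PrivateKey": key.encode()}
    if len(certs) > 1:
        req["CertificateChain"] = "".join(certs[1:]).encode()
    if existing_arn:
        # Re-import into the same ARN on renewal so ALB/NLB listeners that
        # reference it keep working instead of pointing at a stale certificate.
        req["CertificateArn"] = existing_arn
    return req


# Constructed sample Secret with placeholder PEM bodies (not real key material).
LEAF = "-----BEGIN CERTIFICATE-----\nLEAFPLACEHOLDER\n-----END CERTIFICATE-----\n"
INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nINTERMEDIATEPLACEHOLDER\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN PRIVATE KEY-----\nKEYPLACEHOLDER\n-----END PRIVATE KEY-----\n"
SAMPLE_SECRET = {
    "type": "kubernetes.io/tls",
    "metadata": {"name": "example-tls", "namespace": "default"},
    "data": {
        "tls.crt": base64.b64encode((LEAF + INTERMEDIATE).encode()).decode(),
        "tls.key": base64.b64encode(KEY.encode()).decode(),
    },
}
```

The returned dict is what a controller would pass to `acm.import_certificate(**req)` after reading the Secret through the Kubernetes API; the private key only ever travels over that one authenticated AWS call.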

huangm777 commented 4 months ago

Thank you for your feature request! We will be discussing this with our security team to see if it can be supported.

k8s-triage-robot commented 1 month ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot commented 3 days ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten