kubernetes-sigs / aws-load-balancer-controller

A Kubernetes controller for Elastic Load Balancers
https://kubernetes-sigs.github.io/aws-load-balancer-controller/
Apache License 2.0

Unable to Pass Multiple ACM Certificate ARNs to service.beta.kubernetes.io/aws-load-balancer-ssl-cert #3942

Open vSharique opened 4 days ago

vSharique commented 4 days ago

Describe the bug

I encountered an issue when trying to pass multiple ACM certificate ARNs to the Kubernetes annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert. The operation fails, and the following error is returned:

Error syncing load balancer: failed to ensure load balancer: error creating listener: "error creating load balancer listener: \"ValidationError: Certificate ARN 'arn of certificate1, arn of certificate2' is not valid\n\tstatus code: 400, request id: e7c31ef5-06b6-4027-acff-ecc2d3762d26\""

Passing a single ACM certificate ARN works as expected. However, the issue arises specifically when multiple ARNs are provided.

Steps to reproduce

  1. Create a Kubernetes service with the service.beta.kubernetes.io/aws-load-balancer-ssl-cert annotation.
  2. Provide a comma-separated list of ACM certificate ARNs as the value for the annotation. Example:

     metadata:
       annotations:
         service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:region:account-id:certificate/cert1,arn:aws:acm:region:account-id:certificate/cert2"

  3. Deploy the service and observe the load balancer creation logs at the Kubernetes service level.

Expected outcome

The load balancer should be created successfully with listeners configured for all specified ACM certificates.

Environment
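The error quoted in the report shows the whole annotation value, comma and space included, being handed to AWS as if it were one certificate ARN. The following Go program is an added example written for this thread, not code from the aws-load-balancer-controller or from the reporter: it shows the parsing step a controller has to do before any API call, splitting the annotation on commas, trimming whitespace, validating each ARN as an ACM certificate ARN, and then assigning the first ARN as the listener's default certificate with the rest as additional certificates. The function names, the ListenerCertificates type and the sample ARNs (account 123456789012, cert-1, cert-2) are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// SSLCertAnnotation is the Service annotation the issue is about.
const SSLCertAnnotation = "service.beta.kubernetes.io/aws-load-balancer-ssl-cert"

// ListenerCertificates models how a TLS listener carries its certificates:
// one default certificate plus any number of additional (SNI) certificates.
// This type is an assumption of the example, not a type from the controller.
type ListenerCertificates struct {
	Default    string
	Additional []string
}

// ParseCertificateARNs splits a comma-separated annotation value into
// individual ACM certificate ARNs. Whitespace around each entry is trimmed
// (the issue's error message shows ", " between ARNs) and every entry is
// validated on its own, so a value that was never split is rejected
// before it reaches an AWS API call.
func ParseCertificateARNs(value string) ([]string, error) {
	var arns []string
	for _, raw := range strings.Split(value, ",") {
		arn := strings.TrimSpace(raw)
		if arn == "" {
			continue // tolerate trailing commas and blank entries
		}
		if err := validateACMCertificateARN(arn); err != nil {
			return nil, fmt.Errorf("%s: %w", SSLCertAnnotation, err)
		}
		arns = append(arns, arn)
	}
	if len(arns) == 0 {
		return nil, fmt.Errorf("%s: no certificate ARN given", SSLCertAnnotation)
	}
	return arns, nil
}

// validateACMCertificateARN checks the generic ARN layout
// arn:partition:service:region:account-id:resource and that the
// resource is an ACM certificate.
func validateACMCertificateARN(arn string) error {
	if strings.ContainsAny(arn, " \t,") {
		return fmt.Errorf("certificate ARN %q is not valid: contains whitespace or a comma", arn)
	}
	parts := strings.SplitN(arn, ":", 6)
	if len(parts) != 6 {
		return fmt.Errorf("certificate ARN %q is not valid: expected 6 colon-separated fields", arn)
	}
	switch {
	case parts[0] != "arn":
		return fmt.Errorf("certificate ARN %q is not valid: missing arn prefix", arn)
	case !strings.HasPrefix(parts[1], "aws"):
		return fmt.Errorf("certificate ARN %q is not valid: unknown partition %q", arn, parts[1])
	case parts[2] != "acm":
		return fmt.Errorf("certificate ARN %q is not valid: service %q is not acm", arn, parts[2])
	case parts[3] == "" || parts[4] == "":
		return fmt.Errorf("certificate ARN %q is not valid: region and account id are required", arn)
	case !strings.HasPrefix(parts[5], "certificate/") || parts[5] == "certificate/":
		return fmt.Errorf("certificate ARN %q is not valid: resource is not a certificate", arn)
	}
	return nil
}

// BuildListenerCertificates assigns the first ARN as the listener's default
// certificate and the rest as additional certificates, which is how an
// ELBv2 TLS listener takes more than one certificate. Using the first entry
// as the default is this example's convention.
func BuildListenerCertificates(arns []string) (ListenerCertificates, error) {
	if len(arns) == 0 {
		return ListenerCertificates{}, fmt.Errorf("at least one certificate ARN is required")
	}
	return ListenerCertificates{Default: arns[0], Additional: arns[1:]}, nil
}

func main() {
	// Constructed sample values; the account id and certificate ids are placeholders.
	for _, value := range []string{
		"arn:aws:acm:us-west-2:123456789012:certificate/cert-1, arn:aws:acm:us-west-2:123456789012:certificate/cert-2",
		"arn:aws:acm:us-west-2:123456789012:certificate/cert-1",
		"arn:aws:acm:us-west-2:123456789012:certificate/cert-1,arn:aws:iam::123456789012:server-certificate/legacy",
	} {
		arns, err := ParseCertificateARNs(value)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		lc, _ := BuildListenerCertificates(arns)
		fmt.Printf("default=%s additional=%v\n", lc.Default, lc.Additional)
	}
}
```

Running the program parses the first two values and rejects the third, because its second entry is an IAM server certificate rather than an ACM certificate. The useful check for anyone hitting the reported error is the one validateACMCertificateARN performs: if the string that reaches AWS still contains a comma or a space, the annotation value was never split, which points at whichever component created the listener rather than at the ARNs themselves.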

zac-nixon commented 2 days ago

I think I need more information; I can't replicate this by applying the manifest. How are you deploying the service?

apiVersion: v1
kind: Service
metadata:
  name: echoserver-cert
  namespace: echoserver
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "80"
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-west-2:565768096483:certificate/e5b8b88e-99d6-429c-a7d1-172ae522f907,arn:aws:acm:us-west-2:565768096483:certificate/9bfe3677-0731-46b3-8bcf-4f5146e09140
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
spec:
  selector:
    app: echoserver
  ports:
    - port: 80
      targetPort: 8080
      protocol: TCP
  type: LoadBalancer
  loadBalancerClass: service.k8s.aws/nlb

vSharique commented 12 hours ago

I encountered an error while creating the service for the first time. I am using the nginx-ingress Helm chart to deploy the resources.

apiVersion: v1
kind: Service
metadata:
  name: ingress-external-controller
  namespace: ingress-external
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-external
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.12.0-beta.0
  annotations:
    meta.helm.sh/release-name: ingress-external
    meta.helm.sh/release-namespace: ingress-external
    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
    service.beta.kubernetes.io/aws-load-balancer-name: prod-external
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: >-
      arn:aws:acm:us-west-2:565768096483:certificate/e5b8b88e-99d6-429c-a7d1-172ae522f907,arn:aws:acm:us-west-2:565768096483:certificate/9bfe3677-0731-46b3-8bcf-4f5146e09140
    service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: ELBSecurityPolicy-TLS-1-2-2017-01
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
spec:
  ports:
    - name: http
      protocol: TCP
      appProtocol: http
      port: 80
      targetPort: tohttps
      nodePort: 31374
    - name: https
      protocol: TCP
      appProtocol: https
      port: 443
      targetPort: http
      nodePort: 31456
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-external
    app.kubernetes.io/name: ingress-nginx
  type: LoadBalancer
  sessionAffinity: None
  externalTrafficPolicy: Cluster
  ipFamilyPolicy: SingleStack
  allocateLoadBalancerNodePorts: true
  internalTrafficPolicy: Cluster