zalando-incubator / kube-ingress-aws-controller

Configures AWS Load Balancers according to Kubernetes Ingress resources
MIT License

Add an option to allow to have only tagged certs to be available for use #652

Closed szuecs closed 4 months ago

szuecs commented 10 months ago

As of today all issued ACM and IAM certificates are detected and possibly put into the TLS Listener of ALB/NLB depending on matching hostnames and ingress/routegroup resources. After a production incident, one idea is to make the switch of certificates more explicit. To allow explicitly taking a certificate to production, we can have a flag --tag=k=v that would only detect certificates that have a tag key k with a tag value v. This option should be optional, which ensures a non-breaking change, and deployments can ensure the migration before using this feature.
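The opt-in filter proposed above, sketched as an added example that is not part of the issue or the controller's code: `Cert`, `TagFilter`, `ParseTagFilter` and `Select` are hypothetical names, and the certificate inventory is constructed. An empty flag value keeps the current behaviour, so existing deployments are unaffected until they set the tag.

```go
package main

import (
	"fmt"
	"strings"
)

// Cert is a hypothetical, simplified stand-in for an ACM or IAM certificate.
type Cert struct {
	ID   string
	Tags map[string]string
}

// TagFilter is the parsed k=v pair; the zero value disables filtering.
type TagFilter struct{ Key, Value string }

// ParseTagFilter parses the proposed flag value; "" keeps today's behaviour.
func ParseTagFilter(s string) (TagFilter, error) {
	if s == "" {
		return TagFilter{}, nil
	}
	k, v, ok := strings.Cut(s, "=")
	if !ok || k == "" || v == "" {
		return TagFilter{}, fmt.Errorf("invalid tag filter %q, want k=v", s)
	}
	return TagFilter{Key: k, Value: v}, nil
}

// Select returns the IDs of certificates eligible for the TLS listener.
func (f TagFilter) Select(certs []Cert) []string {
	var ids []string
	for _, c := range certs {
		// Untagged and differently tagged certificates are skipped when filtering.
		if f.Key == "" || c.Tags[f.Key] == f.Value {
			ids = append(ids, c.ID)
		}
	}
	return ids
}

func main() {
	certs := []Cert{ // constructed sample inventory
		{ID: "cert-a", Tags: map[string]string{"ingress": "enabled"}},
		{ID: "cert-b", Tags: map[string]string{"ingress": "staged"}},
		{ID: "cert-c"}, // issued but never tagged
	}
	f, err := ParseTagFilter("ingress=enabled")
	fmt.Println(f.Select(certs), err) // [cert-a] <nil>
}
```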

szuecs commented 4 months ago

this was done