Can we use multiple AWS ACM certificates at the Nginx ingress controller, or multiple ACM certificates at the Ingress object level?

We are using EKS and Nginx-ingress (NLB). I'm trying to configure multiple AWS ACM certificates in the aws-load-balancer-ssl-cert annotation for the NLB, but with no luck. Could someone help, if it is possible at all? Thanks.

If that is not possible, please guide me to any other way of using multiple ACM certs at the ingress object level, if possible.

My exact scenario:

I am using an NLB (FYI)

If we are able to add multiple ACM certificates at the controller level, that also works for me (I am currently using a single certificate in my NLB; see the annotations below).

At the controller level, these flags let me add a single certificate:

service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:ap-south-1:1234556677:certificate/3a1d5a-469b-dffe4bad3182
service.beta.kubernetes.io/aws-load-balancer-type: nlb

or

I am maintaining an ingress object per namespace. If we are able to attach a certificate at the ingress object level, that also solves my problem.

me2586 asked Aug 16 '20 04:08



2 Answers

Good question.

There is no support for multiple ACM certificates on an ALB/NLB that points to an nginx ingress controller (or any other ingress controller AFAIK).

The dirty hack from Kubernetes is to create another Service that points to the same nginx ingress controller (same selectors), but in this case it will just create another ALB/NLB, and you may not want that.

The non-Kubernetes way, which might work better for you, is just to do it from AWS itself and modify the ALB/NLB that sends traffic to your nginx ingress.


✌️

Rico answered Oct 22 '22 07:10


To add to Rico's answer:

It's not possible to attach multiple certificates to the Nginx ingress controller, or any other ingress, with the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert.

Closed PR: https://github.com/kubernetes/kubernetes/pull/95208

Issue thread: https://github.com/kubernetes/cloud-provider-aws/issues/80#issuecomment-686722657

It's not working with NLB. However, if you are using the ALB, you can use this annotation.

Single cert with ALB:

alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-2:xxxxx:certificate/xxxxxxx

Multiple certificates:

alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-2:xxxxx:certificate/cert1,arn:aws:acm:us-west-2:xxxxx:certificate/cert2,arn:aws:acm:us-west-2:xxxxx:certificate/cert3

alb.ingress.kubernetes.io/certificate-arn specifies the ARN of one or more certificates managed by ACM.


Another option for NLB

Create an ACM certificate with multiple wildcard domains and use this single cert with the ingress. This will work with NLB also.

So your ACM certificate will be storing certs for multiple domains, for example:

*.example.com
*.hello.io
*.so.in

Now you can use a single ACM certificate with the NLB ingress, and there is no need to worry about attaching multiple certs.


Option 2: using cert-manager and storing the cert in a secret

It would be better, if you are planning to use multiple domains, to use wildcard certificates with cert-manager, store them in a Kubernetes Secret, and use them as a pluggable solution with the ingress.

Harsh Manvar answered Oct 22 '22 08:10
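As an added example (not from either answer above, and not the ingress-nginx or cert-manager projects' own manifests), this is what Option 2 looks like end to end for the NLB setup in the question. It assumes cert-manager is installed with a ClusterIssuer named `letsencrypt-dns01` that solves DNS-01 challenges (Let's Encrypt issues wildcard names only via DNS-01), an ingress-nginx controller whose Service lives in the `ingress-nginx` namespace, a tenant namespace `team-a`, and placeholder hostnames and backend Services. The detail worth checking is the controller's Service: it keeps only `aws-load-balancer-type: nlb` and deliberately omits `aws-load-balancer-ssl-cert`, so the NLB forwards TCP 443 unchanged and nginx terminates TLS, choosing the certificate per hostname by SNI. If the ACM annotation stays in place, the NLB terminates TLS with that single ACM certificate and the Kubernetes secrets below are never offered to clients.

```yaml
# Added example, not from the answers above. All names and hostnames are placeholders.

# 1. NLB in front of ingress-nginx as plain TCP passthrough.
#    No aws-load-balancer-ssl-cert annotation: TLS ends in nginx, not in the NLB.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
spec:
  type: LoadBalancer
  externalTrafficPolicy: Local   # keeps the client source IP visible to nginx behind an NLB
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/component: controller
  ports:
    - name: http
      port: 80
      targetPort: http           # container port names used by the ingress-nginx controller
    - name: https
      port: 443
      targetPort: https
---
# 2. One cert-manager Certificate per domain, each a wildcard plus its apex.
#    cert-manager writes a kubernetes.io/tls Secret named by secretName and renews it.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-example-com
  namespace: team-a
spec:
  secretName: wildcard-example-com-tls
  dnsNames:
    - "example.com"
    - "*.example.com"
  issuerRef:
    name: letsencrypt-dns01      # assumed ClusterIssuer with a DNS-01 solver
    kind: ClusterIssuer
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-hello-io
  namespace: team-a
spec:
  secretName: wildcard-hello-io-tls
  dnsNames:
    - "hello.io"
    - "*.hello.io"
  issuerRef:
    name: letsencrypt-dns01
    kind: ClusterIssuer
---
# 3. The namespace's Ingress lists several TLS secrets; nginx picks one per SNI hostname.
#    This is the "multiple certificates at the ingress object level" the question asks for.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: team-a
  namespace: team-a
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"   # send plain HTTP to HTTPS
spec:
  ingressClassName: nginx
  tls:
    - hosts: ["app.example.com"]
      secretName: wildcard-example-com-tls
    - hosts: ["api.hello.io"]
      secretName: wildcard-hello-io-tls
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app          # placeholder backend Service in team-a
                port:
                  number: 8080
    - host: api.hello.io
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: api          # placeholder backend Service in team-a
                port:
                  number: 8080
```

Apply with `kubectl apply -f` and wait until `kubectl get certificate -n team-a` reports `READY True` for both objects before pointing DNS at the NLB. To confirm that nginx rather than the NLB is terminating TLS and that SNI selection works, run `openssl s_client -servername api.hello.io -connect <nlb-dns-name>:443` and check that the served certificate's subject and SANs belong to the hello.io certificate, then repeat with `-servername app.example.com`. Because the secrets only exist in `team-a`, another namespace's Ingress cannot reference them, which keeps each tenant's private keys scoped to its own namespace.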