We are using EKS and Nginx-ingress (NLB). I'm trying to configure multiple AWS ACM certificates in the aws-load-balancer-ssl-cert annotation for the NLB, but with no luck. Could someone help, if it is possible at all? Thanks.
If that is not possible, please guide me on any other way to use multiple ACM certs at the ingress object level, if possible.
My EXACT Scenario:-
I am using an NLB (FYI)
If we are able to add multiple ACM certificates at the controller level, that also works for me (I am currently using a single certificate in my NLB, see the annotations below).
At the controller level, these flags help me to add a single certificate:-
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:ap-south-1:1234556677:certificate/3a1d5a-469b-dffe4bad3182
service.beta.kubernetes.io/aws-load-balancer-type: nlb
or
I am maintaining an ingress object per namespace. If we are able to attach a certificate at the ingress object level, that also solves my problem.
Good question.
There is no support for multiple ACM certificates on an ALB/NLB that points to an nginx ingress controller (or any other ingress controller AFAIK).
The dirty hack from Kubernetes is to create another Service that points to the same nginx ingress controller (same selectors), but in this case it will just create another ALB/NLB and you may not want that.
The non-Kubernetes way, which might work better for you, is just to do it from AWS itself and modify the ALB/NLB that sends traffic to your nginx ingress.
✌️
To add to Rico's answer:
It's not possible to attach multiple certificates to the Nginx ingress controller or any other ingress with the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert.
Closed PR : https://github.com/kubernetes/kubernetes/pull/95208
Issue thread: https://github.com/kubernetes/cloud-provider-aws/issues/80#issuecomment-686722657
It's not working with NLB. However, if you are using the ALB, you can use this annotation:
Single cert with ALB
alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-2:xxxxx:certificate/xxxxxxx
Multiple certificates
alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-2:xxxxx:certificate/cert1,arn:aws:acm:us-west-2:xxxxx:certificate/cert2,arn:aws:acm:us-west-2:xxxxx:certificate/cert3
alb.ingress.kubernetes.io/certificate-arn specifies the ARN of one or more certificates managed by ACM.
Another Option For NLB
Create an ACM certificate with multiple wildcard domains and use this single cert with the ingress. This will work with NLB also.
So your ACM certificate will be storing certs for multiple domains, for example:
*.example.com
*.hello.io
*.so.in
You can now use this single ACM certificate with the NLB ingress, and there is no need to worry about attaching multiple certs.
Option 2: using cert-manager and storing the cert in a Secret
If you are planning to use multiple domains, it would be better to use wildcard certificates with cert-manager, store them in a Kubernetes Secret, and use that as a pluggable solution with the ingress.
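Option 2 above, sketched as an added example that is not part of the original answer: one certificate per namespace, issued by cert-manager into a Secret and served by ingress-nginx. The namespace, resource names, hostnames and the ClusterIssuer `letsencrypt-dns01` are assumptions; the issuer must already exist with a DNS-01 solver, which wildcard names require.

```yaml
# Added example with constructed names; adapt to your cluster.
# TLS is terminated by ingress-nginx here, so the controller Service must keep
#   service.beta.kubernetes.io/aws-load-balancer-type: nlb
# and must NOT set service.beta.kubernetes.io/aws-load-balancer-ssl-cert.
# With that annotation present the NLB terminates TLS itself and presents its
# single ACM certificate, so the per-Ingress Secrets below would not reach clients.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: hello-io-wildcard          # hypothetical
  namespace: team-a                # hypothetical namespace
spec:
  secretName: hello-io-wildcard-tls
  dnsNames:
    - "*.hello.io"
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-dns01        # assumed to exist, DNS-01 solver configured
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app
  namespace: team-a                # Secret must be in the same namespace
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - app.hello.io
      secretName: hello-io-wildcard-tls   # selected by SNI for this host
  rules:
    - host: app.hello.io
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app          # hypothetical backend Service
                port:
                  number: 80
```

Unlike ACM, this places the private key in a Kubernetes Secret, so limit `get`/`list` on Secrets in each namespace through RBAC.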