Can we use multiple AWS ACM certificates at the Nginx-Ingress-Controller, or multiple ACM certificates at the Ingress object level?

8/16/2020

We are using EKS and Nginx-ingress (NLB). I'm trying to configure multiple AWS ACM certificates in the aws-load-balancer-ssl-cert annotation for the NLB, but with no luck. Could someone tell me if it is possible at all? Thanks.

If that is not possible, please guide me to any other way of using multiple ACM certs at the ingress object level, if possible.

My EXACT Scenario:-

I am using an NLB (FYI)

If we are able to add multiple ACM certificates at the controller level, that also works for me (I am using a single certificate in my NLB currently; see the annotations below).

At the controller level, these flags help me to add a single certificate:-

service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:ap-south-1:1234556677:certificate/3a1d5a-469b-dffe4bad3182
service.beta.kubernetes.io/aws-load-balancer-type: nlb

or

I am maintaining an ingress object per namespace. If we are able to attach a certificate at the ingress object level, that also solves my problem.

-- me2586
amazon-eks
amazon-web-services
kubernetes
ssl

2 Answers

8/16/2020

Good question.

There is no support for multiple ACM certificates on an ALB/NLB that points to an nginx ingress controller (or any other ingress controller AFAIK).

The dirty hack from Kubernetes is to create another Service that points to the same nginx ingress controller (same selectors) but in this case, it will just create another ALB/NLB and you may not want that.

The non-Kubernetes way, which might work better for you, is just to do it from AWS itself and modify the ALB/NLB that sends traffic to your nginx ingress.


✌️

-- Rico
Source: StackOverflow
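The "dirty hack" Rico describes, written out as manifests. This is an added example, not code from the answer or from the ingress-nginx project: two Services select the same ingress-nginx controller pods, so the in-tree AWS cloud provider creates one NLB per Service, each with its own ACM certificate. The namespace, the selector labels, and the ACM ARNs are assumptions and placeholders.

```yaml
# Added example, not from the original answer. Two Services with the same
# selector give you two NLBs, each carrying a different ACM certificate.
# Assumptions: the controller runs in namespace ingress-nginx with the labels
# used in the selector below; the ARNs are placeholders, not real values.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-example-com
  namespace: ingress-nginx
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    # TLS is terminated on the NLB with this certificate ...
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERT_ID_EXAMPLE_COM
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
    # ... and forwarded to the controller as plain TCP, so the NLB-to-node hop
    # inside the VPC is cleartext. Account for that in your threat model.
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
spec:
  type: LoadBalancer
  externalTrafficPolicy: Local   # keeps client source IPs for logs and allowlists
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/component: controller
  ports:
    - name: http
      port: 80
      targetPort: http
    - name: https
      port: 443
      targetPort: http   # already decrypted by the NLB; nginx sees HTTP here
---
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-hello-io
  namespace: ingress-nginx
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERT_ID_HELLO_IO
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
spec:
  type: LoadBalancer
  externalTrafficPolicy: Local
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/component: controller
  ports:
    - name: http
      port: 80
      targetPort: http
    - name: https
      port: 443
      targetPort: http
```

Each Service gets its own NLB hostname, so the DNS records for each domain point at the matching NLB; the Ingress rules inside the cluster still route by Host header as before. The price is a second load balancer to pay for, monitor, and keep in your inventory of internet-facing endpoints.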

11/16/2021

To add to Rico's answer.

It's not possible to attach multiple certificates to the Nginx ingress controller or any other ingress with the annotation: service.beta.kubernetes.io/aws-load-balancer-ssl-cert.

Closed PR: https://github.com/kubernetes/kubernetes/pull/95208

Issue thread: https://github.com/kubernetes/cloud-provider-aws/issues/80#issuecomment-686722657

It's not working with NLB. However, if you are using the ALB, you can use this annotation.

Single cert with ALB:

alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-2:xxxxx:certificate/xxxxxxx

Multiple certificates:

alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-2:xxxxx:certificate/cert1,arn:aws:acm:us-west-2:xxxxx:certificate/cert2,arn:aws:acm:us-west-2:xxxxx:certificate/cert3

alb.ingress.kubernetes.io/certificate-arn specifies the ARN of one or more certificates managed by ACM.


Another Option For NLB

Create an ACM certificate with multiple wildcard domains and use this single cert with the ingress. This will work with NLB also.

So your ACM certificate will be storing certs for multiple domains, for example:

*.example.com
*.hello.io
*.so.in

This single ACM certificate you can now use with the NLB ingress, and there is no need to worry about attaching multiple certs.


Option 2: using cert-manager and storing the cert in a Secret

It would be better, if you are planning to use multiple domains, to use wildcard certificates with cert-manager, store them in a Kubernetes Secret, and use that as a pluggable solution with the ingress.

-- Harsh Manvar
Source: StackOverflow
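The ALB option and Option 2 from Harsh's answer, as manifests. This is an added example, not code from the answer, from the AWS Load Balancer Controller, or from cert-manager. Option A shows the comma-separated alb.ingress.kubernetes.io/certificate-arn annotation on an ALB Ingress; Option B shows a single cert-manager Certificate covering several wildcard names, issued into a Secret that an ingress-nginx Ingress references. The NLB multi-SAN option from the answer is not repeated here, because it uses the same single-ARN Service annotation already shown in the question. Namespaces, hostnames, the Service name, the ClusterIssuer name, and the ARNs are assumptions and placeholders.

```yaml
# Added example, not from the original answer. All names and ARNs are
# placeholders.
#
# Option A: ALB (AWS Load Balancer Controller) with several ACM certificates
# on one HTTPS listener. The value is a comma-separated list of ARNs; the ALB
# picks the certificate by SNI.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-alb
  namespace: team-a
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    alb.ingress.kubernetes.io/ssl-redirect: "443"   # redirect plain HTTP to HTTPS
    alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS13-1-2-2021-06
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERT_ID_EXAMPLE_COM,arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERT_ID_HELLO_IO
spec:
  ingressClassName: alb
  rules:
    - host: www.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web          # assumed backend Service in namespace team-a
                port:
                  number: 80
    - host: www.hello.io
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 80
---
# Option B: one cert-manager Certificate for several wildcard names, written to
# a Secret and consumed by an ingress-nginx Ingress. TLS is then terminated in
# nginx, so the NLB in front must pass port 443 through as TCP (no
# aws-load-balancer-ssl-cert annotation on the controller Service).
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: multi-wildcard
  namespace: team-a
spec:
  secretName: multi-wildcard-tls    # cert-manager writes tls.crt and tls.key here
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-dns01         # assumed ClusterIssuer with a DNS-01 solver;
                                    # wildcard names can only be validated via DNS-01
  dnsNames:
    - "*.example.com"
    - "*.hello.io"
    - "*.so.in"
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-nginx
  namespace: team-a
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - www.example.com
        - www.hello.io
      secretName: multi-wildcard-tls   # must live in the same namespace as the Ingress
  rules:
    - host: www.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 80
```

With Option B the private key lives in a Kubernetes Secret rather than in ACM, so RBAC on Secrets in that namespace (and encryption of Secrets at rest) becomes part of the certificate's security boundary; with Option A the key never leaves ACM, but the ALB-side certificate list has to be kept in sync with the hosts in your Ingress rules.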