Multiple domain listener for Application Load Balancer ingress controller

6/29/2021

I'm working with the K8s AWS Load Balancer Controller (https://github.com/kubernetes-sigs/aws-load-balancer-controller) and need some advice. I need it to respond to two different hostnames with two different wildcard SSL certificates and direct traffic to the same target group.

Here's my current ingress.yaml file:

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  namespace: gradle
  name: gradle-proxy-dev
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internal
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/certificate-arn: "<scrubbed cert ARN>"
    alb.ingress.kubernetes.io/inbound-cidrs: "<scrubbed>"
    alb.ingress.kubernetes.io/ssl-policy: "ELBSecurityPolicy-TLS-1-2-2017-01"
    alb.ingress.kubernetes.io/healthcheck-path: /info/version
    alb.ingress.kubernetes.io/success-codes: "200"
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
    alb.ingress.kubernetes.io/load-balancer-attributes: routing.http2.enabled=true
spec:
  rules:
    - http:
        paths:
          - path: /*
            backend:
              serviceName: ssl-redirect
              servicePort: use-annotation
          - path: /*
            backend:
              serviceName: gradle-proxy
              servicePort: 80

It currently has no trouble responding to the URL gradle.internal.domain.com, but throws an SSL error when I direct traffic for gradle.new.domain.com, which makes sense since the only certificate is for *.internal.domain.com.

In the EC2 console, I can attach a second certificate and add a rule to forward traffic for host "gradle.new.domain.com" to the created target group, but I'm having trouble figuring out how to capture that in the ingress yaml configuration.

-- Adam Hansen
amazon-eks
amazon-web-services
aws-application-load-balancer
kubernetes

1 Answer

6/30/2021

I found my solution here was that I didn't need any fancy rules, I just needed to add the second wildcard SSL certificate to the ingress configuration.

-- Adam Hansen
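
An added illustration of the fix described in the answer (not part of the original post): the controller's `alb.ingress.kubernetes.io/certificate-arn` annotation accepts a comma-separated list of ACM certificate ARNs, where the first becomes the HTTPS listener's default certificate and the rest are attached as additional listener certificates. The ARNs below are placeholders, and which certificate comes first is an assumption.

```yaml
# Added example: metadata/annotations fragment only.
# The spec and the remaining annotations stay as in the question's manifest.
metadata:
  namespace: gradle
  name: gradle-proxy-dev
  annotations:
    kubernetes.io/ingress.class: alb
    # Comma-separated list of ACM certificate ARNs (placeholders, not real values):
    #   first  = default listener certificate (here: *.internal.domain.com)
    #   second = additional listener certificate (here: *.new.domain.com)
    alb.ingress.kubernetes.io/certificate-arn: "<ARN of *.internal.domain.com certificate>,<ARN of *.new.domain.com certificate>"
    # Unchanged from the question: one TLS policy applies to the listener,
    # so both hostnames negotiate with the same protocol and cipher set.
    alb.ingress.kubernetes.io/ssl-policy: "ELBSecurityPolicy-TLS-1-2-2017-01"
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
```

Because the rules in the question carry no `host:` field, requests for either hostname reach the same backend. The ALB selects the certificate that matches the SNI name sent in the TLS handshake.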
Source: StackOverflow