
Unable to Pass Multiple ACM Certificate ARNs to service.beta.kubernetes.io/aws-load-balancer-ssl-cert #3942

Open
vSharique opened this issue Nov 18, 2024 · 2 comments

Comments

@vSharique

Describe the bug
I encountered an issue when trying to pass multiple ACM certificate ARNs to the Kubernetes annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert. The operation fails, and the following error is returned:

Error syncing load balancer: failed to ensure load balancer: error creating listener: "error creating load balancer listener: \"ValidationError: Certificate ARN 'arn of certificate1, arn of certificate2' is not valid\n\tstatus code: 400, request id: e7c31ef5-06b6-4027-acff-ecc2d3762d26\""

Passing a single ACM certificate ARN works as expected. However, the issue arises specifically when multiple ARNs are provided.

Steps to reproduce

  1. Create a Kubernetes service with the service.beta.kubernetes.io/aws-load-balancer-ssl-cert annotation.
  2. Provide a comma-separated list of ACM certificate ARNs as the value for the annotation.
     Example:
     metadata:
       annotations:
         service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:region:account-id:certificate/cert1,arn:aws:acm:region:account-id:certificate/cert2"
  3. Deploy the service and observe the load balancer creation logs at the Kubernetes Service level.

Expected outcome
The load balancer should be created successfully with listeners configured for all specified ACM certificates.

Environment

  • Ingress Nginx v1.12.0-beta.0
  • Helm Chart Version 4.12.0-beta.0
  • Kubernetes version 1.31
  • Using EKS 1.31
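A pre-apply check for the annotation value described in the steps above, written as an added example that is not part of this issue or of the load balancer controller's code. It splits the value on commas, as the annotation is documented to expect, and validates every element on its own, so a value that the API would reject as one bogus ARN (like the quoted 'arn of certificate1, arn of certificate2') is caught before the Service is applied. The ACM ARN pattern is an assumption derived from the ARN shape in the manifests on this page, and the sample ARNs are constructed.

```python
import re

ANNOTATION = "service.beta.kubernetes.io/aws-load-balancer-ssl-cert"

# Assumed ACM certificate ARN shape (partition, region, 12-digit account,
# UUID-style certificate id), inferred from the ARNs shown in this thread.
ACM_ARN_RE = re.compile(
    r"^arn:aws[a-z-]*:acm:[a-z0-9-]+:\d{12}:certificate/[0-9a-f-]{36}$"
)


def check_ssl_cert_annotation(value: str) -> list[str]:
    """Return the problems found in the annotation value; empty list means OK.

    Each comma-separated element must be a well-formed ACM ARN with no
    surrounding whitespace; a stray comma or a space after a comma would
    otherwise reach the AWS API as part of the ARN string.
    """
    problems: list[str] = []
    if not value.strip():
        return [f"{ANNOTATION}: value is empty"]
    for i, raw in enumerate(value.split(","), start=1):
        arn = raw.strip()
        if not arn:
            problems.append(f"entry {i}: empty element (stray comma)")
            continue
        if raw != arn:
            problems.append(f"entry {i}: surrounding whitespace in {raw!r}")
        if not ACM_ARN_RE.match(arn):
            problems.append(f"entry {i}: not an ACM certificate ARN: {arn!r}")
    return problems


def check_service_annotations(annotations: dict[str, str]) -> list[str]:
    """Run the check on a Service's metadata.annotations mapping."""
    value = annotations.get(ANNOTATION)
    if value is None:
        return []  # no TLS termination requested on the load balancer
    return check_ssl_cert_annotation(value)


# Constructed sample ARNs (placeholder account id and certificate ids).
CERT_A = "arn:aws:acm:us-west-2:123456789012:certificate/11111111-2222-3333-4444-555555555555"
CERT_B = "arn:aws:acm:us-west-2:123456789012:certificate/66666666-7777-8888-9999-000000000000"

if __name__ == "__main__":
    for sample in (f"{CERT_A},{CERT_B}", f"{CERT_A}, {CERT_B}", f"{CERT_A},,{CERT_B}"):
        print(repr(sample), "->", check_ssl_cert_annotation(sample) or "OK")
```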
@zac-nixon
Contributor

I think I need more information; I can't replicate this by applying the manifest. How are you deploying the service?

apiVersion: v1
kind: Service
metadata:
  name: echoserver-cert
  namespace: echoserver
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "80"
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-west-2:565768096483:certificate/e5b8b88e-99d6-429c-a7d1-172ae522f907,arn:aws:acm:us-west-2:565768096483:certificate/9bfe3677-0731-46b3-8bcf-4f5146e09140
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
spec:
  selector:
    app: echoserver
  ports:
    - port: 80
      targetPort: 8080
      protocol: TCP
  type: LoadBalancer
  loadBalancerClass: service.k8s.aws/nlb

@vSharique
Author

I encountered an error while creating the service for the first time. I am using the nginx-ingress Helm chart to deploy the resources.

apiVersion: v1
kind: Service
metadata:
  name: ingress-external-controller
  namespace: ingress-external
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-external
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.12.0-beta.0
  annotations:
    meta.helm.sh/release-name: ingress-external
    meta.helm.sh/release-namespace: ingress-external
    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
    service.beta.kubernetes.io/aws-load-balancer-name: prod-external
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: >-
      arn:aws:acm:us-west-2:565768096483:certificate/e5b8b88e-99d6-429c-a7d1-172ae522f907,arn:aws:acm:us-west-2:565768096483:certificate/9bfe3677-0731-46b3-8bcf-4f5146e09140
    service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: ELBSecurityPolicy-TLS-1-2-2017-01
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
spec:
  ports:
    - name: http
      protocol: TCP
      appProtocol: http
      port: 80
      targetPort: tohttps
      nodePort: 31374
    - name: https
      protocol: TCP
      appProtocol: https
      port: 443
      targetPort: http
      nodePort: 31456
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-external
    app.kubernetes.io/name: ingress-nginx
  type: LoadBalancer
  sessionAffinity: None
  externalTrafficPolicy: Cluster
  ipFamilyPolicy: SingleStack
  allocateLoadBalancerNodePorts: true
  internalTrafficPolicy: Cluster
